Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > NTLM
You can use NT LAN Manager (NTLM) to authenticate only Windows users. When a client web request matches an Authentication policy rule in which the authentication enforcement object specifies a browser-challenge (see Policies > Authentication), an NTLM challenge transparently authenticates the client. The firewall then collects user mapping information from the NTLM domain.
You can enable NTLM authentication processing for only one virtual system per firewall, which you select in the Location drop-down at the top of the User Mapping page.
Optionally, you can use the firewall to perform NTLM authentication processing for other firewalls by adding it as a User-ID agent to those firewalls. For details, see Configure Access to User-ID Agents.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent. For details, see the NTLM Authentication field in Device > User Identification > Captive Portal Settings.
Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
To configure NTLM authentication processing, specify the settings described in the following table.
| Field | Description |
| --- | --- |
| Enable NTLM authentication processing | Select this option to enable NTLM authentication processing. |
| | Enter the NTLM domain name. |
| Admin User Name (for the NTLM domain) | Enter the administrator account that has access to the NTLM domain. Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain. |
| Password/Confirm Password (for the NTLM domain) | Enter the password for the administrator account that has access to the NTLM domain. |