NTLM Authentication
- DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupNTLM
You can use NT LAN Manager (NTLM)
to authenticate only Windows users.
When a client web request matches an Authentication policy rule
in which the authentication enforcement object specifies a browser-challenge
(see Policies
> Authentication), an NTLM challenge transparently authenticates
the client. The firewall then collects user mapping information
from the NTLM domain.

You can enable NTLM authentication processing for only one virtual
system per firewall, which you select in the
Location
drop-down
at the top of the User Mapping
page.Optionally, you can use the firewall to perform NTLM authentication
processing for other firewalls by adding it as a User-ID agent to
those firewalls. For details, see Configure
Access to User-ID Agents.
If you use the Windows-based User-ID agent, NTLM responses go
directly to the domain controller where you installed the agent. For
details, see the
NTLM Authentication
field
in Device
> User Identification > Captive Portal Settings.Configure Authentication rules to use Kerberos single sign-on
instead of NTLM authentication. Kerberos
is a stronger, more robust authentication method than NTLM and does
not require the firewall to have an administrative account to join
the domain. For details on configuring the authentication methods
for Authentication rules, see Objects
> Authentication.

The complete procedures to configure Captive Portal
or Windows-based User-ID agents
require additional tasks besides
enabling NTLM.


To configure NTLM authentication processing, specify the settings
described in the following table.
Field | Description |
---|---|
Enable NTLM authentication processing | Select this option to enable NTLM authentication
processing. |
NTLM Domain | Enter the NTLM domain name. |
Admin User Name ( for the NTLM domain ) | Enter the administrator account that has
access to the NTLM domain. Do not include
the domain in the Admin User Name field.
Otherwise, the firewall will fail to join the domain. |
Password/Confirm Password ( for the NTLM domain ) | Enter the password for the administrator
account that has access to NTLM domain. |
Recommended For You
Recommended Videos
Recommended videos not found.