
Use LDAP to restrict access to NTLMv2 sessions

To configure Windows Authentication - NTLMv2 with LDAP authorization, first enter the LDAP settings and then the authentication settings.

  1. Enter the LDAP Server information:

    • Server type and Security options
    • Server name and Server port — or — DNS domain and Server port
    • Username
    • Password
  2. Enter the Directory search base, and choose Logical groups or Folders.

  3. Enter the Domain used to authenticate end users.

  4. If desired, click Password expiration to set a reminder.

  5. Continue with the Single Sign-on through Windows Authentication Configuration. Enter the required settings:

    a. NetBIOS hostname of domain controller

    Hint

    To obtain the NetBIOS name for a domain on Windows Server 2000 or higher:

    1. Open the Active Directory Domains and Trusts snap-in (domain.msc).

    2. In the console tree, right-click the domain and select Properties.

    3. The Domain name (pre-Windows 2000) field displays the NetBIOS name.

    On Windows Server 2008 or higher, you can also use the Active Directory module for Windows PowerShell to find the NetBIOS name of a domain in Active Directory Domain Services.

    On Windows Server 2008 only, if the Active Directory module is not loaded in your session, you may need to import it first, using this PowerShell command:

    Import-Module ActiveDirectory

    Example: To find the NetBIOS name of the domain called mydomain.com:

    Get-ADDomain -Identity mydomain.com | findstr /I NetBIOSName

    b. Computer account (for servicing): A computer account in the Active Directory domain.

    A computer account is different than a user account. The computer account should not be associated with an actual physical or virtual computer.

    To specify the Computer account for servicing:

    A computer account's syntax is the pre-Windows 2000 computer name, followed by a $ sign, followed by the @ symbol, and then the DNS domain name. (The term NetBIOS is called pre-Windows 2000 in some Windows utilities.)

    Syntax: <Computer name (pre-Windows 2000)>$@<DNS domain name>

    For example, if the Computer name is ReflServiceAccount, the pre-Windows 2000 Computer name is REFLSERVICEACCO and the computer account is: REFLSERVICEACCO$@mydomain.com

    c. Computer account password

    If the password of the computer account is not already known, it must be explicitly reset in Active Directory. You can reset a computer account’s password using a simple VBScript, or the ADSI Edit tool.

  6. Click TEST CONNECTION.

    This action checks the NTLMv2 connection to be sure the server is listening and is in fact a domain controller. The test attempts to authenticate to the server using the IP address or alias for the domain controller, the NetBIOS hostname, computer account, and password.

    Then, the LDAP connection is tested.

    Note

    The Domain is not tested and could still be a cause for error later in the authentication process.

    If the result is Success, click OK.

    If TEST CONNECTION fails, the message specifies whether the NTLM or the LDAP server connection failed. Check the logs and resolve the issue before continuing.

  7. Advanced Settings: For the Maximum nested level for groups, accept the default (5), or change the number.

  8. Click OK.

  9. To add another server, see Adding Another Server for Windows Authentication NTLMv2.
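The following PowerShell script is an added example, not part of the product documentation: it gathers the three values that step 5 asks for (NetBIOS domain name, computer account for servicing, computer account password) with the Active Directory module, reading the pre-Windows 2000 names from the directory instead of grepping formatted output or truncating by hand, and resets the computer account password with Set-ADAccountPassword in place of the VBScript or ADSI Edit approach the page mentions. The domain mydomain.com and the computer object ReflServiceAccount are placeholders, and the script assumes that computer object already exists.

```powershell
# Added example (not from the product documentation). Assumes the Active
# Directory module is available and that a dedicated computer object named
# ReflServiceAccount already exists in mydomain.com; both names are placeholders.
Import-Module ActiveDirectory

$DnsDomain    = 'mydomain.com'         # assumption: your AD DNS domain name
$ComputerName = 'ReflServiceAccount'   # assumption: dedicated computer object

# a. NetBIOS (pre-Windows 2000) name of the domain, read as a property.
$Domain      = Get-ADDomain -Identity $DnsDomain
$NetBiosName = $Domain.NetBIOSName

# b. Servicing account: <pre-Windows 2000 computer name>$@<DNS domain name>.
#    A computer object's SamAccountName already holds the pre-Windows 2000
#    name (at most 15 characters) with the trailing '$', so use it rather
#    than truncating the display name yourself.
$Computer         = Get-ADComputer -Identity $ComputerName -Server $DnsDomain
$ServicingAccount = '{0}@{1}' -f $Computer.SamAccountName, $Domain.DNSRoot

# Sanity check against the syntax the configuration expects.
if ($ServicingAccount -notmatch '^[^$]{1,15}\$@[A-Za-z0-9.-]+$') {
    throw "Unexpected servicing account format: $ServicingAccount"
}

# c. Reset the computer account password so that it is known. Prompt for it
#    rather than hard-coding it; the same value is entered in the settings.
$NewPassword = Read-Host -AsSecureString 'New password for the computer account'
Set-ADAccountPassword -Identity $Computer -Reset -NewPassword $NewPassword

# The values to enter in step 5a and 5b.
[pscustomobject]@{
    NetBiosDomain    = $NetBiosName
    ServicingAccount = $ServicingAccount   # e.g. REFLSERVICEACCO$@mydomain.com
}
```

Run it from an account permitted to reset the computer object's password; the computer object should remain unassociated with any real machine, as step 5b requires.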