Set up NTLM v2 or Kerberos-based single sign-on to transparently authenticate on-premises Active Directory users using their Windows logon credentials.

Note
NTLM v2 and Kerberos-based single sign-on apply only to user devices in an Active Directory domain. Before enabling the services, make sure you have joined the necessary user devices to your on-premises Active Directory domains and review the following topics:
Consider the following limitations when planning NTLM v2 or Kerberos-based single sign-on:
  • Internet Access cannot authenticate users who do not have the Secure Access Module installed and who connect from outside the corporate network locations identified by managed Internet Access cloud gateways.
  • For NTLM v2-based single sign-on: If you use an Active Directory Global Catalog server, Internet Access rule mismatch might occur for users with the same user name in your organization.
  • For Kerberos-based single sign-on: If the user principal name of a Kerberos-authenticated user is different from the name used in Active Directory, you may not be able to apply user or group-based rules to the user.

Procedure

  1. Go to Zero Trust Secure Access > Secure Access Configuration > Internet Access Configuration > Global Settings, and click Single Sign-On with Active Directory (On-Premises).
  2. Enable single sign-on.
  3. Select an on-premises gateway to assign as the authentication proxy to communicate with Active Directory for authentication.
    All on-premises Active Directory users are authenticated through the specified gateway with the specified Active Directory server.
    Note
    The on-premises gateway uses port 8089 for authentication traffic.
  4. Select and import a trusted server certificate from your organization.
    Note
    • By default, Internet Access uses the built-in CA certificate for HTTPS inspection to sign the server certificate for user authentication. To use a custom certificate, select the option, upload your own certificate and private key, and provide and confirm the password.
    • The common name (CN) and subject alternative name (SAN) on the certificate must match the host name of the specified on-premises gateway.
  5. If desired, select to enable NTLM v2-based single sign-on.
    1. On the Trend Vision One console, choose your Active Directory server type and specify the IP address or FQDN of the Active Directory server.
    2. Protect authentication data during communication with Active Directory by selecting Use LDAPS.
    3. Specify the port for transmitting authentication data based on the selected server type and protocol.
      Protocol   Microsoft Active Directory   Microsoft Active Directory Global Catalog
      LDAP       389                          3268
      LDAPS      636                          3269
    4. Sign in to your Active Directory server using an account with administrator privileges.
    5. Go to Start > Server Manager > Tools > Group Policy Management.
      The Group Policy Management screen appears.
    6. From the left-hand navigation menu, select your forest and domain.
    7. Right-click Default Domain Policy under your domain and select Edit....
      The Group Policy Management Editor appears.
    8. Under Computer Configuration, go to Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    9. If you are using LDAP:
      1. Double-click Domain controller: LDAP server signing requirements.
      2. Click Define this policy setting.
      3. Select None.
      4. Click Apply and then OK.
    10. If you are using LDAPS:
      1. Double-click Domain controller: LDAP server channel binding token requirements.
      2. Click Define this policy setting.
      3. Select Never.
      4. Click Apply and then OK.
      NTLM v2 authentication can be successfully enabled after the group policy changes take effect, which may take up to two hours.
  6. If desired, enable Kerberos-based single sign-on and upload the required keytab file.
    1. Sign in to your Active Directory domain controller using an account with administrator privileges.
    2. Create a new Active Directory user to serve as the service principal name (SPN) for Kerberos authentication.
      1. Specify the account user name and password.
      2. Select the option Password never expires to ensure the keytab file remains valid.
      3. Select the option This account supports Kerberos AES 256 bit encryption to allow the account to be used for authentication.
        Note
        You may verify the configuration of the authentication account at any time by selecting the corresponding user in Active Directory and going to Properties > Account > Account options.
    3. From the command line, run the following command to set the new user as the SPN.
      setspn -a HTTP/<auth proxy fqdn> <user name>
      Note
      The <auth proxy fqdn> is the FQDN of the Service Gateway which hosts the Internet Access on-premises gateway. The FQDN is created when configuring the Active Directory server.
    4. Run the following command to generate the keytab file associating the new SPN with the Kerberos service.
      ktpass -princ HTTP/<auth proxy fqdn>@<DOMAIN> -mapuser <user name>@<domain> -pass <user password> -out swg.keytab -ptype KRB5_NT_PRINCIPAL -mapop add -crypto all
      A keytab file named swg.keytab is generated and stored under C:\Users\Administrator.
      Note
      • Kerberos commands are case-sensitive. In the keytab generation command, the server FQDN based on your on-premises gateway (<auth proxy fqdn>) is all lowercase while the Kerberos realm (the Active Directory domain, @<DOMAIN>) should be all uppercase.
      • If the keytab file is ever changed, users may need to clear their Kerberos cache to avoid authentication failure.
    5. Upload the generated keytab file to the Kerberos settings in Single Sign-On with Active Directory (On-Premises) on the Trend Vision One console.
  7. Click Save.
    It might take a few minutes for the configuration to take effect.
  8. View the on-premises gateway status in the Gateways screen.
    • Setting up auth proxy: Internet Access is applying the NTLM v2 or Kerberos-based single sign-on settings to the on-premises gateway.
    • Used as auth proxy: The on-premises gateway is successfully configured as the authentication proxy.
    • Auth proxy error: An error occurred due to one of the following issues:
      • The on-premises gateway attempted to communicate with the Active Directory server or Trend Vision One while the Zero Trust Secure Access On-Premises Gateway service is disabled or uninstalled on the Service Gateway appliance.
      • The Service Gateway appliance is disconnected.
      • The on-premises gateway host name is not associated with any SPN in the Kerberos keytab file.
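Before uploading the keytab from step 6 (and when diagnosing the "Auth proxy error" above), it helps to inspect the file itself rather than trust the ktpass command line. The following is an added example, not code from the page or from Trend Micro: it parses an MIT-format keytab and checks that it holds HTTP/<auth proxy fqdn>@<DOMAIN> with the host in lowercase, the realm in uppercase and an AES-256 key; the gateway FQDN swg-gw.corp.example, the realm CORP.EXAMPLE and the keytab bytes are all constructed placeholders.

```python
"""Added example, not from the page: parse an MIT keytab (format 0x0502) and check for the gateway SPN."""
import struct
AES256 = 18  # aes256-cts-hmac-sha1-96 enctype number (IANA Kerberos registry)

def _counted(data, pos):  # uint16-length-prefixed octet string -> (bytes, next pos)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):  # -> [(principal, enctype, kvno), ...]
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative size marks a deleted slot; 0 would never advance
            pos += -size if size else len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        vpos = pos + 8  # past uint32 name_type and uint32 timestamp; data[vpos] is the 8-bit vno
        (enctype,) = struct.unpack_from(">H", data, vpos + 1)
        _key, pos = _counted(data, vpos + 3)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else data[vpos]
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno))
        pos = end
    return entries

def check_spn(entries, proxy_fqdn, realm):  # Kerberos is case-sensitive: host lower, realm upper
    want = f"HTTP/{proxy_fqdn.lower()}@{realm.upper()}"
    names = [e[0] for e in entries]
    return {"spn": want, "present": want in names,
            "aes256": any(e[1] == AES256 for e in entries if e[0] == want),
            "case_mismatch": any(n != want and n.lower() == want.lower() for n in names)}

def _entry(principal, enctype, key, kvno=2):  # constructed sample: encode one keytab entry
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab for a placeholder gateway: AES-256 and RC4 (23) keys for one SPN, as -crypto all would emit.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(_entry("HTTP/swg-gw.corp.example@CORP.EXAMPLE", et, key)
                                       for et, key in ((AES256, b"\x11" * 32), (23, b"\x22" * 16)))
```

Run check_spn(parse_keytab(open("swg.keytab", "rb").read()), "<auth proxy fqdn>", "<DOMAIN>") against a real file; a case_mismatch result explains the keytab-related "Auth proxy error", and a changed kvno between two keytabs is the situation where users need to clear their Kerberos cache.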