Before you configure your NTLM or Kerberos for single sign-on with Active Directory (on-premises), you must first configure the Active Directory server and the client computer.
Important
Make sure you have a Service Gateway configured with the Zero Trust Secure Access On-premises Gateway installed and enabled.

Configuring the Active Directory server for Kerberos or NTLM single sign-on

Configure your Active Directory server to prepare for enabling single sign-on authentication services on your Internet Access on-premises gateway.

To configure your Active Directory server for Kerberos or NTLM single sign-on, you must add a DNS record for the on-premises gateway being used as the authentication proxy.

Procedure

  1. Get the IP address of the Service Gateway configured with the on-premises gateway service that you want to use as the authentication proxy.
    1. On the Trend Vision One console, go to Workflow and Automation > Service Gateway Management.
    2. Click the identifier of the Service Gateway you want to use as the authentication proxy.
    3. From the Service Gateway details screen, copy the IPv4 address.
  2. On your Active Directory server console, go to Administrative Tools > DNS > Forward Lookup Zones.
  3. Right-click the name of the Active Directory domain you wish to synchronize with the specified Internet Access on-premises gateway and select New Host....
  4. In the New Host screen that appears, provide a Name for the authentication proxy.
    Use a name that is easy to remember, such as authproxy.
  5. Type the IPv4 address of the Service Gateway being used as an authentication proxy.
    The FQDN field automatically fills in. Copy the FQDN for a later step.
  6. Click Add Host.
  7. Update the Service Gateway FQDN.
    1. On the Trend Vision One console, go to Workflow and Automation > Service Gateway Management.
    2. Locate the Service Gateway you are using as the authentication proxy.
    3. Click the Configure settings icon (configure.png).
      The Service Gateway Settings window appears.
    4. Click the Edit name icon (edit_001.png).
    5. Replace the value with the FQDN you copied.
    6. Click Change, then click Save.

Configuring the client computer for Kerberos or NTLM single sign-on

Configure your client computer to prepare for enabling single sign-on authentication services on your Internet Access on-premises gateway.

Procedure

  1. Configure the DNS server for the client computer.
    1. Open a web browser on the client computer and go to Internet Protocol Version 4 (TCP/IPv4) in the internet settings.
    2. In the Preferred DNS server field, enter the IP address of your Active Directory server.
    3. Click OK.
  2. Disable IPv6 on the client computer.
    1. In the browser on your client computer, go to Internet Protocol Version 6 (TCP/IPv6) in the internet settings.
    2. Uncheck the box enabling IPv6 use.
    3. Click OK.
  3. Add the client computer to an Active Directory domain.
    1. Go to System Properties and select the Computer Name tab.
    2. Select Change.
    3. On the Computer Name/Domain Changes screen that appears, select Domain and enter the name of the desired Active Directory domain.
    4. Click OK.
    5. Confirm the user name and password of the administrator account.
    6. Restart the client computer and sign in using the Active Directory domain user account credentials.
  4. Ensure the FQDN of the authentication proxy is on the bypass or exceptions list in the client proxy settings.
    • If you are using a PAC file, add the FQDN to the PAC File Settings in Trend Vision One
      1. On the Trend Vision One console, go to Zero Trust Secure Access > Secure Access Configuration > Internet Access Configuration > PAC Files.
      2. Locate the PAC file the client computer is using and click the edit icon (modify-connector.jpg).
      3. Add the FQDN to the bypass proxy list.
      4. Click Save.
      5. Deploy the updated PAC file to the client computer.
    • If you are using manual proxy setup on the client computer, add the FQDN to the proxy exception list.
      1. On the client computer, go to Start > Settings > Network & Internet > Proxy.
      2. Add the FQDN to the list under Use the proxy server except for addresses that start with the following entries.
      3. Click Save.
  5. On the client computer, allow automatic logon in the Intranet zone by adding the FQDN of the authentication proxy to your Intranet sites. The steps depend on whether the Secure Access Module is installed and, if it is not, on which supported browser is used.
    Connection Method: With Secure Access Module installed
    Supported Browser: n/a
    Settings:
      1. Go to Control Panel > Network and Internet > Internet Options and click the Security tab.
      2. Select Local intranet and click Sites.
      3. In the Local intranet screen, click Advanced, add the FQDN of the authentication proxy and click Add.
      4. Close the screen.
    Connection Method: Without Secure Access Module installed (use a supported browser)
    Supported Browser: Mozilla® Firefox®
    Settings:
      1. Open Firefox, type about:config in the address bar, and then click I accept the risk!.
      2. For NTLM: type network.automatic in the search box and double-click network.automatic-ntlm-auth.trusted-uris.
      3. For Kerberos: type network.negotiate-auth in the search box and double-click network.negotiate-auth.trusted-uris.
      4. Type the FQDN of the authentication proxy and click OK.
    Connection Method: Without Secure Access Module installed (use a supported browser)
    Supported Browser: Google Chrome™ or Microsoft Edge™ (Chromium-based)
    Settings:
      1. Open Internet Options and click the Security tab.
      2. Select Local intranet and click Sites.
      3. In the Local intranet screen, click Advanced, add the FQDN of the authentication proxy and click Add.
      4. Close the screen.
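What the bypass entry from step 4 amounts to in PAC terms, as an added illustration (this is not the PAC file Trend Vision One generates): the authentication proxy FQDN is returned as DIRECT and everything else goes through the gateway. The names authproxy.corp.example.com, the 10.0.0.5:8080 listener and the .corp.example.com domain suffix are constructed placeholders, and bypassing the internal domain suffix is an assumed local policy rather than a step on this page.

```javascript
// Added example, not Trend Micro's PAC file. All hostnames and addresses below
// are constructed placeholders for the values you configured in the steps above.
var AUTH_PROXY_FQDN = "authproxy.corp.example.com"; // assumed FQDN from the DNS step
var GATEWAY_PROXY = "PROXY 10.0.0.5:8080";           // assumed on-premises gateway listener
var INTERNAL_DOMAIN = ".corp.example.com";           // assumed AD domain suffix (local policy)

// Case-insensitive exact or suffix match. Written out instead of the PAC
// built-ins (dnsDomainIs, isPlainHostName) so the logic also runs outside a browser.
// Exact/suffix matching matters: a substring check such as indexOf() would also
// grant the bypass to a lookalike like authproxy.corp.example.com.attacker.test.
function hostMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.charAt(0) === ".") {
    return host.length > pattern.length && host.slice(-pattern.length) === pattern;
  }
  return host === pattern;
}

// Entry point every PAC file must define; browsers call it for each request.
function FindProxyForURL(url, host) {
  // Step 4: the authentication proxy FQDN must be on the bypass list.
  if (hostMatches(host, AUTH_PROXY_FQDN)) {
    return "DIRECT";
  }
  // Assumed local policy: unqualified intranet names and the AD domain stay off the gateway.
  if (host.indexOf(".") === -1 || hostMatches(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else is sent through the Internet Access on-premises gateway.
  return GATEWAY_PROXY;
}
```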