NTLM configuration (one-shot flow)

Airlock Gateway (WAF) configuration

The following description assumes that Airlock IAM is mapped as /auth (as Entry Path) in the Airlock Gateway (WAF) configuration.

Then you have to enable the AuthNTLMFrontChannelAuthentication rule in the Airlock IAM mapping. Moreover, you have to disable the "Remove NTLM Header" action under "Response Actions".

  • Enable the AuthNTLMFrontChannelAuthentication allow rule in the Airlock IAM mapping.
  • As Authentication Flow select NTLM.
  • Use /auth/check-ntlm as Denied access URL.

Airlock IAM configuration

The Airlock IAM configuration for NTLM front-side authentication is located under Loginapp >> NTLM Front-Side Authentication.

Most important configuration options:

  • The domain controllers to use for authenticating the users using NETLOGON. If multiple domain controllers are configured, Airlock IAM automatically excludes domain controllers that are no longer available and periodically rechecks them (clustered domain controllers are supported).
  • The machine account to use for accessing the NETLOGON service. Note that you cannot use a normal user account for this. You have to create a dedicated "Computer Account" in your Active Directory and then set the password of the newly created computer account. The easiest way to set this password is with a small Visual Basic Script (VBS). Assuming your Windows AD domain is yourDomain.yourCountry, the machine account whose password you set is yourMachineAccount, and the password to set is password123, the script is:

        ' Bind to the computer account object via LDAP (ADSI)
        Set objComputer = GetObject("LDAP://CN=yourMachineAccount,CN=Computers,DC=yourDomain,DC=yourCountry")
        ' Set the account password (the executing user needs the AD right to reset it)
        objComputer.SetPassword "password123"
        MsgBox "Password successfully set"

    Store the script in a file, e.g. setMachineAccountPasswordForAirlockIAM.vbs, and execute it.
  • Enable BASIC authentication for clients that do not support NTLM.
  • Specify Airlock IAM internal authentication checks, e.g. check whether the user exists in the Airlock IAM data store or whether the Airlock IAM user is locked. Note that the NTLM protocol is a fixed three-step handshake, so you cannot use Airlock IAM features that add a further step, such as step-up authentication or a second factor.
  • If you have a User Persister configured under Loginapp, the user must exist in this user store. If this is not applicable in your setting, you have to delete this User Persister.
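The same two steps (create the dedicated computer account, then set its password) with the ActiveDirectory PowerShell module, as an added example that is not part of the Airlock documentation; the domain, container and account name are the page's placeholders, and the password is read interactively instead of being written into the script.

```powershell
# Added example, not Airlock's own code. Creates the dedicated computer account
# for Airlock IAM's NETLOGON access and sets its password, then verifies the change.
# Placeholders: yourDomain.yourCountry (domain), yourMachineAccount (account name).
Import-Module ActiveDirectory

$AccountName = 'yourMachineAccount'                      # placeholder
$Container   = 'CN=Computers,DC=yourDomain,DC=yourCountry' # placeholder
$Dn          = "CN=$AccountName,$Container"

# 1. Create the computer account only if it does not exist yet.
#    A dedicated account keeps the IAM credential separate from any real host.
if (-not (Get-ADComputer -Filter "Name -eq '$AccountName'")) {
    New-ADComputer -Name $AccountName -Path $Container -Enabled $true `
        -Description 'Airlock IAM NETLOGON machine account'
}

# 2. Read the password without echoing it, so it is not stored in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
Set-ADAccountPassword -Identity $Dn -Reset -NewPassword $Password

# 3. Verify that the reset was applied: PasswordLastSet must be recent.
$Account = Get-ADComputer -Identity $Dn -Properties PasswordLastSet
if ($Account.PasswordLastSet -lt (Get-Date).AddMinutes(-5)) {
    throw "Password for $AccountName was not updated"
}
Write-Host "Password for $AccountName set at $($Account.PasswordLastSet)"
```

Enter the same password in the Airlock IAM machine account setting afterwards; the script must run with an account that is allowed to create computer objects in the container and reset their passwords.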