SonicOS 7.1 Users
- SonicOS 7.1
- About SonicOS
- About User Management
- Using Local Users and Groups for Authentication
- Using RADIUS for Authentication
- Using LDAP/Active Directory/eDirectory Authentication
- Using RADIUS
- Using TACACS+
- Using Single Sign-On
- What is Single Sign-On?
- Benefits of SonicWall SSO
- Platforms and Supported Standards
- How Does Single Sign-On Work?
- How Does SSO Agent Work?
- How Does Terminal Services Agent Work?
- How Does Browser NTLM Authentication Work?
- How Does RADIUS Accounting for Single-Sign-On Work?
- Installing the Single Sign-On Agent and/or Terminal Services Agent
- Single Sign-On Advanced Features
- Configuring Access Rules
- Managing SonicOS with HTTP Login from a Terminal Server
- Viewing and Managing SSO User Sessions
- Multiple Administrator Support
- Configuring Users Status
- Configuring User Settings
- User Login Settings
- Setting the Authentication Method for Login
- Configuring RADIUS Authentication
- Configuring LDAP
- Configuring TACACS+
- Requiring User Names be Treated as Case-Sensitive
- Preventing Users From Logging in from More than One Location
- Forcing Users to Log In Immediately After Changing Their Passwords
- Displaying User Login Information Since the Last Login
- Setting the Single-Sign-On Methods
- One-Time Password Settings
- Configuring the User Web Login Settings
- Adding URLs to Authentication Bypass
- User Session Settings
- Accounting
- [[[Missing Linked File System.LinkedTitle]]]
- User Login Settings
- Configuring and Managing Partitions
- Configuring Local Users and Groups
- Configuring Guest Services
- Configuring Guest Accounts
- Managing Guest Status
- SonicWall Support
SonicWall SSO Authentication Using Browser NTLM Authentication
For users who are browsing using Mozilla-based browsers (including Internet Explorer, Firefox, Chrome, and Safari) the firewall supports identifying them through NTLM (NT LAN Manager) authentication. NTLM is part of a browser authentication suite known as “Integrated Windows Security” and is supported by all Mozilla-based browsers. NTLM allows a direct authentication request from the appliance to the browser without involving the SSO agent. NTLM is often used when a domain controller is not available, such as when the user is remotely authenticating over the Web.
NTLM Authentication is currently available for HTTP; it is not available for use with HTTPS traffic.
Browser NTLM authentication can be tried before or after the SSO agent attempts to acquire the user information. For example, if the SSO agent is tried first and fails to identify the user, then, if the traffic is HTTP, NTLM is tried.
To use this method with Linux or Mac clients as well as Windows clients, you can also enable SSO to probe the client for either NetAPI or WMI, depending on which is configured for the SSO Agent. This causes the firewall to probe for a response on the NetAPI/WMI port before requesting that the SSO Agent identify a user. If no response occurs, these devices fail SSO immediately. For a:
- Windows PC, the probe generally works (unless blocked by a personal firewall) and the SSO agent is used.
- Linux/Mac PC (assuming it is not set up to run Samba server), the probe fails, the SSO agent is bypassed, and NTLM authentication is used when HTTP traffic is sent.
NTLM cannot identify the user until they browse with HTTP, so any traffic sent before that is treated as unidentified. The default CFS policy is applied, and any rule requiring authenticated users does not allow the traffic to pass.
If NTLM is configured to be used before the SSO agent, then if HTTP traffic is received first, the user is authenticated with NTLM. If non-HTTP traffic is received first, the SSO agent is used for authentication.
Was This Article Helpful?
Help us to improve our support portal