Connecting to Active Directory via NTLM Pass-Through (Netlogon)
In production systems, AtScale can communicate with Active Directory to authenticate users. For security reasons, Active Directory is sometimes configured to require channel binding via the LdapEnforceChannelBinding registry setting. This page describes how to configure the communication between AtScale and Active Directory in such situations.
There are two main steps, described in the sections below:
- Creating a computer account for AtScale
- Enabling NTLM pass-through authentication via Netlogon
Before you begin
Before beginning this procedure, ensure that:
- You are familiar with the procedure for creating a computer account in Active Directory. For details, see Create a New Computer Account.
- AtScale is connected to Microsoft Active Directory. For more information, see Connecting To An LDAP Server.
Note: If Active Directory is configured to use channel binding, it is safe to use NTLM with Netlogon.
Creating a computer account for AtScale
Perform the following steps on the Active Directory system:
- Log in to the system using an account that has the required privileges.
- Go to Control Panel and choose System and Security > Administrative Tools > Active Directory Users and Computers.
- In the console tree, right-click Computers and choose New > Computer in the context menu.
- Enter the computer name for the AtScale system and save your changes. You can use any name that is less than 15 characters and meets the naming conventions for Active Directory. For the examples in this procedure, it is assumed that the name is atscale-node.
- Create a password for the computer account:
  - Start PowerShell and execute the following command:
      Set-ADAccountPassword -Reset -Identity 'atscale-node$'
    Note that the computer account name is the computer name with a '$' character added at the end, for example atscale-node$.
  - Enter the password. For the examples shown in this document, it is assumed that the password is @scaledummy.
- Remember the computer account name and password you set, as you will need them when configuring AtScale.
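The same procedure can be scripted instead of clicked through. The following is an added example, not part of the AtScale documentation: it creates the computer account, sets its password, verifies the result, and (on the domain controller itself) reads the LdapEnforceChannelBinding value the introduction refers to. It assumes a domain-joined administrative workstation with the ActiveDirectory RSAT module; the computer name is the page's example value, and the container path is an assumption to adjust for your domain.

```powershell
# Added example (not from the AtScale docs): create and verify the AtScale computer account.
# Requires the ActiveDirectory module (RSAT) and an account allowed to create computer objects.
Import-Module ActiveDirectory

$ComputerName = 'atscale-node'                      # must be < 15 characters (page example)
$AccountName  = "$ComputerName`$"                   # SAM account name = computer name + '$'
$OuPath       = 'CN=Computers,DC=example,DC=com'    # assumed container; adjust to your domain

# 1. Create the computer account only if it does not already exist.
if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'")) {
    New-ADComputer -Name $ComputerName -SAMAccountName $AccountName -Path $OuPath -Enabled $true
}

# 2. Set the password AtScale will authenticate with. Reading it as a SecureString keeps it
#    out of the command line and any transcript; the page uses '@scaledummy' as its example.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString
Set-ADAccountPassword -Identity $AccountName -Reset -NewPassword $Password

# 3. Confirm the account is enabled and record when the password was set.
Get-ADComputer -Identity $AccountName -Properties PasswordLastSet |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet

# 4. Run this part on the domain controller: show the channel-binding setting mentioned
#    in the introduction (0 = never, 1 = when supported, 2 = always; absent if never set).
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Cb = (Get-ItemProperty -Path $NtdsKey -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
"LdapEnforceChannelBinding = $(if ($null -eq $Cb) { 'not set' } else { $Cb })"
```

Step 4 is informational: whatever the value, the page's note applies, so NTLM via Netlogon remains usable once the account and AtScale settings are in place.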
Enabling NTLM pass-through authentication via Netlogon
Log in to AtScale as administrator, go to Settings > Engine, and configure the following settings:
- Enable AUTH.NETLOGON.ENABLED. This is the main setting for enabling NTLM pass-through via the Netlogon protocol. When enabled, it takes precedence over the AUTH.NTLM.ENABLED setting used for configuring Windows Authentication.
- Set AUTH.NETLOGON.COMPUTER.NAME to the computer account created in Active Directory.
- Set AUTH.NETLOGON.DOMAIN to the domain name of the Active Directory server.
- Set AUTH.NETLOGON.DOMAINCONTROLLER to the hostname (FQDN) of the Active Directory server.
- Set AUTH.NETLOGON.COMPUTER.PASSWORD to the password created for the computer account.
- Set AUTH.NETLOGON.NETBIOS.DOMAIN to the first part of the domain of the Active Directory server.
Be sure to restart the AtScale engine after making your changes.
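Rather than guessing the domain, domain controller and NetBIOS values, they can be read from Active Directory before they are typed into the engine settings. This is an added example, not code from AtScale: it discovers the values for the AUTH.NETLOGON.* settings listed above, checks that the page's "first part of the domain" rule for the NetBIOS name actually matches the domain's NetBIOSName attribute, and confirms the computer account exists. It assumes a domain-joined machine with the ActiveDirectory module; the computer name is the page's example, and the password setting is left out because it is entered directly in the AtScale UI.

```powershell
# Added example (not from the AtScale docs): gather the AUTH.NETLOGON.* values from AD.
Import-Module ActiveDirectory

$ComputerName = 'atscale-node'          # page example; the account created earlier
$Domain = Get-ADDomain                  # domain of the current session
$Dc     = Get-ADDomainController        # the DC this session is talking to

$Settings = [ordered]@{
    'AUTH.NETLOGON.ENABLED'          = 'enabled (toggle)'
    'AUTH.NETLOGON.COMPUTER.NAME'    = $ComputerName
    'AUTH.NETLOGON.DOMAIN'           = $Domain.DNSRoot        # e.g. corp.example.com
    'AUTH.NETLOGON.DOMAINCONTROLLER' = $Dc.HostName            # FQDN of the DC
    'AUTH.NETLOGON.NETBIOS.DOMAIN'   = $Domain.NetBIOSName     # e.g. CORP
    # AUTH.NETLOGON.COMPUTER.PASSWORD is entered in the AtScale UI, not collected here.
}

# The page describes the NetBIOS domain as "the first part of the domain". That is usually
# right, but the authoritative value is the domain's NetBIOSName, so warn on any mismatch.
$FirstLabel = $Domain.DNSRoot.Split('.')[0].ToUpper()
if ($FirstLabel -ne $Domain.NetBIOSName) {
    Write-Warning "NetBIOS name '$($Domain.NetBIOSName)' differs from first DNS label '$FirstLabel'; use the NetBIOSName value."
}

# Confirm the computer account from the previous section exists and is enabled.
$Account = Get-ADComputer -Identity "$ComputerName`$" -Properties PasswordLastSet
if (-not $Account.Enabled) {
    Write-Warning "$ComputerName`$ is disabled; Netlogon pass-through authentication will fail."
}

$Settings.GetEnumerator() | ForEach-Object { '{0,-34} = {1}' -f $_.Key, $_.Value }
"Computer account password last set: $($Account.PasswordLastSet)"
```

If the AtScale engine is not joined to the domain, run this on an administrative workstation and copy the printed values into Settings > Engine, then restart the engine as the note above says.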