
Connecting to Active Directory via NTLM Pass-Through (Netlogon)

In production systems, AtScale can authenticate users against Active Directory. For security reasons, Active Directory is sometimes configured to require LDAP channel binding via the LdapEnforceChannelBinding registry setting, which can make the domain controller reject LDAP binds that do not carry a channel binding token. This page describes how to configure the communication between AtScale and Active Directory in that situation.

There are two main steps, described in the sections below:

  1. Create a computer account for AtScale.
  2. Enable NTLM pass-through authentication.

Before you begin

Before beginning this procedure, ensure that:

Note: If Active Directory is configured to use channel binding, you can still use NTLM pass-through via Netlogon. It authenticates users over the Netlogon secure channel rather than through an LDAP bind, so the LdapEnforceChannelBinding setting does not reject it.

Creating a computer account for AtScale

Perform the following steps on the Active Directory system:

  1. Log in to the system using an account that has the required privileges.

  2. Go to Control Panel and choose System and Security > Administrative Tools > Active Directory Users and Computers.

  3. In the console tree, right-click Computers and choose New > Computer in the context menu.

  4. Enter the computer name for the AtScale system and save your changes.

    You can use any name of at most 15 characters (the NetBIOS computer-name limit) that meets the naming conventions for Active Directory. For the examples in this procedure, it is assumed that the name is atscale-node.

  5. Create a password for the computer account:

    1. Start PowerShell (the Set-ADAccountPassword cmdlet comes from the ActiveDirectory module, installed with RSAT or on the domain controller) and execute the following command: Set-ADAccountPassword -Reset -Identity 'atscale-node$'

      Note that the computer account name (sAMAccountName) is the computer name with a '$' character added at the end, for example atscale-node$. Quoting it prevents PowerShell from treating the '$' as the start of a variable.

    2. Enter the password.

      For the examples shown in this document, it is assumed that the password is @scaledummy. In production, use a long, randomly generated password: this password lets its holder establish a Netlogon secure channel with your domain controllers, so treat it as a privileged credential.

Remember the computer account name and password you set, as you will need them when configuring AtScale.

Enabling NTLM pass-through authentication via Netlogon

Log in to AtScale as administrator, go to Settings > Engine, and configure the following settings:

  • Enable AUTH.NETLOGON.ENABLED.

    This is the main setting for enabling NTLM pass-through via the Netlogon protocol. When enabled, it takes precedence over the AUTH.NTLM.ENABLED setting used for configuring Windows Authentication.

  • Set AUTH.NETLOGON.COMPUTER.NAME to the computer account created in Active Directory.

  • Set AUTH.NETLOGON.DOMAIN to the DNS domain name of the Active Directory domain (for example, corp.example.com).

  • Set AUTH.NETLOGON.DOMAINCONTROLLER to the hostname (FQDN) of the Active Directory server.

  • Set AUTH.NETLOGON.COMPUTER.PASSWORD to the password created for the computer account.

  • Set AUTH.NETLOGON.NETBIOS.DOMAIN to the NetBIOS (pre-Windows 2000) name of the domain. This is usually the first label of the DNS domain name (CORP for corp.example.com), but it can differ; check it on the domain controller with (Get-ADDomain).NetBIOSName rather than assuming.

Be sure to restart the AtScale engine after making your changes.
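The following PowerShell script is an added example that is not part of the original page and not AtScale's or Microsoft's own code. It performs the Active Directory side of both steps above in one run: it reports the LdapEnforceChannelBinding value on the PDC emulator, creates the atscale-node computer account if it is missing, resets its password to a randomly generated one instead of the @scaledummy placeholder, and prints the values to enter under Settings > Engine. It assumes the ActiveDirectory module is available, that the account running it may create computer objects and reset their passwords, and that WinRM is reachable on the domain controller for the registry check; the computer name atscale-node comes from the page.

```powershell
# Added example, not AtScale's or Microsoft's script. Assumes the ActiveDirectory
# RSAT module, rights to create computer objects and reset their passwords, and
# WinRM access to the PDC emulator for the registry query.
Import-Module ActiveDirectory

$ComputerName   = 'atscale-node'            # computer name used on the page (15 chars max)
$SamAccountName = "$ComputerName`$"         # sAMAccountName = computer name + trailing '$'

$domain = Get-ADDomain
$dc     = $domain.PDCEmulator               # FQDN of one DC; any writable DC would do

# 1. Report the channel-binding enforcement level on the DC.
#    0 (or absent) = never, 1 = when the client supports it, 2 = always.
#    Netlogon pass-through does not perform an LDAP bind, so this value does not block it.
$cb = Invoke-Command -ComputerName $dc -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
}
"LdapEnforceChannelBinding on $dc = $(if ($null -eq $cb) { 'not set (0)' } else { $cb })"

# 2. Create the computer account (step 1 of the page) if it does not already exist.
if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'")) {
    New-ADComputer -Name $ComputerName -SAMAccountName $SamAccountName -Enabled $true
}

# Reset the account password to 24 random bytes encoded as base64 (32 characters).
# The plaintext is needed once, for the AUTH.NETLOGON.COMPUTER.PASSWORD setting.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

# 3. Print the values for Settings > Engine (step 2 of the page). The NetBIOS name is
#    read from the domain object rather than derived from the first DNS label.
[PSCustomObject]@{
    'AUTH.NETLOGON.COMPUTER.NAME'     = $ComputerName
    'sAMAccountName (with $)'         = $SamAccountName
    'AUTH.NETLOGON.COMPUTER.PASSWORD' = $plain
    'AUTH.NETLOGON.DOMAIN'            = $domain.DNSRoot
    'AUTH.NETLOGON.NETBIOS.DOMAIN'    = $domain.NetBIOSName
    'AUTH.NETLOGON.DOMAINCONTROLLER'  = $dc
} | Format-List
```

The page does not state whether AUTH.NETLOGON.COMPUTER.NAME expects the trailing '$', so the script prints both forms. The generated password is shown once on the console; copy it into the AtScale setting and do not store it elsewhere, since anyone holding it can open a Netlogon secure channel to your domain controllers as that computer account.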

More information