NTLM authentication
NTLM is the most complex of the authentication protocols supported by HttpClient. It is a proprietary protocol designed by Microsoft; at the time this text was written there was no publicly available specification (Microsoft has since documented the protocol as MS-NLMP). Early versions of NTLM were less secure than Digest authentication due to faults in the design. These were fixed in a service pack for Windows NT 4, after which the protocol was considered more secure than Digest authentication. Note that this comparison is with Digest only: NTLM remains a password-derived challenge-response scheme, and where Kerberos is available it is the preferred choice.
The username supplied to NTCredentials must not be prefixed with the domain; the domain is passed separately:
- Correct: adrian
- Incorrect: DOMAIN\adrian
- NTLM authentication works almost exactly the same as any other form of authentication in terms of the HttpClient API. The only difference is that you need to supply NTCredentials instead of UsernamePasswordCredentials (NTCredentials actually extends UsernamePasswordCredentials so you can use NTCredentials right throughout your application, if needed).
- The realm for NTLM authentication is the domain name of the computer being connected to. This can be troublesome because servers often have multiple domain names. Only the domain name that HttpClient connects to, as specified by the HostConfiguration, is used to look up the credentials. While initially testing NTLM authentication, it is best to pass the realm in as null, which is treated as the default (any realm).
- NTLM authenticates a connection, not a request. You therefore need to authenticate every time a new connection is made, and keeping the connection open during the handshake is vital. For this reason NTLM cannot be used to authenticate with both a proxy server and the web server at the same time, nor can it be used over HTTP 1.0 connections or with web servers that do not support HTTP keep-alives.
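The three rules above in code, as an added example that is not part of the original page or of the HttpClient project's documentation. It uses the Apache Commons HttpClient 3.x API the page refers to (NTCredentials, AuthScope, HostConfiguration); the host, user, password, workstation and proxy names are placeholders, and the commented-out proxy branch shows the alternative that the glide.http.proxy_nt* properties correspond to.

```java
// Added example (not from the page or the HttpClient project): NTLM with
// Apache Commons HttpClient 3.x. Assumed placeholder values: target host
// "intranet.example.com", user "adrian", domain "DOMAIN", client workstation
// "build01", proxy "proxy.example.com:8080".
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class NtlmExample {

    // The host exactly as HttpClient will connect to it. NTLM has no realm of
    // its own, so HttpClient looks credentials up under this host name; it
    // must match the HostConfiguration, not some other alias of the server.
    private static final String HOST = "intranet.example.com";
    private static final int PORT = 80;

    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();

        // Username WITHOUT the domain prefix ("adrian", not "DOMAIN\\adrian");
        // the domain is its own argument. The third argument is the name of
        // the machine the request originates from (the NTLM workstation name).
        NTCredentials creds = new NTCredentials("adrian", "s3cret", "build01", "DOMAIN");

        // AuthScope.ANY_REALM is null: the "pass the realm in as null" advice
        // from the text, so the lookup matches whatever realm HttpClient derives.
        client.getState().setCredentials(new AuthScope(HOST, PORT, AuthScope.ANY_REALM), creds);

        // Alternative: NTLM against an outbound proxy instead of the origin
        // server. Use one or the other, never both: NTLM binds to the TCP
        // connection, so proxy and origin cannot each run their own handshake.
        // client.getHostConfiguration().setProxy("proxy.example.com", 8080);
        // client.getState().setProxyCredentials(
        //         new AuthScope("proxy.example.com", 8080, AuthScope.ANY_REALM), creds);

        // Reuse one HttpClient (and its connection manager) for all requests.
        // Every new connection has to redo the NTLM handshake, so dropping the
        // connection between requests costs three extra round trips each time.
        for (int i = 0; i < 2; i++) {
            HttpMethod get = new GetMethod("http://" + HOST + "/secure/status");
            try {
                int status = client.executeMethod(get);
                System.out.println("request " + i + " -> HTTP " + status);
                // Drain the body so the keep-alive connection can be reused.
                get.getResponseBodyAsString();
            } finally {
                get.releaseConnection();
            }
        }
    }
}
```

If the server answers 401 on the second request as well as the first, the connection was not kept alive (HTTP 1.0 proxy, keep-alives disabled, or a connection manager that closed it); that is the failure mode the last bullet describes, not a credentials problem.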
NTLM authentication to an outbound proxy is configured with the following properties in the System Properties [sys_properties] table.

| Property | Description | Example |
|---|---|---|
| glide.http.proxy_ntusername | Username used to authenticate to the proxy server with NTLM. Supply it without a domain prefix; the domain goes in glide.http.proxy_ntdomain. | username |
| glide.http.proxy_ntpassword | Password used to authenticate to the proxy server with NTLM. | password |
| glide.http.proxy_nthost | Hostname (workstation name) presented with the NTLM credentials when authenticating to the proxy server. | nthost |
| glide.http.proxy_ntdomain | Windows domain used to authenticate to the proxy server with NTLM. | DOMAIN |