For third-party domain authentication, the clients are members of a third-party domain such as Windows. A Windows domain controller performs the user authentication. The user name and password on the domain controller must match the user name and password used to log in to the Windows workstation.
Ensure that you understand and meet the following prerequisites before setting up third-party authentication:
Ensure that the Primary Domain Controller (PDC) is up and reachable by using the NETBIOS name of the PDC from the CIFS server. For example, WINPDC_W.
Disable the autodisconnect feature in the PDC to avoid the PDC resetting its connection to the CIFS server. You can do this by configuring the timeout value (in minutes) for idle sessions through the autodisconnect parameter.
The valid value range is -1 to 65535. Setting the timeout period value to -1 completely disables the auto-disconnect of the idle sessions feature.
net config server /autodisconnect:-1
For more information about how to configure the timeout period (autodisconnect parameter), see How Autodisconnect Works in Windows NT and Windows 2000.
Disable SMB signing.
Modify the values of the registry keys EnableSecuritySignature and RequireSecuritySignature to 0 under the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)
Value Name: RequireSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)
For more information, see Overview of Server Message Block Signing.
Set LmCompatibilityLevel on Windows 7 and Windows 8 clients.
Click Start, type secpol.msc in the Start Search box, and then press ENTER.
On the left pane, select Local Policies > Security Options.
On the right pane, scroll down and double-click Network Security: LAN Manager authentication level.
Change the setting from Send NTLMv2 Response only to Send LM & NTLM - use NTLMv2 session security if negotiated.
For more information, see How do I check the NTLM authentication Settings?
Restrict NTLM authentication.
Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
On the left pane, select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
To enable NTLM pass-through authentication, modify the following policies on the right pane:
Network security: Restrict NTLM: Incoming NTLM traffic. Set this to Allow all.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Set this to Allow all.
Network security: Restrict NTLM: Audit NTLM authentication in this domain. Set this to Enable all.
Network security: Restrict NTLM: Audit Incoming NTLM Traffic. Set this to Enable auditing for all accounts.
Close the Policy Editor.
At the command prompt, run gpupdate /force.
To disable restrictions on NTLM authentication, modify the following policy on the right pane:
Network security: Restrict NTLM: Incoming NTLM traffic. Set this to Allow all.
Close the Policy Editor.
At the command prompt, run gpupdate /force.
For more information, see NTLM and Pass-through Authentication.
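The three client procedures above (SMB signing, LAN Manager authentication level, Restrict NTLM) relax the workstation's defaults, so it is worth being able to read those values back and keep the relaxed configuration limited to the clients that need third-party authentication. The following is an added PowerShell example and not part of the OES CIFS documentation: the LanManWorkstation path and value names are the ones cited above, while the Lsa\LmCompatibilityLevel and Lsa\MSV1_0 Restrict*NTLMTraffic locations and the numeric policy mappings in the comments are assumptions based on Microsoft's registry locations for those policies and should be confirmed in secpol.msc.

```powershell
# Added example (not from the OES CIFS documentation): read back, without
# changing anything, the client-side settings the procedures above modify.
# Assumption: LmCompatibilityLevel under Control\Lsa and the Restrict*NTLMTraffic
# values under Control\Lsa\MSV1_0 back the corresponding Security Options
# policies; the numeric mappings in the comments below are assumptions too.

function Read-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return the DWORD, or $null when the value is absent (policy "Not Defined",
    # in which case the Windows default applies, not the documented value).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-ThirdPartyAuthClientState {
    $ws  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    $checks = @(
        # Setting label, registry path, value name, value the procedure asks for
        @{ Setting = 'SMB signing enabled (workstation)';  Path = $ws;  Name = 'EnableSecuritySignature';      Expected = 0 },
        @{ Setting = 'SMB signing required (workstation)'; Path = $ws;  Name = 'RequireSecuritySignature';     Expected = 0 },
        # 1 = "Send LM & NTLM - use NTLMv2 session security if negotiated"; 3 = "Send NTLMv2 response only"
        @{ Setting = 'LAN Manager authentication level';   Path = $lsa; Name = 'LmCompatibilityLevel';         Expected = 1 },
        # Restrict NTLM: Incoming / Outgoing NTLM traffic: 0 = "Allow all" (assumed mapping)
        @{ Setting = 'Restrict NTLM: Incoming traffic';    Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Expected = 0 },
        @{ Setting = 'Restrict NTLM: Outgoing traffic';    Path = $msv; Name = 'RestrictSendingNTLMTraffic';   Expected = 0 }
    )

    foreach ($c in $checks) {
        $actual = Read-RegistryDword -Path $c.Path -Name $c.Name
        $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
        [pscustomobject]@{
            Setting  = $c.Setting
            Actual   = $shown
            Expected = $c.Expected
            Matches  = ($actual -eq $c.Expected)
        }
    }
}

# Run on a workstation (reading HKLM needs no elevation); a row with
# Matches = False means that step of the procedure has not been applied there.
Get-ThirdPartyAuthClientState | Format-Table -AutoSize
```

Rows showing "not set" mean the policy is Not Defined and the Windows default is in effect, which for LmCompatibilityLevel is the "Send NTLMv2 response only" level the procedure tells you to change.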
The desktop user or the user that has joined the domain must be the same as the CIFS user.
For Windows 2008 Server and later versions, apply the changes as indicated in the Microsoft Knowledge Base article.
NOTE: To access the CIFS shares when you are using third-party authentication, the Windows client might be required to log in as the same user with the same password.
Ensure that SMB signing is disabled on the CIFS server. For details, see Enabling and Disabling SMB Signing.
In a Web browser, specify the following in the address (URL) field:
http://server_IP_address/nps/iManager.html
For example:
http://192.168.0.1/nps/iManager.html
At the login prompt, specify the server administrator user name, the password, and the tree name or IP address of the tree, then click Login.
For more information on iManager administration, see the NetIQ® iManager Administration Guide.
In the iManager application left frame, click File Protocols > CIFS.
The default CIFS parameters page is displayed. Use this page to configure and manage CIFS.
Select the CIFS server you want to manage.
Select General > Authentication.
Select Third party Domain as the mode of authentication.
Specify the Work Group/Domain Name of the Windows environment.
Specify the LMCompatibility level. For details, see Table 6-2, CIFS Authentication Page Parameters.
Specify the name of the Primary Domain Controller. Ensure that the name does not exceed 15 characters.
Specify the IP address of the Primary Domain Controller.
Click OK to save the changes in the CIFS properties.