Single Sign On (NTLMv2)
Single Sign On for Windows in XELOS is achieved by using the NTLMv2 Protocol. This Auth Method can be activated in the advanced configuration:
This should be your Windows domain; it is required for successful NTLM authentication.
Restrict NTLM to IP
Restrict the Single Sign On feature to certain IPs. It's recommended to use Single Sign On only for internal environments and to exclude external users. (In most cases external users do not have the required settings [see below] and will be annoyed by the auth dialog.)
Restrict NTLM to Clients
Users who are not able to use Single Sign On (e.g. external users who are not members of your domain or have not added the site to the trusted zone) might find the auth dialog nagging. It's recommended to use NTLM only if the client is likely to make use of the feature. If you choose "WebDAV Clients", you can still use SSO in your browser by adding the ?a_sso=1 parameter to the URL. It's recommended to set the start page for properly configured clients with this parameter.
Use the same credentials
Please make sure that clients use the same login / password in XELOS as on their workstations. (For clients using an Active Directory, it is advisable to use Single Sign On in combination with the Active Directory Auth Method.)
Trust your intranet site
Add the site to your trusted zone or local intranet sites:
Please make sure that the security settings allow credentials to be sent to the specified zone (by default this is allowed for local intranet sites):
Please note that if these settings were not correct before, you may need to restart the browser completely for the changes to take effect; in some cases a full system restart is required.
For further information you can read up on this task here: https://technet.microsoft.com/en-us/library/dd883248%28v=ws.10%20%29.aspx#addintranetsites
You can also deploy this setting by using a group policy:
- Create a new Group Policy in an Organizational Unit which includes the users you want the policy to apply to.
- In User Configuration > Preferences > Windows Settings > Registry, create the following registry keys located at:
  HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Internet Settings > ZoneMap > Domains > "example.com" > *
- Then add a DWORD for each protocol you want to add to the Local Intranet Zone and set the value of each key to 1.
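The same ZoneMap keys can be written directly on a workstation for testing before the policy is rolled out. The following PowerShell is an added example and not part of the XELOS documentation; the function names, the placeholder domain example.com and the protocol list are assumptions. The registry layout and the zone value 1 (Local intranet) are the ones named in the steps above. Note the use of -LiteralPath: the key is literally named "*", so wildcard-expanding cmdlets must not interpret it.

```powershell
# Added example (not from XELOS): create the ZoneMap entry that puts every host
# under a domain into the Local Intranet zone for the current user.
# Zone values: 1 = Local intranet, 2 = Trusted sites.
function Add-IntranetZoneDomain {
    param(
        [Parameter(Mandatory)] [string]   $Domain,                  # e.g. 'example.com' (placeholder)
        [string[]]                        $Protocols = @('http', 'https'),
        [int]                             $Zone = 1
    )
    $base       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $domainKey  = Join-Path $base $Domain
    $wildcardKey = Join-Path $domainKey '*'        # the "*" subkey matches all hosts in the domain

    if (-not (Test-Path -LiteralPath $domainKey)) {
        New-Item -Path $base -Name $Domain | Out-Null
    }
    if (-not (Test-Path -LiteralPath $wildcardKey)) {
        New-Item -Path $domainKey -Name '*' | Out-Null
    }
    foreach ($proto in $Protocols) {
        # One DWORD per protocol, value = zone number
        New-ItemProperty -LiteralPath $wildcardKey -Name $proto -PropertyType DWord `
                         -Value $Zone -Force | Out-Null
    }
}

# Returns $true only if every requested protocol maps the domain to the expected zone,
# which is the check to run when a user reports the auth dialog still appearing.
function Test-IntranetZoneDomain {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]]                      $Protocols = @('http', 'https'),
        [int]                           $Zone = 1
    )
    $wildcardKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + $Domain + '\*'
    if (-not (Test-Path -LiteralPath $wildcardKey)) { return $false }
    $props = Get-ItemProperty -LiteralPath $wildcardKey
    foreach ($proto in $Protocols) {
        if ($null -eq $props.$proto -or $props.$proto -ne $Zone) { return $false }
    }
    return $true
}

Add-IntranetZoneDomain -Domain 'example.com'
Test-IntranetZoneDomain -Domain 'example.com'    # expected: True
```

Keep the domain list narrow: every host placed in the Local Intranet zone is one the browser will send Windows credentials to automatically, so only the XELOS host itself (or its dedicated subdomain) belongs there.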
Using SSO for WebDAV? Add the site to trusted sites
For the WebClient service to recognize the intranet site as trusted you will also need to add this site to the "AuthForwardServerList". This can be done through the registry editor or by a group policy. For more information: http://support.microsoft.com/kb/943280/
A: Change Registry
Add the REG_MULTI_SZ (Multi-String Value) "AuthForwardServerList" if it is not present yet:
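As an added example, not taken from the XELOS documentation or from the Microsoft article, the following PowerShell adds a server entry to AuthForwardServerList without overwriting entries that are already there. The key path HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters and the need to restart the WebClient service afterwards are what KB943280 describes; the function name and the placeholder entry https://*.example.com are assumptions. It must run in an elevated shell because the key lives under HKLM.

```powershell
# Added example (not from XELOS): append an entry to the WebClient
# AuthForwardServerList multi-string, preserving existing entries.
$webClientParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'

function Add-AuthForwardServer {
    param(
        [Parameter(Mandatory)] [string] $Entry   # e.g. 'https://*.example.com' (placeholder)
    )
    $existing = @()
    $current = Get-ItemProperty -Path $webClientParams -Name AuthForwardServerList -ErrorAction SilentlyContinue
    if ($null -ne $current) {
        $existing = @($current.AuthForwardServerList)
    }
    if ($existing -contains $Entry) {
        return $existing                         # already listed; nothing to change
    }
    $updated = $existing + $Entry
    # -Force overwrites the value if it exists, creates it (REG_MULTI_SZ) if not
    New-ItemProperty -Path $webClientParams -Name AuthForwardServerList `
                     -PropertyType MultiString -Value $updated -Force | Out-Null
    return $updated
}

# Returns the current list so the result can be checked after a change.
function Get-AuthForwardServerList {
    $current = Get-ItemProperty -Path $webClientParams -Name AuthForwardServerList -ErrorAction SilentlyContinue
    if ($null -eq $current) { return @() }
    return @($current.AuthForwardServerList)
}

Add-AuthForwardServer -Entry 'https://*.example.com'
Get-AuthForwardServerList

# The WebClient service reads the list on start-up, so restart it for the change to apply.
Restart-Service -Name WebClient
```

Use the narrowest pattern that matches the XELOS host; a broad wildcard would make the WebClient service forward credentials to every matching server.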
B: Push via Group Policy
Login at least once
Every user needs to log in through conventional means before SSO works. This is required for the system to pre-calculate the required NTLM hashes. This also applies when credentials are changed on the client or in the domain; otherwise Single Sign On will not work.