How to enable NTLMv2 Single Sign-On in AD360?

NTLMv2 is a protocol supported by Microsoft to overcome the security issues of NTLMv1 when it is used for single sign-on. This document explains in detail how to implement NTLMv2 SSO in AD360.

How does NTLMv2 protocol work?

When a service wants to perform single sign-on, it must first establish a secure connection with a domain controller. Once that secure connection exists, the service uses it for all further authentication requests against Active Directory. In a multi-domain environment, the service creates a secure connection with only one domain controller; that domain controller authenticates users from the other domains through the trust relationships between the domains.

How is NTLMv2 SSO implemented in AD360?

AD360 implements the secure connection to Active Directory through the NETLOGON service, using a computer account. NETLOGON is Microsoft's internal communication channel between a domain member and the domain controller. The computer account gives AD360 a unique identity in the domain and is assigned a random password for all further communication within the domain. When a user tries to log in to AD360, the computer account presents its identity to AD, which authenticates the user without the user having to enter their credentials.

How to enable NTLMv2 Single Sign-On in AD360

Steps to enable NTLMv2 single sign-on to AD360

  1. Navigate to Admin tab > Administration > Logon Settings > Single Sign-On.
  2. Mark the checkbox against Enable Single Sign-On.
  3. Select the NTLMv2 Authentication radio button.
     Note: To enable NTLMv2 SSO for ManageEngine AD360 and the integrated components in builds 4309 and above, you have to download the Jespa JAR file and add it to the product's lib folder. If you have already enabled NTLMv2 SSO, you can continue using the feature and no further action is needed.
  4. Select the products for which you wish to enable single sign-on from the Select Components drop-down box.
     Note: A product is listed only if it supports single sign-on.
  5. Select the domains from the Select Domains drop-down box. These are the domains that contain the user accounts used to access AD360 and its components.
  6. Click Save Settings.
Note: If AD360 is installed as a service, modify the Log On settings by following the steps listed below.
  1. Click Start > Run > Services.msc.
  2. Locate the ManageEngine AD360 service.
  3. Right-click the service and select Properties, then Log On.
  4. Select This account and provide the credentials of a service account with domain admin privileges.
  5. Click Apply.

NTLMv2 SSO is now configured. If you face any issues setting up NTLMv2 SSO, refer to the troubleshooting section for the frequent errors and their fixes.
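To confirm the outcome of the steps above from the AD360 host, the following PowerShell check is an added example and not ManageEngine's own code; the install path and the service display name are assumptions to adjust for your deployment, and the secure-channel test covers the host's own channel to the domain, not the computer account AD360 creates.

```powershell
# Added post-configuration check for the NTLMv2 SSO steps above (not part of the AD360 product).
# Assumptions (placeholders): install directory and the service display name shown in services.msc.
param(
    [string]$InstallDir  = 'C:\ManageEngine\AD360',   # assumption: your AD360 install path
    [string]$ServiceName = 'ManageEngine AD360'       # assumption: display name of the AD360 service
)

# 1. When AD360 runs as a service, its Log On account must be a domain account (see the
#    service note above), not LocalSystem or a built-in NT AUTHORITY identity.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check the display name in services.msc"
} elseif ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
    Write-Warning "Service runs as $($svc.StartName); set Log On to a domain service account"
} else {
    Write-Output "Service Log On account: $($svc.StartName)"
}

# 2. Builds 4309 and above need the Jespa JAR in the product's lib folder.
#    The file-name pattern 'jespa*.jar' is an assumption.
$libDir = Join-Path $InstallDir 'lib'
$jar = Get-ChildItem -Path $libDir -Filter 'jespa*.jar' -ErrorAction SilentlyContinue
if ($jar) {
    Write-Output "Jespa JAR present in ${libDir}: $($jar.Name -join ', ')"
} else {
    Write-Warning "No jespa*.jar found in $libDir (required for builds 4309 and above)"
}

# 3. The host's own NETLOGON secure channel to the domain must be healthy; a broken
#    channel on the AD360 machine will break every SSO authentication request.
if (Test-ComputerSecureChannel) {
    Write-Output 'Secure channel to the domain: OK'
} else {
    Write-Warning 'Secure channel to the domain is broken; repair it with Test-ComputerSecureChannel -Repair'
}
```

Run the script in an elevated PowerShell session on the AD360 host after saving the SSO settings; each warning points at the step whose result it checks.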