In LoadMaster firmware version 7.2.48.4 Long Term Support (LTS) and 7.2.53, a new NTLM Proxy Mode option was added to the LoadMaster. When upgrading from an older version of LoadMaster firmware to one of these versions (or above) the NTLM Proxy Mode option is not enabled by default. As a result, you must manually enable NTLM Proxy Mode after upgrading.

For all new deployments of LoadMasters after 7.2.48.4 LTS or 7.2.53 and above, NTLM Proxy Mode is enabled by default.

NTLM Proxy Mode increases the security of Client Authentication by proxying NTLM Authentication with the Real Server. Authentication is verified by validating that a successful NTLM handshake has taken place with the Real Server before performing the subsequent steps (such as performing the required Server Side Kerberos Authentication where the Server Side configuration is set to KCD). This requires that the Real Server support NTLM Authentication. The legacy “NTLM” user authentication mode verified user credentials through a configured LDAP endpoint. With NTLM Proxy Mode, the Client Side SSO configuration only requires an LDAP endpoint in the case where Permitted Groups or Steering Groups are in use.

For example, below is a diagram of a typical flow using NTLM Proxy Mode with Server Side Authentication of KCD.

Note: We highly recommend ensuring that NTLM Proxy Mode is enabled.
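To make the flow described above concrete, the following is an added illustration written for this page; it is not LoadMaster code and does not come from Kemp. It models NTLM Proxy Mode as a state machine: the proxy relays the NEGOTIATE, CHALLENGE and AUTHENTICATE messages between a client and a Real Server, never checks the credentials itself, and marks a connection as authenticated (and therefore eligible for the next step, such as server-side KCD) only after the Real Server has accepted the AUTHENTICATE message. The class and function names (RealServer, NtlmProxy, client_login, response_for), the dictionary-based message format, and the HMAC-SHA256 stand-in for the real NTLM challenge-response computation are all assumptions made for the illustration; the sample account is constructed.

```python
"""Conceptual model of NTLM Proxy Mode (illustration only, not LoadMaster code).

The proxy forwards the three NTLM messages to the Real Server and trusts only
the Real Server's verdict.  The challenge-response arithmetic is a stand-in
(HMAC-SHA256 keyed with the password), NOT the NTLM wire format or algorithm.
"""
import hashlib
import hmac
import os

# Constructed sample account held by the Real Server (not a real credential).
REAL_SERVER_ACCOUNTS = {"alice": "correct horse battery staple"}


def response_for(password: str, challenge: bytes) -> bytes:
    """Stand-in for the client's proof of the password over the challenge."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


class RealServer:
    """Backend that actually validates NTLM.  handle() returns (status, reply)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts
        self.challenges = {}  # connection id -> outstanding challenge

    def handle(self, conn: str, msg: dict):
        kind = msg.get("type")
        if kind == "NEGOTIATE":
            chal = os.urandom(8)
            self.challenges[conn] = chal
            return 401, {"type": "CHALLENGE", "challenge": chal}
        if kind == "AUTHENTICATE":
            # A challenge may be consumed once; a stale or missing one fails.
            chal = self.challenges.pop(conn, None)
            pwd = self.accounts.get(msg.get("user"))
            if chal is None or pwd is None:
                return 401, {}
            expected = response_for(pwd, chal)
            if hmac.compare_digest(expected, msg.get("response", b"")):
                return 200, {"user": msg["user"]}
            return 401, {}
        return 401, {}


class NtlmProxy:
    """NTLM Proxy Mode: relay the handshake, do not verify credentials locally.

    A connection counts as authenticated only when the Real Server answered
    200 to the AUTHENTICATE message; only then may the subsequent step
    (e.g. server-side KCD) run for that connection.
    """

    def __init__(self, real_server: RealServer):
        self.real_server = real_server
        self.authenticated = {}  # connection id -> user accepted by Real Server

    def handle(self, conn: str, msg: dict):
        status, reply = self.real_server.handle(conn, msg)
        if msg.get("type") == "AUTHENTICATE" and status == 200:
            self.authenticated[conn] = reply["user"]
        return status, reply

    def next_step_allowed(self, conn: str) -> bool:
        """Gate for the steps that follow a successful handshake."""
        return conn in self.authenticated


def client_login(proxy: NtlmProxy, conn: str, user: str, password: str) -> int:
    """Drive the handshake from the client side and return the final status."""
    status, reply = proxy.handle(conn, {"type": "NEGOTIATE"})
    if status != 401 or reply.get("type") != "CHALLENGE":
        return status
    proof = response_for(password, reply["challenge"])
    status, _ = proxy.handle(
        conn, {"type": "AUTHENTICATE", "user": user, "response": proof}
    )
    return status


if __name__ == "__main__":
    proxy = NtlmProxy(RealServer(REAL_SERVER_ACCOUNTS))
    print("good password:", client_login(proxy, "c1", "alice", "correct horse battery staple"))
    print("next step allowed for c1:", proxy.next_step_allowed("c1"))
    print("bad password:", client_login(proxy, "c2", "alice", "wrong"))
    print("next step allowed for c2:", proxy.next_step_allowed("c2"))
```

The point the model makes is the one in the text: in proxy mode the LoadMaster holds no password material and accepts only the Real Server's verdict, so a failed or absent handshake means the subsequent step (the KCD exchange in the diagram) never runs for that connection. The legacy mode, by contrast, would have validated the credentials against the configured LDAP endpoint inside the proxy itself.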

If you want to configure the following ESP fields, you must ensure KCD is set as the Server Authentication Mode and an LDAP Endpoint is configured in the Client SSO configuration:

  • Pre-Authorization Excluded Directories

  • Permitted Groups

  • Permitted Group SID(s)

  • Include Nested Groups

  • Steering Groups

For instructions on how to add these SSO domains on the LoadMaster, refer to the sections below.