Overview
Kerio Control supports automatic user authentication by the NTLM method (NT LAN Manager authentication from web browsers). Once a user is logged on to the Windows domain, the browser authenticates to Kerio Control silently with the domain logon, so users do not have to enter their usernames and passwords again.
NTLM authentication in Kerio Control requires configuration on two sides: in the Kerio Control Administration interface and in each supported client browser. The supported browsers are Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge (Chromium-based).
Prerequisites
Make sure the following requirements are met:
- Connect Kerio Control with the Microsoft Active Directory domain using a valid DNS name as a Kerio Control server name. For additional information, refer to the article about Connecting Kerio Control to Directory Services.
- Connect the client hosts with the domain.
- Install a valid SSL Certificate for the web interface and configure it correctly in Kerio Control. For more information about this process, refer to the article about Configuring SSL certificates in Kerio Control.
Note: SSL certificates can be configured and distributed using Group Policy Settings. This process is highlighted in the article about Deploying Kerio Control Certificate via the Microsoft Active Directory.
- Configure the web browsers to trust the Kerio Control hostname, if necessary. Browsers only send NTLM credentials automatically to hosts they consider trusted (intranet) sites, so a Kerio Control server that is not on that list falls back to a credential prompt.
Solution
Configuring NTLM in Kerio Control
- In the administration interface, go to Configuration > Domains and User Login.
- Go to the Authentication Options tab.
- (Optional) Check the option Always require users to be authenticated when accessing web pages.
- Check Enable automatic authentication using NTLM.
- Click Apply.
Note: For troubleshooting, rejoining the domain and restarting Kerio Control clears the NTLM cache.
Configuring Microsoft Internet Explorer Settings
In Internet Explorer, you must enable integrated Windows authentication, and add the Kerio Control server name to trusted servers by following these steps:
- Open Internet Explorer.
- Click Tools > Internet Options.
- Click the Advanced tab.
- Check Enable integrated Windows Authentication.
- Restart Internet Explorer.
Internet Explorer should now be correctly configured, and NTLM authentication should work, which means users are not prompted for Kerio Control credentials.
If NTLM authentication does not work, the browser may not treat the Kerio Control server name as an intranet site: Internet Explorer only sends the domain logon automatically to sites in the Local intranet zone. In this case, follow these steps:
- Go to Tools > Internet Options.
- Click the Security tab.
- Click Local Intranet.
- Click Sites.
- In the Local Intranet dialog box, click Advanced.
- Add the Kerio Control server name to the list of trusted servers. For increased security, enter the server name with the https scheme so that credentials are only offered over TLS and never over plain HTTP:
https://server.company.com
Configuring Mozilla Firefox Settings
- Open Mozilla Firefox.
- Enter about:config in the address bar and confirm the security warning by clicking Accept the Risk and Continue.
- Use the filter to search for network.automatic-ntlm-auth.trusted-uris and double-click the item.
- In the dialog box, add the Kerio Control server name (the value is a comma-separated list, so several hosts can be listed). For increased security, enter the server name with the https scheme so that credentials are only offered over TLS and never over plain HTTP:
https://server.company.com
Mozilla Firefox should now be correctly configured, and NTLM authentication should work, which means users are not prompted for Kerio Control credentials.
Configuring Google Chrome and Edge Settings
On Windows, Chrome and Edge have no intranet-zone settings of their own; they consult the system (Internet Explorer) security zones to decide which hosts receive NTLM and Negotiate credentials automatically. Configuring Internet Explorer as described above is therefore enough for Chrome and Edge as well.
Alternatively, the allowed servers can be passed on the command line (current Chromium builds spell the switches "allowlist"; older builds used "auth-server-whitelist" and "auth-negotiate-delegate-whitelist" with the same meaning). The same values can be set for managed installs through the AuthServerAllowlist, AuthNegotiateDelegateAllowlist and AuthSchemes policies:
Chrome:
chrome.exe --auth-server-allowlist="MYSERVER.DOMAIN.COM" --auth-negotiate-delegate-allowlist="MYSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"
Edge:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --auth-server-allowlist="MYSERVER.DOMAIN.COM" --auth-negotiate-delegate-allowlist="MYSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"
Two caveats: keep the server list to explicit hostnames (no "*" wildcards), because every listed host is handed the user's NTLM response on request; and the delegate allowlist only matters for Kerberos credential delegation, which NTLM does not use, so leave it out unless the server genuinely needs delegated tickets. Do not add "basic" to the scheme list, as it sends the password itself.
For more information, please refer to the 3rd-party article about configuring Chrome/Firefox integrated authentication.
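The three browser sections above are written as per-user GUI steps. For a domain fleet the same settings are normally pushed through the registry and policy files instead. The following PowerShell script is an added example (not Kerio's own script) that applies the Internet Explorer zone entry, the Chrome and Edge authentication policies and a Firefox enterprise policy for one Kerio Control host, and enforces the HTTPS-only rule from the article before writing anything. The hostname server.company.com and the Firefox installation path are assumptions; the registry locations and policy names are the documented Windows, Chromium and Firefox ones.

```powershell
# Added example, not part of the Kerio Control article.
# Pushes the browser-side NTLM settings from the article to a domain-joined
# Windows host. Run elevated; the HKCU part can also be deployed as a GPO
# user preference. "server.company.com" is an assumed placeholder.
$KerioHost = "server.company.com"
$KerioUrl  = "https://$KerioHost"

# Guard: only an explicit https:// hostname may be trusted. A wildcard or an
# http:// entry would hand the user's NTLM response to hosts we do not control.
if ($KerioUrl -notmatch '^https://[a-z0-9][a-z0-9.-]+\.[a-z]{2,}$') {
    throw "Refusing to trust '$KerioUrl': use an explicit https:// hostname, no wildcards."
}

# --- Internet Explorer (and, via the system zones, Chrome and Edge) ---
# "Enable Integrated Windows Authentication" on the Advanced tab.
$ieMain = "HKCU:\Software\Microsoft\Internet Explorer\Main"
New-Item -Path $ieMain -Force | Out-Null
New-ItemProperty -Path $ieMain -Name "EnableNegotiate" -Value 1 -PropertyType DWord -Force | Out-Null

# Local intranet zone entry: ZoneMap\Domains\<domain>\<host>, value name = scheme,
# data = zone number (1 = Local intranet). Only the https scheme is added.
$labels  = $KerioHost.Split(".")
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" +
           (($labels[1..($labels.Length - 1)]) -join ".") + "\" + $labels[0]
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name "https" -Value 1 -PropertyType DWord -Force | Out-Null

# --- Chrome and Edge managed policies (equivalent of the command-line switches) ---
foreach ($policyKey in @("HKLM:\SOFTWARE\Policies\Google\Chrome",
                         "HKLM:\SOFTWARE\Policies\Microsoft\Edge")) {
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name "AuthServerAllowlist" -Value $KerioHost `
        -PropertyType String -Force | Out-Null
    # No AuthNegotiateDelegateAllowlist: NTLM does not delegate, so do not widen it.
    # "basic" is deliberately absent; it would transmit the password itself.
    New-ItemProperty -Path $policyKey -Name "AuthSchemes" -Value "digest,ntlm,negotiate" `
        -PropertyType String -Force | Out-Null
}

# --- Firefox enterprise policy (same effect as network.automatic-ntlm-auth.trusted-uris) ---
$firefoxDir = "C:\Program Files\Mozilla Firefox"   # assumed install path
if (Test-Path $firefoxDir) {
    $policyDir = Join-Path $firefoxDir "distribution"
    New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
    $policy = @{
        policies = @{
            Authentication = @{
                NTLM         = @($KerioUrl)              # trusted NTLM URIs
                AllowNonFQDN = @{ NTLM = $false }         # never trust bare short names
                Locked       = $true                      # user cannot loosen it
            }
        }
    }
    $policy | ConvertTo-Json -Depth 6 | Set-Content -Path (Join-Path $policyDir "policies.json") -Encoding UTF8
}

# --- Read back what was written, for verification ---
Get-ItemProperty -Path $zoneKey | Select-Object https
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" | Select-Object AuthServerAllowlist, AuthSchemes
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge"  | Select-Object AuthServerAllowlist, AuthSchemes
```

After running it, chrome://policy and edge://policy should list AuthServerAllowlist with the Kerio Control hostname, and a fresh browser session should reach the Kerio Control web interface without a credential prompt. If a prompt still appears, compare the hostname in the browser's address bar with the one written here: NTLM is only offered automatically for an exact match, so an IP address or a short name in the URL will not match the entry.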