Kerio Control supports automatic user authentication by the NTLM method (NT LAN Manager, authentication from web browsers). Once they are authenticated for the domain, users do not need to enter their usernames and passwords.
This article provides detailed conditions and configuration settings for the correct functioning of NTLM.
- Join Kerio Control to the Microsoft Active Directory domain with a valid DNS name as the Kerio Control server name. For additional information, refer to Connecting Kerio Control to Directory Services.
- Join client hosts to the domain.
- Install a valid SSL certificate for the web interface and configure it correctly in Kerio Control. For more information about this process, refer to Configuring SSL certificates in Kerio Control. SSL certificates can be configured and distributed using Group Policy Settings; this process is described in Deploying Kerio Control Certificate Via Microsoft Active Directory.
- Configure browsers to trust the Kerio Control hostname, if necessary.
Configuring NTLM in Kerio Control
- In the administration interface, go to Configuration > Domains and User Login.
- (Optional) Go to the Authentication Options tab and check Always require users to be authenticated when accessing web pages.
- Check Enable automatic authentication using NTLM.
- Click Apply.
Note: For troubleshooting purposes, in order to clear the NTLM cache, it's recommended to rejoin the domain and restart the Kerio Control installation.
Kerio Control is now configured properly to use NTLM authentication. The next step is to configure browsers on client hosts.
For proper functioning of NTLM, only use browsers that support this method:
- Microsoft Internet Explorer
- Mozilla Firefox
- Google Chrome
Note: Edge does not support NTLM yet.
Setting Microsoft Internet Explorer
In Internet Explorer, you must enable integrated Windows authentication and add the Kerio Control server name to trusted servers in its security settings:
- Open Internet Explorer.
- Click Tools > Internet Options.
- Click the Advanced tab.
- Check Enable integrated Windows Authentication.
- Restart Internet Explorer.
Internet Explorer is now properly configured and NTLM authentication should work. Users do not have to authenticate with Kerio Control credentials.
If NTLM does not work, you may have problems with the Kerio Control server name. In this case:
- Go to Tools > Internet Options.
- Click the Security tab.
- Click Local Intranet.
- Click Sites.
- In the Local Intranet dialog box, click Advanced.
- Add the Kerio Control server name to the list of trusted servers. For increased security, enter the server name in this format:
Setting Mozilla Firefox
- Open Mozilla Firefox.
- Enter about:config in the address bar.
- Use the filter to search for
- Double-click the item.
- In the dialog box, add the Kerio Control server name. For increased security, enter the server name in this format:
Mozilla Firefox is now properly configured and NTLM authentication works. Users do not need to authenticate with Kerio Control credentials.
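The trusted-server lists set above for Internet Explorer and Mozilla Firefox determine which hosts the browser answers automatically with the user's domain credentials, so each entry should cover only the Kerio Control server. The following check is an added example, not part of the Kerio documentation; it assumes the stricter form is an https:// URL with the server's fully qualified DNS name, and kerio.corp.example is a placeholder server name.

```python
from urllib.parse import urlsplit

# Constructed sample list; kerio.corp.example is a placeholder, not a real server.
SAMPLE = "https://kerio.corp.example, http://kerio.corp.example, *.corp.example, kerio"


def audit_entry(entry):
    """Return findings for one trusted-server entry; an empty list means OK."""
    entry = entry.strip()
    if not entry:
        return ["empty entry"]
    findings = []
    if "*" in entry:
        findings.append("wildcard covers hosts other than the firewall")
    if "://" in entry:
        parts = urlsplit(entry)
        if parts.scheme.lower() != "https":
            findings.append("scheme is not https")
        host = parts.hostname or ""
    else:
        findings.append("no scheme given, so https is not enforced")
        # Drop any path and port to isolate the host part.
        host = entry.split("/")[0].split(":")[0]
    if host.startswith("."):
        findings.append("domain suffix covers every host under it")
    if "." not in host.strip("."):
        findings.append("not a fully qualified DNS name")
    return findings


def audit_list(value):
    """Audit a comma-separated list of trusted-server entries."""
    return {e.strip(): audit_entry(e) for e in value.split(",") if e.strip()}


if __name__ == "__main__":
    for entry, findings in audit_list(SAMPLE).items():
        print(entry, "->", "; ".join(findings) or "OK")
```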
Setting Google Chrome
Chrome uses Internet Explorer's Security Configuration, so one way to configure Chrome's settings is to configure Internet Explorer. Google Chrome adopts the same settings, so NTLM authentication will work.