5.4 Third-Party Domain Authentication

For third-party domain authentication, the clients are members of a third-party domain such as Windows. A Windows domain controller performs the user authentication. The user name and password on the domain controller must match the user name and password used to log in to the Windows workstation.

Ensure that you understand and meet the following prerequisites before setting up third-party authentication:

IMPORTANT: Domain pass-through authentication is supported for backward compatibility only. When the authentication mode is changed to Third party authentication, CIFS supports only the SMB1 protocol.

5.4.1 Prerequisites

Prerequisites for the Windows Primary Domain Controller

  • Ensure that the Primary Domain Controller (PDC) is up and reachable by using the NETBIOS name of the PDC from the CIFS server. For example, WINPDC_W.

  • Disable the autodisconnect feature on the PDC so that the PDC does not reset its connection to the CIFS server. You do this by configuring the timeout value (in minutes) for idle sessions through the autodisconnect parameter.

    The valid range is -1 to 65535. Setting the timeout value to -1 completely disables auto-disconnect of idle sessions.

    net config server /autodisconnect:-1

  • Set the registry value AllowLegacySrvCall to 1 to allow legacy service calls.

    1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

    2. Locate and then right-click the following registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

    3. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

    4. Type AllowLegacySrvCall, and then press ENTER.

    5. Right-click AllowLegacySrvCall, and then click Modify.

    6. Type 1 in the Value data box, and then click OK.

    7. Exit Registry Editor.

    For more information, see the Microsoft Knowledge Base.

  • Disable SMB signing.

    Set the registry values EnableSecuritySignature and RequireSecuritySignature under the following key to 0.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters

    Value Name: EnableSecuritySignature
    Data Type: REG_DWORD
    Data: 0 (disable), 1 (enable)

    Value Name: RequireSecuritySignature
    Data Type: REG_DWORD
    Data: 0 (disable), 1 (enable)

    For more information, see Microsoft documentation.

  • Set LmCompatibilityLevel on Windows 7 and Windows 8 clients.

    1. Click Start, type secpol.msc in the Start Search box, and then press ENTER.

    2. On the left pane, select Local Policies > Security Options.

    3. On the right pane, scroll down and double-click Network Security: LAN Manager authentication level.

    4. Change the setting from Send NTLMv2 Response only to Send LM & NTLM - use NTLMv2 session security if negotiated.

  • Restrict NTLM authentication.

    1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

    2. On the left pane, select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    To enable NTLM pass-through authentication:

    1. On the right pane, modify the following policies:

      Network security: Restrict NTLM: Incoming NTLM traffic. Set this to Allow all.

      Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Set this to Allow all.

      Network security: Restrict NTLM: Audit NTLM authentication in this domain. Set this to Enable all.

      Network security: Restrict NTLM: Audit Incoming NTLM Traffic. Set this to Enable auditing for all accounts.

    2. Close the Policy Editor.

    3. At the command prompt, run gpupdate /force.

    To disable restrictions on NTLM authentication:

    1. On the right pane, set Network security: Restrict NTLM: Incoming NTLM traffic to Allow all.

    2. Close the Policy Editor.

    3. At the command prompt, run gpupdate /force.

  • The desktop user or the user that has joined the domain must be the same as the CIFS user.

  • For Windows 2008 Server and later versions, apply the changes as indicated in the Microsoft Knowledge Base article.

NOTE: To access the CIFS shares when you are using third-party authentication, the Windows client might be required to log in as the same user with the same password.
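As an added verification step (this script is not part of the OES CIFS documentation), the following PowerShell reads the registry values behind each Windows-side prerequisite in this section and reports whether the machine currently matches the value the procedure requires, without changing anything. It assumes the standard Windows value names that the secpol.msc and gpedit.msc entries write (LmCompatibilityLevel under Lsa; RestrictReceivingNTLMTraffic, RestrictSendingNTLMTraffic and AuditReceivingNTLMTraffic under MSV1_0); the LanmanServer RequireSecuritySignature row is an extra check beyond the page's LanManWorkstation key, since it governs signing on the server's own inbound SMB sessions, and the domain-wide NTLM audit policy is not checked.

```powershell
# Added audit script, not part of the OES CIFS documentation. Read-only: it reports
# the current state of each Windows-side prerequisite in 5.4.1 and changes nothing.
# Run in an elevated PowerShell session on the PDC (the LmCompatibilityLevel row
# applies to the Windows 7/8 client instead).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int32]$item.$Name
}

function Test-ThirdPartyAuthPrereqs {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"
    $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # One row per prerequisite: where the GUI/CLI step writes, and the value 5.4.1 asks for.
    # 'net config server /autodisconnect:-1' stores 0xFFFFFFFF, which reads back as -1.
    # Policy-to-value mapping is assumed from the standard Windows registry layout.
    $checks = @(
        @{ Step = 'Disable autodisconnect (-1)';           Path = $srv; Name = 'autodisconnect';               Want = -1 },
        @{ Step = 'Allow legacy service calls';            Path = $msv; Name = 'AllowLegacySrvCall';           Want = 1 },
        @{ Step = 'SMB signing off (workstation)';         Path = $wks; Name = 'EnableSecuritySignature';      Want = 0 },
        @{ Step = 'SMB signing off (workstation)';         Path = $wks; Name = 'RequireSecuritySignature';     Want = 0 },
        @{ Step = 'SMB signing off (server, extra check)'; Path = $srv; Name = 'RequireSecuritySignature';     Want = 0 },
        @{ Step = 'LM & NTLM, NTLMv2 session security';    Path = $lsa; Name = 'LmCompatibilityLevel';         Want = 1 },
        @{ Step = 'Incoming NTLM: Allow all';              Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Want = 0 },
        @{ Step = 'Outgoing NTLM: Allow all';              Path = $msv; Name = 'RestrictSendingNTLMTraffic';   Want = 0 },
        @{ Step = 'Audit incoming NTLM: all accounts';     Path = $msv; Name = 'AuditReceivingNTLMTraffic';    Want = 2 }
    )

    foreach ($c in $checks) {
        $have = Get-RegDword -Path $c.Path -Name $c.Name
        $current = if ($null -eq $have) { '(not set)' } else { $have }
        [pscustomobject]@{
            Prerequisite = $c.Step
            Value        = $c.Name
            Required     = $c.Want
            Current      = $current
            Matches      = ($null -ne $have -and $have -eq $c.Want)
        }
    }
}

# Print the table; rows with Matches = False are the steps still to be done.
Test-ThirdPartyAuthPrereqs | Format-Table -AutoSize
```

Because the rows are emitted as objects, the same function can be piped to Where-Object -Property Matches -EQ $false to list only the outstanding prerequisites.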

Prerequisites for the CIFS Server

  • Ensure that SMB signing is disabled on the CIFS server. For details, see Enabling and Disabling SMB Signing.

  • Set the dialect to SMB v1 using the command novcifs --dialect=SMB.

5.4.2 Using iManager to Enable Third-Party Authentication

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html

    For example:

    http://192.168.0.1/nps/iManager.html

  2. At the login prompt, specify the server administrator user name, the password, and the tree name or IP address of the tree, then click Next.

    For more information on iManager administration, see the NetIQ iManager Administration Guide.

  3. In the iManager application left frame, click File Protocols > CIFS.

    The default CIFS parameters page is displayed. Use this page to configure and manage CIFS.

  4. Select the CIFS server you want to manage.

  5. Select General > Authentication.

  6. Select Third party Domain as the mode of authentication.

  7. Specify the Work Group/Domain Name of the Windows environment.

  8. Specify the LMCompatibility level. For details, see Table 5-2, CIFS Authentication Page Parameters.

  9. Specify the name of the Primary Domain Controller. Ensure that the name does not exceed 15 characters.

  10. Specify the IP address of the Primary Domain Controller.

  11. Click OK to save the changes in the CIFS properties.

  12. For the changes to take effect, you must restart the CIFS service.

    systemctl restart novell-cifs.service