Configuring NT Domain authentication

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to configure an NT Domain authentication server on Forefront Unified Access Gateway (UAG).

When using NT Domain authentication, open these destination ports to your corporate domain controllers:

  • RPC services: 1025-5000 (TCP)

  • RPC portmapper listener: 135 (TCP)

  • RPC in NT 4.0: 139 (TCP)

If users need to change their password while authenticating against the NT Domain authentication server, make sure that the server is configured to allow this.

To configure an NT Domain authentication server

  1. In the Forefront UAG Management console, on the Admin menu, click Authentication and Authorization Servers.

  2. On the Authentication and Authorization Servers dialog box, click Add.

  3. In the Server type list, click NT Domain.

  4. On the Add Authentication Server dialog box, configure the following server settings:

    Note

    On the Add Authentication Server dialog box, you can also define the local computer Windows Local Users and Groups manager as an authentication server, or for portal trunks, define the authorization user/group repository.

    • Server name—Name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG. It is also displayed to end users when they are prompted to select a server during authentication.

    • NT Domain—Name of the NT domain, or if you are defining the local computer, the name of the local computer. The name you enter here is used by default as the user’s login domain name.

    • Level of nested groups—Defines whether to search for the user in additional groups to which the user belongs, and the number of nested groups in which to search:

      • Using the default value, which is 0, the search includes only the groups to which the user belongs directly. For example, if the user John is a member of group QA, the search includes the group QA, but not any of the groups to which QA belongs.

      • If you enter a value other than 0 in this field, it defines the number of nested groups included in the search. In the above example, if you enter 1, and QA is a member of the R&D group, the search includes both the QA group and the R&D group.

      • If you leave this field empty, the number of nested groups is unlimited. The search includes all the groups to which the user belongs, both directly and indirectly.

    • Server access credentials—The credentials you enter here are used to access the NT Domain server, and perform Server access functions such as retrieving the users/groups lists, retrieving user information, and changing passwords. If you enter access credentials, make sure you fill in all the Server access credentials fields.

      Note

      If you are defining the local computer, select the Anonymous logon check box to disable the Server access credentials fields and enable anonymous access to the Windows Local Users and Groups Manager.

      • User—User name that is used to access the NT Domain server. The user you assign must have Read permissions (or higher) on this server.

      • Password—Type the password of the user you defined in User.

      • Confirm password—Type the password again for confirmation.

      • Domain—Type the domain of the user you defined in User.

      • Anonymous logon—Select this check box to disable the Server access credentials fields and allow anonymous access to the server (or, if you are defining the local computer, to the Windows Local Users and Groups console) for performing the Server access functions.

  5. On the Add Authentication Server dialog box, click OK, and then on the Authentication and Authorization Servers dialog box, click Close.
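The following Python script is an added illustration, not code from the Forefront UAG documentation or product, of how the Level of nested groups setting in step 4 bounds the group search. It reuses the page's own example (John is a member of QA, and QA is a member of R&D) and assumes two further containing groups, Engineering and All-Staff, purely to show deeper nesting levels; the dictionaries and function names are constructed for this example.

```python
"""Added example: models the "Level of nested groups" search semantics
described for the NT Domain authentication server in Forefront UAG.
This is illustrative code, not the product's implementation."""
from collections import deque

# Constructed sample directory: group -> groups that contain it.
# QA -> R&D comes from the page's example; Engineering and All-Staff
# are assumed extra levels added for illustration only.
PARENT_GROUPS = {
    "QA": ["R&D"],
    "R&D": ["Engineering"],
    "Engineering": ["All-Staff"],
    "All-Staff": [],
}

# Constructed direct memberships: user -> groups the user belongs to directly.
DIRECT_MEMBERSHIP = {
    "John": ["QA"],
}


def resolve_groups(user, level, direct=DIRECT_MEMBERSHIP, parents=PARENT_GROUPS):
    """Return the set of groups the search considers for `user`.

    level == 0    -> only groups the user belongs to directly (the default)
    level == N    -> direct groups plus N levels of containing groups
    level is None -> unlimited (the field left empty)
    """
    found = set(direct.get(user, []))
    # Breadth-first walk up the containment tree; each entry carries the
    # number of nesting levels already climbed to reach that group.
    frontier = deque((group, 0) for group in found)
    while frontier:
        group, depth = frontier.popleft()
        if level is not None and depth >= level:
            continue  # configured nesting limit reached on this branch
        for parent in parents.get(group, []):
            if parent not in found:  # the set also guards against cycles
                found.add(parent)
                frontier.append((parent, depth + 1))
    return found


def is_authorized(user, required_group, level):
    """True if `required_group` is reachable within the configured level.

    Shows the practical effect of the setting: a user whose entitlement
    comes only from a deeply nested group is denied when the level is
    set too low, and admitted when the field is left empty (unlimited).
    """
    return required_group in resolve_groups(user, level)


if __name__ == "__main__":
    for level in (0, 1, 2, None):
        print(f"level={level!s:>4}: {sorted(resolve_groups('John', level))}")
    print("Engineering at level 1:", is_authorized("John", "Engineering", 1))
    print("Engineering unlimited :", is_authorized("John", "Engineering", None))
```

Level 0 yields only QA, level 1 adds R&D exactly as the topic describes, and an empty field walks the whole chain. When a portal trunk authorizes on a group that is several levels above the user's direct memberships, a low level value is a common cause of unexpected access denials, while an unlimited search costs extra directory lookups per authentication.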