How pass through authentication works in ServiceDesk Plus

How Pass Through Authentication Works

NTLMv2 is a protocol supported by Microsoft to overcome the security issues of NTLMv1, and it is implemented in ServiceDesk Plus.

What does the protocol define?

When a service wants to initiate single sign-on, it must first build a secure channel to a domain controller and then use that channel for all further authentication against Active Directory. In a multi-domain environment, the service holds a secure connection to only one domain controller, which authenticates users of the other domains through its trust relationships with those domains.

ServiceDesk Plus implements the secure channel to Active Directory using the NETLOGON service via a computer account. To use the NETLOGON service, that computer account requires a password.

The NETLOGON service is Microsoft's internal communication channel. A computer creates a unique identity in the domain and a random password for its further communication within the domain. For example, when a user tries to log in, the computer presents its identity to AD and then tries to authenticate the user. User accounts are used for access privileges and cannot communicate with AD directly, so we use a computer account for NETLOGON. Because the password is generated randomly when a computer is registered in a domain and never needs to be exposed, AD offers no option to reset it.

ServiceDesk Plus uses a VBScript to create a computer account and set its password. If the same can be achieved by any other means, ServiceDesk Plus can use the resulting account name and password for pass-through authentication.
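One such "other means", as an added example that is not ManageEngine's script: creating the computer account and setting a random password with the ActiveDirectory PowerShell module. The account name `SDPSSO01` and the OU path are hypothetical placeholders to replace with your own.

```powershell
# Added example (not ManageEngine's script). Needs the ActiveDirectory module (RSAT)
# and the right to create computer objects in the target OU.
Import-Module ActiveDirectory

$Name   = 'SDPSSO01'                               # hypothetical account name (15 chars max)
$OuPath = 'OU=ServiceAccounts,DC=example,DC=com'   # hypothetical OU

function New-RandomPassword {
    param([int]$Length = 32)
    # Alphabet avoids look-alike characters; symbols are included for complexity policies.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-_='.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    try {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            $rng.GetBytes($bytes)   # cryptographic RNG, not Get-Random
            $alphabet[[int]([BitConverter]::ToUInt32($bytes, 0) % $alphabet.Length)]
        }
    } finally { $rng.Dispose() }
    -join $chars
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# New-ADComputer appends the trailing '$' to the sAMAccountName if it is missing.
New-ADComputer -Name $Name -SamAccountName $Name -Path $OuPath `
    -AccountPassword $secure -Enabled $true `
    -Description 'ServiceDesk Plus pass-through authentication (NETLOGON)'

# Confirm the account exists, is enabled, and record when the password was set.
Get-ADComputer -Identity $Name -Properties Enabled, PasswordLastSet |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet

# Shown once so it can be entered in the pass-through authentication settings.
Write-Host "Computer account: $Name"
Write-Host "Password:         $plain"
```

Run it from an interactive session rather than saving the password in a script or transcript, and keep the recorded value in a password vault.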

From version 7600, ServiceDesk Plus pass-through authentication uses NTLMv2, which provides better security and validates credentials using the NETLOGON service; NTLMv1 will no longer be supported. When you upgrade from version 7514 to 7600, pass-through authentication is automatically disabled and you may have to reconfigure it, which requires creating a new computer account in Active Directory. From then on, Active Directory credentials are authenticated through this computer account.
