How Pass Through Authentication Works

NTLMv2 is a protocol supported by Microsoft that overcomes the security issues of NTLMv1, and it is implemented in ServiceDesk Plus.

What does the protocol define?

When a service wants to initiate single sign-on, it must first build a secure channel with the domain controller and then use that channel for all further authentication with Active Directory. In a multi-domain environment, the service holds a secure connection with only one domain controller, and that domain controller authenticates users of the other domains using its trust relationship with those domains.

ServiceDesk Plus implements the secure channel to Active Directory using the NETLOGON service via a computer account. To use the NetLogon service, that computer account requires a password.

The NetLogon service is Microsoft's internal communication channel. A computer creates a unique identity in the domain and a random password for further communication within the domain. For example, when a user tries to log in, the computer presents its identity to AD and then tries to authenticate the user. User accounts are used for access privileges and cannot communicate with AD directly, so a computer account is used for NETLOGON. Because the password is generated randomly when a computer is registered under a domain and does not need to be exposed, there is no option to reset the password in AD.

ServiceDesk Plus uses a VBScript to create a computer account and set its password. If the same can be achieved by any other means, that information can be used by ServiceDesk Plus for pass-through authentication.

From version 7600, ServiceDesk Plus pass-through authentication uses NTLMv2, which provides better security and validates credentials using the NETLOGON service. NTLMv1 is no longer supported. When you upgrade from version 7514 to 7600, pass-through authentication is automatically disabled and you may have to reconfigure it, which requires creating a new computer account in Active Directory. From then on, Active Directory credentials are authenticated through this computer account.
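
The computer-account step described above, done "by other means" with PowerShell. This is an added example, not the VBScript that ServiceDesk Plus ships and not ManageEngine's code. It assumes the ActiveDirectory (RSAT) module is available; the function name `New-SsoComputerAccount`, the account name and the container path are hypothetical placeholders.

```powershell
# Added example (not ManageEngine's script). Requires the ActiveDirectory module
# and rights to create computer objects in the target container.
Import-Module ActiveDirectory

function New-SsoComputerAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. 'SDPSSO01' (constructed placeholder)
        [Parameter(Mandatory)][string]$Path,   # e.g. 'CN=Computers,DC=example,DC=com'
        [int]$PasswordLength = 32
    )

    # Refuse to reuse an existing account: changing the password of a real
    # domain-joined machine would break that machine's own secure channel.
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        throw "Computer account '$Name' already exists; choose an unused name."
    }

    # Build the password from a CSPRNG. The alphabet has exactly 64 symbols,
    # so (byte % 64) selects each symbol with equal probability.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='
    $bytes = New-Object byte[] $PasswordLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

    # Create a dedicated computer account with the known password.
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $Path `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $true -Description 'ServiceDesk Plus pass-through authentication'

    # Return the secret once so it can be entered in the SSO configuration;
    # do not write it to a log or leave it in a script file.
    [pscustomobject]@{ ComputerAccount = "$Name`$"; Password = $plain }
}
```

The account should be dedicated to pass-through authentication, and its password should be handled like any other service credential because it is what establishes the NETLOGON secure channel.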
