How pass through authentication works in ServiceDesk Plus

How Pass Through Authentication Works

NTLMv2 is a protocol supported by Microsoft to overcome the security issues of NTLMv1, and it is the protocol implemented in ServiceDesk Plus.

What does the protocol define?

When a service wants to initiate single sign-on, it must first build a secure channel with the domain controller, and the service then uses that channel for the rest of the authentication process with Active Directory. In a multi-domain environment, the service has a secure connection with only one domain controller, and that domain controller authenticates users of the other domains using the trust relationship with that domain.

ServiceDesk Plus implements the secure channel to Active Directory using the NETLOGON service via a computer account. To enable the NETLOGON service, that computer account requires a password.

The NETLOGON service is Microsoft's internal communication channel. A computer creates a unique identity in the domain and generates a random password for further communication within the domain. For example, when a user tries to log in, the computer presents its identity to AD and then tries to authenticate the user. User accounts are used for access privileges and cannot communicate with AD directly, so a computer account is used for NETLOGON. Because the password is generated randomly when the computer is registered under a domain and does not need to be exposed, there is no option to reset the password in AD.



ServiceDesk Plus uses a VBScript to create a computer account and set its password. If the same result can be achieved by any other means, ServiceDesk Plus can use that account information for pass-through authentication.
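One way to create such a computer account without the VBScript, shown as an added example that is not ManageEngine's script. It assumes the RSAT ActiveDirectory module and rights to create computer objects; the account name, OU path and the 32-character alphanumeric password format are hypothetical choices, not ServiceDesk Plus requirements.

```powershell
# Added example, not ManageEngine's script.
# Assumes the RSAT ActiveDirectory module and permission to create computer objects.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 32)   # length is an assumption, not a product requirement
    # Alphabet without look-alike characters (57 symbols).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    $buf   = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buf)
                if ($buf[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
                }
            }
            $pw = $sb.ToString()
            # Regenerate until upper case, lower case and digit are all present,
            # so the password passes a domain complexity policy.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally {
        $rng.Dispose()
    }
    return $pw
}

# Hypothetical values: replace with your own.
$Name   = 'SDP-PTA01'                               # 15 characters or fewer
$OuPath = 'OU=ServiceAccounts,DC=example,DC=com'

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $OuPath `
    -AccountPassword $secure -Enabled $true `
    -Description 'ServiceDesk Plus pass-through authentication (NETLOGON)'

# Shown once so it can be entered in ServiceDesk Plus; nothing is written to disk.
Write-Host "Computer account: $Name`$"
Write-Host "Password:         $plain"
```

Run it in a session without transcript logging, since the password is printed to the console.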

From version 7600, ServiceDesk Plus pass-through authentication uses NTLMv2, which provides better security and validates credentials using the NETLOGON service; NTLMv1 is no longer supported. When you upgrade from version 7514 to 7600, pass-through authentication is automatically disabled and you may have to reconfigure it, which requires creating a new computer account in Active Directory. From then on, Active Directory credentials are authenticated through this computer account.
