How Pass Through Authentication Works

NTLMv2 is a protocol supported by Microsoft to overcome the security issues of NTLMv1, and it is the version implemented in ServiceDesk Plus.

What does the protocol define?

When a service wants to initiate single sign-on, it first has to build a secure channel with a domain controller; the service then uses that channel for all further authentication against Active Directory. In a multi-domain environment, the service holds a secure connection to only one domain controller, and that domain controller authenticates the users of the other domains through its trust relationships with those domains.

ServiceDesk Plus builds this secure channel to Active Directory through the NETLOGON service, using a computer account. To use the NETLOGON service, that computer account requires a password.

NETLOGON is Microsoft's internal communication channel within the domain. A computer creates a unique identity in the domain and a random password for its further communications within the domain. For example, when a user tries to log in, the computer first presents its own identity to AD and only then tries to authenticate the user. User accounts carry access privileges but cannot communicate with AD directly in this way, so the computer account is used for NETLOGON. Because the password is generated randomly when the computer is registered in the domain and never needs to be exposed, AD offers no option to reset it.

ServiceDesk Plus uses a VBScript to create the computer account and set its password. If the same can be achieved by any other means, that account information can then be used by ServiceDesk Plus for pass-through authentication.

From version 7600, ServiceDesk Plus pass-through authentication uses NTLMv2, which provides better security and validates the credentials through the NETLOGON service; NTLMv1 is no longer supported. When you upgrade from 7514 to 7600, pass-through authentication is automatically disabled and you have to reconfigure it, which requires creating a new computer account in Active Directory. From then on, Active Directory credentials are authenticated through this computer account.
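To show why the service needs the NETLOGON secure channel at all, here is an added example (not ServiceDesk Plus code) of the standard NTLMv2 challenge/response computation from MS-NLMP, with the client side and the verifier side that only the domain controller can perform. The NT hash, user, domain, challenges and target-info bytes are constructed sample values.

```python
import hmac
import struct

# Constructed sample values (not from the article): the NT hash the DC stores for the
# user, and the identity the user logs in with.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "jdoe", "CORP"

EPOCH_DELTA = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def filetime(unix_seconds: float) -> int:
    """Convert a Unix time to the 100-ns FILETIME units the NTLMv2 blob carries."""
    return int((unix_seconds + EPOCH_DELTA) * 10_000_000)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge,
                    timestamp, target_info) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp, where temp binds the
    client challenge, the timestamp and the server's target info into the proof."""
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + target_info + bytes(4))
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + temp, "md5").digest()
    return proof + temp


def verify_ntlmv2(nt_hash, user, domain, server_challenge, response,
                  now_filetime=None, max_skew_s=300) -> bool:
    """Verifier side, the role the domain controller plays over the NETLOGON secure
    channel: only the holder of the NT hash can recompute NTProofStr. The service
    (here ServiceDesk Plus) never sees the hash; it forwards challenge + response."""
    if len(response) < 16 + 32:  # 16-byte proof + fixed part of temp
        return False
    proof, temp = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, "md5").digest()
    if not hmac.compare_digest(proof, expected):
        return False
    if now_filetime is not None:  # reject stale or replayed blobs by timestamp
        ts = struct.unpack_from("<Q", temp, 8)[0]
        if abs(now_filetime - ts) > max_skew_s * 10_000_000:
            return False
    return True
```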
