Configure Windows Single Sign-on (without LDAP)

Use these settings to configure Windows Single Sign-on authentication without using LDAP authorization.

(If instead you want to use LDAP, click Cancel. Click Use LDAP to restrict access to sessions, click +Add and proceed with Use LDAP to restrict access to Single Sign-on sessions.)

  1. Enter the settings to Add or Edit an NTLM server for Single Sign-on through Windows Authentication:

    1. Choose and enter either

      • Domain Controller DNS name or IP address

        IP address or DNS name of the Active Directory Domain Controller.

        NetBIOS hostname of domain controller

        The first 15 characters of the domain controller’s host name, for example, myComputer.

        Note: The term NetBIOS is called pre-Windows 2000 in some Windows utilities.

        — or —

      • DNS domain

    2. NetBIOS domain name

      The first 15 characters of the left-most label in the DNS domain name.

      Example: For the DNS domain name mydomain.mycompany.com, enter the NetBIOS domain value mydomain.

      HINT:To obtain the NetBIOS name for a domain on Windows Server 2000 or higher:

      1. Open the Active Directory Domains and Trusts snap-in (domain.msc).

      2. In the console tree, right-click the domain and select Properties.

      3. The Domain name (pre-Windows 2000) field displays the NetBIOS name.

      On Windows Server 2008 or higher, you can also use the Active Directory module for Windows PowerShell to find the NetBIOS name of a domain in Active Directory Domain Services.

      On Windows Server 2008 only, if the Active Directory module is not available, you may need to install it first, using this PowerShell command:

      import-module activedirectory

      This example demonstrates how to find the NetBIOS name of the domain called mydomain.com:

      Get-ADDomain -Identity mydomain.com | findstr /I NetBIOSName

    3. Computer account (for servicing)

      A computer account in the Active Directory domain. A computer account is different than a user account. The computer account should not be associated with an actual physical or virtual computer.

      To specify the Computer account for servicing

      A computer account's syntax is the pre-Windows 2000 computer name, followed by a $ sign, followed by the @ symbol, and then the DNS domain name.

      Syntax: <Computer name (pre-Windows 2000)>$@<DNS domain name>

      For example, if the Computer name is ReflServiceAccount, the pre-Windows 2000 Computer name is REFLSERVICEACCO and the computer account is: REFLSERVICEACCO$@mydomain.com

    4. Computer account password

      If the password of the computer account is not already known, it must be explicitly reset in Active Directory. You can reset a computer account’s password using a simple VBScript, or the ADSI Edit tool.

  2. Click Test Connection.

    This action checks the NTLMv2 connection to be sure the server is listening and is in fact a domain controller. The test attempts to authenticate to the server using the IP address or alias for the domain controller, the NetBIOS hostname, computer account, and password.

    Note: The Domain is not tested and could still be a cause for error later in the authentication process.

    If the result is Success, click OK.

    If Test Connection fails, check the logs and resolve the issue before continuing.

  3. To add another server, see Adding Another Server for Single Sign-on Through Windows.

Related Topics