15 Configuring the Windows NT Authentication Provider

The Windows NT Authentication provider uses account information defined for a Windows NT domain to authenticate users and groups and to permit Windows NT users and groups to be listed in the Oracle WebLogic Server Administration Console.

This chapter includes the following sections:

  • About the Windows NT Authentication Provider

  • Domain Controller Settings

  • LogonType Setting

  • UPN Names Settings

About the Windows NT Authentication Provider

To use the Windows NT Authentication provider, create the provider in the WebLogic Server Administration Console. In most cases, you should not need to do anything more to configure this Authentication provider. Depending on how your Windows NT domains are configured, you may want to set the Domain Controllers and Domain Controller List attributes, which control which machines the Windows NT Authentication provider consults when it looks up a username, and the LogonType and mapUPNNames attributes described later in this chapter.

Note:

The Windows NT Authentication provider is deprecated as of WebLogic Server 10.0. Use one or more other supported authentication providers instead.

Domain Controller Settings

Usernames in a Windows NT domain can take several different forms. You may need to configure the Windows NT Authentication provider to match the form of usernames you expect your users to sign on with. A simple username is one that gives no indication of the domain, such as smith. Compound usernames combine a username with a domain name and may take a form like domain\smith or smith@domain.

If the local machine is not part of a Microsoft domain, then no changes to the Domain Controllers and Domain Controller List attributes are needed. On a stand-alone machine, the users and groups to be authenticated are defined only on that machine.

If the local machine is part of a Microsoft domain and is the domain controller for the local domain, then no changes are needed to the Domain Controller List attribute. Users defined on the local machine and the domain are the same in this case, so you can use the default Domain Controllers setting.

If the local machine is part of a Microsoft domain, but is not the domain controller for the local domain, then a simple username might be found on either the local machine or in the domain. In this case, consider the following:

  • Do you want to prevent the users and groups from the local machine from being displayed in the Console when the local machine is part of a Microsoft domain?

  • Do you want a simple username to be looked up and authenticated in the domain only, so that accounts defined on the local machine are not found?

If the answer to either question is yes, then set the Domain Controllers attribute to DOMAIN. With the default setting, a simple username is resolved on the local machine.

If you have multiple trusted domains, you may need to set the Domain Controllers attribute to LIST and specify a Domain Controller List. Do this if:

  • You require the users and groups for other trusted domains to be visible in the Console, or

  • You expect that your users will be entering simple usernames and expect them to be located in the trusted domains (that is, users will sign on with a simple username like smith, not smith@domain or domain\smith).

If either of these situations is the case, then set the Domain Controllers attribute to LIST and specify the names of the domain controllers in the Domain Controller List attribute for the trusted domains that you want to be used. The controllers are consulted in the order listed, so put the ones most likely to hold your users first. Consider also whether to name the local machine and the local domain controller explicitly or to stand for them with placeholders in the list. You can use the following placeholders in the Domain Controller List attribute:

  • [Local]

  • [LocalAndDomain]

  • [Domain]

LogonType Setting

The proper value of the LogonType attribute in the Windows NT Authentication provider depends on the Windows NT logon rights of the users that you want to be able to authenticate.

  • If users have the "logon locally" right assigned to them (directly or through group membership) on the machines that will run WebLogic Server, then use the default value, interactive.

  • If users have the "Access this computer from the network" right assigned to them, then change the LogonType attribute to network.

You must assign one of these rights to users in the Windows NT domain or else the Windows NT Authentication provider will not be able to authenticate any users. Where you have the choice, grant the network right and use LogonType network: "Access this computer from the network" is the narrower of the two rights, while "logon locally" also entitles every account that holds it to an interactive session on the machines that run WebLogic Server. Note also that the corresponding deny rights ("Deny log on locally" and "Deny access to this computer from the network") take precedence over the allow rights, so an account that is granted a right but also denied it cannot be authenticated with that LogonType.
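Before settling on a LogonType value, it is worth checking which of the two rights the accounts you intend to authenticate actually hold. The following is an added example, not WebLogic code or Oracle's: it parses the INF-style output of `secedit /export /cfg <file>` (the [Privilege Rights] section, where each grantee appears as `*<SID>`), applies the rule that a deny right overrides the matching allow right, and picks the single LogonType value that works for every account you give it, preferring network. The export text and the account SID sets are constructed sample data; the RIDs 513 (Domain Users) and the S-1-5-32-* SIDs are the well-known built-in values.

```python
"""Choose the LogonType value from a secedit privilege-rights export.

Added illustration for the LogonType discussion; not part of WebLogic Server.
SAMPLE_SECEDIT_EXPORT is constructed data in the format produced by
`secedit /export /cfg <file>`.
"""

SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-513
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeDenyNetworkLogonRight = *S-1-5-21-1000-2000-3000-1108
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed accounts, each given as the set of SIDs a logon token would carry
# (the account itself plus its groups).
SVC_ACCOUNT = {"S-1-5-21-1000-2000-3000-1107", "S-1-5-21-1000-2000-3000-513", "S-1-5-32-545"}
BLOCKED_ACCOUNT = {"S-1-5-21-1000-2000-3000-1108", "S-1-5-21-1000-2000-3000-513", "S-1-5-32-545"}
GUEST_ACCOUNT = {"S-1-5-32-546"}


def parse_privilege_rights(export_text):
    """Return {right_name: set_of_grantees} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes each SID as "*S-1-..."; strip the asterisk so callers
        # can compare plain SID strings.
        grantees = {g.strip().lstrip("*") for g in value.split(",") if g.strip()}
        rights[name.strip()] = grantees
    return rights


def holds_right(rights, allow_right, deny_right, sids):
    """True if any SID of the account is granted allow_right and none is
    listed under deny_right. A deny right always wins over an allow right."""
    if sids & rights.get(deny_right, set()):
        return False
    return bool(sids & rights.get(allow_right, set()))


def available_logon_types(rights, sids):
    """The LogonType values under which this account could be authenticated."""
    types = set()
    if holds_right(rights, "SeNetworkLogonRight", "SeDenyNetworkLogonRight", sids):
        types.add("network")
    if holds_right(rights, "SeInteractiveLogonRight", "SeDenyInteractiveLogonRight", sids):
        types.add("interactive")
    return types


def choose_logon_type(rights, accounts):
    """LogonType is one setting for the whole provider, so it must work for
    every account. Prefer the narrower network right; return None if no single
    value covers all accounts (the provider then cannot authenticate them all)."""
    common = None
    for sids in accounts:
        types = available_logon_types(rights, sids)
        common = types if common is None else common & types
    if not common:
        return None
    return "network" if "network" in common else "interactive"


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_SECEDIT_EXPORT)
    for label, sids in (("svc", SVC_ACCOUNT), ("blocked", BLOCKED_ACCOUNT), ("guest", GUEST_ACCOUNT)):
        print(label, sorted(available_logon_types(rights, sids)))
    print("all service accounts:", choose_logon_type(rights, [SVC_ACCOUNT, BLOCKED_ACCOUNT]))
```

Run on a real machine by exporting the policy with secedit and feeding the file contents to parse_privilege_rights; the account SID sets come from the tokens of the users you want WebLogic to authenticate. In the sample, the service account qualifies for either value, the account denied network access is limited to interactive, and the guest qualifies for neither.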

UPN Names Settings

A User Principal Name (UPN) style username can take the form user@domain. You can configure how the Windows NT Authentication provider handles usernames that include the @ character, but which may not be UPN names, by setting the mapUPNNames attribute in the Windows NT Authentication provider.

If none of your Windows NT domains or local machines have usernames that contain the @ character other than UPN usernames, then you can use the default value of the mapUPNNames attribute, FIRST. However, you may want to consider changing the setting to ALWAYS in order to reduce the amount of time it takes to detect authentication failures: with FIRST, a name containing @ that fails as a UPN is retried as a simple username against each configured domain controller before the failure is reported, so the cost of a bad login grows with the length of the domain controller list. With ALWAYS, the single UPN attempt is the only one made.

If your Windows NT domains do permit non-UPN usernames with the @ character in them, then:

  • If a username with the @ character is more likely to be a UPN username than a simple username, set the mapUPNNames attribute to FIRST.

  • If a username with the @ character is more likely to be a simple username than a UPN username, set the mapUPNNames attribute to LAST.

  • If a username is never in UPN format, set the mapUPNNames attribute to NEVER.
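The Domain Controllers, Domain Controller List and mapUPNNames settings interact, and the easiest way to see what a given combination does is to write out the sequence of lookups a login name produces. The following model is an added illustration, not WebLogic code: it derives the lookup order from the behaviour described in the Domain Controller Settings and UPN Names Settings sections above. Assumptions are marked in the code: the machine and domain controller names are constructed, the [LocalAndDomain] placeholder is taken to expand to the local machine followed by the local domain controller, and a domain\user name is taken to be tried once against the named domain with no fallback.

```python
"""Model of how the Windows NT Authentication provider settings turn a login
name into a sequence of lookup attempts. Added illustration, not WebLogic code.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class NTAuthSettings:
    domain_controllers: str = "LOCAL"            # LOCAL | DOMAIN | LIST
    domain_controller_list: List[str] = field(default_factory=list)
    map_upn_names: str = "FIRST"                 # FIRST | ALWAYS | LAST | NEVER
    local_machine: str = "WLS01"                 # constructed names used when
    local_domain_controller: str = "DC-CORP"     # expanding the placeholders


def expand_controllers(s: NTAuthSettings) -> List[str]:
    """Machines consulted for a simple username, in order, duplicates removed."""
    if s.domain_controllers == "LOCAL":
        raw = [s.local_machine]
    elif s.domain_controllers == "DOMAIN":
        raw = [s.local_domain_controller]
    elif s.domain_controllers == "LIST":
        raw = []
        for entry in s.domain_controller_list:
            if entry == "[Local]":
                raw.append(s.local_machine)
            elif entry == "[Domain]":
                raw.append(s.local_domain_controller)
            elif entry == "[LocalAndDomain]":
                # assumption: local machine first, then the local domain controller
                raw += [s.local_machine, s.local_domain_controller]
            else:
                raw.append(entry)                # an explicit controller name
    else:
        raise ValueError(f"unknown Domain Controllers value: {s.domain_controllers!r}")
    return list(dict.fromkeys(raw))


def lookup_plan(username: str, s: NTAuthSettings) -> List[Tuple[str, str]]:
    """Ordered (target, name) pairs the provider would try before giving up.
    The target 'UPN' stands for one logon that takes the domain from the
    suffix after '@' instead of from the Domain Controller List."""
    if "\\" in username:                         # domain\user: domain is explicit
        domain, user = username.split("\\", 1)
        return [(domain, user)]                  # assumption: no fallback
    as_simple = [(dc, username) for dc in expand_controllers(s)]
    if "@" not in username:
        return as_simple
    as_upn = [("UPN", username)]
    mode = s.map_upn_names
    if mode == "ALWAYS":
        return as_upn
    if mode == "NEVER":
        return as_simple
    if mode == "FIRST":
        return as_upn + as_simple
    if mode == "LAST":
        return as_simple + as_upn
    raise ValueError(f"unknown mapUPNNames value: {mode!r}")


def attempts_before_failure(username: str, s: NTAuthSettings) -> int:
    """A bad password or unknown name costs every lookup in the plan."""
    return len(lookup_plan(username, s))


# Constructed configuration: three trusted domains plus the local machine and
# local domain controller, expanded from a placeholder.
TRUSTED = NTAuthSettings(
    domain_controllers="LIST",
    domain_controller_list=["[LocalAndDomain]", "DC-SALES", "DC-EU", "DC-APAC"],
)
TRUSTED_ALWAYS_UPN = NTAuthSettings(
    domain_controllers="LIST",
    domain_controller_list=TRUSTED.domain_controller_list,
    map_upn_names="ALWAYS",
)

if __name__ == "__main__":
    for name in ("smith", "SALES\\smith", "smith@corp.example"):
        print(name, "->", lookup_plan(name, TRUSTED))
    # FIRST falls back to every controller; ALWAYS stops after the UPN logon.
    print("FIRST :", attempts_before_failure("nobody@corp.example", TRUSTED))
    print("ALWAYS:", attempts_before_failure("nobody@corp.example", TRUSTED_ALWAYS_UPN))
```

With the five-controller list above, a failed UPN login under FIRST costs six attempts (the UPN logon plus one simple lookup per controller), while ALWAYS costs one, which is the effect the UPN Names Settings section describes for long domain controller lists.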