The Windows NT Authentication provider uses account information defined for a Windows NT domain to authenticate users and groups and to permit Windows NT users and groups to be listed in the Oracle WebLogic Server Administration Console.
This chapter includes the following sections:
About the Windows NT Authentication Provider
The Windows NT Authentication provider is deprecated as of WebLogic Server 10.0. Use one or more other supported authentication providers instead.
Domain Controller Settings
smith. Compound usernames combine a username with a domain name and may take a form like
If the local machine is not part of a Microsoft domain, then no changes to the Domain Controllers and Domain Controller List attributes are needed. On a stand-alone machine, the users and groups to be authenticated are defined only on that machine.
If the local machine is part of a Microsoft domain and is the domain controller for the local domain, then no changes are needed to the Domain Controller List attribute. Users defined on the local machine and the domain are the same in this case, so you can use the default Domain Controllers setting.
If the local machine is part of a Microsoft domain, but is not the domain controller for the local domain, then a simple username might be found on either the local machine or in the domain. In this case, consider the following:
Do you want to prevent the users and groups from the local machine from being displayed in the Console when the local machine is part of a Microsoft domain?
Do you want users from the local machine to be found and authenticated when a simple username is entered?
If the answer to either question is yes, then set the Domain Controller attribute to
If you have multiple trusted domains, you may need to set the Domain Controller attribute to LIST and specify a Domain Controller List. Do this if:
You require the users and groups for other trusted domains to be visible in the Console, or
You expect that your users will be entering simple usernames and expect them to be located in the trusted domains (that is, users will sign on with a simple username like
If either of these situations is the case, then set the Domain Controllers attribute to LIST and specify the names of the domain controllers in the Domain Controller List attribute for the trusted domains that you want to be used. Consider also whether to use explicit names for the local machine and local domain controller or if you want to use placeholders in the list for those. You can use the following placeholders in the Domain Controller List attribute:
The proper value of the LogonType attribute in the Windows NT Authentication provider depends on the Windows NT logon rights of the users that you want to be able to authenticate.
If users have the "logon locally" right assigned to them on the machines that will run WebLogic Server, then use the default value,
If users have the "Access this computer from the Network" right assigned to them, then change the LogonType attribute to
You must assign one of these rights to users in the Windows NT domain or else the Windows NT Authentication provider will not be able to authenticate any users.
UPN Names Settings
user@domain. You can configure how the Windows NT Authentication provider handles usernames that include the @ character, but which may not be UPN names, by setting the mapUPNNames attribute in the Windows NT Authentication provider.
If none of your Windows NT domains or local machines have usernames that contain the @ character other than UPN usernames, then you can use the default value, FIRST. However, you may want to consider changing the setting to ALWAYS in order to reduce the amount of time it takes to detect authentication failures. This is especially true if you have specified a long domain controller list.
If your Windows NT domains do permit non-UPN usernames with the @ character in them, then:
If a username with the @ character is more likely to be a UPN username than a simple username, set the
If a username with the @ character is more likely to be a simple username than a UPN username, set the
If a username is never in UPN format, set the