The Windows NT Authentication provider uses account information defined for a Windows NT domain to authenticate users and groups and to permit Windows NT users and groups to be listed in the WebLogic Server Administration Console.
To use the Windows NT Authentication provider, create the provider in the WebLogic Server Administration Console. In most cases, you should not need to do anything more to configure this Authentication provider. Depending on how your Windows NT domains are configured, you may want to set the Domain Controllers and Domain Controller List attributes, which control how the Windows NT Authentication provider interacts with the Windows NT domain.
The Windows NT Authentication provider is deprecated as of WebLogic Server 10.0. Use one or more other supported authentication providers instead.
Usernames in a Windows NT domain can take several different forms. You may need to configure the Windows NT Authentication provider to match the form of usernames you expect your users to sign on with. A simple username is one that gives no indication of the domain, such as smith. Compound usernames combine a username with a domain name and may take a form like
If the local machine is not part of a Microsoft domain, then no changes to the Domain Controllers and Domain Controller List attributes are needed. On a stand-alone machine, the users and groups to be authenticated are defined only on that machine.
If the local machine is part of a Microsoft domain and is the domain controller for the local domain, then no changes are needed to the Domain Controller List attribute. Users defined on the local machine and the domain are the same in this case, so you can use the default Domain Controllers setting.
If the local machine is part of a Microsoft domain, but is not the domain controller for the local domain, then a simple username might be found on either the local machine or in the domain. In this case, consider the following:
Do you want to prevent the users and groups from the local machine from being displayed in the Console when the local machine is part of a Microsoft domain?
Do you want users from the local machine to be found and authenticated when a simple username is entered?
If the answer to either question is yes, then set the Domain Controllers attribute to
If you have multiple trusted domains, you may need to set the Domain Controllers attribute to LIST and specify a Domain Controller List. Do this if:
You require the users and groups for other trusted domains to be visible in the Console, or
You expect that your users will be entering simple usernames and expect them to be located in the trusted domains (that is, users will sign on with a simple username like
If either of these situations is the case, then set the Domain Controllers attribute to LIST and specify the names of the domain controllers in the Domain Controller List attribute for the trusted domains that you want to be used. Consider also whether to use explicit names for the local machine and local domain controller or if you want to use placeholders in the list for those. You can use the following placeholders in the Domain Controller List attribute:
The proper value of the LogonType attribute in the Windows NT Authentication provider depends on the Windows NT logon rights of the users that you want to be able to authenticate:
If users have the "logon locally" right assigned to them on the machines that will run WebLogic Server, then use the default value,
If users have the "Access this computer from the Network" right assigned to them, then change the LogonType attribute to
You must assign one of these rights to users in the Windows NT domain or else the Windows NT Authentication provider will not be able to authenticate any users.
UPN style usernames can take the form user@domain. You can configure how the Windows NT Authentication provider handles usernames that include the @ character, but which may not be UPN names, by setting the mapUPNNames attribute in the Windows NT Authentication provider.
If none of your Windows NT domains or local machines have usernames that contain the @ character other than UPN usernames, then you can use the default value, FIRST. However, you may want to consider changing the setting to ALWAYS in order to reduce the amount of time it takes to detect authentication failures. This is especially true if you have specified a long domain controller list.
If your Windows NT domains do permit non-UPN usernames with the @ character in them, then:
If a username with the @ character is more likely to be a UPN username than a simple username, set the mapUPNNames attribute to
If a username with the @ character is more likely to be a simple username than a UPN username, set the mapUPNNames attribute to
If a username is never in UPN format, set the mapUPNNames attribute to
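
The trade-off between FIRST and ALWAYS described above, as an added Python sketch that is not Oracle's code: it models one sign-on under the assumption that a UPN lookup is a single query and a simple-username lookup queries each Domain Controller List entry in turn. The controller names, accounts and function names are constructed for illustration.

```python
# Added illustration: a simplified model, not WebLogic's implementation.
# Assumption: a UPN lookup costs one directory query, and a simple-username
# lookup queries each entry of the Domain Controller List in order.

def split_upn(username):
    """Return (user, domain) if the name has the user@domain shape, else None."""
    user, sep, domain = username.rpartition("@")
    return (user, domain) if sep and user and domain else None

def authenticate(username, mode, controller_list, upn_accounts, simple_accounts):
    """Model one sign-on. Returns (authenticated, queries_made).

    mode is "FIRST" (try as UPN, then fall back to a simple username)
    or "ALWAYS" (treat any name containing @ only as a UPN).
    simple_accounts maps a controller name to the simple usernames defined on it.
    """
    if mode not in ("FIRST", "ALWAYS"):
        raise ValueError("this model covers only FIRST and ALWAYS")
    queries = []
    if split_upn(username) is not None:
        queries.append(("upn", username))
        if username.lower() in upn_accounts:
            return True, queries
        if mode == "ALWAYS":
            return False, queries  # fail fast: no fallback search
    # Simple-username search: one query per controller until a match is found.
    for controller in controller_list:
        queries.append((controller, username))
        if username.lower() in simple_accounts.get(controller, set()):
            return True, queries
    return False, queries

# Constructed sample data (hypothetical names).
CONTROLLERS = ["dc-local", "dc-sales", "dc-eng", "dc-ops"]
UPN_ACCOUNTS = {"smith@example.test"}
SIMPLE_ACCOUNTS = {"dc-local": {"smith"}, "dc-ops": {"svc@batch"}}

def run(username, mode):
    return authenticate(username, mode, CONTROLLERS, UPN_ACCOUNTS, SIMPLE_ACCOUNTS)

if __name__ == "__main__":
    for name in ("smith@example.test", "typo@example.test", "svc@batch", "smith"):
        for mode in ("FIRST", "ALWAYS"):
            ok, queries = run(name, mode)
            print(f"{name:20} {mode:6} ok={ok!s:5} queries={len(queries)}")
```

In this model a mistyped UPN costs five queries under FIRST and one under ALWAYS, while the non-UPN account svc@batch can sign on only under FIRST, which is why ALWAYS suits environments where every name containing @ is a UPN.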