Enabling NTLM Authentication (Automatic Logon) in AD FS and browsers in InterScan Web Security as a Service (IWSaaS)

Trend Micro Web SecurityAll

Last updated: 2021/08/28

Solution ID: KA-0006113

Category: Configure , Troubleshoot

This article shows the procedure on how to enable the NTLM Authentication (Single Sign-On) in AD FS, Internet Explorer, Chrome and Firefox on IWSaaS.

For users to be transparently authenticated in AD FS SAML Integration, do the following:

Option I: Through Group Policy Object

Open the Group Policy Management Console. Create either a new Group Policy Object (GPO) or edit an existing GPO.
Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, expand Internet Explorer, expand Internet Control Panel, and then click Security Page.
In the details pane, double-click Site to Zone Assignment List.
In the Site to Zone Assignment List Properties dialog box, click Enabled.
In the Site to Zone Assignment List Properties dialog box, click Show.
In the Show Contents dialog box, click Add.
In the Add Item dialog box, type the ADFS URL of SAML SSO service (for example, https://cwaserver.contoso.com) in the Enter the name of the item to be added box.
Type 1 (indicating the local intranet zone) in the Enter the value of the item to be added box, and then click OK.
In the Show Contents dialog box, click OK.
In the Site to Zone Assignment List dialog box, click OK.
In the Group Policy Management Editor, click Intranet Zone.
In the details pane, double-click Logon options.
In the Logon options Properties dialog box, click Enabled.
In the Logon options list, click Automatic logon only in Intranet zone, and then click OK.
Close the Group Policy Management Editor.

Option II: Through Internet Explorer Browser

Open the Internet Options dialog box by choosing Internet Options either from Control Panel or from the Tools menu in Internet Explorer.
In the Internet Options dialog box, on the Security tab, select Local intranet, and then click Custom Level.
In the Security Settings dialog box, under Logon, select Automatic logon only in Intranet zone, and then click OK.
In the Internet Options dialog box on the Security Settings tab with Local intranet still selected, click Sites.
In the Local intranet dialog box, click Advanced.
In the next dialog box (also titled Local intranet), type the URL of your Communicator Web Access site (for example, https://cwaserver.contoso.com) in the Add this Web site to the zone box, and then click Add.
In the Local intranet dialog, box click OK.
In the original Local intranet dialog box, click OK.
In the Internet Options dialog box, click OK.

Enable Windows Authentication for AD FS 3.0.

Refer to the following articles:
- Configuring authentication policies for AD FS
- Enabled Forms Based Authentication in ADFS 3.0
Disable Extended Protection Token Check.

Refer to the Microsoft KB article: Configuring Advanced Options for AD FS 2.0.
Configure/Set AD FS 3.0 Server as servicePrincipalName (SPN).

Refer to the following articles:
- Register the AD FS server as a service principal name (SPN)
- AD FS 2.0: How to Configure the SPN (servicePrincipalName) for the Service Account
Use A Record for AD FS 3.0 (Optional).

Refer to the Microsoft forum topic: AD FS Windows Authentication Throws 400 Bad Request.

Was this article helpful?