There are several parameters which are used to enable NTLM authentication in Windows:
- security_ntlm_server_var - the key of the $_SERVER array in which the user credential is found. If not set, this defaults to LOGON_USER.
- security_ntlm_authenticate_against - the column of the users table against which the string found in security_ntlm_server_var is matched. If not set, this defaults to login.
- security_ntlm_user_search - the string or regular expression searched for in the content of the server variable. The documentation uses [A-Z0-9]+\\([a-zA-Z0-9]+) as an example. This matches any string consisting of uppercase characters and digits, followed by a backslash character, followed by a string consisting of uppercase characters, lowercase characters and digits.
- security_ntlm_user_replace - the string or expression that matches are replaced with. The documentation uses \1, which means the contents of the first capturing group.
When a user tries to access CA SAM, the following steps are followed:
- The value of security_ntlm_server_var is used to locate the string which is used as the incoming user. This would normally be of the form DOMAIN\user.
- This string is then parsed using the regular expression in the security_ntlm_user_search parameter to find the capturing groups.
- The security_ntlm_user_replace parameter is then applied to produce the final user string for authentication.
- This user string is then compared to the values in the database column specified in the security_ntlm_authenticate_against parameter.
Using the settings from the documentation, an example of this is:
- The incoming LOGON_USER string is TESTDOMAIN\UserOne
- The regular expression [A-Z0-9]+\\([a-zA-Z0-9]+) is applied. The first capturing group is TESTDOMAIN. The second capturing group is UserOne.
- The replace parameter \1 is then applied, so the user string is set to the first captured string, TESTDOMAIN.
- This is then compared to the values in the database column and there is no match, as there is no user called TESTDOMAIN.
This means that the user cannot be authenticated, so the logon fails.
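As an added illustration (not part of the CA SAM documentation or product code), the following Python models the four steps above on the documented example. It assumes a search pattern with both the domain and the user part in capturing groups, as the reference above to a first and second capturing group implies, and a constructed set standing in for the login column of the users table; it also goes one step beyond the text by showing what the second capturing group produces.

```python
import re

# Constructed sample data standing in for the 'login' column of the users table.
USER_LOGINS = {"UserOne", "UserTwo"}

# Assumed search pattern: the documented example with BOTH parts in capturing
# groups, so that \1 is the domain and \2 is the user, as the text describes.
NTLM_USER_SEARCH = r"([A-Z0-9]+)\\([a-zA-Z0-9]+)"


def resolve_ntlm_user(server_var_value, user_search, user_replace):
    """Steps 2 and 3: search the server variable with the regular expression
    and build the candidate login from the replace template (\\1, \\2, ...).
    Returns None when the pattern does not match at all."""
    match = re.search(user_search, server_var_value)
    if match is None:
        return None
    return match.expand(user_replace)


def authenticate(server_vars, logins, server_var="LOGON_USER",
                 user_search=NTLM_USER_SEARCH, user_replace=r"\1"):
    """Steps 1 to 4: returns (authenticated, candidate_login)."""
    raw = server_vars.get(server_var)          # step 1: e.g. TESTDOMAIN\UserOne
    if raw is None:
        return (False, None)                   # server variable not populated
    candidate = resolve_ntlm_user(raw, user_search, user_replace)
    if candidate is None:
        return (False, None)                   # pattern did not match the value
    return (candidate in logins, candidate)    # step 4: compare to login column


if __name__ == "__main__":
    request = {"LOGON_USER": "TESTDOMAIN\\UserOne"}   # constructed $_SERVER entry
    print(authenticate(request, USER_LOGINS, user_replace=r"\1"))  # (False, 'TESTDOMAIN')
    print(authenticate(request, USER_LOGINS, user_replace=r"\2"))  # (True, 'UserOne')
```

With \1 the candidate is the domain name and the comparison fails exactly as described above, while \2 yields the user part; a lowercase domain name is not matched by [A-Z0-9]+ at all, so the logon fails before the database is consulted.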