Configuring CA SAM authentication using single sign-on via NTLM on Windows as per the documentation may not validate users correctly.

Document ID : KB000008697
Last Modified Date : 14/02/2018
Show Technical Document Details

After configuring CA SAM authentication as single sign-on via NTLM on Windows, users aren't automatically logging in and are being presented with the login screen.


There are several parameters which are used to enable NTLM authentication in Windows:

security_ntlm_server_var - key of the $_SERVER variable the user credential is found in if not set defaults to LOGON_USER.
security_ntlm_authenticate_against - column name of table users the string found in security_ntlm_server_var is matched against if not set defaults to login
security_ntlm_user_search - search for this string/regular expression in content of server var. The documentation uses [A-Z0-9]+\\([a-zA-Z0-9]+)as an example. This will match any string consisting of uppercase characters and numbers. followed by a slash character and then a string consisting of uppercase characters, lowercase characters and numbers.
security_ntlm_user_replace - replace matches with this string/expression. The documentation uses \1, which means the contents of the first capturing group.

When a user tries to access CA SAM, the following steps are followed:

  1. The value of security_ntlm_server_var is used to locate the string which is used as the incoming user. This would normally be DOMAIN/user.
  2. This is then parsed by the contents of the security_ntlm_user_search parameter to find the capturing groups.
  3. The security_ntlm_user_replace parameter is then used to produce the final user string for authentication
  4. This is then compared to the values in the database column specified in the security_ntlm_authenticate_against parameter.

Using the settings from the documentation, an example of this is:

  1. The incoming LOGON_USER string is TESTDOMAIN\UserOne
  2. The regular expression [A-Z0-9]+\\([a-zA-Z0-9]+) is applied. The first capturing group is TESTDOMAIN. The second capturing group is UserOne.
  3. The replace parameter is then used, the user string is set to the first capture string, TESTDOMAIN.
  4. This is then compared to the value in the database column and there is no match, as there is no used called TESTDOMAIN.

This means that the user cannot be authenticated, so the logon fails.


When the LOGON_USER string is used as the incoming Windows user, it will normally contain domain\username. In this situation the security_ntlm_user_replace parameter should be set to \2 rather than \1, so that the replacement uses the second capture string (which is the username), rather than the first capture string (which is the domain name). The username will then be validated against the database and if there is a match, the user will be logged in successfully.


Additional Information:

The security_ntlm_user_search parameter may need further modification depending on your system configuration and usernames which are in use. The value suggested in the documentation, [A-Z0-9]+\\([a-zA-Z0-9]+) will match DOMAIN\username. It will not match TEST-DOMAIN\username (because of the hyphen character in the domain name), domain\username (because of the lower case domain name), or DOMAIN\usernàme (because of the accented character in the username).

The hyphen character is a valid character in a domain name, so if your domain name includes a hyphen characters, you will need to modify the security_ntlm_user_search so that the domain name includes a hyphen character. The correct regular expression for this would then be [A-Z0-9\-]+\\([a-zA-Z0-9]+).

For other situations which arise, please investigate the best regular expression to use to successfully match the LOGON_USER value.