NT User Database used as a DAF Data Store

For an overview of this feature, please refer to this page.

To configure DAF to use an NT User Database as a DAF User Database:

  • Launch the DAF Configuration Tool
  • As for any other DAF User Database store, enable the DAF protection for a web site via its Filter Properties (HTML Login form, IP Filters...).
  • On the main window of the DAF Configuration Tool,
    expand your [local computer],
    expand [IIS Sites Security Handlers],
    right click on a web site,
    in the contextual menu, choose item [Properties], then [User DB]

Make sure the [Enable session state] option is checked in the User DB properties tab [Session].

Users requesting protected resources are prompted for credentials. They may specify the validating domain in the "User name" field (MYDOMAIN\login).

If no validating NT Domain is provided, the Default NT Domain is used. If an NT Domain is provided, the Default NT Domain is ignored, but the domain provided must be listed in the [Allowed NT Domains] field.

If a remote domain controller has to be queried, the NT account executing the request must be allowed to query that domain controller. The NT account used to execute the query is:
- by default, the identity of the related IIS application pool
- or, the NT account defined in [User DB properties/NT Accounts/Data source Login NT Account]

  • [Default NT Domain]

    This option defines the NT User Database against which web client credentials are verified. It affects the authentication process only if the user did not include an NT Domain in the "User name" field; otherwise it is ignored.

    [Local Computer NT User Database]

    If this option is selected, credentials are checked against the local NT User Database.

    [NT Domain User Database below]

    If this option is selected, credentials are checked against the NT domain User Database specified in the field [NT Domain]. When a default NT domain is defined, a web client may still use a dot (".") to refer to the local user database (i.e. ".\john"), provided "." is listed in [Allowed NT Domains] (see below).

    For example, with "MYDOMAIN1" specified as the NT Domain User Database, if a web client types "john" as his user name, his credentials are validated against the domain controller of MYDOMAIN1; if he types "MYDOMAIN2\john", the Default NT Domain defined here has no effect.

  • [Allowed NT Domains]

    This option defines the list of allowed NT Domains. If an NT domain is provided by the web client, that domain must be found in the list defined here. Use a star ("*") to allow all domains, a dot (".") to allow the local user database, and leave the field empty to refuse all explicitly supplied domains. The default NT domain defined above is always accepted. Note that "*" lets a web client have credentials validated against any domain the server can reach, so an explicit list is preferable whenever the set of trusted domains is known.

    For example, with this Allowed NT Domains string

        - ".",MYDOMAIN1,MYDOMAIN2

    the following user names would be accepted (if the password is valid):

        - ".\john"
        - "MYDOMAIN1\john"
        - "MYDOMAIN2\john"

    and these rejected (even if the password is valid):

        - "MYDOMAIN3\john"

  • [NT Groups mapping]

    When these options are checked, the local and global NT groups to which the user belongs are read as DAF Groups.

  • [NT account mapping]

    When DAF finds the credentials valid, they may or may not be forwarded to NT/IIS.

    [Forward credentials to NT/IIS]

    If this option is enabled, the credentials provided by the web client are forwarded to NT/IIS, and the HTTP request is therefore executed with the rights of that NT account. Every protected request then runs with the full server-side rights of the authenticated account, so those accounts should be kept least-privileged.

    If this option is disabled, the HTTP request is executed with the NT rights of the default mapped NT account defined in tab [NT accounts]. If no default mapped NT account is defined, the HTTP request is executed with the NT rights of the default IIS anonymous account (IUSR_XXXX).
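The domain resolution rule described under [Default NT Domain] and [Allowed NT Domains] above, written out as an added example in Python. This is not DAF's own code (DAF performs the check inside the filter); it only decides which NT user database a "User name" value would be validated against and whether the supplied domain is allowed, without checking any password or contacting a domain controller. It assumes the [Allowed NT Domains] string is comma-separated with optional double quotes around entries (as in the example string above) and that NT domain names compare case-insensitively; the function names are hypothetical.

```python
from typing import Optional, Tuple

# Added example, not DAF's own code. Models only the domain-resolution and
# allow-list decision; no password check, no domain controller query.
# Assumed: [Allowed NT Domains] is comma-separated with optional double
# quotes around entries, and NT domain names compare case-insensitively.

LOCAL_DB = "."        # refers to the local computer's NT user database
ALLOW_ALL = "*"       # wildcard entry in [Allowed NT Domains]


def parse_allowed_domains(setting: str) -> set:
    """Parse the [Allowed NT Domains] field into a set of upper-cased entries.
    An empty field yields an empty set: every explicitly supplied domain
    other than the default domain is then refused."""
    entries = set()
    for item in setting.split(","):
        item = item.strip().strip('"').strip()   # assumed quoting syntax
        if item:
            entries.add(item.upper())
    return entries


def split_user_name(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\login' into (DOMAIN, login); a bare 'login' has no domain."""
    if "\\" in user_name:
        domain, login = user_name.split("\\", 1)
        return domain, login
    return None, user_name


def resolve_domain(user_name: str, default_domain: str, allowed_setting: str) -> Tuple[str, str]:
    """Return (domain_to_validate_against, login) for a 'User name' value,
    or raise ValueError if the domain check would refuse it.

    default_domain is "." for [Local Computer NT User Database] or the name
    entered under [NT Domain User Database below]."""
    domain, login = split_user_name(user_name)
    if not login:
        raise ValueError("empty login")
    if domain is None:
        # No domain supplied: the Default NT Domain applies and is always accepted.
        return default_domain, login
    if not domain:
        raise ValueError("empty domain prefix")   # assumed: '\\john' is malformed
    # A domain was supplied: the default no longer selects the database, but
    # the supplied domain must be the default (always accepted) or be listed.
    if domain.upper() == default_domain.upper():
        return domain, login
    allowed = parse_allowed_domains(allowed_setting)
    if ALLOW_ALL in allowed or domain.upper() in allowed:
        return domain, login
    raise ValueError(f"domain {domain!r} is not in [Allowed NT Domains]")


def is_accepted(user_name: str, default_domain: str, allowed_setting: str) -> bool:
    """True if the user name passes the domain check (password not considered)."""
    try:
        resolve_domain(user_name, default_domain, allowed_setting)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's example: default MYDOMAIN1, allowed list ".",MYDOMAIN1,MYDOMAIN2
    allowed = '".",MYDOMAIN1,MYDOMAIN2'
    for name in ["john", ".\\john", "MYDOMAIN1\\john", "MYDOMAIN2\\john", "MYDOMAIN3\\john"]:
        try:
            print(name, "->", resolve_domain(name, "MYDOMAIN1", allowed))
        except ValueError as err:
            print(name, "-> refused:", err)
```

Running the block reproduces the page's example: "john" resolves to MYDOMAIN1 through the default, ".\john", "MYDOMAIN1\john" and "MYDOMAIN2\john" are accepted, and "MYDOMAIN3\john" is refused. With an empty allow list only bare logins and "DEFAULT\login" get through, and with "*" any supplied domain does.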