adclient.ntlm.domains

This configuration parameter lets you manually map Active Directory domain names to the NTLM domain names that adclient should use for them. It is useful when you must fall back to NTLM authentication because firewalls block Kerberos authentication, and those same firewall constraints also prevent adclient from automatically discovering how Active Directory domains map to NTLM domains.

You can specify the parameter's value either as one or more domain name pairs, each written as ActiveDirectory_DomainName:NTLM_DomainName with a colon (:) between the two names and a space between pairs, or with the file: keyword followed by a file location. For example, to specify the list of domain name pairs inline:

adclient.ntlm.domains: AJAX.ORG:AJAX FIREFLY.COM:FIREFLY

To specify a file that contains the list, with one colon-separated ActiveDirectory_DomainName:NTLM_DomainName pair per line, set the parameter value using the file: keyword and the file location:

adclient.ntlm.domains: file:/etc/centrifydc/domains.conf

Keep in mind that you must define the mapping from Active Directory domains to NTLM domains manually. If you define this information in a separate file, such as domains.conf, the file should consist of one entry per line, similar to the following:

AJAX.ORG:AJAX
FIREFLY.COM:FIREFLY
HR1.FIREFLY.COM:HR1

After you have defined the mapping of Active Directory domains to NTLM domains, use the pam.ntlm.auth.domains parameter to specify the list of domains that should use NTLM authentication instead of Kerberos authentication. For more information about defining the domains that should use NTLM authentication, see pam.ntlm.auth.domains.
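The following script is an added example, not Centrify or Delinea code. It parses both value forms described above (the inline space-separated list of AD:NTLM pairs, and the file: form with one pair per line) into a mapping, and then checks for the mistakes that adclient would otherwise surface only as failed NTLM logons: a malformed pair, one AD domain mapped to two NTLM names, two AD domains sharing one NTLM name (which makes DOMAIN\user ambiguous), an NTLM name that looks like a DNS name rather than a NetBIOS name, and a domain you intend to list in pam.ntlm.auth.domains that has no mapping at all. The sample domains.conf content is constructed from the entries shown above. Two things are assumptions of this example rather than documented behaviour: that blank lines and lines beginning with # in the mapping file are ignored, and that pam.ntlm.auth.domains holds Active Directory domain names.

```python
"""Parse and sanity-check an adclient.ntlm.domains value (added example)."""
import os
import tempfile

# Constructed sample mapping file, in the one-pair-per-line form the
# documentation shows for domains.conf.
SAMPLE_DOMAINS_CONF = """\
AJAX.ORG:AJAX
FIREFLY.COM:FIREFLY
HR1.FIREFLY.COM:HR1
"""


def parse_pair(token):
    """Split one 'AD_DOMAIN:NTLM_DOMAIN' token. Both names are upper-cased
    because AD DNS names and NetBIOS names are case-insensitive."""
    parts = token.split(":")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed pair %r (expected AD_DOMAIN:NTLM_DOMAIN)" % token)
    return parts[0].upper(), parts[1].upper()


def parse_inline(value):
    """Inline form: pairs separated by whitespace,
    e.g. 'AJAX.ORG:AJAX FIREFLY.COM:FIREFLY'."""
    return [parse_pair(tok) for tok in value.split()]


def parse_file(path):
    """File form: one pair per line. Skipping blank lines and '#' comment
    lines is an assumption of this example, not documented behaviour."""
    pairs = []
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                pairs.append(parse_pair(line))
            except ValueError as exc:
                raise ValueError("%s:%d: %s" % (path, lineno, exc))
    return pairs


def load_mapping(value):
    """Resolve an adclient.ntlm.domains value to an {AD domain: NTLM domain}
    dict. The 'file:' prefix selects the file form; anything else is inline.
    An AD domain mapped to two different NTLM names is rejected outright."""
    if value.startswith("file:"):
        pairs = parse_file(value[len("file:"):])
    else:
        pairs = parse_inline(value)
    mapping = {}
    for ad, ntlm in pairs:
        if ad in mapping and mapping[ad] != ntlm:
            raise ValueError("%s mapped to both %s and %s" % (ad, mapping[ad], ntlm))
        mapping[ad] = ntlm
    return mapping


def check_mapping(mapping, ntlm_auth_domains=()):
    """Return a list of warnings for mistakes the daemon would only surface
    as NTLM logon failures. ntlm_auth_domains is the list of AD domains you
    intend to put in pam.ntlm.auth.domains (assumed to be AD domain names)."""
    warnings = []
    reverse = {}
    for ad, ntlm in mapping.items():
        # NTLM domain names are NetBIOS names: no dots, at most 15 characters.
        if "." in ntlm:
            warnings.append("%s: NTLM name %r looks like a DNS name, not a NetBIOS name" % (ad, ntlm))
        if len(ntlm) > 15:
            warnings.append("%s: NTLM name %r exceeds the 15-character NetBIOS limit" % (ad, ntlm))
        # Two AD domains sharing one NTLM name make DOMAIN\user ambiguous.
        if ntlm in reverse:
            warnings.append("NTLM name %s used for both %s and %s" % (ntlm, reverse[ntlm], ad))
        reverse.setdefault(ntlm, ad)
    for ad in ntlm_auth_domains:
        if ad.upper() not in mapping:
            warnings.append("%s is in pam.ntlm.auth.domains but has no NTLM mapping" % ad)
    return warnings


def write_sample_file():
    """Write the constructed sample domains.conf to a temp file, return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_DOMAINS_CONF)
    return path


if __name__ == "__main__":
    path = write_sample_file()
    mapping = load_mapping("file:" + path)
    print(mapping)
    # NEW.FIREFLY.COM is deliberately left out of the sample file to show the check.
    for w in check_mapping(mapping, ["AJAX.ORG", "FIREFLY.COM", "NEW.FIREFLY.COM"]):
        print("warning:", w)
    os.unlink(path)
```

Run it against your real file by replacing the temp path with /etc/centrifydc/domains.conf before committing the change and restarting adclient; the warnings are the cases that would otherwise appear only as users in those domains being unable to log on.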

Alternatively, you can set the group policy, Computer Configuration > Delinea Settings > DirectControl Settings > Network and Cache Settings > Specify AD to NTLM domain mappings.