Specify AD to NTLM Domain Mappings

Use the Specify AD to NTLM domain mappings group policy to manually map Active Directory domain names to NTLM domains. This parameter is useful when you need to use NTLM authentication and:

  • firewalls prevent Kerberos authentication
  • firewall constraints prevent the automatic discovery of Active Directory to NTLM domain mapping

To set this group policy, select Computer Configuration > Delinea Settings > DirectControl Settings > Network and Cache Settings > Specify AD to NTLM domain mappings.

Provide the following information for the group policy:

  • One or more pairs, each consisting of an Active Directory domain name and an NTLM domain name.

  • Optionally, provide a file with a list of AD to NTLM domain name pairs. Include the file location. Use separate lines for each pair in the file. For example:

    AJAX.ORG:AJAX
    FIREFLY.COM:FIREFLY
    HR1.FIREFLY.COM:HR1
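One way to lint a mapping file in the format described above before referencing it from the policy. This is an added example, not Delinea code; the function name `check_mappings`, the blank-line handling, and the dot heuristic for the NTLM column are assumptions.

```python
import re

# Assumed shape of one mapping line: <AD DNS domain>:<NTLM (NetBIOS) domain>
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
NETBIOS_MAX = 15  # NetBIOS domain names are limited to 15 characters


def check_mappings(text):
    """Return (mappings, problems) for the contents of a mapping file."""
    mappings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        parts = line.split(":")
        if len(parts) != 2:
            problems.append((lineno, "expected exactly one ':' (one pair per line)"))
            continue
        ad, ntlm = (p.strip() for p in parts)
        if not all(DNS_LABEL.match(label) for label in ad.split(".")):
            problems.append((lineno, f"'{ad}' is not a DNS-style AD domain name"))
            continue
        # Heuristic (assumption): a dot in the NTLM column usually means a
        # DNS name was entered there, or the two columns were swapped.
        if not ntlm or len(ntlm) > NETBIOS_MAX or "." in ntlm:
            problems.append((lineno, f"'{ntlm}' does not look like an NTLM domain name"))
            continue
        key = ad.upper()  # domain names compare case-insensitively
        if key in mappings and mappings[key] != ntlm.upper():
            problems.append((lineno, f"'{ad}' is already mapped to '{mappings[key]}'"))
            continue
        mappings[key] = ntlm.upper()
    return mappings, problems


# Constructed sample: line 1 has two pairs run together on one line,
# line 4 maps an already-mapped AD domain to a different NTLM name.
SAMPLE = """\
AJAX.ORG:AJAXFIREFLY.COM:FIREFLY
FIREFLY.COM:FIREFLY
HR1.FIREFLY.COM:HR1
firefly.com:FFLY
"""

if __name__ == "__main__":
    good, bad = check_mappings(SAMPLE)
    for ad, ntlm in good.items():
        print(f"ok      {ad} -> {ntlm}")
    for lineno, why in bad:
        print(f"line {lineno}: {why}")
```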

After you define the mapping of Active Directory domains to NTLM domains, you can specify the list of domains that use NTLM authentication instead of Kerberos authentication. Use either the Specify NTLM authentication domains group policy or the pam.ntlm.auth.domains configuration parameter.

As an alternative to using the Specify AD to NTLM domain mappings group policy, you can use the adclient.ntlm.domains configuration parameter.