NTLM v2 Single Signon Authentication


The MailArchiva console supports single-sign-on authentication with Windows using NTLM authentication. With NTLM SSO authentication enabled, there is no need for a user to manually log in to MailArchiva. Users will be logged to the MailArchiva console automatically using their Windows credentials.


Before enabling NTLM authentication, ensure that standard AD authentication (without NTLM authentication) is working correctly.

There are a few necessary measures to ensure the correct functioning of the NTLM authentication feature:

1. Enable NTLM SSO authentication in Configuration->Logins.

2. There must be a matching role assignment in MailArchiva for each Windows domain user where access to MailArchiva is intended.

3. From the connecting user’s client computer, the MailArchiva server must be addressable by fully qualified domain name (FQDN) (e.g. mailarchiva.smallbusiness.local).

4. The address containing the FQDN of the MailArchiva server must be added as a trusted site in Internet Explorer’s Local Intranet security zone.

To do this, click Tools->Internet Options->Security->Local Intranet->Sites->Advanced. Type in the address of the MailArchiva server (e.g. http://mailarchiva.smallbusiness.local).


Do not use the IP address of the server – it will not work!


For test purposes, the MailArchiva server’s FQDN can be added to the hosts file of the client computer. Provided that all four of the above conditions are met, users will be logged in automatically when entering the MailArchiva console URL.

When NTLM authentication is enabled, to explicitly log in as the master user or another user, it is necessary to specify the URL equivalent of http://mailarchiva.smallbusiness.local/signonform.do

The easiest way to implement NTLM authentication on every workstation in the company is by adding the fully qualified domain name of the MailArchiva server to the following registry key in Microsoft’s Group Policy Editor:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
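The following PowerShell script is an added example, not MailArchiva’s own code or the exact Group Policy setting, showing what the Local Intranet zone mapping for the MailArchiva FQDN looks like when written directly under the registry key above for the current user. It assumes the example FQDN from this article (mailarchiva.smallbusiness.local) and the standard ZoneMap layout, where the domain is a key, the host is a subkey, and a DWORD named after the scheme holds the zone id (1 = Local Intranet). It also refuses an IP address, because the article states that IP addresses will not work, and checks that the name resolves from the client (step 3).

```powershell
# Added example (not MailArchiva's code): map the MailArchiva FQDN into the
# Local Intranet zone for the current user so the browser sends NTLM credentials.
# Assumptions: the FQDN below is the article's example name; ZoneMap layout is
# Domains\<domain>\<host> with DWORD '<scheme>' = zone id; zone id 1 = Local Intranet.
param(
    [string]$Fqdn   = 'mailarchiva.smallbusiness.local',
    [string]$Scheme = 'http'
)

# The article is explicit: the server's IP address will not work for NTLM SSO.
if ([System.Net.IPAddress]::TryParse($Fqdn, [ref]$null)) {
    throw "Use the server's fully qualified domain name, not its IP address ($Fqdn)."
}

# Require at least one dot so a bare hostname is not registered by mistake.
if ($Fqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "'$Fqdn' does not look like a fully qualified domain name."
}

# Split 'mailarchiva.smallbusiness.local' into host 'mailarchiva' and
# domain 'smallbusiness.local'; the domain becomes the key, the host the subkey.
$hostLabel, $domainLabels = $Fqdn.Split('.')
$domain = $domainLabels -join '.'

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$key = Join-Path (Join-Path $zoneMap $domain) $hostLabel

# Zone ids: 0 = My Computer, 1 = Local Intranet, 2 = Trusted Sites,
# 3 = Internet, 4 = Restricted Sites. Only Local Intranet triggers automatic NTLM.
$LocalIntranet = 1

New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name $Scheme -Value $LocalIntranet -PropertyType DWord -Force | Out-Null

# Verify the mapping was actually written.
$written = (Get-ItemProperty -Path $key).$Scheme
if ($written -ne $LocalIntranet) {
    throw "Zone mapping for $Fqdn ($Scheme) was not written."
}

# Step 3 of the article: the FQDN must resolve from this client (DNS or hosts file).
try {
    $resolved = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    Write-Host "$Fqdn resolves to $($resolved.IPAddress -join ', '); Local Intranet mapping set for $Scheme."
} catch {
    Write-Warning "$Fqdn does not resolve from this client; add it to DNS or to the hosts file before testing SSO."
}
```

Run it in the user’s own session, since the key lives under HKEY_CURRENT_USER; for a company-wide rollout the Group Policy approach described above is the way to push the same mapping to every workstation. If the server is reached over HTTPS, pass -Scheme https so the DWORD matches the scheme the browser actually uses.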


5. Server Restart Required: After enabling NTLM in Configuration->Logins, the MailArchiva Server Service must be restarted for the change to take effect.


6. To access the search interface and experience SSO, open the browser and enter the equivalent of http://mailarchiva.smallbusiness.local/outlook.do (note that outlook.do is required; in future versions SSO will also be applied to \).

If after completing the above steps, NTLM SSO authentication fails to work, please refer to NTLM Troubleshooting Steps.

© 2005 - 2024 ProProfs
