NT Gatekeeper: Accepting NTLM-Based Authentication for Telnet Servers

Q: The Telnet server that ships with Windows Services for UNIX (SFU) 2.0 supports two authentication methods: One method sends plaintext user IDs and passwords to the Telnet server; the more secure method is based on the Windows NT LAN Manager (NTLM) challenge-response authentication protocol. Can I force my NT 4.0 Telnet servers to accept only NTLM-based authentication and reject any Telnet client attempts to authenticate through the insecure plaintext method?

You can set the Windows SFU 2.0 Telnet server's authentication options from the Microsoft Management Console (MMC) Services for UNIX Administration snap-in or by executing the tnadmin.exe command from the command prompt. In the Services For UNIX Administration console, click the Authentication tab, select the NTLM authentication check box, and clear the Plaintext Authentication check box, as Figure 1 shows. Click Apply.

To set NTLM authentication and disable plaintext authentication from the command prompt, type

tnadmin \servername config  sec=+ntlm-passwd

where servername is the Telnet server name. The +ntlm switch enables the NTLM authentication protocol, and the -passwd switch disables the plaintext authentication option. To make sure that the authentication changes are applied, double-check the Telnet server's configuration options by typing

tnadmin

at the command prompt. If your server is configured properly, NTLM should appear in the Authentication Mechanism configuration entry, as Figure 2 shows.

To use the NTLM authentication protocol from the Telnet client, use the Telnet client that comes with Windows SFU 2.0. The default Telnet client that ships with NT 4.0 doesn't support NTLM authentication. To configure your Telnet client to use only NTLM authentication, type

set ntlm

and press Enter. If you've installed the correct Telnet client, you'll receive the message Will auth(ntlm Authentication). From that moment on, users who are authenticated to the Telnet server that's part of the Windows domain won't be prompted for credentials; they'll automatically be logged on to the Telnet server with the credentials from their Windows logon sessions.

Using NTLM to log on to a Telnet server will fail if the NT user account has the User Must Change Password at Next Log On option selected. The user must first log on to Windows, change his or her password, then log on to the Telnet server. Because the NTLM authentication protocol doesn't support credential forwarding, Telnet users can't authenticate to another resource server from the Telnet session without providing their user IDs and passwords again.