MailEnable Enterprise Guide
    Overview of NTLM authentication

    When MailEnable is configured to provide NTLM authentication, mail users with Outlook or Outlook Express will be able to select the option to use Secure Password Authentication when authenticating against the MailEnable Server. This provides a higher level of password encryption when clients authenticate.

    NTLM is an authentication protocol used primarily by Microsoft applications to authenticate securely over a network. MailEnable provides NTLM support for the IMAP, POP and SMTP services, allowing NTLM-capable mail clients to negotiate credentials securely when authenticating.

    Microsoft Outlook and Outlook Express refer to the NTLM protocol as “Secure Password Authentication”. Generally speaking, unless the backend mail server can negotiate NTLM authentication, it is not possible to use the Secure Password Authentication feature of the mail client.

    When the Secure Password Authentication feature is enabled within the mail client, the mail client encrypts and sends the currently logged-in Windows username to the MailEnable server. The MailEnable server then looks up the user and verifies that they exist and, if so, sends down an encrypted password hash that the client can use to validate the password for that user.

    This authentication mechanism is well suited to environments where single sign-on is required or desirable. Using NTLM, once the user has logged in to Windows, they do not necessarily need to specify or configure the mail client with a designated username or password.

    If the username of the currently logged-in user cannot be validated against MailEnable, most mail clients will then fall back to any credentials that have been associated with the account.

    NTLM can be enabled or disabled at the service level. No other parameters need to be configured beyond whether it is enabled for the service or not.



    Enable NTLMv1

    If this feature is enabled, secure authentication between the server and a supporting client is enabled. This allows the server to accept requests from the client to use secure transmissions for the authentication method. The client also has to be configured to use this secure authentication; in Outlook, for example, the feature is called SPA (Secure Password Authentication).
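    To confirm that enabling the setting actually took effect on each service, the following added check (example code, not MailEnable's own) inspects the capability advertisements of the SMTP, IMAP and POP services. It assumes the standard advertisement forms (SMTP "250-AUTH LOGIN NTLM", IMAP "AUTH=NTLM", POP3 "SASL LOGIN NTLM"), uses placeholder host and port values, and never authenticates.

```python
"""Check which mail services advertise NTLM, i.e. Outlook's "Secure Password
Authentication". Added example, not MailEnable code; it reads capability
advertisements only and never authenticates. Assumed wire forms are the
standard ones: SMTP "250-AUTH LOGIN NTLM", IMAP "AUTH=NTLM" in CAPABILITY,
POP3 "SASL LOGIN NTLM" in the CAPA reply (RFC 2449)."""
import imaplib
import poplib
import smtplib


def advertises_ntlm(service: str, response: str) -> bool:
    """service is "smtp", "imap" or "pop"; response is the raw reply text."""
    for line in response.upper().splitlines():
        words = line.split()
        if service == "smtp" and line[:4] in ("250-", "250 "):
            # Some servers use the old "AUTH=LOGIN NTLM" form; normalise it.
            words = line[4:].replace("AUTH=", "AUTH ").split()
            if words[:1] == ["AUTH"] and "NTLM" in words[1:]:
                return True
        elif service == "imap" and words[:2] == ["*", "CAPABILITY"]:
            if "AUTH=NTLM" in words[2:]:
                return True
        elif service == "pop" and words[:1] == ["SASL"]:
            if "NTLM" in words[1:]:
                return True
    return False


def check_server(host, smtp_port=25, imap_port=143, pop_port=110):
    """Probe a live server (placeholder host/ports) with stdlib clients."""
    result = {}
    with smtplib.SMTP(host, smtp_port, timeout=10) as smtp:
        smtp.ehlo()
        auth = smtp.esmtp_features.get("auth", "").upper().split()
        result["smtp"] = "NTLM" in auth
    imap = imaplib.IMAP4(host, imap_port, timeout=10)
    result["imap"] = "AUTH=NTLM" in imap.capabilities
    imap.logout()
    pop = poplib.POP3(host, pop_port, timeout=10)
    result["pop"] = "NTLM" in [a.upper() for a in pop.capa().get("SASL", [])]
    pop.quit()
    return result


# Constructed sample replies from a server with NTLM enabled (not captured).
SMTP_EHLO = "250-mail.example.invalid Hello\r\n250-AUTH LOGIN NTLM\r\n250 OK\r\n"
IMAP_CAPABILITY = "* CAPABILITY IMAP4rev1 AUTH=LOGIN AUTH=NTLM\r\nA1 OK done\r\n"
POP_CAPA = "+OK\r\nUSER\r\nSASL LOGIN NTLM\r\n.\r\n"
```

    Running check_server("mail.example.invalid") against a real host returns a dictionary with one boolean per service, so a service left disabled in the console shows up as False.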

    Configuring NTLM on the mail client

    The Secure Password Authentication (SPA) feature in Outlook/Outlook Express is found under Tools > Accounts menu option when either creating or editing an email account.

    Figure 14‑1 Secure Password Authentication in Outlook