How the NTLM authentication protocol works

When a user attempts to log in to the system with domain credentials, the following authentication algorithm is performed:

1.   A user authentication check within the domain is performed.

2.   If the domain username and password are stored in a cookie, they are retrieved from it. Otherwise, a browser window prompts the user to enter their credentials.

The remaining steps depend on whether the user is synchronized with the LDAP directory.

a.   If the user is not synchronized with LDAP:

   The user is authenticated by comparing the username and password from the cookie with the credentials of the corresponding bpm’online account. Therefore, to enable NTLM authentication for users who are not synchronized with LDAP, their bpm’online username and password must be the same as the ones used in the domain.

   If the data matches and the user account is licensed, the user is authorized.

b.   If the user is synchronized with LDAP:

   The browser sends a request to the Active Directory service to authenticate the user.

   The query returns the credentials of the current domain user, which are compared with the username and password stored in the cookie.

   If the data matches and the user account is licensed, the user is authorized.

Note

Users are authenticated either as users of the main application or as self-service portal users. You can set the order in which these checks are performed in the Web.config file of the loader application.

See also

   Authentication using the NTLM protocol

   How to set up authentication using the NTLM protocol

   How to log in to the system using the configured NTLM authentication protocol