Is there a way to tell the client to use a specific domain for NTLM authentication?
Background: I now have a working rule set with Kerberos, fallback to NTLM (for non-domain-members) and fallback to local user database.
When a client falls back to NTLM authentication and asks for username and password, a domain is pre-set to the client's computer name. If I just provide username and password, authentication fails. It only succeeds if I provide DOMAIN\username and password.
I would like the domain to default to the correct name. Under "NTLM specific parameters" is a field "Default NTLM domain", but that doesn't do what I hoped for.
I don't believe this is possible. Effectively it would mean the MWG is modifying the realm information given by the client (in the NTLM messages). I don't believe MWG can do this.
The default domain field will only be used if the domain sent in the NTLM messages is empty (IE will use the hostname of the system if not joined to a domain, FF will not send one).
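The rule described in the reply above, as an added example that is not part of the thread and is not MWG's code: it reads the domain field from an NTLM AUTHENTICATE (type 3) message and applies a default only when that field is empty. The function names and the sample values LAPTOP01, CORP and alice are constructed for illustration.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag
HEADER_LEN = 64                 # signature + type + 6 field descriptors + flags

def _field(msg, pos):
    # Field descriptor: length (2), max length (2), payload offset (4), little-endian
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg):
    """Return (domain, user, workstation) from an NTLM type 3 message."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    # Descriptors: LM resp @12, NT resp @20, domain @28, user @36, workstation @44
    return tuple(_field(msg, pos).decode(enc) for pos in (28, 36, 44))

def effective_domain(msg, default_domain):
    """Use the default only if the client sent an empty domain."""
    domain, user, _workstation = parse_authenticate(msg)
    return (domain or default_domain), user

def build_sample(domain, user, workstation):
    # Constructed test message: empty LM/NT responses and session key
    values = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    descriptors, payload = b"", b""
    for v in values:
        descriptors += struct.pack("<HHI", len(v), len(v), HEADER_LEN + len(payload))
        payload += v
    return (NTLMSSP_SIG + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NEGOTIATE_UNICODE) + payload)

if __name__ == "__main__":
    samples = {
        "hostname sent as domain (non-domain-joined IE)": build_sample("LAPTOP01", "alice", "LAPTOP01"),
        "empty domain (Firefox)": build_sample("", "alice", "LAPTOP01"),
        "user typed CORP\\alice": build_sample("CORP", "alice", "LAPTOP01"),
    }
    for label, msg in samples.items():
        print(label, "->", effective_domain(msg, default_domain="CORP"))
```

Only the empty-domain case picks up the default; when the client fills the field with its own hostname, the proxy sees a non-empty domain and authenticates against that name.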