
The NT login authority

Overview

The NT login authority allows users to log in to Secure Global Desktop if they belong to a specified Windows domain.

This login authority is disabled by default.

Logging in

The user types either a common name (for example "Indigo Jones"), a username (for example "indigo") or an email address (for example "indigo@indigo-insurance.com").

Authentication

  1. This login authority searches ENS for a person object with a Name attribute matching what the user typed. If there's no match, the search is repeated on the Username attribute, and finally on the Email Address attribute.
  2. If a person object is found, the Username attribute of the object is treated as the NT username.
  3. If no person object is found, the name the user typed is used as the NT username.
  4. The NT username and the password typed by the user are checked against the domain controller.
  5. If the authentication fails, the next login authority is tried.
  6. If the authentication succeeds, the user may log in unless:

User identity

If a person object was found in ENS, that object is used as the identity.

If no person object was found in ENS, the identity is .../_service/sco/tta/ntauth/NT-username.

Login profile

If a person object was found in ENS, that object is used as the login profile.

If no person object was found in ENS, the profile object o=Tarantella System Objects/cn=NT User Profile is used.
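The lookup and fallback rules from the Authentication, User identity and Login profile sections, modelled as an added Python example (not Secure Global Desktop code). The ENS entries, the `check_domain` stand-in for the domain controller and the exact-match comparison are assumptions, and the conditions that step 6 refers to are not modelled.

```python
# Model of the NT login authority's lookup order (added example, not product code).
DEFAULT_PROFILE = "o=Tarantella System Objects/cn=NT User Profile"
IDENTITY_PREFIX = ".../_service/sco/tta/ntauth/"  # prefix exactly as the page gives it

# Constructed ENS person objects; the dict keys are assumptions for this model.
ENS = [
    {"dn": "o=Indigo Insurance/cn=Indigo Jones", "name": "Indigo Jones",
     "username": "indigo", "email": "indigo@indigo-insurance.com"},
    # Name collides with the Username of the entry above.
    {"dn": "o=Indigo Insurance/cn=indigo", "name": "indigo",
     "username": "svc-admin", "email": "admin@indigo-insurance.com"},
]
# Constructed stand-in for the domain controller's credential check.
DOMAIN = {"indigo": "pw-one", "svc-admin": "pw-two", "emma": "pw-three"}


def check_domain(nt_username, password):
    return DOMAIN.get(nt_username) == password


def find_person(typed, ens):
    """Step 1: search Name, then Username, then Email Address."""
    for attr in ("name", "username", "email"):
        for person in ens:
            if person[attr] == typed:  # exact match is an assumption
                return person, attr
    return None, None


def nt_login(typed, password, ens=ENS, check=check_domain):
    """Return the resolved login, or None so the next login authority is tried."""
    person, matched_on = find_person(typed, ens)
    nt_username = person["username"] if person else typed  # steps 2 and 3
    if not check(nt_username, password):                   # steps 4 and 5
        return None
    if person:  # the person object is both identity and login profile
        identity = profile = person["dn"]
    else:       # no person object: generated identity, shared default profile
        identity, profile = IDENTITY_PREFIX + nt_username, DEFAULT_PROFILE
    return {"nt_username": nt_username, "matched_on": matched_on,
            "identity": identity, "profile": profile}


if __name__ == "__main__":
    for typed, pw in [("Indigo Jones", "pw-one"), ("indigo", "pw-one"),
                      ("indigo", "pw-two"), ("emma", "pw-three")]:
        print(typed, "->", nt_login(typed, pw))
```

Because Name is searched before Username, typing "indigo" resolves to the second constructed entry and its NT username, so ENS is worth reviewing for Name values that equal another person's Username or Email Address.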

Emulator sessions and password cache entries

Emulator sessions and password cache entries belong to the NT user.
