User Guide P 501/502

Windows Authentication

Windows authentication is available only when the optional hard disk is installed.

Specify this authentication when using the Windows domain controller to authenticate users who have their accounts on the directory server. Users cannot be authenticated if they do not have their accounts in the directory server. Under Windows authentication, you can specify the access limit for each group registered in the directory server. The Address Book stored in the directory server can be registered to the machine, enabling user authentication without first using the machine to register individual settings in the Address Book.

The first time you access the machine, you can use the functions available to your group. If you are not registered in a group, you can use the functions available under "*Default Group". To restrict functions so that they are available only to certain users, first make settings in the Address Book.

To automatically register user information under Windows authentication, it is recommended to encrypt communication between the machine and domain controller by using SSL. To do this, you must create a server certificate for the domain controller. For details about creating a server certificate, see Creating the Server Certificate.

Important

  • If you use Windows authentication, user information registered in the directory server, such as the login user name, is automatically registered in the machine's address book. Even if the user information automatically registered in the machine's address book is edited on the machine, it is overwritten by the information from the directory server when authentication is performed.

  • Users managed in other domains are subject to user authentication, but they cannot obtain items such as the login user name.

  • If you created a new user in the domain controller and selected "User must change password at next logon" at password configuration, first log on to the computer and change the password.

  • If the authenticating server only supports NTLM when Kerberos authentication is selected on the machine, the authentication method will automatically switch to NTLM.

  • If the "Guest" account on the Windows server is enabled, users not registered in the domain controller can be authenticated. When this account is enabled, users are registered in the Address Book and can use the functions available under "*Default Group".

Windows authentication can be performed using one of two authentication methods: NTLM or Kerberos authentication. The operational requirements for both methods are listed below:

Operational requirements for NTLM authentication

To specify NTLM authentication, the following requirements must be met:

  • This machine supports NTLMv1 authentication and NTLMv2 authentication.

  • Set up a domain controller in the domain you want to use.

  • This function is supported by the operating systems listed below. To obtain user information when Active Directory is running, use LDAP. If you are using LDAP, we recommend you use SSL to encrypt communication between the machine and the LDAP server. SSL encryption is possible only if the LDAP server supports TLSv1 or SSLv3.

    • Windows Server 2008/2008 R2

    • Windows Server 2012/2012 R2

    • Windows Server 2016

    • Windows Server 2019

Operational requirements for Kerberos authentication

To specify Kerberos authentication, the following requirements must be met:

  • Set up a domain controller in the domain you want to use.

  • The operating system must support KDC (Key Distribution Center). To obtain user information when Active Directory is running, use LDAP. If you are using LDAP, we recommend you use SSL to encrypt communication between the machine and the LDAP server. SSL encryption is possible only if the LDAP server supports TLSv1 or SSLv3. Compatible operating systems are listed below:

    • Windows Server 2008/2008 R2

    • Windows Server 2012/2012 R2

    • Windows Server 2016

    • Windows Server 2019

    To use Kerberos authentication under Windows Server 2008, install Service Pack 2 or later.

  • Data transmission between the machine and the KDC server is encrypted if Kerberos authentication is enabled. For details about specifying encrypted transmission, see Kerberos Authentication Encryption Setting.

Note

  • For the characters that can be used for login user names and passwords, see Usable characters for user names and passwords.

  • When accessing the machine subsequently, you can use all the functions available to your group and to you as an individual user.

  • Users who are registered in multiple groups can use all functions available to those groups.

  • Under Windows Authentication, you do not need to create a server certificate unless you want to automatically register user information such as user names using SSL.
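
The automatic switch to NTLM, the NTLMv1 support and the "Guest" account behavior described above can be checked on the domain controller side. The following is an added example, not part of this guide or of the product: it reads logon events (event ID 4624) exported as XML from the domain controller's Security log and reports logons that came from the machine using NTLM, NTLMv1, or the Guest account. It assumes the machine is set to Kerberos and that its logons are recorded as 4624 events; the IP address, user names and sample events are constructed.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
MACHINE_IP = "192.0.2.50"  # assumption: the machine's address (documentation range)

def _event(user, sid, package, lm_package, ip):
    """Build one constructed 4624 event in the layout of an exported Security log."""
    fields = {"TargetUserName": user, "TargetUserSid": sid,
              "AuthenticationPackageName": package,
              "LmPackageName": lm_package, "IpAddress": ip}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample input, not real log data.
SAMPLE = "<Events>" + "".join([
    _event("alice", "S-1-5-21-1-2-3-1104", "Kerberos", "-", MACHINE_IP),
    _event("bob", "S-1-5-21-1-2-3-1105", "NTLM", "NTLM V2", MACHINE_IP),
    _event("carol", "S-1-5-21-1-2-3-1106", "NTLM", "NTLM V1", MACHINE_IP),
    _event("Guest", "S-1-5-21-1-2-3-501", "NTLM", "NTLM V2", MACHINE_IP),
    _event("dave", "S-1-5-21-1-2-3-1107", "NTLM", "NTLM V1", "192.0.2.99"),
]) + "</Events>"

def audit_logons(xml_text, machine_ip=MACHINE_IP):
    """Return (user, finding) pairs for logons that originated from the machine."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        f = {d.get("Name"): (d.text or "")
             for d in ev.iterfind("e:EventData/e:Data", NS)}
        if f.get("IpAddress") != machine_ip:
            continue  # logon did not come from the machine
        user = f.get("TargetUserName", "")
        if f.get("AuthenticationPackageName") == "NTLM":
            # With Kerberos selected on the machine, NTLM means the switch occurred.
            v1 = f.get("LmPackageName") == "NTLM V1"
            findings.append((user, "ntlmv1" if v1 else "ntlm-fallback"))
        if f.get("TargetUserSid", "").endswith("-501"):
            # RID 501 is the well-known Guest account, even if it was renamed.
            findings.append((user, "guest-account"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_logons(SAMPLE):
        print(f"{finding:14} {user}")
```
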