-
Title
Recommendations on configuring and using LDAP for User Authentication -
Description
Single Sign On enables users who are logged on to the domain to access the SMA (Systems Management Appliance) Administrator Console and User Console without having to re-enter their credentials on the SMA login page. Use, as an recommendation, Active Directory groups to simplify SMA user authentication and administration. Using AD groups will provide a better focus on a specific set of users with their relevant roles or function.
This procedure has been tested with Internet Explorer and Google Chrome. This procedure contains example references (which are displayed in Italic font), which can be altered to reflect the actual Active Directory environment.
-
Resolution
Preparation
This process takes about (or a minimum of) 30 minutes, depending on the amount of groups and users, to finish.
- Create and configure Active Directory groups
- Create GPO to configure Internet Explorer security zone sites
- Create SMA Roles
- Configure Active Directory as the Single Sign On method (page 65 of the Admin Guide)
- Create, enable and/or configure LDAP Authentication
- Testing the User Authentication for Single Sign On (SSO)
Procedure
Create and configure Active Directory groups
The K1000 appliance has, by default, three LDAP Server definitions configured: Administrator Server, Read Only Administrator Server and User Server. The example corporation, called Contoso, has an dedicated Service Desk Staff for which User Authentication needs to be enabled. Create the following AD groups and add the users into these AD groups.
LDAP Server AD Group Administrator Server AdministratorRole Read Only Administrator Server ReadOnlyAdministratorRole User Server UserConsoleRole Service Desk Staff ServiceDeskStaffRole Create GPO to configure Internet Explorer security zone sites
- Create a new GPO, at Domain level, called: IE Security Zone GPO
- Navigate to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page
- Double click on the “Site to Zone Assignment List”
- Check the “Enable” option and click on the “Show...” button
- Type the FQDN URL (e.g., http://k1000.corp.contoso.com) in the Value Name field and the zone number 1, select twice OK to confirm
- Navigate to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page | Intranet Zone
- Double click on the "Logon Options"
- Check the “Enable” option and select the “Automatic logon with current user name and password” from the drop down list, select OK to confirm
- Either reboot the client machine(s) or execute the following command, to enforce the GPO changes: GPUPDATE /FORCE
INTERNET EXPLORER GROUP POLICY ZONE NUMBER MAPPING
Zone Number Zone Name 1 Intranet Zone 2 Trusted Sites Zone 3 Internet Zone 4 Restricted Sites Zone Create SMA Roles
The K1000 appliance has, by default, four system defined roles for user access: Administrator, Read Only Administrator, User Console Only and No Access. Create the following role for the Service Desk Staff, according to the procedure mentioned on page 162 of the Admin Guide (Create a Service Desk staff role).Configure Active Directory as the Single Sign On method
Follow up on the procedure on page 65 of the Admin Guide, to enable Single Sign On.- Go to the appliance Control Panel:
- If the Organization component is not enabled on the appliance, log in to the SMA adminui, http://SMA_hostname/admin, then click Settings.
- If the Organization component is enabled on the appliance, log in to the SMA systemui, http://SMA_hostname/system, or select System in the drop-down list in the top-right corner of the page, then click Settings.
- Click Security Settings to display the Security Settings page.
Create, enable and/or configure LDAP Authentication
Follow up on the procedure on page 123, to configure a new LDAP Server definition with the following search filters.
LDAP Server Name Advanced Search Administrator Server (&(sAMAccountName=KBOX_USER)(memberOf=CN=AdministratorRole,OU=Groups,OU=Department,DC=corp,DC=contoso,DC=com)) Read Only Administrator Server (&(sAMAccountName=KBOX_USER)(memberOf=CN=ReadOnlyAdministratorRole,OU=Groups,OU=Department,DC=corp,DC=contoso,DC=com)) User Server (&(sAMAccountName=KBOX_USER)(memberOf=CN=UserConsoleRole,OU=Groups,OU=Department,DC=corp,DC=contoso,DC=com)) Service Desk Staff (&(sAMAccountName=KBOX_USER)(memberOf=CN=ServiceDeskStaffRole,OU=Groups,OU=Department,DC=corp,DC=contoso,DC=com)) Testing the User Authentication for Single Sign On (SSO)
During the test, it was shown that the Single Sign On only worked when it was first used with Internet Explorer. After that, the Single Sign On worked without any issue with Google Chrome or any other browser.