立即与支持人员聊天
与支持团队交流

Change Auditor 7.4 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Introduction

The following section provides information on configuring and maintaining certificate authentication between the client and coordinator in environments where NTLM restrictions are in place.

* 
NOTE:  
When using certificate authentication for client / coordinator authentication, the option to use Active Directory Client Certificate Authentication for the client in the Client Authentication page is not available.
For information on connecting to a coordinator with certificate authentication using PowerShell refer to the Connect-CAClient, Find-CASuitableCoordinator, and Install-CALicenses commands in the Change Auditor PowerShell User Guide.

Installation settings

The default Change Auditor installation includes the following configuration:

Windows authentication for the connection between the Windows client and the coordinator.
Coordinator and agent services run with the local system computer account.

In environments with stringent security requirements, administrators can:
Restrict NTLM in their Active Directory domains by enabling and changing one or more of the following group policy settings:
Network security: Restrict NTLM: Incoming NTLM traffic.
Network security: Restrict NTLM: NTLM authentication in this domain.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.
Configure the coordinator to run with an alternate service account.

When these security options are in place, the default Windows authentication cannot be used for client - coordinator communication; instead certificate authentication can be used.

Deployment

Certificates are required for both the coordinators and the clients that connect to them. In a default deployment, administrators can use:

Domain Certificate Services with default templates for user and computer certificates that manage deployment details such as certificate properties, deployment requests, and the certificate stores and folders.
Manual certificate deployment and manually-created self-signed certificates are also supported for evaluation or other low-security purposes.

When using certificate authentication, the following must be in place:
Each server that hosts a coordinator must have a valid, trusted certificate with at least the “Server authentication” and “Client authentication” purposes located in the Local Machine\Personal certificate store. The certificate must include the private key. The trust chain of the certificate must evaluate to a trusted root CA certificate in the “Trusted Root Certification Authorities” Certificates folder of the coordinator host and all client hosts. Peer (“Trusted People”) trusts are not supported.
Each client must have a valid, trusted certificate with at least the “Client authentication” purpose located in the User\Personal certificate store. The certificate must include the private key. The trust chain of the certificate must evaluate to a trusted root CA certificate in the “Trusted Root Certificate Authorities” Certificates folder of the client host and all coordinator hosts. Peer trusts are not supported. Active Directory or IIS certificate identity mapping of client certificates is not required, and is not used by Change Auditor if provided.
When self-signed certificates are used, Certificate Revocation List checking must be disabled as described in Coordinator configuration.

Coordinator configuration

To configure certificate authentication on a coordinator:
1
Ensure a valid Server authentication certificate is deployed on the host server.
2
Install the Change Auditor coordinator as described in the Change Auditor Installation Guide.
* 
NOTE: When specifying the Coordinator SQL Server information, connections using Windows authentication may fail if NTLM restrictions are in place and the SQL server specified is not excepted from the restrictions. In this case the use of SQL authentication is recommended.
3
Stop the coordinator, if it is running.
4
In the Coordinator installation folder (located by default in Program files\Quest\ChangeAuditor\Service). Make a backup copy of the ChangeAuditor.Service.exe.config file, then open the file using a text editor such as Notepad.exe.
5
Under the <configuration> <appSettings file=””> nodes, locate the <add key="WcfAuth" value="Windows" /> node and change the value from “Windows” to “Certificate”.
If you are using self-signed certificates (without Certificate Revocation List information), locate the <add key="DisableCrlCheck" value="false" /> node and change the value from “false” to “true”.
By default a suitable service certificate is selected from the Local Machine\Personal certificate store automatically. If an alternate certificate in the Local Machine\Personal certificate store is required, locate the <add key="ServiceCertificate" value="" /> node and change the value from “” (empty string) to the thumbprint string copied from a certificate found in the certlm.msc Certificate Manager for Local Machine applet in the User\Personal certificate store. Ensure that the certificate is trusted, is not expired, has a private key and at least the “Server Authentication” (“Ensures the identity of a remote computer”) purpose.
6
Save the changes to the file and restart the coordinator.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级