You can use an external authentication directory service (also called an enterprise directory or authentication login domain) to provide a single sign-on for groups of users instead of maintaining individual local login accounts. Each user in a group is assigned the same role (for example, Infrastructure administrator). An example of an authentication directory service is a corporate directory that uses LDAP (Lightweight Directory Access Protocol).
After the directory service is configured, any user in the group can log in to the appliance. On the login window, a user:
In the Session control, the user is identified by their name preceded by the authentication directory service. For example:
CorpDir\pat
Authenticating users
When you add an authentication directory service to the appliance, you provide location criteria so that the appliance can find the group.
For more information on the search criteria, see Add/Edit Directory screen details.
Adding a directory server
If you replicate the authentication directory service for high availability or disaster tolerance, add the replicated directory service as a separate directory service.
After configuring and adding a directory server, you can designate it as the default directory service.
After you add an authentication directory service and server
- Add a group that has already been defined in the directory service, so that all its members can log in to the appliance.
- Allow both local logins and logins for user accounts authenticated by the directory service.
- Disable local logins so that only users whose accounts are authenticated by the directory service can log in. Local accounts are prevented from logging in.
Considerations for configuring a Microsoft Active Directory directory service
- The following maps each LDAP property to the corresponding Active Directory attribute:

| LDAP property | Active Directory attribute |
|---|---|
| cn | Common-Name |
| uid | UID |
| userPrincipalName | User-Principal-Name |
| sAMAccountName | SAM-Account-Name |
If the user name does not contain either an @ character (to denote a UPN) or a \ character (to denote a domain\login), then these logins are attempted in this order:
- If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows. Specify the following components of the user's name, displayed here with the corresponding attribute. The field labeled Full Name defaults to this format, and this string is assigned to the cn attribute (Common Name): givenName.initials.sn. In the New Object – User dialog box, you are also required to specify a User logon name. This, in combination with the DNS domain name, becomes the userPrincipalName. The userPrincipalName is an alternative name that the user can use for logging in. It is in the form LogonName@DNSDomain, for example JoeUser@exampledomain.example.com.
- Finally, as you enter the User logon name, the first twenty characters are automatically filled in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.
- CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.
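As an added example (not code from the appliance documentation or its vendor), the following Python classifies a typed login into the three forms the text describes (UPN with @, domain\login with \, or a bare name), maps each to the attribute it is matched against, and escapes the user-supplied value before it is embedded in an LDAP search filter. The OR over all four attributes for a bare name and the function names are assumptions, since the page does not preserve the order in which those logins are attempted.

```python
from typing import Optional, Tuple

# LDAP property -> Active Directory attribute, as listed in the text above.
LDAP_TO_AD = {
    "cn": "Common-Name",
    "uid": "UID",
    "userPrincipalName": "User-Principal-Name",
    "sAMAccountName": "SAM-Account-Name",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login such as 'pat*)(objectClass=*' would change the
    meaning of the filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def classify_login(login: str) -> Tuple[str, Optional[str], str]:
    """Return (form, domain, name) for the three login forms on the page."""
    if "\\" in login:                      # domain\login, e.g. CorpDir\pat
        domain, _, name = login.partition("\\")
        return ("domain\\login", domain, name)
    if "@" in login:                       # UPN, e.g. JoeUser@exampledomain.example.com
        name, _, dns_domain = login.partition("@")
        return ("upn", dns_domain, name)
    return ("bare", None, login)           # no @ and no \


def build_search_filter(login: str) -> str:
    """Build the filter used to locate the user object for a login.

    Assumption (not stated on the page): a UPN is matched on
    userPrincipalName, a domain\\login on the pre-Windows 2000 name
    (sAMAccountName), and a bare name on any of the four attributes.
    """
    form, _domain, name = classify_login(login)
    if form == "upn":
        return "(userPrincipalName=%s)" % escape_filter_value(login)
    if form == "domain\\login":
        return "(sAMAccountName=%s)" % escape_filter_value(name)
    safe = escape_filter_value(name)
    return "(|" + "".join("(%s=%s)" % (attr, safe) for attr in LDAP_TO_AD) + ")"
```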