
Microsoft Active Directory Back-End Authentication

With Microsoft Active Directory there are two possibilities:

If only a single domain controller with one domain is in use, the Back-End Server record can be registered on the IDENTIKEY Appliance. This record will be used to retrieve the Back-End Server during User Authentications.

Instructions are explained in section 10.3.3 Single Domain with Single Domain Controller.

If multiple domains and/or multiple domain controllers are in use, Back-End Server records can be searched for using the Global Catalog Server. This requires the Global Catalog Server settings to be configured in the IDENTIKEY Appliance, as explained in section 10.3.4 Multiple domains: Global Catalog Server Setup.

For conceptual information on both setups, please refer to the IDENTIKEY Appliance Product Guide.

10.3.1 Active Directory Back-End Authentication via LDAP

When the Active Directory back-end is to be authenticated via the LDAP protocol, the LDAP back-end needs to be configured. The following steps are necessary for this configuration:

After setting up SSL on the LDAP back-end, export the CA Certificate accordingly:

1. Launch the Windows Certification Authority application. This is typically launched via Start > Administrative Tools > Certification Authority on most Windows servers.

2. Select a certification authority, right-click it, and select Properties.

3. In the Properties window, click the View Certificate button.

4. In the Certificate window, select the Details tab and click the Copy to File button. Doing so will launch the Certificate Export Wizard.

5. In the Certificate Export Wizard, click Next.

6. Select Base-64 encoded X.509 and click Next.

7. Specify the path and name of the CA Certificate file and click Next.

Back-End Authentication

10.3.2 Enable Microsoft Active Directory Back-End Authentication

After exporting the certificate, you will need to enable Microsoft Active Directory back-end authentication and upload the exported certificate. To do so:

1. Navigate to IDENTIKEY Authentication Server > Authentication Back-Ends.

2. Toggle the Enabled check box in the Microsoft Active Directory section. [Optional – applies if the Active Directory back-end is to be authenticated via the LDAP protocol.]

3. Doing so will enable the Upload AD SSL Certificate field. Use the Browse button to navigate to the exported CA Certificate file.

4. Click Save.

Image 41: Enabling Microsoft Active Directory

10.3.3 Single Domain with Single Domain Controller

A single domain controller setup requires:

Activate Microsoft Back-End Authentication in the IDENTIKEY Appliance Configuration Tool

Configure the IDENTIKEY Appliance DNS Server in the IDENTIKEY Appliance Configuration Tool

Add a Microsoft Active Directory Back-End Server Record in the IDENTIKEY Authentication Server Administration Web Interface

Adjust Authentication Policy Settings in the IDENTIKEY Authentication Server Administration Web Interface

Configure a Client Record and assign the Policy in the IDENTIKEY Authentication Server Administration Web Interface

Configuring the IDENTIKEY Appliance DNS Server

Caution

Although not mandatory, VASCO recommends using the AD domain controller as the DNS server to avoid issues with Microsoft SPN implementation. For more information on aspects requiring attention when configuring this setup, please refer to section 24.5 LDAP Back-End Authentication Setup Issues.

Additional configuration is needed when the IDENTIKEY Appliance cannot directly connect to the IP address of the AD domain controller (for example with NAT). For more information, refer to section 24 Troubleshooting.

To configure the AD domain controller (with the DNS Server role) as the DNS server for the IDENTIKEY Appliance in the IDENTIKEY Appliance Configuration Tool:

1. Navigate to Settings > Network.

2. Complete the DNS server(s) field.

3. Click on Save.

Image 42: Configuration Tool > Network


Add a Microsoft Active Directory Back-End Server Record

Caution: Security Principal ID

If Enable SSL is used, the format for the Security Principal ID is the DN, e.g.

cn=Administrator, cn=Users, dc=vasco, dc=com

If Enable SSL is not used, the format for the Security Principal ID is the sAM Account Name, e.g.

Administrator

To add an Active Directory Back-End server record in the IDENTIKEY Authentication Server Administration Web Interface:

1. Select Back-End > Register Active Directory Back-End.

2. Complete the necessary fields:

Location is the IP address of the Active Directory server.

Please note that the Timeout field is mandatory.

For more information on these settings, please refer to the IDENTIKEY Appliance Administrator Reference Guide.

3. Click on Create to finish.

Image 43: Administration Web Interface > Back-Ends > Register Active Directory Back-End
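A pre-flight check for the certificate export and the record fields described above, as an added example (not VASCO's or the appliance's own code): it confirms the exported file is the Base-64 encoded X.509 form rather than raw DER, applies the Security Principal ID rule from the caution, and optionally verifies that the domain controller's LDAPS certificate chains to the exported CA. The PEM sample is constructed; the LDAPS port 636 and the sAMAccountName character rules are assumptions, not taken from this guide.

```python
# Added pre-flight checks for an AD back-end record (not VASCO code). Assumes
# the CA file is the wizard's Base-64 X.509 export and LDAPS listens on 636.
import base64
import re
import socket
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
DN_RDN = re.compile(r"^\s*(cn|ou|dc|o|c)=[^,=]+\s*$", re.I)
SAM_RE = re.compile(r'[^"/\\\[\]:;|=,+*?<>]{1,20}')  # Microsoft's sAMAccountName rules (assumed)

def is_base64_x509(data: bytes) -> bool:
    """True when the file is PEM armour (the 'Base-64 encoded X.509' wizard
    option) around a DER SEQUENCE, i.e. not the raw DER export."""
    match = PEM_RE.search(data.decode("ascii", errors="replace"))
    if not match:
        return False
    try:
        der = base64.b64decode(match.group(1))  # line breaks are skipped by default
    except ValueError:
        return False
    return der[:1] == b"\x30"  # SEQUENCE tag that opens every X.509 certificate

def principal_id_ok(principal_id: str, enable_ssl: bool) -> bool:
    """The guide's rule: a DN (cn=..., dc=...) when Enable SSL is set,
    a bare sAMAccountName when it is not."""
    if enable_ssl:
        rdns = principal_id.split(",")
        return len(rdns) >= 2 and all(DN_RDN.match(r) for r in rdns)
    return SAM_RE.fullmatch(principal_id) is not None

def ldaps_chain_ok(host: str, ca_file: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Network check: TLS handshake with the domain controller's LDAPS port,
    verifying its certificate chains to the exported CA and matches host."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # covers ssl.SSLError and connection failures
        return False

# Constructed stand-in for an exported CA file: PEM armour around a minimal
# DER SEQUENCE (not a real certificate), enough to exercise the format check.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x05").decode() + "\n"
              "-----END CERTIFICATE-----\n")
```

Run the two offline checks against the file and the principal you intend to enter; run ldaps_chain_ok only from a host that can reach the domain controller, passing the name its certificate was issued for.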

Adjust Authentication Policy Settings

Follow the instructions provided under 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using Microsoft Active Directory instead of RADIUS for the Back-End Protocol field.

Create a Client Record and Assign the Policy

Follow the instructions under 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for Active Directory Back-End authentication.

10.3.4 Multiple domains: Global Catalog Server Setup

In this setup, multiple domain controllers are present. Instead of creating a Back-End record for each server, a simpler method is to configure the Global Catalog Server settings in the IDENTIKEY Authentication Server Administration Web Interface. This setup requires:

Activate Microsoft Back-End Authentication in the Configuration Tool

Configure the IDENTIKEY Appliance DNS Server in the Configuration Tool

Configure the Global Catalog Server settings

Configure the Authentication Policy Settings

Configure a Client Record and assign the Policy

Note:

When using the Global Catalog Server, a Back-End Server Record in the IDENTIKEY Authentication Server Administration Web Interface is not necessary.

For more information on the Global Catalog Server setup, please refer to the IDENTIKEY Appliance Product Guide, Back-End Authentication section.

Enable Microsoft Active Directory Back-End Authentication

To activate Microsoft Active Directory Back-End server authentication in the IDENTIKEY Appliance Configuration Tool, please follow the instructions under 10.3.2 Enable Microsoft Active Directory Back-End Authentication.

Configure the IDENTIKEY Appliance DNS Server

To configure the AD domain controller (with the DNS Server role) as the DNS server for the IDENTIKEY Appliance in the IDENTIKEY Appliance Configuration Tool, please follow the instructions above under 10.3.3 Configuring the IDENTIKEY Appliance DNS Server.


Caution

Although not mandatory, VASCO recommends using the AD domain controller as the DNS server to avoid issues with Microsoft SPN implementation. For more information on aspects requiring attention when configuring this setup, please refer to section 24.5 LDAP Back-End Authentication Setup Issues.

Configure Global Catalog Server Settings

The following configuration enables the IDENTIKEY Appliance to use information in the Global Catalog Server to retrieve the correct domain controller whenever LDAP AD Back-End Authentication is required.

For further information on setting up a Global Catalog Server, please refer to the Microsoft documentation.

To configure the Global Catalog Server on the IDENTIKEY Appliance:

1. Navigate to Back-End > Settings.

Image 44: Administration Web Interface > Back-Ends

2. Enter the settings as shown in the image below. Please note that:

The Global Catalog Location is the IP address or DNS name of the domain controller acting as the Global Catalog Server.

The Global Catalog Port is 3268 by default, but may need adapting for your setup.

Principal ID and Principal Password are credentials with read access in the Global Catalog Server.

3. Click on Create to finish.

Image 45: Administration Web Interface > Back-Ends > Settings

Adjusting Authentication Policy Settings

Follow the instructions provided under 10.1 Adjusting Authentication Policy Settings for adjusting Policy settings to configure Back-End Authentication, using Microsoft Active Directory instead of RADIUS for the Back-End Protocol field.

Creating a Client Record and Assigning the Policy


Follow the instructions under 10.1 Create a Client Record and Assign the Policy for creating a Client Record and assigning a Policy for Active Directory Back-End authentication.
