Active Directory Synchronization Agent for CRYPTO-MAS1.7


Revision History

Version  Date        Description                        Product
Rev 1    2009.04.24  Initial Publication                CRYPTO-MAS v1.7
Rev 2    2009.12.21  Updated for new functionality      CRYPTO-MAS v1.7
Rev 3    2010.10.20  Updated for supported characters   CRYPTO-MAS v1.7

Minimum System Requirements

Item                       Minimum Size/Performance
Microsoft .Net Framework   2.0 SP1


Additional Information, Assistance, or Comments

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
[email protected]

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com

Copyright

Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks


Table of Contents

Purpose
Operation
Usage Considerations
User Creation and Deletion
Security Features
Limitations
Configuration
Company Setup in CRYPTO-MAP
Token Allocation
Activation Code and CRYPTO-MAS URL
Synchronization Agent Installation (Customer Site)
Active Directory Tab
Services Tab
Notification Tab
Template Tab


Purpose

The Active Directory Synchronization Agent has been developed to simplify the task of user creation in CRYPTO-MAS. Without the agent, the administrator must manually input user information including logon ID via the CRYPTO-MAP interface. Once installed, the agent monitors a specified Active Directory group for membership changes and updates user information in CRYPTO-MAS to reflect these changes.

Operation

The agent is a Windows® application that must be installed and configured at the customer site. When enabled, the agent monitors user membership to a specified Active Directory group. Users that are added or removed from the group are correspondingly added or removed from CRYPTO-MAS. In addition, if a user’s Active Directory account becomes locked or suspended, the Agent will cause the token assigned to the user to be suspended at the next synchronization interval. Likewise, a suspended account will be reactivated during synchronization if the account is no longer locked or suspended in Active Directory. If a user is removed from the monitored group, the user will be removed from CRYPTO-MAS at the next synchronization interval and the assigned token will be returned to the pool.

Usage Considerations

• This Agent can only be used with Active Directory. All other LDAP servers are not supported.


• The Agent does not monitor the entire Directory. It only monitors for changes in membership to a specified group. This allows the Agent to differentiate between users that should and should not be synchronized.

• No schema changes are required and nothing is written to Active Directory.

• A user account and password must be available for use by the Agent to allow connection to the directory.

• Connections between the Agent and Active Directory can be over SSL. Data passed between the Agent and CRYPTO-MAS is limited to the UserID, First Name, Last Name, Address, Telephone / Mobile numbers and the Active Directory GUID for each account.

• The GUID is a unique number generated by the directory and maintained for the user regardless of changes to the user account, including changes to the UserID. CRYPTO-MAS utilises the GUID, rather than the UserID, to maintain account synchronization and the association of tokens to users. This means that UserIDs can change in Active Directory without breaking the relationship between the User and tokens in CRYPTO-MAP.

• TCP Port 443 must be open to allow the Agent to transmit to CRYPTO-MAS.

User Creation and Deletion

• The number of tokens allocated to the CRYPTO-MAS account determines the maximum number of users that can be imported by the agent. For example, if the organization has an allocation of 10 tokens and 100 users in the monitored Active Directory group, only 10 users will be imported into CRYPTO-MAS.

• Users within the Microsoft group must have the First Name, Last Name, Username and Email address defined or they will not be created in CRYPTO-MAS.

• The Agent does not support the characters “&”, “<” and “>” in the First Name, Last Name, Username or Email address of a user account. If found, the synchronization process will be deferred until the user account has been removed or corrected.

• CRYPTO-MAS admin users (operators) will not be deleted if they are removed from the Microsoft Group until their CRYPTO-MAS admin privilege has been revoked.


• If a user is removed from the monitored group, the user will be removed and the token returned to the pool at the next synchronization interval.

• If a user account in the Microsoft group is suspended, the account in CRYPTO-MAS will become suspended at the next synchronization interval. The token will remain assigned to the user.

Security Features

• Connections between the Agent and Active Directory can be configured to use SSL.

• The data passed between the Agent and CRYPTO-MAS is limited to the UserID, First Name, Last Name, Address, Telephone / Mobile numbers and the Active Directory GUID for each account.

• All data transmitted between the Agent and CRYPTO-MAS is encrypted using AES256 then sent over SSL (default) or http (optional). The encryption key is generated in the CRYPTO-MAP interface (Activation Key) and is unique for every client.

• The Agent configuration file, which contains the account and password and other configuration information used by the Agent to connect to Active Directory and CRYPTO-MAS, is encrypted. It can only be read or modified by the Agent Synchronization Manager application.

Limitations

If the agent is used, CRYPTO-MAP cannot be used to create UserIDs. This is to prevent contradictions between manual CRYPTO-MAP user creation and the Agent. In addition, all User accounts created by any other means will be automatically deleted during synchronization, even if the manually created UserIDs are identical to those in Active Directory.
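The Operation, User Creation and Deletion, and Limitations sections above describe one reconciliation pass per synchronization interval. The following Python script is an added illustration of that decision logic, not CRYPTOCard's code: the Active Directory group snapshot, the CRYPTO-MAS user table, the token pool size and all names in it are constructed sample data, and the action names ("add", "suspend", "remove_manual", and so on) are this example's own labels. It keys users by GUID so a UserID rename keeps its token, defers the whole run when "&", "<" or ">" appears in a required field, skips entries with a missing required field, stops adding users when the token allocation is exhausted, keeps operators that left the group, and deletes users that were created by other means.

```python
# Added illustration of the Agent's per-interval reconciliation; not CRYPTOCard's code.
# All sample data below is constructed so the example runs offline.

FORBIDDEN = set("&<>")                       # characters the Agent does not support
REQUIRED = ("first_name", "last_name", "username", "email")


class SyncDeferred(Exception):
    """An AD entry contains & < or >: the whole run is deferred until it is fixed."""


def check_entry(entry):
    """True if importable, False if a required field is empty; raises on bad characters."""
    for field in REQUIRED:
        if FORBIDDEN & set(entry.get(field) or ""):
            raise SyncDeferred(f"unsupported character in {field} of {entry['guid']}")
    return all(entry.get(field) for field in REQUIRED)


def reconcile(ad_group, mas_users, token_pool):
    """Compute the actions for one interval without mutating the inputs.

    ad_group   - AD entries: guid, username, first/last name, email, locked flag
    mas_users  - CRYPTO-MAS users: guid (None if created manually in CRYPTO-MAP),
                 username, status, token, operator flag
    token_pool - unassigned tokens left in the organisation's allocation
    Returns a list of (action, identifier) tuples in the order they would apply.
    """
    actions = []
    ad_by_guid = {e["guid"]: e for e in ad_group}
    # Validate every entry first: one bad character defers the entire run
    importable = {guid: check_entry(e) for guid, e in ad_by_guid.items()}

    for user in mas_users:
        if user["guid"] is None:
            # Created by other means: deleted even if the username also exists in AD
            actions.append(("remove_manual", user["username"]))
            continue
        entry = ad_by_guid.get(user["guid"])
        if entry is None:
            if user["operator"]:              # operators survive until privilege is revoked
                actions.append(("keep_operator", user["guid"]))
            else:
                actions.append(("remove", user["guid"]))
                if user["token"]:
                    token_pool += 1           # token returned to the pool
            continue
        if entry["username"] != user["username"]:
            actions.append(("rename", user["guid"]))     # GUID keeps the token link
        if entry["locked"] and user["status"] == "active":
            actions.append(("suspend", user["guid"]))    # token stays assigned
        elif not entry["locked"] and user["status"] == "suspended":
            actions.append(("reactivate", user["guid"]))

    known = {u["guid"] for u in mas_users}
    for guid in ad_by_guid:
        if guid in known or not importable[guid]:
            continue
        if token_pool == 0:
            actions.append(("allocation_exhausted", guid))
            continue
        actions.append(("add", guid))
        token_pool -= 1
    return actions


def run_sync(ad_group, mas_users, token_pool):
    """Wrapper mirroring the Agent's behaviour: a deferral is reported, not raised."""
    try:
        return ("ok", reconcile(ad_group, mas_users, token_pool))
    except SyncDeferred as exc:
        return ("deferred", str(exc))


def ad(guid, username, first, last, email, locked=False):
    """Build a constructed AD group member entry."""
    return {"guid": guid, "username": username, "first_name": first,
            "last_name": last, "email": email, "locked": locked}


# Constructed sample data: a four-token allocation that is fully assigned
AD_GROUP = [
    ad("G1", "alice", "Alice", "Smith", "alice@example.com"),
    ad("G2", "bob.renamed", "Bob", "Jones", "bob@example.com", locked=True),
    ad("G3", "carol", "Carol", "Lee", "carol@example.com"),
    ad("G4", "dave", "", "Kim", "dave@example.com"),            # missing first name
    ad("G5", "erin", "Erin", "Wu", "erin@example.com"),
]
MAS_USERS = [
    {"guid": "G1", "username": "alice", "status": "active", "token": "T1", "operator": False},
    {"guid": "G2", "username": "bob", "status": "active", "token": "T2", "operator": False},
    {"guid": "G9", "username": "frank", "status": "active", "token": "T3", "operator": False},
    {"guid": "G8", "username": "grace", "status": "active", "token": "T4", "operator": True},
    {"guid": None, "username": "carol", "status": "active", "token": None, "operator": False},
]

if __name__ == "__main__":
    for action in run_sync(AD_GROUP, MAS_USERS, token_pool=0)[1]:
        print(action)
```

Running it shows frank's returned token being reused for carol, while erin is reported as blocked by the allocation; the manually created "carol" account is removed first even though the same username exists in the group, which is exactly the clash the Limitations section warns about.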

Configuration


Company Setup in CRYPTO-MAP

Create a new company in MAP in the usual way. Check the Use LDAP checkbox under User Storage to generate an Activation Code and prepare this account for Active Directory synchronization.

Figure 1

Token Allocation

Ensure that the number of tokens allocated is equal to or greater than the number of users that will be in the monitored Active Directory group. If the allocation is insufficient the synchronization will fail. If the token count cannot be determined then the synchronization will be deferred and an error reported in the log.

Activation Code and CRYPTO-MAS URL

Note the Activation Code as this will be required during configuration of the Agent.

Synchronization Agent Installation (Customer Site)

1. Download the CRYPTO-MAS LDAP Service.exe file.


3. The agent is configured post installation by launching the “Manager” application. The default location is Program Files/CRYPTOCard/CRYPTO-MAS/Manager.

4. Populate the Primary Active Directory information in the Active Directory tab and then click Apply. Do not start the agent until the Services tab is also populated.

Active Directory Tab

Use the Active Directory tab to configure the agent connection to Active Directory.

Figure 2

Where:

• Hostname: is the IP address or FQDN of Active Directory.

• Port Number: is the connection port number. Default: 389


• UserDN: is the account that will be used by the agent to connect to Active Directory. The entry should be entered in an email (user@domain) format.

Example: The BaseDN in figure 2 is dc=ts, DC=cryptocard, DC=com. So the user “ccldap” could be defined in UserDN as [email protected].

• GroupDN: is the group to which the member must belong for synchronization with CRYPTO-MAS. As shown in Figure 3, only the members of the CRYPTOMAS group will be synchronized with CRYPTO-MAS.

An example of the CRYPTOCard Microsoft group entry would be CN=CRYPTOCard, CN=Users, DC=ts, DC=cryptocard, DC=com.

• Test Group: allows the GroupDN entry to be tested for erroneous characters. Results of the test are shown as an OK or Failed message.
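The UserDN and GroupDN fields are the two inputs an operator most often gets wrong. The Python script below is an added example, not CRYPTOCard's code, of the kind of structural check a "Test Group" style validation can apply before the agent is started. The guide does not say which characters its own test treats as erroneous, so this example assumes a check of the RFC 4514 string form of a DN (unescaped , + " \ < > ; are rejected, backslash escapes are honoured, multi-valued RDNs joined with + are not handled) plus the user@domain form the guide asks for in UserDN. The helper that builds a UPN from the DC components of a BaseDN reproduces the worked example given above; the domain and group names are the guide's, the OK/Failed wording follows the Test Group description, and everything else is this example's assumption.

```python
# Added example of structural checks for the Active Directory tab fields.
# Not CRYPTOCard's code; the Agent's actual "Test Group" logic is undocumented.

import re

SPECIALS = set('+"<>;')                 # must be backslash-escaped inside a value
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dn(dn):
    """Split a DN string into [(TYPE, value), ...].

    Raises ValueError with the reason on the first structural error.
    """
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:                     # character after a backslash is literal
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":                 # unescaped comma separates components
            rdns.append(current)
            current = ""
        elif ch in SPECIALS:
            raise ValueError(f"unescaped special character {ch!r}")
        else:
            current += ch
    if escaped:
        raise ValueError("dangling backslash at end of DN")
    rdns.append(current)

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"component without '=': {rdn.strip()!r}")
        attr, value = (part.strip() for part in rdn.split("=", 1))
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
            raise ValueError(f"bad attribute type: {attr!r}")
        if not value:
            raise ValueError(f"empty value for {attr}")
        pairs.append((attr.upper(), value))
    return pairs


def check_group_dn(dn):
    """Return (ok, message) for a GroupDN; message mimics the OK / Failed result."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return (False, f"Failed: {exc}")
    if pairs[0][0] != "CN":
        return (False, "Failed: group DN must start with a CN component")
    if not any(attr == "DC" for attr, _ in pairs):
        return (False, "Failed: no DC components in DN")
    return (True, "OK")


def check_user_dn(user_dn):
    """UserDN must be in e-mail (user@domain) form, not a distinguished name."""
    if UPN_RE.match(user_dn):
        return (True, "OK")
    return (False, "Failed: UserDN must be entered as user@domain")


def upn_from_base_dn(user, base_dn):
    """Derive the user@domain form from the DC components of a BaseDN."""
    domain = ".".join(value for attr, value in parse_dn(base_dn) if attr == "DC")
    return f"{user}@{domain}"


if __name__ == "__main__":
    print(upn_from_base_dn("ccldap", "dc=ts, DC=cryptocard, DC=com"))
    print(check_group_dn("CN=CRYPTOCard, CN=Users, DC=ts, DC=cryptocard, DC=com"))
    print(check_user_dn("CN=ccldap, CN=Users, DC=ts, DC=cryptocard, DC=com"))
```

The last call fails on purpose: a UserDN pasted in distinguished-name form is a common mistake, and the guide asks for the e-mail form instead.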


Services Tab

The services tab is used to configure the agent connection to CRYPTO-MAS.

Figure 4

Where:

• CRYPTO-MAS AuthID: is the AuthID assigned to the CRYPTO-MAS subscriber organization and displayed in the Home Tab within CRYPTO-MAP. The Auth ID was selected during the signup process.

• Activation Code: is a unique code generated and displayed in CRYPTO-MAP for this organization.

• Primary URL: this is the primary location to which the agent will attempt to synchronize with CRYPTO-MAS.

• Secondary URL: this is the secondary location to which the agent will attempt to synchronize with CRYPTO-MAS if a connection to the primary location fails.


Notification Tab

The notification tab is used to configure the agent to send an email notification in the event that the connection between the Agent and Active Directory fails.

Figure 5

Where:

• SMTP Server/Host: is the SMTP server through which all notifications will be sent.

• User: is the username required to send email through the SMTP Server (optional).

• Password: is the password required to send email through the SMTP Server (optional).

• Send Active Directory down: will notify if there are connection issues with Active Directory.

• Send Resync group not found: will notify if the Microsoft Group can no longer be found.

• Added user to list: will notify when a user has been added to CRYPTO-MAS.


• Removed user and deassigned token list: will notify when a user has been removed from CRYPTO-MAS along with which token was deassigned (if applicable).

Template Tab

The template tab allows you to customize each notification email alert that was selected in the Notification Tab.

Figure 6

Where:

• Notification name: allows for the customization of the particular notification.

• From: enter the sender email address for the message. This field will only accept a single email address.

• To: enter the email address of the recipient(s) into this field. If multiple entries are required, a semi-colon must be used.


• BCC: enter the email address of the recipient(s) into this field. If multiple entries are required, a semi-colon must be used.

• Subject: enter the subject of the current notification.

• Message: a default message that will provide an explanation of the current notification. The content can be edited but the <LIST/> argument cannot be removed from the message.
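The field rules above (a single From address, semicolon-separated To and BCC lists, and a Message that must keep the <LIST/> argument) are easy to get wrong when a template is edited by hand. The Python script below is an added example, not CRYPTOCard's code, of validating a template against those rules and rendering the "Added user to list" notification from it. Only the placeholder name and the semicolon separator come from the guide; the template dictionary, the addresses in it and the way the list is substituted are this example's assumptions.

```python
# Added example of validating and rendering a Template tab entry.
# Not CRYPTOCard's code; the template below is constructed sample data.

from email.message import EmailMessage

LIST_TAG = "<LIST/>"          # placeholder the guide says must not be removed


def split_recipients(field):
    """To and BCC accept several addresses separated by semicolons."""
    return [addr.strip() for addr in field.split(";") if addr.strip()]


def validate_template(tpl):
    """Return a list of problems; an empty list means the template is usable."""
    problems = []
    if ";" in tpl["from"] or "@" not in tpl["from"]:
        problems.append("From must be a single e-mail address")
    if not split_recipients(tpl["to"]):
        problems.append("To needs at least one address")
    if LIST_TAG not in tpl["message"]:
        problems.append(f"Message must keep the {LIST_TAG} argument")
    return problems


def render(tpl, items):
    """Build the notification e-mail, substituting the item list for <LIST/>."""
    problems = validate_template(tpl)
    if problems:
        raise ValueError("; ".join(problems))
    listing = "\n".join(f"  - {item}" for item in items)
    msg = EmailMessage()
    msg["From"] = tpl["from"]
    msg["To"] = ", ".join(split_recipients(tpl["to"]))
    if tpl.get("bcc"):
        msg["Bcc"] = ", ".join(split_recipients(tpl["bcc"]))
    msg["Subject"] = tpl["subject"]
    msg.set_content(tpl["message"].replace(LIST_TAG, listing))
    return msg


# Constructed sample template for the "Added user to list" notification
ADDED_USER_TEMPLATE = {
    "name": "Added user to list",
    "from": "agent@example.com",
    "to": "secops@example.com; helpdesk@example.com",
    "bcc": "",
    "subject": "CRYPTO-MAS: users added during synchronization",
    "message": "The following users were added to CRYPTO-MAS:\n<LIST/>\n",
}

if __name__ == "__main__":
    print(render(ADDED_USER_TEMPLATE, ["alice", "carol"]))
```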

Troubleshooting

To troubleshoot any issues with the Agent, detailed logging is done to the file:
