Secure Mobile Access 12.4 Administration Guide
- Secure Mobile Access 12.4.3
Configuring Active Directory with Username and Password

- If you are using Active Directory with digital certificates, you must configure AD as an LDAP realm. See Configuring LDAP to Authenticate Against Active Directory.
- If your AD authentication server has subordinate (child) domains, see Configuring Multiple Active Directory (Advanced) for more information.

To configure an Active Directory authentication server with username/password validation:
- In the AMC, navigate to System Configuration > Authentication Servers.
- Click New and select Microsoft Active Directory (Basic).
- In the Name field, type a name for the authentication server.
- In the Primary domain controller field, type the IP address or host name of the AD domain controller. If you are using a failover server (optional), specify its address in the Secondary domain controller field.
  If the AD server is listening on a port other than the well-known port (389 for unencrypted connections, or 636 for SSL connections), specify the port number as a colon-delimited suffix (for example, ad.example.com:1300).
- To specify a particular AD domain, type it in the Active Directory domain name field. This should be the domain that you want to use as the search base (in other words, the domain that contains the appropriate cn=users container). For example, if you want to search a single domain such as marketing, type marketing.example.com. If you want to search your entire company's domain, type example.com. If you do not specify a domain, the appliance searches the first available default naming context on the domain controller.
- To perform AD searches, the appliance must log in to Active Directory (unless you have configured AD to allow anonymous searches). In the Login name field, type the username or sAMAccountName attribute used to log in to the Windows domain (such as jdoe or jdoe@example.com). The login should be for a user who has privileges to perform searches and view user records, such as the administrator on that domain controller. You may also specify a non-administrator user who has these privileges.
  If you specify an AD domain, the appliance searches that domain for users. If you do not specify a domain, the appliance searches the first available default naming context on the domain controller. If the user information is not stored in either of these locations, you need to configure this realm as an LDAP realm. See Configuring LDAP to Authenticate Against Active Directory.
- Type the Password that corresponds to the Login name. After you have entered credentials, you can click the Test button for each server you specified to test the connection.
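The controller address, the optional colon-delimited port, and the domain name entered above map onto an LDAP URL and a search base in a regular way. The Python below is an added example, not SonicWall code and not the appliance's implementation: it applies the 389/636 defaults described above, rejects a malformed port suffix, and derives the base DN and the cn=users container from the domain name. The function and class names are mine; the addresses are constructed.

```python
"""Derive LDAP connection parameters from the AMC-style Active Directory fields.

Added example (not SonicWall code): maps the Primary domain controller value,
its optional ":port" suffix (default 389, or 636 when SSL is enabled) and the
Active Directory domain name to an LDAP URL, a search base DN and the
CN=Users container.  Host names and domains used below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LDAP_PORT = 389    # well-known port for unencrypted LDAP
LDAPS_PORT = 636   # well-known port for LDAP over SSL


@dataclass(frozen=True)
class AdConnection:
    url: str                       # e.g. ldaps://ad.example.com:636
    base_dn: Optional[str]         # None: use the controller's first default naming context
    users_container: Optional[str]  # CN=Users,<base_dn> when a domain is given


def parse_controller(controller: str, use_ssl: bool) -> Tuple[str, int]:
    """Split 'host' or 'host:port' into (host, port), applying the SSL-aware default."""
    controller = controller.strip()
    if not controller:
        raise ValueError("domain controller address is required")
    host, sep, port_text = controller.rpartition(":")
    if not sep:
        return controller, (LDAPS_PORT if use_ssl else LDAP_PORT)
    if not host or not port_text.isdigit():
        raise ValueError(f"malformed domain controller address: {controller!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def domain_to_dn(domain: str) -> str:
    """marketing.example.com -> DC=marketing,DC=example,DC=com"""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def build_connection(controller: str, use_ssl: bool, domain: str = "") -> AdConnection:
    """Combine the three AMC fields into the values an LDAP client needs."""
    host, port = parse_controller(controller, use_ssl)
    url = f"{'ldaps' if use_ssl else 'ldap'}://{host}:{port}"
    if not domain.strip():
        # No domain given: the appliance falls back to the default naming context.
        return AdConnection(url, None, None)
    base_dn = domain_to_dn(domain)
    return AdConnection(url, base_dn, f"CN=Users,{base_dn}")


if __name__ == "__main__":
    print(build_connection("ad.example.com:1300", use_ssl=False, domain="marketing.example.com"))
    print(build_connection("ad.example.com", use_ssl=True))
```

Note that with SSL enabled and no suffix the URL lands on 636, while a suffix overrides the default regardless of the SSL setting, which matches the page's description of the port field.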
- Complete the information listed under Group lookup:
  - To enable group checking on this server, select the Use this authentication server to check group membership checkbox. When this box is unchecked, the nested controls are disabled because they apply only to group checking behavior. Leaving this checkbox unselected allows an authentication server for LDAP, AD, or AD-Tree to be configured without enabling it for authorization checks, which improves efficiency by allowing better stacked/affinity authentication support.
  - To specify the depth of the search (how many levels of sub-groups to include in it), enter a number in the Nested group lookup field. Be aware that this type of search can take some time because it requires searching the entire Active Directory tree; enabling Cache group checking is highly recommended.
  - To reduce the load on your directory and get better performance, cache the attribute group or static group search results. Select the Cache group checking checkbox and then specify a Cache lifetime, in seconds. The default value is 1800 seconds (30 minutes).
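The nested-lookup depth and the cache lifetime interact: each extra level of nesting costs another round of directory queries per login, and the cache is what stops that cost from being paid on every access check. The Python below is an added example, not SonicWall code, that models both settings over a constructed in-memory directory (a dict of DN to memberOf values). It also includes a deliberate membership cycle to show why a bounded, visited-tracking walk is needed; the class and function names are mine.

```python
"""Nested group lookup with a bounded depth and a TTL cache.

Added example (not SonicWall code): models the Nested group lookup depth and
the Cache group checking / Cache lifetime (default 1800 s) settings.  The
directory below is constructed sample data standing in for Active Directory.
"""
import time
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample directory: each DN maps to the groups it is directly a member of.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "CN=jdoe,CN=Users,DC=example,DC=com": ["CN=Sales,OU=Groups,DC=example,DC=com"],
    "CN=Sales,OU=Groups,DC=example,DC=com": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    "CN=Staff,OU=Groups,DC=example,DC=com": ["CN=AllUsers,OU=Groups,DC=example,DC=com"],
    # Deliberate cycle: AllUsers lists Staff as a parent, so naive recursion would never end.
    "CN=AllUsers,OU=Groups,DC=example,DC=com": ["CN=Staff,OU=Groups,DC=example,DC=com"],
}


class Directory:
    """Wraps the dict and counts lookups so the effect of caching is visible."""

    def __init__(self, data: Dict[str, List[str]]):
        self._data = data
        self.lookups = 0

    def member_of(self, dn: str) -> List[str]:
        self.lookups += 1
        return list(self._data.get(dn, []))


def resolve_groups(directory: Directory, dn: str, nested_depth: int) -> Set[str]:
    """Return the groups `dn` belongs to.

    nested_depth = 0 returns only direct memberships; each extra level follows
    the groups' own memberOf attributes one hop further.  The visited set
    stops cycles, and the loop stops early when nothing new was found.
    """
    groups: Set[str] = set()
    frontier = [dn]
    visited = {dn}
    for _ in range(nested_depth + 1):
        next_frontier = []
        for entry in frontier:
            for group in directory.member_of(entry):
                groups.add(group)
                if group not in visited:
                    visited.add(group)
                    next_frontier.append(group)
        if not next_frontier:
            break
        frontier = next_frontier
    return groups


class GroupCache:
    """Caches resolved group sets for `lifetime` seconds (AMC default 1800)."""

    def __init__(self, directory: Directory, nested_depth: int,
                 lifetime: float = 1800.0, clock: Callable[[], float] = time.monotonic):
        self.directory = directory
        self.nested_depth = nested_depth
        self.lifetime = lifetime
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._entries: Dict[str, Tuple[float, Set[str]]] = {}

    def groups_for(self, dn: str) -> Set[str]:
        now = self.clock()
        hit = self._entries.get(dn)
        if hit is not None and now - hit[0] < self.lifetime:
            return set(hit[1])  # served from cache: no directory round trips
        groups = resolve_groups(self.directory, dn, self.nested_depth)
        self._entries[dn] = (now, groups)
        return set(groups)


if __name__ == "__main__":
    cache = GroupCache(Directory(SAMPLE_DIRECTORY), nested_depth=2)
    user = "CN=jdoe,CN=Users,DC=example,DC=com"
    print(sorted(cache.groups_for(user)), "lookups:", cache.directory.lookups)
    print(sorted(cache.groups_for(user)), "lookups:", cache.directory.lookups)
```

Running the module shows the second call costing zero directory lookups; a lifetime of 1800 seconds means a user removed from a group can keep that group's access for up to 30 minutes, which is the trade-off the Cache lifetime field controls.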
- To secure the AD connection with SSL, expand the Active Directory over SSL area and configure the following settings:
  - Select the Use SSL to secure directory server connection checkbox.
  - To view your certificate details and to verify that the root certificate can be used by the appliance, click the SSL Settings link. This list should show the name of the CA (or CAs) that issued the client certificates and the SSL certificates. If your AD server's CA is not listed in the file, or if you use a self-signed certificate, you must add your certificate to this file. See Importing CA Certificates for details.
  - To have the appliance verify that the AD domain controller host name is the same as the name in the certificate presented by the Active Directory server, select the Match Active Directory domain controller certificate checkbox. Typically, your server name will match the name specified in its digital certificate. If this is the case with your server, SonicWall recommends enabling this option in a production environment. This makes it more difficult for an unauthorized server to masquerade as your AD server if your digital certificate or DNS server is compromised.
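Two separate checks are in play here: that the controller's certificate chains to a CA the appliance trusts, and, optionally, that the name in that certificate is the controller name you configured. The Python below is an added example, not SonicWall code, showing how a TLS client expresses the same two settings: chain validation is always on, and the host-name match is the toggle. The `hostname_matches` function spells out the comparison (including the one-label wildcard rule) on constructed names; `cafile` is a path you supply, and the function names are mine.

```python
"""Verifying the AD domain controller's certificate name over LDAPS.

Added example (not SonicWall code): make_ldaps_context() always validates the
server chain against the CA file you import, and toggles host-name checking
the way the Match Active Directory domain controller certificate checkbox
does.  hostname_matches() shows the comparison that check performs.  The
certificate names and host names used below are constructed.
"""
import socket
import ssl
from typing import Iterable, Optional


def make_ldaps_context(cafile: Optional[str], match_controller_name: bool) -> ssl.SSLContext:
    """CERT_REQUIRED chain validation is unconditional; only the name match is optional."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = match_controller_name
    return ctx


def hostname_matches(cert_names: Iterable[str], controller_host: str) -> bool:
    """Does any dNSName/CN in the certificate cover the configured controller name?

    Rules: case-insensitive exact match, or a wildcard that is the entire
    leftmost label and stands for exactly one label, so *.example.com covers
    dc01.example.com but neither a.b.example.com nor example.com.
    """
    host = controller_host.rstrip(".").lower()
    host_labels = host.split(".")
    for name in cert_names:
        candidate = name.rstrip(".").lower()
        labels = candidate.split(".")
        if "*" not in candidate:
            if candidate == host:
                return True
            continue
        # Wildcard must be the whole first label and leave at least two fixed labels.
        if labels[0] != "*" or len(labels) < 3 or any("*" in lbl for lbl in labels[1:]):
            continue
        if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def connect_ldaps(controller_host: str, port: int, cafile: str,
                  match_controller_name: bool) -> ssl.SSLSocket:
    """Open a verified LDAPS socket (needs a reachable controller, so not run here)."""
    ctx = make_ldaps_context(cafile, match_controller_name)
    raw = socket.create_connection((controller_host, port), timeout=10)
    # server_hostname is the value check_hostname compares against the certificate.
    return ctx.wrap_socket(raw, server_hostname=controller_host)
```

When the checkbox is off, a certificate issued by a trusted CA for any other host would still be accepted, which is exactly the gap the page's recommendation to enable the option in production closes.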
- In the Advanced area, you can specify a username attribute, set up custom prompts, enable users to be notified of expiring Active Directory passwords, configure NTLM authentication forwarding options, and set up one-time passwords.
  - Type the Username attribute you want to use to match user names. In most AD implementations, sAMAccountName matches the user ID (for example, jdoe). You can use cn instead, but that would require the user to authenticate with his full name (John Doe) instead of his user ID (jdoe).
  - To change the prompts and other text that Windows users see when they log in to the authentication server, select the Customize authentication server prompts checkbox. If users should log in using an employee ID, for example, you could change the text for the Identity prompt from Username: to Employee ID. (If you plan to use chained authentication, customized password prompts are especially useful so that users can differentiate between them.)
  - If the connection between the appliance and the authentication server is secured with SSL (Use SSL to secure Active Directory connection is enabled), you can allow users to change their passwords in WorkPlace by selecting Enable user-initiated password change.
    If Active Directory over SSL is not enabled, passwords are transmitted in the clear to the AD server. If the internal network is not trusted, you should enable SSL. Your AD server must also be enabled to use SSL. See the Microsoft AD documentation for details.
    - The Login name and Password fields are not always required to connect to an Active Directory server. However, if they are not provided (or you do not specify a password), the appliance binds anonymously. In this case, if you have not configured Active Directory to allow anonymous searches, the search will fail.
    - Users must have permission on the AD server to change their passwords during the password notification period, and the administrator must have permission to change user passwords after they expire. For security reasons, both of these operations replace passwords rather than reset them.
    - If you define multiple Active Directory with SSL servers, you should specify the same Match certificate CN against Active Directory domain controller setting for each server. (SonicWall recommends enabling this option for a production environment.) Although AMC allows you to configure this setting on a per-realm basis, the appliance actually uses the setting specified in the last loaded ADS realm. For example, if you select this checkbox for three ADS realms but clear it for a fourth, the functionality is disabled for all four realms.
  - To allow the Active Directory server to notify users that their passwords are going to expire, select the Notify user before password expires checkbox. Indicate when the advance notice should begin (the default is 14 days, and the maximum is 30 days). The password prompt users see is controlled by the AD server.
  - To allow users to manage their own passwords, select the Allow user to change password when notified checkbox. This setting can be changed only if the Use SSL to secure Active Directory connection checkbox in the Active Directory over SSL area is selected. Password management is available only to users with Web access and those who are using Connect Tunnel.
  - To enable NTLM authentication forwarding, click one of the NTLM authentication forwarding options. For more information, see NTLM Authentication Forwarding.
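The expiry notice above is a window measured backwards from the password's expiry time, and the distinction between "expiring" (the user can still change the password) and "expired" (an administrator must) is the one the notes above draw. The Python below is an added example, not SonicWall code and not necessarily how the appliance computes it: it assumes the expiry is derived from the standard AD attributes pwdLastSet (a FILETIME, 100-nanosecond intervals since 1601-01-01 UTC) and the domain's maxPwdAge (a negative interval), applies the 14-day default and 30-day cap, and classifies the account. The attribute values and timestamps are constructed; the function names are mine.

```python
"""Deciding whether a user is inside the password-expiry notice period.

Added example (not SonicWall code): one way to implement the Notify user
before password expires setting.  Assumes expiry = pwdLastSet + |maxPwdAge|,
both AD FILETIME-style 100-ns intervals.  Values in the usage are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

DEFAULT_NOTICE_DAYS = 14
MAX_NOTICE_DAYS = 30
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -(2 ** 63)  # maxPwdAge value meaning "no maximum password age"


def filetime_to_datetime(value: int) -> datetime:
    """AD stores pwdLastSet as 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(seconds=value / HUNDRED_NS_PER_SECOND)


def password_expires_at(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """None means the password never expires.  A pwdLastSet of 0 means the user
    must change the password at next logon, which is treated as already expired."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    lifetime = timedelta(seconds=-max_pwd_age / HUNDRED_NS_PER_SECOND)
    return filetime_to_datetime(pwd_last_set) + lifetime


def password_status(pwd_last_set: int, max_pwd_age: int, now_unix: float,
                    notice_days: int = DEFAULT_NOTICE_DAYS) -> Tuple[str, Optional[int]]:
    """Return ("never" | "ok" | "expiring" | "expired", whole days remaining).

    "expiring" is the notice period in which the user may still change the
    password; once "expired", only an administrator can replace it.
    """
    if not 1 <= notice_days <= MAX_NOTICE_DAYS:
        raise ValueError(f"notice period must be between 1 and {MAX_NOTICE_DAYS} days")
    expires = password_expires_at(pwd_last_set, max_pwd_age)
    if expires is None:
        return "never", None
    now = datetime.fromtimestamp(now_unix, tz=timezone.utc)
    remaining = int((expires - now).total_seconds() // 86400)
    if remaining < 0:
        return "expired", remaining
    if remaining <= notice_days:
        return "expiring", remaining
    return "ok", remaining


if __name__ == "__main__":
    # Constructed: pwdLastSet = 2024-01-01T00:00:00Z, maxPwdAge = 90 days.
    PWD_LAST_SET = 133485408000000000
    MAX_PWD_AGE = -77_760_000_000_000
    print(password_expires_at(PWD_LAST_SET, MAX_PWD_AGE).isoformat())
    print(password_status(PWD_LAST_SET, MAX_PWD_AGE, 1710892800))  # 2024-03-20
```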
  - To configure authentication that includes an OTP, enable Use one-time passwords with this authentication server.
    - To send the OTP through email/SMTP, you must configure the SMTP service. For more details, see Configuring SMTP to Deliver One-Time Passwords.
      - Enter the number of characters for the OTP in the Password contains field. The default length is 6, the minimum is 4, and the maximum is 20.
      - Select the type of characters in the OTP from the drop-down menu. Select Alphabetic and numeric, or Numeric.
      - In the From address field, enter the email address from which the OTP will be sent.
      - In the Primary email address attribute field, enter the directory attribute for the email address to which one-time passwords will be sent. If the primary attribute exists on the authentication server, it is used.
      - The Secondary email address attribute, if specified, is used in addition to the primary email address. The OTP is sent to both addresses.
        To have OTPs sent as a text message (instead of an email message), enter the corresponding attribute name (for example, SMSphone instead of Mail or primaryEmail). See Configuring the AD or LDAP Directory Server for more information.
      - In the Subject field, customize the subject line of the OTP email. You can use the replacement variable {password} to indicate a position in the subject line where the actual password will display.
      - In the Body field, customize the body of the OTP message. Use the replacement variable {username} to indicate a position in the message where the user's account name will display. Use the replacement variable {password} to indicate a position in the message where the actual password will display.
      - To test delivery of an OTP to a user, enter the email address of the user who will receive the OTP into the Email address field and click the Send test message button. If the appliance is able to send the message, the status Message successfully sent is displayed below the button. Failure messages are also displayed below the button, such as errors connecting to the SMTP server, or errors communicating with the AD/LDAP server or looking up the specified user on the AD/LDAP server.
      You can configure the OTP to be delivered through both SMS and email, through SMS only, or through email only. The same OTP is delivered through both channels.
    - To send the OTP through SMS, you must configure the SMS service. For more details, see Configuring an Authentication Server for email-based One-Time Passwords.
      - Enable the Send password via text message using SMS option.
      - Enter the number of characters for the OTP in the Password field. The default length is 6, the minimum is 4, and the maximum is 20.
      - Select the type of characters in the OTP from the drop-down menu. Select Alphabetic, Alphabetic and numeric, or Numeric.
      - Choose the masking level for the user's phone number shown on the authentication page after the OTP is sent. This lets the user know which number the OTP was sent to.
        - Choose Partial if only part of the phone number should be displayed.
        - Choose None if the whole phone number should be displayed.
        - Choose Full if no phone number should be displayed.
      - In the Phone number attribute field, enter the directory attribute for the phone number to which one-time passwords will be sent.
      - In the Message field, customize the body of the OTP message. Use the replacement variable {username} to indicate a position in the message where the user's account name will display. Use the replacement variable {password} to indicate a position in the message where the actual password will display.
      - To test delivery of an OTP to a user, enter the phone number of the user who will receive the OTP into the Phone number field and click the Send test message button. If the appliance is able to send the message, the status Message successfully sent is displayed below the button. Failure messages are also displayed below the button, such as errors connecting to the SMS gateway server.
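The email and SMS settings above share one OTP value, one set of length and character-set rules, and the same two replacement variables; the differences are which directory attributes supply the addresses and how the phone number is masked afterwards. The Python below is an added example, not SonicWall code, that ties those pieces together: it generates the OTP with a cryptographic RNG inside the 4 to 20 character bounds, substitutes {username} and {password}, fans the same value out to the primary attribute, the secondary attribute when the user has one, and the SMS attribute, and applies the Partial/None/Full masking. Assumptions, labelled in the code: "Alphabetic" means ASCII letters of either case, and Partial masking keeps the last four digits; the directory record and configuration are constructed.

```python
"""One-time password generation, templating and delivery fan-out.

Added example (not SonicWall code) for the OTP settings: length 4..20
(default 6), the character-set choices, the {username}/{password}
replacement variables, primary/secondary email attributes, SMS delivery and
Partial/None/Full phone masking.  Assumptions: "Alphabetic" = ASCII letters
of either case; Partial keeps the last four digits.  Sample data is constructed.
"""
import secrets
import string
from typing import Dict, List, Optional, Tuple

OTP_MIN, OTP_MAX, OTP_DEFAULT = 4, 20, 6
CHARSETS = {
    "Alphabetic": string.ascii_letters,
    "Alphabetic and numeric": string.ascii_letters + string.digits,
    "Numeric": string.digits,
}


def generate_otp(length: int = OTP_DEFAULT, charset: str = "Numeric") -> str:
    """Cryptographically random OTP of the configured length and alphabet."""
    if not OTP_MIN <= length <= OTP_MAX:
        raise ValueError(f"OTP length must be between {OTP_MIN} and {OTP_MAX}")
    pool = CHARSETS[charset]  # an unknown charset name raises KeyError on purpose
    return "".join(secrets.choice(pool) for _ in range(length))


def render(template: str, username: str, password: str) -> str:
    """Substitute the {username} and {password} replacement variables."""
    return template.replace("{username}", username).replace("{password}", password)


def mask_phone(number: str, level: str) -> str:
    """Partial keeps the last four digits, None shows everything, Full shows nothing."""
    if level == "None":
        return number
    if level == "Full":
        return ""
    if level == "Partial":
        keep = number[-4:]
        return "*" * (len(number) - len(keep)) + keep
    raise ValueError(f"unknown masking level: {level}")


def plan_delivery(user: Dict[str, str], username: str, config: Dict[str, object],
                  otp: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
    """Build (channel, address, subject, body) for every configured channel.

    One OTP value goes to every address.  Email targets the primary attribute
    and, when the record has it, the secondary attribute; SMS targets the
    phone-number attribute.  Attributes missing from the record are skipped.
    """
    otp = otp or generate_otp(int(config["length"]), str(config["charset"]))
    plan: List[Tuple[str, str, str, str]] = []
    if config.get("email"):
        for attr in (str(config["primary_attr"]), config.get("secondary_attr")):
            addr = user.get(str(attr)) if attr else None
            if addr:
                plan.append(("email", addr,
                             render(str(config["subject"]), username, otp),
                             render(str(config["body"]), username, otp)))
    if config.get("sms"):
        phone = user.get(str(config["phone_attr"]))
        if phone:
            plan.append(("sms", phone, "", render(str(config["sms_message"]), username, otp)))
    return plan


# Constructed directory record and configuration for the usage below.
SAMPLE_USER = {"mail": "jdoe@example.com", "SMSphone": "+15551234567"}
SAMPLE_CONFIG: Dict[str, object] = {
    "length": 6, "charset": "Numeric",
    "email": True, "primary_attr": "mail", "secondary_attr": "primaryEmail",
    "subject": "Your code: {password}", "body": "Hi {username}, your code is {password}",
    "sms": True, "phone_attr": "SMSphone", "sms_message": "{username}: {password}",
    "mask": "Partial",
}

if __name__ == "__main__":
    for channel, addr, subject, body in plan_delivery(SAMPLE_USER, "jdoe", SAMPLE_CONFIG):
        shown = mask_phone(addr, str(SAMPLE_CONFIG["mask"])) if channel == "sms" else addr
        print(channel, shown, repr(subject), repr(body))
```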
    - To use time-based OTP, you must enable Use the configured TOTP service under Authentication servers. For more details, see Configuring Time-Based One-Time Passwords Settings.
      When you are upgrading from prior versions of SMA to 12.4, the TOTP service and its configuration information are automatically moved from the global configuration to the authentication server.
      - Select the Use the configured TOTP service option. The password is generated by the user in their authenticator application.
      - In the Service name field, you can configure an individual name for the authentication server. This optional name is displayed in the application along with the account name, to differentiate this service from others that also use TOTP.
      - If you want users to be able to deregister their account, enable Allow user to deregister account. This provides an option in CT and WorkPlace for the user to deregister their account.
      - Backup codes can be used when the user does not have access to their application. Available codes are displayed in CT and WorkPlace. Users can generate new codes when needed, but only once in 24 hours. To provide the backup code option to users, enable Use back-up codes.
      - You can configure a list of trusted networks to restrict registration by users from unauthenticated networks. Click the + icon to configure the trusted networks that users must be on to perform application-based TOTP registration. If you have not configured any trusted networks, TOTP account registration is allowed from any network.
      - Export/Import of the TOTP configuration, including registered user data, is supported (on full import).
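The TOTP settings above involve three mechanisms that are easy to misjudge without seeing them run: the code the authenticator app computes (which is why the service name shows up in the app), the trusted-network gate on registration with its "empty list means anywhere" rule, and backup codes that work once and can be regenerated only once in 24 hours. The Python below is an added example, not SonicWall code: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, the parameters standard authenticator apps use), the otpauth provisioning URI carrying the service name, the network gate with the standard library's ipaddress module, and a backup-code store that keeps only hashes. The secret, networks and clock values are constructed; the class and function names are mine.

```python
"""Time-based OTP, trusted-network registration gate and backup codes.

Added example (not SonicWall code).  TOTP follows RFC 6238 (SHA-1, 30 s step,
6 digits).  registration_allowed() reproduces the rule that an empty trusted
network list permits registration from any network.  BackupCodes stores only
SHA-256 hashes, redeems each code once, and allows regeneration once per 24 h.
The secret, networks and timestamps used below are constructed.
"""
import base64
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    counter = int(now) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def provisioning_uri(service_name: str, account: str, secret: bytes) -> str:
    """otpauth:// URI; the service name is what the app shows beside the account."""
    label = quote(f"{service_name}:{account}")
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(service_name)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def registration_allowed(client_ip: str, trusted_networks: Iterable[str]) -> bool:
    """No trusted networks configured means registration is allowed from anywhere."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    if not nets:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


class BackupCodes:
    """Single-use recovery codes; only the SHA-256 of each code is retained."""
    REGEN_INTERVAL = 24 * 3600

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._hashes: Set[str] = set()
        self._last_generated: Optional[float] = None

    def generate(self, count: int = 10) -> List[str]:
        now = self._clock()
        if self._last_generated is not None and now - self._last_generated < self.REGEN_INTERVAL:
            raise PermissionError("backup codes can be regenerated only once in 24 hours")
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        self._last_generated = now
        return codes  # shown to the user once; never stored in clear

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.discard(digest)  # each code works exactly once
            return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 6238 test secret, constructed for the demo
    print(provisioning_uri("SMA VPN", "jdoe", SECRET))
    print(totp(SECRET, 59), verify_totp(SECRET, totp(SECRET, time.time()), time.time()))
    print(registration_allowed("203.0.113.9", []), registration_allowed("203.0.113.9", ["10.0.0.0/8"]))
```

The RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives 287082 at six digits) make the TOTP part checkable against any authenticator app.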
- Click Save.