8.8 Configuring Server Options

Advanced Authentication Server uses HTTPS. Create a certificate file (PEM, CRT or PFX) that holds your existing SSL certificate and apply it on the server.

NOTE:The private key in the certificate file must not be encrypted (password-protected).

IMPORTANT:The Smartphone and Voice Call authentication providers work only with a valid, CA-issued SSL certificate; a self-signed certificate will not work.

To upload the SSL certificate that Advanced Authentication Server will use, follow these steps:

  1. Open the Server Options section.

  2. Click the Choose File button and select the new SSL certificate. The file must contain both the certificate and its private key.

    If intermediate certificates are present, place them in the same certificate file (PEM, CRT or PFX).

  3. Click Upload to upload the selected SSL certificate.

    NOTE:A valid connection to the Certification Authority is required to apply the certificate.
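As an added example that is not part of Advanced Authentication or this documentation, the following Python script performs the structural checks implied by the steps above on a PEM bundle before you upload it: it parses every PEM block, confirms the file holds the certificate and exactly one private key, rejects an encrypted key (both the PKCS#8 "ENCRYPTED PRIVATE KEY" form and the legacy "Proc-Type: 4,ENCRYPTED" form) and warns when only one certificate is present so that missing intermediates are noticed. The fixtures at the bottom are constructed placeholders, not real certificates, and the script name in the usage comment is hypothetical.

```python
# Added example: structural pre-upload check of a PEM certificate bundle.
# It verifies only what the upload steps require: at least one CERTIFICATE
# block, exactly one private key, no encrypted key, intermediates present.
import base64
import binascii
import re
import sys

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABEL = "ENCRYPTED PRIVATE KEY"


def _decode_body(body):
    """Split legacy header lines (e.g. 'Proc-Type: 4,ENCRYPTED') from the base64 payload."""
    headers, b64 = [], []
    for line in body.splitlines():
        line = line.strip()
        if line:
            (headers if ":" in line else b64).append(line)
    der = base64.b64decode("".join(b64), validate=True)  # raises on non-base64 text
    return headers, der


def check_bundle(pem_text):
    """Return (errors, warnings); upload only when errors is empty."""
    errors, warnings = [], []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return ["no PEM blocks found (convert DER or PFX input to PEM first)"], warnings
    certs = keys = 0
    for label, body in blocks:
        try:
            headers, der = _decode_body(body)
        except (binascii.Error, ValueError):
            errors.append(f"{label}: body is not valid base64")
            continue
        if not der or der[0] != 0x30:
            errors.append(f"{label}: payload is not a DER SEQUENCE")
        if label == "CERTIFICATE":
            certs += 1
        elif label == ENCRYPTED_KEY_LABEL:
            keys += 1
            errors.append("private key is PKCS#8 encrypted; decrypt it before upload")
        elif label in PLAIN_KEY_LABELS:
            keys += 1
            if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
                errors.append(f"{label}: legacy PEM encryption header; decrypt it before upload")
        else:
            warnings.append(f"unexpected block {label!r} ignored")
    if certs == 0:
        errors.append("no CERTIFICATE block: the file must hold the server certificate")
    elif certs == 1:
        warnings.append("only one CERTIFICATE block: add the intermediate certificate(s) if the CA uses a chain")
    if keys == 0:
        errors.append("no private key block: the file must hold the key as well as the certificate")
    elif keys > 1:
        errors.append(f"{keys} private key blocks found; keep only the server key")
    return errors, warnings


# Constructed fixtures: the payload is a 5-byte DER SEQUENCE, not a real certificate or key.
_DER = "MAMCAQE="


def pem_block(label, body=_DER, header=""):
    return f"-----BEGIN {label}-----\n{header}{body}\n-----END {label}-----\n"


GOOD_BUNDLE = pem_block("CERTIFICATE") * 2 + pem_block("PRIVATE KEY")
ENCRYPTED_BUNDLE = pem_block("CERTIFICATE") + pem_block(ENCRYPTED_KEY_LABEL)
LEGACY_BUNDLE = pem_block("CERTIFICATE") + pem_block(
    "RSA PRIVATE KEY", header="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
)

if __name__ == "__main__":
    # Usage: python check_bundle.py server.pem  (falls back to the constructed fixture)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_BUNDLE
    errs, warns = check_bundle(text)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    sys.exit(1 if errs else 0)
```

The script checks structure only. To confirm that the key actually belongs to the certificate and that the chain validates, run OpenSSL on the same file: openssl x509 -in server.pem -noout -subject -enddate, openssl pkey -in server.pem -noout (which prompts for a passphrase if the key is still encrypted) and openssl verify -untrusted server.pem server.pem. A PFX file is binary PKCS#12 and must first be converted with openssl pkcs12 -in server.pfx -nodes -out server.pem; -nodes writes the key unencrypted, as the NOTE above requires.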

You can set a custom login page background. It must be a JPEG or PNG image; the recommended resolution is 1920x774 px at 72 dpi, and a file larger than 100 KB is not recommended. To apply a custom login page background, follow these steps:

  1. Click Choose File in the Login page background section.

  2. Select the background file.

  3. Click Upload to upload and apply the custom background.

To revert the settings to the original, click the Revert to original button.

8.8.1 Enabling Web Authentication

Strong Web Authentication is used for OAuth2 and SAML2 events. It is disabled by default to save RAM; enable it if you need OAuth2 or SAML2.

To enable web authentication, perform the following steps:

  1. Open the Server Options section.

  2. Click Enable for the WebAuth option.

  3. Click OK.

NOTE:Changes to the WebAuth setting are not replicated to other servers, so enable it on each server that must handle OAuth2 or SAML2 events.

8.8.2 Uploading Keytab File

The Keytab file option in Server Options of the Advanced Authentication Administrative Portal allows you to upload a keytab file. A keytab file contains the Kerberos keys that the Advanced Authentication Server needs to authenticate to the selected Active Directory domain using Kerberos.

Generate the keytab file for the Advanced Authentication server on a Domain Controller. For information on generating a keytab file, see the website.

Sample command to create the keytab file:

  ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser aas1srv@netiq.loc /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv

Some information about the sample command:

  • The service class HTTP in the /princ value must be in upper case. For more information, see the website.

  • "aas1" is the server name (as recorded in DNS) and "netiq.loc" is the domain name; the realm NETIQ.LOC is the domain name in upper case.

  • "aas1srv" is a service account created in Active Directory specifically for the Advanced Authentication Server, and "Q1w2e3r4" is its password.

  • The keytab file "keytab_aas1srv" is created in C:\Temp.

IMPORTANT:If there are multiple Advanced Authentication Servers in the cluster, generate a separate keytab file for each server, using a different service account for each one.
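Before uploading, it is worth confirming what ktpass actually wrote. The following Python script, added here as an example and not part of Advanced Authentication, parses the MIT keytab format (version 0x0502, which ktpass also writes), lists each entry with its principal, kvno and encryption type, and flags the mistakes the notes above warn about: a lower-case service class, a host or realm that does not match the /princ value, and a keytab with no AES keys. The sample entries and key bytes are constructed placeholders; the host name and realm are those of the sample command, and the script name in the usage comment is hypothetical.

```python
# Added example: parse the MIT keytab format (version 0x0502, also written by
# ktpass) and compare each entry with the values used in the ktpass command.
import struct
import sys

KRB5_NT_PRINCIPAL = 1


def _cos(data):  # counted_octet_string: uint16 big-endian length followed by the bytes
    return struct.pack(">H", len(data)) + data


def _read_cos(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries):
    """Serialize entry dicts (realm, components, enctype, key, kvno) as a keytab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        body = struct.pack(">H", len(e["components"])) + _cos(e["realm"].encode())
        body += b"".join(_cos(c.encode()) for c in e["components"])
        body += struct.pack(">IIB", e.get("name_type", KRB5_NT_PRINCIPAL), e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _cos(e["key"]) + struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the entries of a version 0x0502 keytab as dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted entry of -size bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _read_cos(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(data, p)
            comps.append(c.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, p)  # 9 bytes
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        key, p = _read_cos(data, p + 11)
        if end - p >= 4:  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(dict(realm=realm.decode(), components=comps, name_type=name_type,
                            timestamp=timestamp, enctype=enctype, key=bytes(key), kvno=kvno))
        off = end
    return entries


def check_keytab(entries, host, realm):
    """Compare parsed entries with the host and realm used in ktpass /princ."""
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    for e in entries:
        princ = "/".join(e["components"]) + "@" + e["realm"]
        if len(e["components"]) != 2:
            problems.append(f"{princ}: expected a service/host principal")
            continue
        service, princ_host = e["components"]
        if service != "HTTP":
            problems.append(f"{princ}: service class must be HTTP in upper case, got {service!r}")
        if princ_host.lower() != host.lower():
            problems.append(f"{princ}: host does not match DNS name {host!r}")
        if e["realm"] != realm.upper():
            problems.append(f"{princ}: realm must be {realm.upper()!r}")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f"{princ}: name type {e['name_type']} is not KRB5_NT_PRINCIPAL")
    if not {e["enctype"] for e in entries} & {17, 18}:
        problems.append("no AES keys present (only DES/RC4); check the /crypto value")
    return list(dict.fromkeys(problems))  # drop duplicates from multi-enctype entries


def sample_entries(service="HTTP"):
    """Constructed fixture modelled on the sample ktpass command; key bytes are placeholders."""
    common = dict(realm="NETIQ.LOC", components=[service, "aas1.netiq.loc"], kvno=3)
    return [dict(common, enctype=18, key=bytes(range(32))),   # aes256-cts-hmac-sha1-96
            dict(common, enctype=17, key=bytes(range(16))),   # aes128-cts-hmac-sha1-96
            dict(common, enctype=23, key=bytes(16))]          # rc4-hmac


if __name__ == "__main__":  # usage: python check_keytab.py keytab_aas1srv aas1.netiq.loc NETIQ.LOC
    if len(sys.argv) > 3:
        raw, host, realm = open(sys.argv[1], "rb").read(), sys.argv[2], sys.argv[3]
    else:
        raw, host, realm = build_keytab(sample_entries()), "aas1.netiq.loc", "NETIQ.LOC"
    parsed = parse_keytab(raw)
    for e in parsed:
        print("/".join(e["components"]) + "@" + e["realm"], "kvno", e["kvno"], "enctype", e["enctype"])
    print(check_keytab(parsed, host, realm) or "OK")
```

Run it against the keytab before uploading it for each server in the cluster; the host argument is that server's own DNS name, so a keytab generated for one server is not mistaken for another's.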

Click Upload to select and upload the keytab file.

NOTE:The keytab file can be removed only when an Active Directory repository is selected in the Kerberos SSO Options policy.