2.1 Setting DNS for Server Discovery

  1. Open DNS Manager. To open it, click Start, point to Administrative Tools, and then click DNS.

  2. Add Host A or AAAA record and PTR record:

    1. In the console tree, right-click the forward lookup zone that includes your domain name and click New Host (A or AAAA).

    2. Specify a DNS name for the Advanced Authentication Server in Name.

    3. Specify the IP address for the Advanced Authentication Server in IP address. You can specify the address in IP version 4 (IPv4) format (to add a host (A) resource record) or IP version 6 (IPv6) format (to add a host (AAAA) resource record).

    4. Select Create associated pointer (PTR) record to create an additional pointer (PTR) resource record in a reverse zone for this host, based on the information that you provided in Name and IP address.

  3. Add an SRV record:

    NOTE: Ensure that the LDAP SRV record exists on the DNS server. If the record is not present, you must add it manually.

    For best load balancing, create the following records only for Advanced Authentication web servers. You need not create them for the Global Master, DB Master, and DB servers.

    1. For Advanced Authentication servers from a primary Advanced Authentication site (a site with Global Master server):

      1. In the console tree, expand Forward Lookup Zones, right-click the node with your domain name, and click Other New Records.

      2. In the Select a resource record type list, click Service Location (SRV) and then click Create Record.

      3. Click Service and then specify _aav6.

      4. Click Protocol and then specify _tcp.

      5. Click Port Number and then specify 443.

      6. In Host offering this service, specify the FQDN of the server that is added. For example, authsrv.mycompany.com.

      7. Click OK.

    2. For Advanced Authentication servers from other Advanced Authentication sites:

      1. In the console tree, expand Forward Lookup Zones, expand the node with your domain name, then expand the _sites node, right-click the appropriate site name, and click Other New Records.

      2. In the Select a resource record type list, click Service Location (SRV) and then click Create Record.

      3. Click Service and then specify _aav6.

      4. Click Protocol and then specify _tcp.

      5. Click Port Number and then specify 443.

      6. In Host offering this service, specify the FQDN of the server that is added. For example, authsrv.mycompany.com.

      7. Click OK.

Repeat Step 2 and Step 3 for each authentication server. The Priority and Weight values may differ between servers. For best load balancing, create records only for the Advanced Authentication web servers; the Global Master, DB Master, and DB servers do not need them.
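The same records can be created from the command line on the Windows DNS server with the DnsServer PowerShell module, which is also the easiest way to verify what clients will receive. The script below is an added example and is not part of the Advanced Authentication documentation; the zone name, host name, IP address and the AD site name "Berlin" are assumptions and should be replaced with your own values.

```powershell
# Added example: DNS records for Advanced Authentication server discovery,
# equivalent to the DNS Manager steps above. All names and addresses are assumed.
$Zone     = "mycompany.com"
$HostName = "authsrv"       # host part of the server's FQDN
$Addr     = "10.0.0.10"     # server IPv4 address (use -IPv6Address for AAAA)
$Site     = "Berlin"        # assumed AD site name, used only for non-primary sites

# Step 2: host (A) record plus the associated PTR record.
# -CreatePtr needs a matching reverse lookup zone to exist already.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $Addr -CreatePtr

# Step 3a: primary site (the site with the Global Master): _aav6._tcp at the zone apex.
# Repeat per web server, adjusting -Priority (lower wins) and -Weight (share within a priority).
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name "_aav6._tcp" `
    -DomainName "$HostName.$Zone" -Priority 0 -Weight 100 -Port 443

# Step 3b: other sites: the same record under <site>._sites.
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name "_aav6._tcp.$Site._sites" `
    -DomainName "$HostName.$Zone" -Priority 0 -Weight 100 -Port 443

# Checks: the LDAP SRV record the NOTE requires, and the answers clients will receive.
Resolve-DnsName -Name "_ldap._tcp.$Zone" -Type SRV
Resolve-DnsName -Name "_aav6._tcp.$Zone" -Type SRV
Resolve-DnsName -Name "_aav6._tcp.$Site._sites.$Zone" -Type SRV

# List every _aav6 SRV record in the zone, including the per-site ones.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType Srv |
    Where-Object { $_.HostName -like "_aav6._tcp*" } |
    Format-Table HostName, @{n="Target";e={$_.RecordData.DomainName}},
                 @{n="Prio";e={$_.RecordData.Priority}}, @{n="Weight";e={$_.RecordData.Weight}}
```

Run the script on the DNS server (or a host with the DNS Server Tools RSAT feature) as a user allowed to modify the zone. If the Resolve-DnsName queries return nothing for a site, the record was created under the wrong node; the owner name must be _aav6._tcp.<site>._sites.<domain>.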

The DNS server stores SRV records in the form _service._proto.name TTL class SRV priority weight port target. The elements of the record are:

  • Service: symbolic name of the service (here _aav6).

  • Proto: transport protocol of the service, usually TCP or UDP (here _tcp).

  • Name: domain name for which this record is valid. It ends with a dot.

  • TTL: standard DNS time-to-live field.

  • Class: standard DNS class field (always IN).

  • Priority: priority of the target host. Clients try lower values first.

  • Weight: relative weight among records with the same priority. A higher value receives a proportionally larger share of the connections.

  • Port: TCP or UDP port on which the service is located (here 443).

  • Target: host name of the machine providing the service. It ends with a dot.

Configuring Authentication Server Discovery on Client

You can use the following options to control server discovery on the client side. Add the parameters to the config.properties file.

  • discovery.Domain: DNS name of the domain. On the Windows Client, this value is used when the workstation is not joined to the domain.

  • discovery.subDomains: list of additional sub domains, separated by semicolons. On the Mac OS X Client or Linux Client you can use it to list AD sites.

  • discovery.useOwnSite: set to True to use the local site (Windows Client only).

  • discovery.dnsTimeout: timeout for DNS queries. The default is 3 seconds.

  • discovery.connectTimeout: timeout for the Advanced Authentication server response. The default is 2 seconds.

  • discovery.resolveAddr: set to False to skip DNS resolution. The default is False for the Windows and Linux Clients and True for the Mac Client.

  • discovery.wakeupTimeout: timeout applied after the system starts or resumes from sleep. The default is 10 seconds.

Authentication Server Discovery Flow

Windows Client

The feature is not supported for Windows Client.

MacOS Client / Linux PAM module

  1. Get servers from the sub domains listed in discovery.subDomain.

  2. Get servers from the domain specified in discovery.Domain (global list).
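The two-step flow above, combined with the Priority and Weight semantics of the SRV record, determines the order in which a client tries servers. The following Python is an added example, not the vendor's client code: it parses SRV records in the zone-file form shown earlier on this page and orders the targets the way RFC 2782 prescribes (lowest priority first, weighted random choice within a priority), with the site (sub-domain) answers tried before the global list. The sample records are constructed, and the site name "Berlin" is an assumption.

```python
"""Client-side SRV discovery for _aav6._tcp (added illustration, not vendor code).

Parses '_service._proto.name TTL IN SRV priority weight port target' lines and
orders targets per RFC 2782: lowest priority first, then a weighted random draw
among records sharing a priority. Sub-domain (site) results come before the
global list, mirroring the discovery flow described on this page.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _aav6._tcp.mycompany.com
    ttl: int
    priority: int  # lower is tried first
    weight: int    # share of load among equal-priority records
    port: int
    target: str    # FQDN of the host offering the service


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file SRV line; owner name and target must be fully qualified."""
    fields = line.split()
    if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _rtype, prio, weight, port, target = fields
    if not (name.endswith(".") and target.endswith(".")):
        raise ValueError("owner name and target must end with a dot")
    return SrvRecord(name.rstrip("."), int(ttl), int(prio), int(weight),
                     int(port), target.rstrip("."))


def order_by_priority_and_weight(records, rng=None):
    """Return records in the order a client should try them (RFC 2782).

    Within one priority a record is drawn with probability proportional to its
    weight; weight-0 records are drawn only after every positive-weight record
    of that priority has been taken.
    """
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                roll = rng.randrange(total)   # 0 .. total-1
                running = 0
                for pick in pool:
                    running += pick.weight
                    if roll < running:
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def discover(site_lines, global_lines, seed=None):
    """Site records first, then the global list; returns deduplicated (host, port) pairs."""
    rng = random.Random(seed)
    seen, result = set(), []
    for lines in (site_lines, global_lines):
        for rec in order_by_priority_and_weight([parse_srv(l) for l in lines], rng):
            key = (rec.target, rec.port)
            if key not in seen:
                seen.add(key)
                result.append(key)
    return result


# Constructed sample answers (not captured from a real DNS server). "Berlin" is an
# assumed AD site name; zone and host names follow the page's own example.
SITE_RECORDS = [
    "_aav6._tcp.Berlin._sites.mycompany.com. 3600 IN SRV 10 60 443 authsrv1.mycompany.com.",
    "_aav6._tcp.Berlin._sites.mycompany.com. 3600 IN SRV 10 40 443 authsrv2.mycompany.com.",
]
GLOBAL_RECORDS = [
    "_aav6._tcp.mycompany.com. 3600 IN SRV 10 50 443 authsrv1.mycompany.com.",
    "_aav6._tcp.mycompany.com. 3600 IN SRV 10 50 443 authsrv2.mycompany.com.",
    "_aav6._tcp.mycompany.com. 3600 IN SRV 20 0 443 authsrv3.mycompany.com.",
]

if __name__ == "__main__":
    for host, port in discover(SITE_RECORDS, GLOBAL_RECORDS):
        print(f"try https://{host}:{port}/")
```

With the sample data the two Berlin servers are always tried first (authsrv1 roughly 60% of the time ahead of authsrv2), and authsrv3 is reached only if both fail, because its priority of 20 sorts after 10. Note that DNS answers are unauthenticated unless DNSSEC is deployed, so a spoofed SRV answer can point a client at an attacker's host; the client's TLS certificate validation on port 443 is what must stop that, and the discovery logic should never bypass it.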

The configuration file for the MacOS Client and the Linux PAM module is located at:

  • MacOS Client: /Library/Security/SecurityAgentPlugins/aucore_login.bundle/Contents/etc/aucore_login.conf.

  • Linux PAM module: /opt/pam_aucore/etc/pam_aucore.conf.

The following diagram illustrates the server discovery workflow.