3.1 Configuring the Mandatory Settings

Perform one of the following to set up an interaction between the Windows Client and the Advanced Authentication server:

Prerequisite for Advanced Authentication Server discovery

Ensure that the DNS is configured appropriately for Advanced Authentication server discovery (see Setting a DNS for Advanced Authentication Server Discovery) or a specific Advanced Authentication server must be specified in the configuration file.

3.1.1 Using a Specific Advanced Authentication Server in a Non-DNS Mode

You can achieve the following requirements with this setting:

  • To enforce a connection to a specific workstation where the DNS is not available.

  • To override a DNS based entry for a specific workstation and use the settings specified in the config.properties file.

In the C:\ProgramData\NetIQ\Windows Client\config.properties file, configure discovery.host: <IP_address|domain_name>.

For example, discovery.host: or discovery.host: auth2.mycompany.local.

You can specify multiple Advanced Authentication servers separated by a semicolon (;):

discovery.hosts: aaf-1.domain.com;aaf-2.domain.com;....;aaf-n.domain.com

You can specify a port number (optional parameter) for the client-server interaction: discovery.port: <portnumber>.

NOTE:For Windows logon event, select the OS Logon (local) Event type if you want to use Windows Client on the non-DNS joined workstations.

3.1.2 Setting a DNS for Advanced Authentication Server Discovery

You can configure a DNS to allow the Windows Client to connect with the Advanced Authentication server through the DNS.

To configure the DNS for server discovery, perform the following tasks:

Adding a Host to DNS

  1. Open the DNS Manager. To open the DNS Manager, click Start > Administrative Tools > DNS.

  2. Add the A or AAAA host record and a PTR record:

    1. Right-click your domain name, then click New Host (A or AAAA) under Forward LookupZone in the console tree.

    2. Specify a DNS name for the Advanced Authentication Server in Name.

    3. Specify the IP address for the Advanced Authentication Server in IP address.

      You can specify the address in IP version 4 (IPv4) format (to add a host (A) resource record) or IP version 6 (IPv6) format (to add a host (AAAA) resource record).

    4. Select Create associated pointer (PTR) record to create an additional pointer (PTR) resource record in a reverse zone for this host, based on the information that you have provided in Name and IP address.

Adding an SRV Record

For best load balancing, it is recommended to perform the following actions only for Advanced Authentication web servers.You need not create the records for Global Master, DB Master, and DB servers.

NOTE:Ensure that the LDAP SRV record exists at DNS server. If the record is not available, you must add it manually.

Adding an SRV Record from a Primary Advanced Authentication Site

To add an SRV record for the Advanced Authentication servers from a primary Advanced Authentication site (a site with the Global Master server), perform the following steps:

  1. Right-click on a node with the domain name and click Other New Records in the Forward Lookup Zones of the console tree.

  2. Select Service Location (SRV) from Select a resource record type.

  3. Click Create Record.

  4. Specify _aav6 in Service of the New Resource Record window.

  5. Specify _tcp in Protocol.

  6. Specify 443 in Port Number.

  7. Specify the Fully Qualified Domain Name (FQDN) of the server that is added in Host offering this service. For example, authsrv.mycompany.com.service.

  8. Click OK.

Adding an SRV Record from Other Advanced Authentication Sites

  1. Expand the preferred domain name node and select _sites in the Forward Lookup Zones of the console tree.

  2. Right-click on the preferred site name and click Other New Records.

  3. Select Service Location (SRV) from Select a resource record type.

  4. Click Create Record.

  5. Specify _aav6 in Service of New Resource Record window.

  6. Specify _tcp in Protocol.

  7. Specify 443 in Port Number.

  8. Specify the FQDN of the server that is added in Host offering this service. For example, authsrv.mycompany.com.

  9. Click OK.

You must add a host and SRV records in DNS for all the authentication servers. The Priority and Weight values for different servers may vary. For best load balancing, you must have records only for the Advanced Authentication web servers instead of records for Global Master, DB Master, and DB servers.

DNS Server Entries

The DNS server contains the following elements in an SRV record: SRV entries _service._proto.name TTL class SRV priority weight port target. The following table defines these elements present in an SRV record:




Domain name for which this record is valid. It ends with a dot.


Symbolic name of an applicable service.


Transport protocol of an applicable service. Typically, TCP or UDP.


Priority of the target host. Lower the value, higher the priority.


A relative weight for records with the same priority. Higher the value, higher the priority.

Port number

TCP or UDP port on which the service is located.

Target (Host offering this service)

Canonical hostname of the machine providing the service. It ends with a dot.

Authentication Server Discovery Flow

The following diagram illustrates the server discovery workflow.

Configuring Authentication Server Discovery in Client

You can configure server discovery in the Windows Client by using the following parameters in the config.properties file:




DNS name of the domain. For Windows Client, this value is used if the workstation is not connected to the domain.


Option to specify the port number for the client-server interaction.


Option to specify the DNS name or the IP address of an Advanced Authentication server.


Lists additional sub domains separated by a semicolon.


Set the value to True to use the local site (Windows Client only).


Set time out for the DNS queries. The default value is 3 seconds.


Time out for the Advanced Authentication server response. The default value is 2 seconds.


Set the value to False to skip resolving the DNS. By default, the value is set to False for Windows Client.


Timeout after the operating system starts or resumes from sleep. The default value is 10 seconds.


A delay for which the Windows Client stops searching the server after an unsuccessful search attempt. The default value is 5 minutes after which the Client switches to the online mode.

During background operations (for example, policy updates) if the cache determines that the server is available, then the set period can be reduced.