User authentication ensures that a console user logs on to Secure Configuration Manager using valid credentials. Credentials represent a combination of user name and password to provide a user the authorization to log on to a computer. When Secure Configuration Manager authenticates a console user account, Secure Configuration Manager validates the account credentials against either the Secure Configuration Manager database or an external database that is LDAP compliant, such as Active Directory. You can configure a console user account for console authentication or external authentication. To successfully implement external authentication, identify an available LDAP server, such as a Windows 2012 or later domain controller or a Sun ONE Directory Server version 5.2 running on a Windows 2012 Server computer.
Secure Configuration Manager supports the following authentication settings:
Console authentication: When a console user logs on to Secure Configuration Manager, Secure Configuration Manager validates the specified user name and password against encrypted credentials stored in the Secure Configuration Manager database.
External authentication: When a console user logs on to Secure Configuration Manager, Secure Configuration Manager connects to the external authentication source associated with this account and validates the specified user name and password against credentials stored in that source. For example, if a console user account belongs to a Windows 2012 or later domain, Secure Configuration Manager validates the account user name and password against the credentials stored in Active Directory on the domain controller for that domain. External authentication allows you to leverage your existing authentication settings.
You can add, modify, verify, and delete authentication sources and the properties of each source. Before you associate console user accounts with an external authentication source, configure Secure Configuration Manager to support external authentication. For more information, see Section 3.3.1, Implementing External Authentication. You can verify an authentication source to ensure that the specified LDAP server is available and the authentication credentials are valid. When you modify the authentication source properties, ensure that the specified LDAP server is available and the authentication credentials are valid.
Before you delete an authentication source from the Secure Configuration Manager database, ensure that no console users associated with this source are logged on to the Secure Configuration Manager console.
WARNING: Deleting an external authentication source prevents Secure Configuration Manager from validating the associated user accounts. When you delete an authentication source, assign another authentication source to the affected console users. For more information, see Section 3.7, Managing Console Users.
You can configure Secure Configuration Manager to authenticate a console user using credentials stored in an external database. For example, Secure Configuration Manager can authenticate a console user account using credentials stored on a specific Active Directory domain controller.
To implement external authentication:
1. In the left pane, click Console Permissions.
2. In the Console Permissions tree pane, right-click Authentication Sources, and then click New Authentication Source.
3. On the General tab, specify the external authentication source by completing the following steps:
   a. Under Source Identification, type the source name in the Source Name field (for example, Active Directory).
   b. In the LDAP Server URL field, type the fully qualified URL of the appropriate LDAP server. Use either of the following formats:
      ldap://server_name:port_number
      ldap://domain_controller.DNS_suffix
      NOTE: You can search for the correct LDAP server using the browse button and enter specifics in the LDAP Server URL window. To change the LDAP root path, click Change and enter the credentials used to access the Active Directory domain indicated in the LDAP Path.
   c. In the User Base DN field, type the distinguished name of the container or organizational unit to which this LDAP server adds new user accounts. Use the following format:
      CN=users,DC=DomainComponent1,DC=DomainComponent2
   d. In the Username Attribute field, type the name of the LDAP attribute (such as displayname) that the LDAP server uses to uniquely identify this user account. To map to the logon ID, use the attribute SAMAccountName.
4. Specify the authentication credentials Secure Configuration Manager should use to connect to this source:
   a. (Optional) To allow anonymous access, under Binding Credentials select Use Anonymous Binding. To fully implement anonymous binding for Active Directory, configure the appropriate domain controller to support anonymous authentication. Anonymous binding allows console users to authenticate without specifying their Active Directory credentials.
   b. In the Username field, type the full distinguished name of the account that Secure Configuration Manager should use when binding to the server. Use the following format:
      CN=AccountName,OU=Users,DC=DomainComponent1,DC=DomainComponent2
      NOTE: Active Directory credentials are case-sensitive. Ensure that you enter the information in the Username and Password fields in the appropriate case. For example, if the Active Directory account name is JMcNetIQ, the console user name must also be JMcNetIQ.
   c. In the Password and Confirm Password fields, type the password used to log on to the LDAP server.
5. To ensure that the specified LDAP server is available and the authentication credentials are valid, click Verify.
6. Click OK.
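As an added example that is not part of this documentation or the product, the following Python script performs offline sanity checks on the values entered in the procedure above before you click Verify: it accepts the ldap:// and ldaps:// URL formats, checks that the User Base DN and bind Username are well-formed distinguished names, flags anonymous binding and plain ldap://, and builds the lookup filter for the configured Username Attribute with RFC 4515 escaping so a typed logon ID is matched literally. All host, DN and account values in SAMPLE_SOURCE are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the General tab fields (hypothetical names, not a real domain).
SAMPLE_SOURCE = {
    "ldap_server_url": "ldaps://dc01.corp.example:636",
    "user_base_dn": "CN=users,DC=corp,DC=example",
    "username_attribute": "SAMAccountName",
    "anonymous_binding": False,
    "bind_dn": "CN=svc-scm,OU=Users,DC=corp,DC=example",
}

# A DN is one or more comma-separated attribute=value pairs, e.g. CN=users,DC=corp,DC=example.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")

# RFC 4515 escapes for values placed inside a search filter: the logon ID a console
# user types is then matched literally and cannot change the filter structure.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_ldap_url(url: str) -> tuple:
    """Accept ldap://host[:port] or ldaps://host[:port]; return (scheme, host, port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP server URL: {url}")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("LDAP Server URL must contain only scheme, host and port")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def validate_source(src: dict) -> list:
    """Return findings for the entered settings; an empty list means they look sane."""
    findings = []
    scheme, _host, _port = check_ldap_url(src["ldap_server_url"])
    if scheme == "ldap":
        findings.append("ldap:// sends the bind password unprotected; use ldaps:// where possible")
    if not DN_RE.match(src["user_base_dn"]):
        findings.append("User Base DN is not a well-formed distinguished name")
    if src["anonymous_binding"]:
        findings.append("anonymous binding selected; the domain controller must allow it")
    elif not DN_RE.match(src.get("bind_dn", "")):
        findings.append("Username must be the full distinguished name of the bind account")
    return findings


def user_search_filter(src: dict, logon_id: str) -> str:
    """Filter used to look up a console user by the configured Username Attribute."""
    return f"({src['username_attribute']}={escape_filter_value(logon_id)})"
```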
You can configure a secure LDAP authentication source, but you must first have a public key infrastructure running in your environment. For more information about setting up a Windows-based PKI, including issuing a certificate for your secure LDAP service and exporting your root certificate authority, see the Microsoft Windows Server 2003 Technology Center Web site.
To configure a secure LDAP authentication source:
1. On your Secure Configuration Manager Core Services computer, use the following command to add the CA root certificate to the cacerts keystore:
   keytool -import -trustcacerts -alias rootca -file rootca.cer -keystore "Secure Configuration Manager Installation Folder\Core Services\jre\lib\security\cacerts"
2. Use the procedure described in Section 3.3.1, Implementing External Authentication, and enter ldaps://ldap server:636 as the LDAP Server URL value in Step 3.