Active Directory Authentication

In Active Directory (AD) authentication mode, the server uses the NTLM v2 and LDAP protocols to authenticate users residing in Active Directory. The login procedure is a five-step process:

1. ArcTitan authenticates with Active Directory using a service computer account (you’ll see later how this computer account is created).

2. ArcTitan searches for the login user in Active Directory using the login name.

3. ArcTitan binds (authenticates) with the login user using the supplied password.

4. ArcTitan assigns a role to the user based on the defined role assignments.

5. ArcTitan extracts the user’s email addresses from the mail LDAP attribute for use in search filtering.

*If you are upgrading from an earlier version of ArcTitan, note that ArcTitan’s authentication mechanism has changed from Kerberos to NTLM v2 authentication.
NTLM v2 authentication requires that the service account is a computer account, not a normal user account. To upgrade, you will need to create a computer account in AD, set a password on that computer account using the scripts provided, and change the service account to service$@business.local. The dollar ($) sign in the service account UPN denotes a computer account (as opposed to a user account) in Active Directory.

| Field | Description | Example |
|---|---|---|
| DNS IP Address | IP address of your DNS server | 192.168.0.1 |
| Active Directory Address | The fully qualified domain name of Active Directory | active.business.local |
| Base DN | The distinguished name of the location in AD where ArcTitan should start its search | dc=company,dc=com |
| Service Account Login | The FQDN of the service computer in AD | service$@business.local |
| Service Account Password | The service computer password | |
| Mail Attribute | The mail attribute from which the user’s email addresses are obtained | proxyAddresses |
| Email Value | The regular expression used to extract the email value from the mail attribute | SMTP:(.*) |
| Primary Mail Attribute | The mail attribute from which the user’s primary email address is obtained | mail |
| Primary Email Value | The regular expression used to extract the email value from the primary mail attribute | (.*) |
| Bind Attribute | The attribute used to search for the user by login username in AD’s LDAP. Leave this as is, unless you want users to be able to log in using their email address or some other attribute | SAMAccountName |
| UPN Attribute | The user principal name attribute in AD | userPrincipalName |
| UPN Value | The regular expression used to extract the UPN value from the UPN attribute | (.*) |
| NTLM Authentication | When NTLM authentication is enabled, ArcTitan performs single sign-on authentication using the user’s session | Disabled |

In order to authenticate with Active Directory, ArcTitan requires that a new computer account is created in Active Directory and that a password is set on that account. While it is possible to create a new Computer using Active Directory Users and Computers, there is currently no way from the GUI to set passwords on Computer accounts. For this purpose, a VBS script called ADSetupWizard.vbs is included with the server distributable. The script, when executed with Domain Administrator privileges, automatically creates a Computer in Active Directory and sets a password on the Computer account. It also outputs the AD configuration settings appropriate for your setup.

The procedure for configuring Active Directory authentication is as follows:

1. Included with the ArcTitan server distributable is a VBS script called ADSetupWizard.vbs. This script can be downloaded from the following location:
[program dir]/server/ADSetupWizard.vbs (Linux)

2. Log in to any computer on the network (the ArcTitan server itself will do) as a Domain Administrator. Copy the ADSetupWizard.vbs script from the above location to the local machine and run it.

3. Follow the Wizard instructions to create a new “service” Computer account in Active Directory and set a password on the service account.

4. When the Wizard completes, take note of the settings needed to define the AD settings in ArcTitan.

5. Open the ArcTitan console, click the Configuration menu at the top, then select the Login menu on the left. Choose Active Directory authentication and enter the settings output by the AD Wizard.

6. Next, click the New Role Assignment button to create a mapping between a role in ArcTitan and an Active Directory attribute.

*1. If the ADSetupWizard.vbs script generates the error “AccessDenied 80070005”, it may be necessary to temporarily disable Windows UAC on the machine where the script is executed.
2. If you experience problems running the ADSetupWizard.vbs script, you can instead create a computer manually using Active Directory Users and Computers. Thereafter, run the SetComputerPassword.vbs script (located in the same directory as the ADSetupWizard script) to set the computer password.
3. Microsoft requires that the user assigned the impersonation rights should not also have administrator rights assigned.

When assigning roles to Active Directory users, select a role, select an LDAP attribute and enter a match criterion.

| Field | Description |
|---|---|
| Role | Role to be assigned |
| LDAP Attribute | LDAP attribute to use for the role assignment |
| Match Criterion | A value that is compared against the corresponding LDAP attribute in Active Directory for an authenticating user |

To complete the attribute and match criterion fields, it is useful to understand how roles are assigned to users during console authentication. A user in Active Directory has a set of LDAP attributes associated with it. These attributes are essentially properties about the user (e.g. account name, user group, etc.). During console authentication, once the user has been identified, the value of the attribute selection is retrieved from Active Directory. This value is compared against the value entered in the match criterion field. If there is a match, the selected role is assigned to the user.

To assign a role to a Windows user, select “SAMAccountName” as the LDAP attribute and enter the user’s name in the match criterion field. To assign a role to all users within a user group, select “memberOf” in the attribute field and enter the distinguished name of the user group in Active Directory (e.g. “CN=Enterprise Admins, CN=Users, DC=company, DC=com”).

*The match criterion field also accepts regular expressions for complex pattern matching requirements.

| LDAP Attribute | Match Criterion Value |
|---|---|
| memberOf | Active Directory user group, e.g. CN=Enterprise Admins,CN=Users,DC=company,DC=com |
| userPrincipalName | jdoe@company.com |
| SAMAccountName | Jdoe |
| distinguishedName | CN=John Doe,CN=Users,DC=company,DC=com |
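The role-assignment rule described above (one attribute, one criterion, exact value or regular expression, applied to each value of a multi-valued attribute such as memberOf) is easy to get wrong in a way that over-grants access. The following is an added example written for this page, not ArcTitan’s own code; it reproduces the matching logic in Python over a constructed user record. The role names other than the built-in User Role, the `attribute_values`, `criterion_matches`, `assign_roles` and `overly_broad` functions, and the choice to anchor regex criteria with `fullmatch` are all assumptions of the example (the page says regexes are accepted but not whether partial matches count, and whether ArcTitan’s own matcher is case-sensitive is not stated either).

```python
import re

# Constructed sample of one user's attributes as read back from AD during
# console authentication. memberOf and objectClass are multi-valued in AD,
# so they are lists; the other attributes are single-valued.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@company.com",
    "distinguishedName": "CN=John Doe,CN=Users,DC=company,DC=com",
    "memberOf": [
        "CN=Archive Users,CN=Users,DC=company,DC=com",
        "CN=Enterprise Admins,CN=Users,DC=company,DC=com",
    ],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}

# Role assignments as they would be entered in Configuration -> Logins:
# (role, LDAP attribute, match criterion). Only "User" is a built-in role
# named on the page; the other role names are made up for this example.
ASSIGNMENTS = [
    ("Administrator", "memberOf", "CN=Enterprise Admins,CN=Users,DC=company,DC=com"),
    ("User", "objectClass", "user"),
    ("Auditor", "sAMAccountName", "jdoe"),
    ("Helpdesk", "memberOf", r"CN=Helpdesk.*,DC=company,DC=com"),
]


def attribute_values(entry, attribute):
    """Return an attribute's values as a list, matching the attribute name
    case-insensitively as LDAP does (the page writes both SAMAccountName
    and SAMaccountName)."""
    for name, value in entry.items():
        if name.lower() == attribute.lower():
            return list(value) if isinstance(value, list) else [value]
    return []


def criterion_matches(value, criterion):
    """Exact comparison first, then the criterion as a regular expression.
    Anchoring with fullmatch is an assumption of this example."""
    if value == criterion:
        return True
    try:
        return re.fullmatch(criterion, value) is not None
    except re.error:
        # Neither the literal value nor a valid regex: grants nothing.
        return False


def assign_roles(entry, assignments):
    """Step 4 of the login procedure: every assignment whose criterion matches
    at least one value of the chosen attribute grants its role."""
    roles = []
    for role, attribute, criterion in assignments:
        values = attribute_values(entry, attribute)
        if any(criterion_matches(v, criterion) for v in values):
            if role not in roles:
                roles.append(role)
    return roles


def overly_broad(criterion):
    """Heuristic review check: a criterion that fully matches unrelated probe
    values (a bare '.*', for instance) would grant its role to any user who
    has the attribute at all."""
    probes = ["CN=Unrelated Group,OU=Other,DC=elsewhere,DC=example", "someone.else"]
    try:
        return all(re.fullmatch(criterion, p) is not None for p in probes)
    except re.error:
        return False


if __name__ == "__main__":
    print(assign_roles(SAMPLE_USER, ASSIGNMENTS))
    for role, attribute, criterion in ASSIGNMENTS:
        if overly_broad(criterion):
            print(f"warning: {role} on {attribute} matches everyone")
```

Two points worth checking in your own configuration follow from the code: the memberOf value is compared as the whole DN string that AD returns, so copy it from the Lookup dialog rather than retyping it (the page shows the DN both with and without spaces after the commas), and a regex criterion such as `.*` or an unanchored group prefix grants the role to every authenticating user, which `overly_broad` flags.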

When specifying the match criterion field, it is useful to look up the LDAP attribute names and values associated with a user. This is done by clicking the Lookup button and entering a user’s username (e.g. admin@company.com) and password. A list of possible attributes and their values will be shown. Clicking on an attribute value in the dialog populates the match criterion field.

To illustrate, a common requirement is to assign all normal AD users the built-in User Role. This task is accomplished as follows:

1. In Configuration->Logins, create a new role assignment.

2. Assign the User Role.

3. Click the Lookup button.

4. In the popup dialog, enter the credentials of an existing AD user.

5. A list of LDAP attribute value pairs will appear.

6. Choose the LDAP attribute value pair that corresponds with “object class = user”.

7. Click Save and perform a Test Login.

*AD Lookup & Attribute Lookup – The AD Lookup dialog will not work with Internet Explorer Enhanced Security Configuration mode enabled. Either disable Internet Explorer Enhanced Security Configuration or alternatively use Chrome or Firefox browsers to perform the lookup. To disable Internet Explorer Enhanced Security Mode: In Windows Server 2003, uninstall the corresponding Windows Component in Add/Remove Programs. In Windows Server 2008, click on the root folder in Server Manager, scroll down to the Security Information Section and click “Configure IE ESC”. Switch off IE ESC for Administrators.

There is likely to be an error in your configuration if the Lookup dialog does not return any LDAP attribute values. Once all role assignments are configured, execute a Test Login to ensure that your Kerberos settings, LDAP settings and user roles have been configured correctly. If problems are encountered, please refer to Authentication Failed Steps.

*If you are unable to get AD authentication working in your environment, it is possible to authenticate with AD using password-based LDAP authentication instead. To do this, select LDAP authentication, set the mail attribute to “proxyAddresses” and the bind attribute to “SAMAccountName”. You will also need to clear out the default login name suffix in the Logins section. Refer to LDAP Authentication for more information.
Multi-Domain Authentication Tip: if your organization has multiple domains, ArcTitan must be configured to connect to AD’s Global Catalog Server running on port 3268. To do this, change your Active Directory server FQDN to the equivalent of company.com:3268 and set the base DN to be empty.

In addition to the AD properties editable in the GUI, additional advanced LDAP properties can be set directly by editing the ArcTitan server.conf file using a text editor such as Wordpad or Vi.

| Field | Description | Server.conf Example |
|---|---|---|
| Alternate Email Address | Secondary attribute where the user’s email addresses can be found. ArcTitan retrieves the user’s email addresses from both the mail attribute and the alternate email address attribute. | authentication.alternateemailaddress.attribute=emai |
| Alternate Email Address Value | The regular expression pattern used to extract the email address. To take the value as is, use (.*). If your email addresses are in the format SMTP:joe@blog.com, specify SMTP:(.*). Note the position of the brackets. | authentication.alternateemailaddress.value=(.*) |
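Both the Mail Attribute / Email Value fields in the console table earlier on this page and the two server.conf alternate-address keys above work the same way: a regular expression with one capture group is run over every value of an LDAP attribute and the captured text becomes an address used for search filtering. The following is an added example written for this page, not ArcTitan’s own code; it applies those settings in Python to a constructed user record so the effect of the default `SMTP:(.*)` pattern on a multi-valued proxyAddresses attribute can be seen. The `otherMailbox` attribute standing in for the alternate address attribute, the `attribute_values`, `apply_pattern` and `extract_emails` functions, and the use of Python’s `re` (the page does not say whether ArcTitan’s own matcher is case-sensitive) are assumptions of the example.

```python
import re

# Constructed sample of the attributes ArcTitan would read back for one user
# after the search in step 2 of the login procedure. In AD, proxyAddresses is
# multi-valued: the primary SMTP address carries an upper-case "SMTP:" prefix,
# aliases a lower-case "smtp:" prefix, and non-SMTP entries other prefixes.
SAMPLE_USER = {
    "mail": "jdoe@company.com",
    "proxyAddresses": [
        "SMTP:jdoe@company.com",
        "smtp:john.doe@company.com",
        "X400:c=US;a= ;p=Company;o=Exchange;s=Doe;g=John;",
    ],
    # otherMailbox stands in for the "Alternate Email Address" attribute; the
    # choice of attribute is an assumption of this example, not a page setting.
    "otherMailbox": ["jdoe@legacy.company.com"],
}

# The console defaults from the field table plus the two server.conf keys.
DEFAULT_CONFIG = {
    "mail_attribute": "proxyAddresses",
    "email_value": r"SMTP:(.*)",
    "primary_mail_attribute": "mail",
    "primary_email_value": r"(.*)",
    "authentication.alternateemailaddress.attribute": "otherMailbox",
    "authentication.alternateemailaddress.value": r"(.*)",
}


def attribute_values(entry, attribute):
    """Return an attribute's values as a list. LDAP attribute names are
    case-insensitive, so 'proxyaddresses' and 'proxyAddresses' are the same."""
    for name, value in entry.items():
        if name.lower() == attribute.lower():
            return list(value) if isinstance(value, list) else [value]
    return []


def apply_pattern(values, pattern):
    """Run the configured regular expression over each value and keep what its
    first capture group (or, without a group, the whole match) yields.
    re.match anchors at the start of the value and is case-sensitive unless
    the pattern says otherwise, so "SMTP:(.*)" yields the primary address
    only and skips the lower-case "smtp:" aliases."""
    regex = re.compile(pattern)
    found = []
    for value in values:
        match = regex.match(value)
        if match:
            found.append(match.group(1) if match.lastindex else match.group(0))
    return found


def extract_emails(entry, cfg):
    """Step 5 of the login procedure: the primary address from the primary
    mail attribute, plus the full address list (mail attribute and alternate
    attribute combined) that ArcTitan uses for search filtering."""
    primary = apply_pattern(
        attribute_values(entry, cfg["primary_mail_attribute"]),
        cfg["primary_email_value"],
    )
    addresses = apply_pattern(
        attribute_values(entry, cfg["mail_attribute"]), cfg["email_value"]
    )
    addresses += apply_pattern(
        attribute_values(entry, cfg["authentication.alternateemailaddress.attribute"]),
        cfg["authentication.alternateemailaddress.value"],
    )
    deduplicated = []
    for address in addresses:
        if address not in deduplicated:
            deduplicated.append(address)
    return {"primary": primary[0] if primary else None, "addresses": deduplicated}


if __name__ == "__main__":
    print(extract_emails(SAMPLE_USER, DEFAULT_CONFIG))
    # A case-insensitive pattern also picks up the lower-case aliases.
    aliases_too = dict(DEFAULT_CONFIG, email_value=r"(?i)smtp:(.*)")
    print(extract_emails(SAMPLE_USER, aliases_too))
```

The practical consequence to verify with the Lookup dialog and a Test Login is which addresses actually end up in the user’s search filter: with the default pattern as applied here, only the upper-case primary SMTP address and the alternate attribute contribute, and a user’s lower-case aliases are left out unless the pattern is made case-insensitive. Whatever the set is, it defines the mail a user may search, so check it for a sample user before rolling the configuration out.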

*Multi-Domain Authentication: Trust relationships between forests must be configured. When performing an LDAP lookup, the global catalog server must be able to search entries from other forests. When configuring the Logins:
(a) set the bind DN to empty
(b) set the AD server to the global catalog server (e.g. global.catalog:3268)
(c) set the bind attribute to userPrincipalName

*Experiencing AD authentication problems? Refer to Unable to Authenticate.