An authentication server manages and validates user accounts. The system supports the following types of authentication servers:
Lightweight Directory Access Protocol (LDAP) server—LDAP is an open protocol for accessing directory information services. The LDAP directories are organized in a tree structure. The root of the tree typically defines a country (c=CN) or domain name (dc=com), and organizations or organization units (OUs) are under the root. An OU might include user, computer, and printer information. As a unified authentication solution, LDAP can rapidly provide user search results. It is applicable to scenarios with high concurrency of authentication requests.
Microsoft Active Directory (AD)—AD is an LDAP-based directory service that comprises an LDAP server and an LDAP application (the Windows domain server). The Windows domain server, which stores Active Directory, hosts a database containing the user accounts, passwords, and computers in its domains. A user can use one username and password to access all the resources permitted in a domain. Once the user changes the password, the new password is synchronized across the entire domain.
Authentication servers are applicable to scenarios with high network security and unified user management.
Create an authentication server—Associate the actual deployed authentication servers with Space Console.
Synchronize OU configurations—Synchronize user information from the authentication server.
Deploy Microsoft AD or generic LDAP servers on the network and configure users on the servers.
To add the cloud desktops in a desktop pool to a domain for domain users, assign the desktop pool to domain users and specify an OU for the pool. Local LDAP users are not required to join a domain.
Authentication servers of type Microsoft AD are not supported by the ARM architecture.
· The system supports multiple Microsoft AD servers and generic LDAP servers.
· A Microsoft AD server does not support subdomains.
· If an authentication server is specified by its domain name, the cloud disk feature cannot synchronize domain configuration with the authentication server.
From the navigation pane, select System > Advanced Settings > Servers > Authentication Servers.
Click Create Authentication Server.
Configure the authentication server parameters as described in "Parameters."
Click Connectivity Test to verify that the server is reachable.
Click Save.
Server Address: Specify the IP address or domain name of an authentication server. Make sure Space Console can reach the authentication server. If the Microsoft AD server is deployed in primary/secondary mode or load balancing mode, you must specify the domain name of the Microsoft AD server. Otherwise, primary/secondary server switchover or load balancing might fail.
Server Type: Specify the type of the authentication server. Options include Generic LDAP Server and Microsoft Active Directory.
NETBIOS: Configure the NetBIOS information of the authentication server. This parameter is available only for the Microsoft AD server. If the Microsoft AD server runs an operating system earlier than Windows 2000, you must configure this parameter so that cloud desktops can correctly join domains.
Server Version: Specify the version of the authentication server. Options include 2 and 3. The default is 3.
User Naming Attribute: Configure the user naming attribute.
If you select Generic LDAP Server for the Server Type parameter, the default user naming attribute is cn.
If you select Microsoft Active Directory for the Server Type parameter, the default user naming attribute is sAMAccountName.
Security Control: Configure security control for the authentication server. Options include:
Allow Server Data Update: Allow administrators to manage domain users or user groups on Space Console. If you do not select this parameter, administrators do not have the privileges to manage (for example, create, edit, or delete) domain users, domain user groups, LDAP users, or LDAP user groups.
Enable Secure Connection: Use SSL to secure connections to the domain server.
Auth Password Encryption Algorithm: Select an encryption algorithm for the user authentication password when creating or editing LDAP users on Space Console. You can select only MD5 or SHA.
Port Number: Specify the port number of the authentication server. The default is 389 if security control is disabled and 636 if security control is enabled.
Base DN: Specify the base DN used for communication with the authentication server. To configure the system to automatically populate this field, click Click to Obtain Base DN after you specify the IP address of the authentication server.
Admin DN: Specify the administrator DN used for communication with the authentication server.
Current Admin Password: Specify the administrator password used for communication with the authentication server.
Login Name Attribute Name: Configure the login name attribute.
If you select Generic LDAP Server for the Server Type parameter, the default login name attribute is cn.
If you select Microsoft Active Directory for the Server Type parameter, the default login name attribute is sAMAccountName.
User Name Attribute Name: Configure the user name attribute for obtaining the user information from the LDAP server.
E-mail Attribute Name: Configure the e-mail attribute for obtaining the user information from the LDAP server.
Telephone Attribute Name: Configure the telephone attribute for obtaining the user information from the LDAP server.
Password Attribute Name: Configure the password attribute for obtaining the user information from the LDAP server.
Sync User Group: Configure whether to allow user groups on the LDAP server and local LDAP user groups on Space Console to synchronize with each other. This parameter is available only for the generic LDAP server.
If you select Enabled, the system will synchronize users and user groups from the LDAP server to Space Console. Additionally, changes to the users and user groups on Space Console will also be synchronized to the LDAP server.
If you select Disabled, the system will synchronize only users from the LDAP server to Space Console. It will not synchronize user groups from the LDAP server to Space Console or changes to users or user groups on Space Console to the LDAP server.
Unique Identifier Attribute Name: Customize the unique identifier attribute for users on the LDAP server.
User Filtering Rules: Specify filtering rules for Space Console to obtain users from the LDAP server. After you configure these rules, only the users matching the filtering rules can be obtained.
User Group Filtering Rules: Specify filtering rules for Space Console to obtain user groups from the LDAP server. After you configure these rules, only the user groups matching the filtering rules can be obtained.
Domain Tree Configuration: Select whether to enable domain tree configuration. The default is Disabled. If you select Enabled, configure the following parameters for the domain tree:
Domain Tree IP: Enter the IP address or domain name of the domain tree authentication server. Make sure that the current Space Console server can reach the configured IP address or domain name.
Domain Tree Base DN: Specify the base DN used for communication with the domain tree authentication server. To configure the system to automatically populate this field, click Click to Obtain Base DN after you specify the IP address of the authentication server.
Domain Tree Server Version: Specify the version of the domain tree authentication server. Options include 2 and 3. The default is 3.
Domain Tree Port: Specify the port number of the domain tree authentication server. The default is 389 if security control is disabled and 636 if security control is enabled.
A domain tree includes domains and subdomains. After you configure a domain tree that trusts the root domain to form a domain forest, desktops can be assigned to any domain of the domain forest. If you do not specify a desktop OU when creating or editing a desktop pool, the system will automatically select the domain tree OU when you deploy the desktops.
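The following added example (not part of the Space Console documentation or product code) models the parameters described above: the default port chosen by the secure connection setting, the default user naming attribute per server type, and the way the User Filtering Rules combine with a login name into one LDAP search filter. Server addresses, the base DN and the filter are constructed sample values; the login name is escaped per RFC 4515 so that a value typed at login cannot alter the administrator-configured rules.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults stated on the page for the User Naming Attribute parameter.
DEFAULT_NAMING_ATTR = {
    "Generic LDAP Server": "cn",
    "Microsoft Active Directory": "sAMAccountName",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: ( ) * \\ and NUL become \\XX."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class AuthServer:
    address: str                      # Server Address
    server_type: str                  # Server Type
    secure_connection: bool = False   # Enable Secure Connection (SSL)
    port: Optional[int] = None        # Port Number; None means use the default
    naming_attr: Optional[str] = None # User Naming Attribute; None means default
    base_dn: str = "dc=example,dc=test"  # constructed sample Base DN
    user_filter: str = ""             # User Filtering Rules, e.g. "(objectClass=user)"

    def effective_port(self) -> int:
        """389 for plain LDAP, 636 when the secure connection is enabled."""
        if self.port:
            return self.port
        return 636 if self.secure_connection else 389

    def effective_naming_attr(self) -> str:
        return self.naming_attr or DEFAULT_NAMING_ATTR[self.server_type]

    def url(self) -> str:
        scheme = "ldaps" if self.secure_connection else "ldap"
        return f"{scheme}://{self.address}:{self.effective_port()}"

    def user_search_filter(self, login_name: str) -> str:
        """AND the configured filtering rules with the escaped login name."""
        attr = self.effective_naming_attr()
        name_clause = f"({attr}={escape_filter_value(login_name)})"
        if not self.user_filter:
            return name_clause
        return f"(&{self.user_filter}{name_clause})"
```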
From the navigation pane, select System > Advanced Settings > Servers > Authentication Servers.
Click Edit from the Actions column of an authentication server, and edit parameters as described in "Parameters."
Click Connectivity Test to verify that the server is reachable.
Click Save.
From the navigation pane, select System > Advanced Settings > Servers > Authentication Servers.