Technical FAQ

05 – How do I set up the AD authentication Service?

Answer

To add an Active Directory external authentication service:

1. Click the Users tab.

2. Click Authentication Services in the top navigation bar. The User Authentication Services window will open.

3. Click Add. The Add Authentication Service Wizard will appear.

4. The Provide Authentication Service Name and Type window will open.

a. Type a name for the external authentication service.

b. Select Active Directory from the menu.

c. Click Next.

5. The Specify Active Directory Connection Settings window will open.

a. Type the Active Directory domain name for the domain you wish to add in the AD Domain Name field.

b. In the User Container field, specify the name of the container to search for user accounts. This will limit the search scope to that container. The name may be entered in several forms, optionally including a sub-domain. Valid forms are explained below by example.

Assume an Active Directory domain name of “sunrise.mycompany.com” with users in subfolder “sun/myusers.” The User Container field may be entered as:

Example 1 (no sub-domain): “sun.myusers”

Example 2 (no sub-domain): “ou=myusers,ou=sun”

If users are contained in a sub-domain such as “mktg.sunrise.mycompany.com”, valid forms are:

Example 1 (with sub-domain): “mktg.sunrise.mycompany.com/sun/myusers”

Example 2 (with sub-domain and no container specified): “mktg.sunrise.mycompany.com/”

Example 3 (with sub-domain): “ou=myusers,ou=sun,dc=mktg,dc=sunrise,dc=mycompany,dc=com”

c. In the Group Container field, specify the name of the container to search for user groups. This will limit the search scope to that container. The name may be entered in several forms, optionally including a sub-domain. Valid forms are explained in step 5b above.

d. In the Username Type menu, select the type of username. Each choice in the menu contains an example.

A Full Windows 2000 username is specified as username@domain.

A Partial Windows 2000 username is specified as username.

A Full Pre-Windows 2000 username is specified as domain\username.

A Partial Pre-Windows 2000 username is specified as username.

This option may only be configured for new authentication servers; it cannot be modified. Existing authentication servers are set to the Partial Windows 2000 Username type for compatibility.

e. Specify a Secure Socket Layer (SSL) encryption mode:

• Click Do Not Use SSL to have authentication performed using unencrypted clear text instead of SSL encryption. This method is the least secure.

• Click Use SSL in Trust All Mode to use SSL encryption for data transmission. All server certificates will be trusted and automatically accepted by the DSView 3 software for transmitting data. This SSL method provides medium security. This encryption mode is not recommended for wide area networks (WANs).

• Click Use SSL in Certificate-based Trust Mode to use SSL encryption for data transmission. The DSView 3 management software will approve the server and then the certificate before transmitting data. This SSL method provides maximum security.

f. Click Use Kerberos for User Authentication to use the Kerberos protocol for authentication requests, including browsing. If enabled, you must use DES encryption types for this account. If an account was created prior to Active Directory, the user’s password must be changed after this setting is changed. In addition, the Active Directory server addresses must be resolvable to their host names via DNS.

When this is not checked, the LDAP protocol will be used.

g. Click Enable Chasing of Referrals to allow the Active Directory server to refer DSView 3 software clients to additional directory servers.

h. Click Use an Active Directory Global Catalog to have the AD service access the global catalog for the specified domain name.

i. Click Allow users and groups from newly discovered trusted forests to allow logins by users that belong to the authentication service forest or its discovered trusted forests. If enabled, the DSView 3 software will discover all trusted forests in the Active Directory service.

j. Click Next.

If you selected Use SSL in Certificate-based Trust Mode, go to step 6.

If you selected Do Not Use SSL or Use SSL in Trust All Mode, go to step 8.

6. The DSView 3 server will try to find a server that has a trusted certificate chain (see System certificate policy and trust store on page 47). If no trusted certificate chain is found, then the Accept Certificate window will open and list all servers that belong to the domain. It will also list the reasons for rejection of the certificate chain.

7. Click Next to accept the certificate.

8. The Select Browsing Method window will open.

Click Browse Anonymously to browse users on the external Active Directory authentication server.

-or-

Click Browse with user credentials to browse users on the external Active Directory authentication server based on credentials configured on the server. If this option is selected, do the following:

a. Type the username for an Active Directory account that has browse rights in the User Name field. The login ID must be entered in case-sensitive text if the Active Directory server is set up to use Kerberos. When using Kerberos, the browse account cannot be specified in the Full Pre-Windows 2000 Username form (domain\username). If the username is in a sub-domain of the Active Directory domain (specified in step 3a), then the username should be specified as @.

b. Type the password for an Active Directory account that has browse rights in the Password field.

c. Click Next.

9. The Establish Connection with Authentication Service window will open briefly. If the external authentication service is added successfully, the Completed Successful window will open.

10. Click Finish. The User Authentication Services window will open with the new service listed.

 

NOTE: If the authentication service has trusted forests, the settings configured for the authentication service in the Add Authentication Service Wizard will be applied to the discovered trusted forests. However, the settings for each trusted forest can later be changed in the Authentication Service Connection Settings window.
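
The following Python pre-flight check is an added example, not DSView 3 code or part of the Avocent documentation: it expands each container form from step 5b into the full DN that bounds the search scope, and flags the SSL and Kerberos choices that steps 5e and 8a call out. The dictionary keys, mode names and browse account are hypothetical, and every path element is assumed to be an OU, as in the examples above.

```python
def domain_to_dc(domain):
    return ",".join(f"dc={label}" for label in domain.lower().split("."))

def container_to_dn(container, ad_domain):
    """Expand a User/Group Container value (any form from step 5b) to a full DN.
    Assumes every path element is an OU, as in the page's examples."""
    container = container.strip()
    if "=" in container:                        # already in "ou=...,..." form
        dn = container.lower()
        return dn if "dc=" in dn else f"{dn},{domain_to_dc(ad_domain)}"
    if "/" in container:                        # "sub.domain/path/to/ou" form
        domain, _, path = container.partition("/")
        d, a = domain.lower(), ad_domain.lower()
        if d != a and not d.endswith("." + a):
            raise ValueError(f"{domain!r} is not a sub-domain of {ad_domain!r}")
        parts = [p for p in path.split("/") if p]
    else:                                       # "path.to.ou" form, no sub-domain
        domain, parts = ad_domain, [p for p in container.split(".") if p]
    ous = [f"ou={p.lower()}" for p in reversed(parts)]  # innermost OU comes first
    return ",".join(ous + [domain_to_dc(domain)])

SSL_FINDINGS = {  # wording taken from step 5e
    "none": "authentication uses unencrypted clear text",
    "trust_all": "all server certificates are accepted automatically",
}

def preflight(cfg):
    """Return (search-scope DNs, findings) for one set of wizard choices."""
    scope = {k: container_to_dn(cfg[k], cfg["ad_domain"])
             for k in ("user_container", "group_container")}
    findings = []
    if cfg["ssl_mode"] in SSL_FINDINGS:
        findings.append(f"ssl_mode={cfg['ssl_mode']}: {SSL_FINDINGS[cfg['ssl_mode']]}")
    if cfg["kerberos"] and "\\" in cfg.get("browse_user", ""):
        findings.append("browse_user: domain\\username form is not allowed with Kerberos")
    return scope, findings

# Constructed sample; keys and mode names are hypothetical, not DSView 3 identifiers.
SAMPLE = {
    "ad_domain": "sunrise.mycompany.com",
    "user_container": "mktg.sunrise.mycompany.com/sun/myusers",
    "group_container": "sun.myusers",
    "ssl_mode": "trust_all",
    "kerberos": True,
    "browse_user": "SUNRISE\\svc-dsview",
}

if __name__ == "__main__":
    print(*preflight(SAMPLE), sep="\n")
```

Comparing the expanded DNs against the directory before finishing the wizard confirms that the user and group search scopes cover only the containers intended.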