Access Control

Administrators can integrate Login Enterprise with Active Directory so that members of their organization sign in with their own domain accounts. Rather than sharing the Virtual Appliance's local administrator credentials, administrators can grant some users access to the results only and others access to the full platform. 

There are two permission levels within Login Enterprise:

  • Login Enterprise Administrator: full, unrestricted access to Login Enterprise
  • Login Enterprise Read-Only: access limited to results, reporting, and data exports

Note: Users who are members of both groups receive the higher level of access, i.e. a user who is a member of both the Administrator group and the Read-Only group is authorized as an Administrator.

As of Login Enterprise 5.6, administrators can specify the Active Directory LDAP authentication timeout. In larger, more complex domains the previously fixed timeout of 55 seconds is not sufficient for authentication to complete; the timeout can now be increased in such scenarios.  

Configuring Access Control

Within the Login Enterprise management console, the Access Control page provides an interface to specify parameters to authenticate with the domain controller. 

Authenticating with Active Directory requires the following input parameters to be specified:

  • AD Domain FQDN: FQDN of the domain to authenticate against (e.g., contoso.com)
  • Domain controller: The DC that handles the authentication requests
  • Port: Port used for LDAP authentication (389 for plain LDAP, 636 for LDAPS)
  • SSL/TLS Settings: Enable SSL communications, or Ignore SSL errors during authentication. Ignoring SSL errors disables certificate validation, so an attacker on the network path could impersonate the domain controller; use it only while troubleshooting a certificate problem, and with Enable SSL turned on in production
  • AD Timeout: Configurable LDAP authentication timeout (default is 60 sec) 
  • Login Enterprise Admin Group: Group whose members receive administrator access
  • Login Enterprise Read-Only Group: Group whose members receive read-only access 
  • Username: Account used to make the connection when the settings are saved (not stored by the appliance)
  • Password: Password of that account (not stored by the appliance)

Multi-Domain Environment Configuration

As of Login Enterprise 4.4, multi-domain configurations are also supported. This setup requires a different configuration of the above AD Authentication parameters.

Because a group name is not guaranteed to be unique across multiple domains, the group's distinguished name (DN) must be entered in the Admin Group and Read-Only Group fields instead of the plain name, in the usual form CN=<group name>,OU=<OU>,DC=contoso,DC=com. The configuration then looks like the example below:

Note: Login VSI has tested and supports a single parent domain with two direct subdomains. Resources from any of these domains can be used in this configuration: for example, users can reside in a subdomain while the domain controller and the groups come from the top-level domain. 
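The following is an added example, not code from Login VSI or the Login Enterprise product, showing how the two permission levels resolve from a user's group membership (including the rule that Administrator wins when a user is in both groups) and why the multi-domain setup requires distinguished names rather than group names. All group DNs, user principal names and memberOf data below are constructed for the example; the eu subdomain is given its own, unrelated group that happens to share the name "LE Admins" with the parent domain's admin group.

```python
# Added example (not Login VSI code): role resolution from AD group membership.
# All directory data below is constructed for the example.

ADMIN, READ_ONLY, NO_ACCESS = "Administrator", "Read-Only", "No access"

# Groups as they would be entered on the Access Control page in a multi-domain setup.
ADMIN_GROUP = "CN=LE Admins,OU=Groups,DC=contoso,DC=com"
READ_ONLY_GROUP = "CN=LE Read-Only,OU=Groups,DC=contoso,DC=com"

# Constructed memberOf data: parent domain contoso.com with subdomains eu and apac.
# The eu subdomain has its own, unrelated group that is also called "LE Admins".
USERS = {
    "alice@contoso.com": ["CN=LE Admins,OU=Groups,DC=contoso,DC=com"],
    "bob@eu.contoso.com": ["CN=LE Read-Only,OU=Groups,DC=contoso,DC=com",
                           "CN=LE Admins,OU=Groups,DC=contoso,DC=com"],
    "carol@eu.contoso.com": ["CN=LE Admins,OU=Groups,DC=eu,DC=contoso,DC=com"],
    "dave@apac.contoso.com": ["CN=LE Read-Only,OU=Groups,DC=contoso,DC=com"],
    "erin@apac.contoso.com": [],
}


def group_name(dn):
    """Value of the first RDN: 'CN=LE Admins,OU=Groups,...' -> 'LE Admins' (no DN escaping handled)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def effective_role(member_of, admin_group, read_only_group, by_dn=True):
    """Map a user's group list to a Login Enterprise role.

    Administrator wins when the user is in both groups, as the page states.
    by_dn=True compares whole DNs (DNs are case-insensitive in AD); by_dn=False compares
    only the group's name, which cannot tell same-named groups in different domains apart.
    """
    key = (lambda g: g.casefold()) if by_dn else (lambda g: group_name(g).casefold())
    groups = {key(g) for g in member_of}
    if key(admin_group) in groups:
        return ADMIN
    if key(read_only_group) in groups:
        return READ_ONLY
    return NO_ACCESS


def access_table(users=USERS, by_dn=True):
    """Resolve every constructed user; compare DN matching with name-only matching."""
    return {upn: effective_role(groups, ADMIN_GROUP, READ_ONLY_GROUP, by_dn)
            for upn, groups in users.items()}


if __name__ == "__main__":
    for upn, role in access_table().items():
        print(f"{upn:24} {role}")
    # Name-only matching would grant carol Administrator via the eu domain's unrelated group.
    print("carol by name only:", access_table(by_dn=False)["carol@eu.contoso.com"])
```

With DN matching, carol gets no access because her eu group is a different object from the parent domain's admin group; with name-only matching she would be granted Administrator, which is the ambiguity the distinguished-name requirement removes.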

Accessing the Web Management Console

Once this information is configured, you can log out of the management console, and authenticate with your Active Directory credentials.

In a multi-domain configuration, sign in with the user principal name (UPN), e.g. username@subdomain.contoso.com, so that the account is resolved in the correct domain.

Security Requirements

Minimum requirements for secure Active Directory authentication over LDAPS (port 636):

  • Protocol: TLS 1.2 (or newer)
  • Certificate: 2048-bit key (or larger)

The domain controller's certificate must also chain to a certificate authority trusted by the Virtual Appliance; otherwise validation fails, and working around that with Ignore SSL errors removes the protection LDAPS is meant to provide.
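The following is an added example, not part of the Login VSI documentation or product, that checks the LDAPS endpoint entered on the Access Control page against the requirements above before the settings are saved. It is run from an administrator's workstation in Python using only the standard library: it opens a TLS connection to the domain controller with certificate validation and the AD Timeout as the socket timeout, then reports the negotiated protocol version and the RSA key size read from the server certificate with a small DER walker. It assumes a hypothetical DC named dc01.contoso.com and that, with Enable SSL on and Ignore SSL errors off, the appliance validates the server certificate in the same way; the sample_cert helper builds a constructed, unsigned certificate skeleton so the key-size check can be exercised without a domain controller.

```python
# Added example (not Login VSI code): pre-flight check of an LDAPS endpoint against the
# page's minimums (TLS 1.2, 2048-bit certificate key). Standard library only.
import socket
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample certificate below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def rsa_key_bits(der_cert):
    """RSA modulus size in bits of a DER X.509 certificate, or None if the key is not RSA."""
    _, p, _, _ = _tlv(der_cert, 0)                  # Certificate SEQUENCE
    _, p, _, _ = _tlv(der_cert, p)                  # TBSCertificate SEQUENCE
    tag, _, _, nxt = _tlv(der_cert, p)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        p = nxt
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, _, p = _tlv(der_cert, p)
    _, p, _, _ = _tlv(der_cert, p)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg, _, p = _tlv(der_cert, p)                # AlgorithmIdentifier SEQUENCE
    _, o_s, o_e, _ = _tlv(der_cert, alg)            # algorithm OID
    if der_cert[o_s:o_e] != RSA_OID:
        return None
    _, p, _, _ = _tlv(der_cert, p)                  # subjectPublicKey BIT STRING
    _, p, _, _ = _tlv(der_cert, p + 1)              # RSAPublicKey SEQUENCE (skip unused-bits byte)
    _, m_s, m_e, _ = _tlv(der_cert, p)              # modulus INTEGER
    return int.from_bytes(der_cert[m_s:m_e], "big").bit_length()


def sample_cert(bits):
    """Constructed, unsigned certificate skeleton with an RSA key of `bits` bits (not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                + _der(0x03, b"\x00" + rsa_pub))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki)        # empty signature/issuer/validity/subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def requirement_issues(tls_version, key_bits):
    """Compare a negotiated session with the page's minimums; an empty list means it passes."""
    issues = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        issues.append(f"protocol {tls_version} is older than TLS 1.2")
    if key_bits is None:
        issues.append("certificate key is not RSA; check its strength separately")
    elif key_bits < 2048:
        issues.append(f"certificate key is {key_bits} bits, minimum is 2048")
    return issues


def probe_ldaps(domain_controller, port=636, timeout=60, ignore_ssl_errors=False):
    """Handshake with the DC within `timeout` seconds (the AD Timeout) and report the result.

    ignore_ssl_errors=False is "Enable SSL" with full validation; True mirrors the console's
    "Ignore SSL errors" option and is only useful to see what a validation failure hides.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ignore_ssl_errors:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((domain_controller, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain_controller) as tls:
            bits = rsa_key_bits(tls.getpeercert(binary_form=True))
            return {"tls_version": tls.version(), "cipher": tls.cipher()[0], "key_bits": bits,
                    "issues": requirement_issues(tls.version(), bits)}


if __name__ == "__main__":
    import sys
    print(probe_ldaps(sys.argv[1] if len(sys.argv) > 1 else "dc01.contoso.com"))  # hypothetical DC name
```

A handshake that fails with a certificate verification error here will fail in the appliance too once Enable SSL is on; fix the certificate chain or the trust store rather than switching on Ignore SSL errors. An empty issues list in the result means the DC meets the two minimums listed above.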