Configuring Active Directory Authentication

Overview

This article focuses on configuring authentication for users logging into the Login Enterprise web interface. This is distinct from Test Users, which are used specifically for running Tests within the Virtual Appliance.

Instead of relying on the appliance's local administrator credentials, administrators can integrate the Login Enterprise Virtual Appliance with Active Directory (AD). Access to the web interface is then controlled through AD group membership, which gives more granular control over who can change the appliance and who can only view it.

The Virtual Appliance provides two permission levels:

  • Login Enterprise Administrator: Grants full, unrestricted access to the appliance, allowing users to modify settings and configurations as needed.
  • Login Enterprise Read-Only: Restricts access to viewing the Dashboard, Charting, Events, and exporting data, without permitting any changes to the system.

If a user is a member of both permission groups, they will inherit the higher-level access. For example, a user belonging to both the Administrator and Read-Only groups will receive Administrator permissions.

Starting with Login Enterprise 5.6, administrators can also set an Active Directory LDAP authentication timeout. This is intended for larger or more complex domains, where the default timeout of 55 seconds may not be long enough for an authentication request to complete.

Configuring Active Directory

To set up Active Directory integration, follow these steps:

1. In the Login Enterprise sidebar menu, scroll down to Other > Access Control.

Frame 81.png

To keep access control simple, we recommend creating two dedicated AD groups, one for Login Enterprise administrators and one for read-only users, rather than reusing existing groups with broader membership.

2. In Access Control, provide the following information:

  • AD Domain FQDN: The fully qualified domain name (FQDN) of the domain used for authentication.
  • Domain controller: The domain controller that processes the authentication requests. As of Login Enterprise 5.10, you can configure up to 5 domain controllers for LDAP authentication (see Multi-domain controller in LDAP below).
  • Port: The port used for LDAP: 389 for plain LDAP, 636 for LDAPS.
  • SSL/TLS settings:
      ◦ Select Enable SSL to have Login Enterprise use SSL/TLS to establish an encrypted connection to the AD server. This is the recommended choice: without it, the credentials sent in the LDAP bind cross the network unencrypted.
      ◦ Select Ignore SSL errors to have Login Enterprise continue despite certificate validation errors during the connection. This can be convenient with self-signed certificates, but it removes the check that the appliance is talking to a genuine domain controller: anyone able to redirect or intercept the LDAPS connection could present any certificate and capture the bind credentials. Prefer fixing the domain controller's certificate over leaving this option enabled.
  • AD Timeout: How long Login Enterprise waits for the domain controller to answer an authentication request before the attempt fails. As of Login Enterprise 5.6, you can extend the default 60-second AD timeout up to 180 seconds.
  • Admin Group: The name of the AD group whose members are granted administrator access to Login Enterprise.
  • Read-Only Group: The name of the AD group whose members are granted read-only access to Login Enterprise.

Frame 227.png

3. Click Save Changes to apply the AD authentication settings. Then log out and log back in with your domain account.

Multi-domain controller in LDAP

The support for multiple domain controllers allows the configuration of up to five domain controllers for LDAP authentication. This ensures that if the primary domain controller becomes unavailable, the system will automatically attempt to connect with the next available controller in the list. The feature enhances the system’s availability and reliability by enabling a fail-over mechanism across multiple domain controllers (DC).

To configure this feature you need administrator access to Login Enterprise.

Configuring multi-domain controllers

1. Open the Access Control panel: in the Login Enterprise sidebar menu, go to Other > Access Control, where the LDAP settings are.

2. Update Domain Controllers list: Input the domain controllers in the order of priority in the field Domain controller as a semicolon-separated list. For example: devqadc1.internal.cloudapp.net; qadevdc2.internal.cloudapp.net; devqadc3.internal.cloudapp.net; devqadc4.internal.cloudapp.net; devqadc5.internal.cloudapp.net

a. When you save, every DC in the list must resolve and be reachable on the configured port (389 in this example).

b. Otherwise, the application rejects the settings and reports which DCs it could not reach:

Frame 226.png

3. Save and apply changes: Confirm the settings and apply them to enable the feature.

4. Log off and log in again.
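The following Python script is an added example, not Login Enterprise code. It applies the rules from the Access Control steps above and from the multi-DC steps just described to a set of field values before you save them: it parses the semicolon-separated controller list in priority order, checks the documented limits (at most 5 controllers, AD timeout at most 180 seconds), flags the SSL settings a security reviewer would question, and performs the same kind of TCP port-open check the appliance does at save time and at login. The 5-second port-open timeout and the `czdemo.ad` domain are assumptions taken from the log excerpts in this article; the `local_listener` helper exists only so the probes can be exercised offline.

```python
"""Pre-flight check for Login Enterprise Access Control (LDAP) settings.

Added example; this is not Login Enterprise code. It encodes the rules the
article states (semicolon-separated DC list in priority order, at most five
DCs, every DC reachable on the configured port at save time, AD timeout of
at most 180 s) plus a TCP "port open check" like the one the IdentityServer
log shows. Assumption: the 5 s port-open timeout is taken from that log.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_DCS = 5                # documented limit (Login Enterprise 5.10 and later)
MAX_AD_TIMEOUT = 180       # documented upper bound of the AD Timeout field
PORT_CHECK_TIMEOUT = 5.0   # assumption: matches the 5 s port-open check in the log

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")   # RFC 1123 names, also IPv4


@dataclass
class AccessControlSettings:
    domain_fqdn: str
    domain_controllers: str   # "dc1.example.com; dc2.example.com", highest priority first
    port: int
    enable_ssl: bool
    ignore_ssl_errors: bool
    ad_timeout: int


def parse_dc_list(value: str) -> List[str]:
    """Split the Domain controller field; list order is the fail-over priority."""
    return [h.strip().rstrip(".") for h in value.split(";") if h.strip()]


def validate_settings(s: AccessControlSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors would block a save, warnings are security hygiene."""
    errors: List[str] = []
    warnings: List[str] = []
    if "." not in s.domain_fqdn or not _HOSTNAME_RE.match(s.domain_fqdn):
        errors.append(f"AD Domain FQDN {s.domain_fqdn!r} is not a fully qualified domain name")
    dcs = parse_dc_list(s.domain_controllers)
    if not dcs:
        errors.append("at least one domain controller is required")
    if len(dcs) > MAX_DCS:
        errors.append(f"{len(dcs)} domain controllers listed; the maximum is {MAX_DCS}")
    if len({h.lower() for h in dcs}) != len(dcs):
        errors.append("the domain controller list contains duplicates")
    errors += [f"{h!r} is not a valid host name" for h in dcs if not _HOSTNAME_RE.match(h)]
    if not 1 <= s.port <= 65535:
        errors.append(f"port {s.port} is out of range")
    if not 1 <= s.ad_timeout <= MAX_AD_TIMEOUT:
        errors.append(f"AD timeout {s.ad_timeout}s is outside 1..{MAX_AD_TIMEOUT}")
    if not s.enable_ssl:
        warnings.append("Enable SSL is off: the LDAP simple bind sends each user's password in clear text")
    elif s.port == 389:
        warnings.append("Enable SSL is on but the port is 389; LDAPS is normally served on 636")
    if s.enable_ssl and s.ignore_ssl_errors:
        warnings.append("Ignore SSL errors is on: anyone who can redirect the LDAPS connection "
                        "can present any certificate and capture the bind credentials")
    return errors, warnings


def probe_dc(host: str, port: int, timeout: float = PORT_CHECK_TIMEOUT) -> Tuple[bool, str]:
    """TCP-level port-open check for one DC. Returns (reachable, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "port open"
    except socket.gaierror as exc:          # DNS failure, e.g. "Name or service not known"
        return False, f"name resolution failed ({exc.strerror})"
    except socket.timeout:                  # filtered port that never answers
        return False, f"no answer within the {timeout:.0f} s port open check"
    except OSError as exc:                  # e.g. connection refused on a closed port
        return False, f"connect error ({exc.strerror})"


Probe = Callable[[str, int, float], Tuple[bool, str]]


def check_all_dcs(hosts: List[str], port: int, timeout: float = PORT_CHECK_TIMEOUT,
                  probe: Probe = probe_dc) -> List[str]:
    """Save-time rule: every listed DC must be reachable. Returns the ones that are not."""
    unreachable = []
    for h in hosts:
        ok, why = probe(h, port, timeout)
        if not ok:
            unreachable.append(f"{h}:{port} ({why})")
    return unreachable


def first_reachable_dc(hosts: List[str], port: int, timeout: float = PORT_CHECK_TIMEOUT,
                       probe: Probe = probe_dc) -> Tuple[Optional[str], List[str]]:
    """Login-time fail-over: try DCs in priority order and stop at the first open port."""
    attempts = []
    for h in hosts:
        ok, why = probe(h, port, timeout)
        attempts.append(f"{h}:{port}: {why}")
        if ok:
            return h, attempts
    return None, attempts


def local_listener() -> Tuple[socket.socket, int]:
    """Open a TCP listener on 127.0.0.1 so the probes can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Values modelled on the article's own examples (hypothetical environment).
    settings = AccessControlSettings(
        domain_fqdn="czdemo.ad",
        domain_controllers="devqadc1.internal.cloudapp.net; devqadc5.internal.cloudapp.net",
        port=389, enable_ssl=False, ignore_ssl_errors=False, ad_timeout=60)
    errs, warns = validate_settings(settings)
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
    dcs = parse_dc_list(settings.domain_controllers)
    print("unreachable at save time:", check_all_dcs(dcs, settings.port) or "none")
    print("login would use:", first_reachable_dc(dcs, settings.port))
```

Run it against your real values before clicking Save Changes: an empty `check_all_dcs` result means the save-time check will pass, and the `first_reachable_dc` output shows which controller a login would actually use. The `probe` parameter lets you substitute a fake prober to exercise the fail-over ordering without network access.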

Using multi-domain controllers

Once configured, the system will handle authentication requests across the specified domain controllers without further user intervention.

1. If one of the DCs is unavailable (for example stopped, or no longer resolvable), the failure and the fall-back to the next controller are logged in the IdentityServer container log. In the excerpt below the first controller cannot be resolved (LDAP result 91, Connect Error, caused by "Name or service not known") and the bind is completed against the next one:

[19:34:28 INF] Attempting to connect to LDAP server
[19:34:28 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[19:34:28 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389: Connect Error (Ldap result #91 Connect Error)
LdapException: Unable to connect to server devqadc5.internal.cloudapp.net:389 (91) Connect Error
System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (00000005, 0xFFFDFFFF): Name or service not known
[19:34:28 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[19:34:28 INF] Connected to LDAP server
[19:34:28 INF] Attempting to bind to LDAP server with username: LEAdminAcct@czdemo.ad
[19:34:28 INF] Binding user credentials
[19:34:28 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad

2. The same happens if the host resolves but the port is closed or filtered: the 5-second port-open check times out and the next controller is tried. Note that both excerpts show ssl: False, i.e. plain LDAP on port 389, so the bind credentials in these examples cross the network unencrypted; in production, use Enable SSL with LDAPS.

[09:50:45 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[09:50:45 INF] Checking if port 389 is open
[09:50:45 INF] Connecting to 10.0.0.9:389
[09:50:50 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389 due to configured timeout of 5 sec for port open check.
[09:50:50 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[09:50:50 INF] Checking if port 389 is open
[09:50:50 INF] Connecting to 10.0.0.5:389
[09:50:50 INF] Port 389 is open
[09:50:50 INF] Connected to LDAP server
[09:50:50 INF] Attempting to bind to LDAP server with username: LEAdminAcct@czdemo.ad
[09:50:50 INF] Binding user credentials
[09:50:50 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad
[09:50:50 INF] Successfully bound to LDAP server
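As an added example (not part of Login Enterprise), the following Python script parses the IdentityServer log lines shown above and summarises one authentication flow: which controllers were tried, why each failed (DNS lookup versus port-open timeout), which controller finally served the bind, and whether the connection was unencrypted. The recognised line shapes are only those visible in the two excerpts; the embedded sample logs are abridged copies of those excerpts, included so the parser runs offline.

```python
"""Summarise LDAP fail-over from the Login Enterprise IdentityServer container log.

Added example; not part of Login Enterprise. The recognised line shapes are the
ones visible in the article's excerpts ("Connecting to host:port (ssl: ...)",
"Connection failed to ldap://host:port ...", "Connected to LDAP server",
"Bind succeeded, authentication DN: ..."); every other line is ignored.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_TS = r"\[\d\d:\d\d:\d\d [A-Z]{3}\] "
_CONNECTING = re.compile(_TS + r"Connecting to (?P<host>[^:\s]+):(?P<port>\d+) \(ssl: (?P<ssl>True|False)\)")
_FAILED = re.compile(_TS + r"Connection failed to ldap://(?P<host>[^:\s]+):(?P<port>\d+)(?P<reason>.*)")
_CONNECTED = re.compile(_TS + r"Connected to LDAP server")
_BOUND = re.compile(_TS + r"Bind succeeded, authentication DN: (?P<dn>\S+)")
_TIMESTAMPED = re.compile(_TS)

# Abridged copies of the article's two log excerpts, embedded for offline use.
LOG_DNS_FAILURE = """\
[19:34:28 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[19:34:28 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389: Connect Error (Ldap result #91 Connect Error)
LdapException: Unable to connect to server devqadc5.internal.cloudapp.net:389 (91) Connect Error
System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (00000005, 0xFFFDFFFF): Name or service not known
[19:34:28 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[19:34:28 INF] Connected to LDAP server
[19:34:28 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad
"""
LOG_PORT_TIMEOUT = """\
[09:50:45 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[09:50:45 INF] Checking if port 389 is open
[09:50:50 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389 due to configured timeout of 5 sec for port open check.
[09:50:50 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[09:50:50 INF] Port 389 is open
[09:50:50 INF] Connected to LDAP server
[09:50:50 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad
"""


@dataclass
class Attempt:
    host: str
    port: int
    ssl: bool
    outcome: str = "pending"   # "connected" or "failed"
    reason: str = ""           # failure text, including continuation lines
    cause: str = ""            # "dns", "timeout" or "connect_error" once failed


@dataclass
class LdapAuthSummary:
    attempts: List[Attempt] = field(default_factory=list)
    served_by: Optional[str] = None   # DC that accepted the connection
    bound_dn: Optional[str] = None    # identity the bind succeeded for


def classify(reason: str) -> str:
    """Map the raw failure text to a coarse cause an operator can act on."""
    r = reason.lower()
    if "name or service not known" in r or "no such host" in r:
        return "dns"
    if "timeout" in r or "timed out" in r:
        return "timeout"
    return "connect_error"


def parse_log(text: str) -> LdapAuthSummary:
    s = LdapAuthSummary()
    last_failed: Optional[Attempt] = None   # receives untimestamped exception detail
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CONNECTING.match(line)
        if m:
            s.attempts.append(Attempt(m["host"], int(m["port"]), m["ssl"] == "True"))
            last_failed = None
            continue
        m = _FAILED.match(line)
        if m:
            for a in reversed(s.attempts):       # attach to the matching attempt
                if a.host == m["host"] and a.port == int(m["port"]):
                    a.outcome, a.reason = "failed", m["reason"].strip(" :")
                    a.cause = classify(a.reason)
                    last_failed = a
                    break
            continue
        if _CONNECTED.match(line) and s.attempts:
            s.attempts[-1].outcome = "connected"
            s.served_by = s.attempts[-1].host
            continue
        m = _BOUND.match(line)
        if m:
            s.bound_dn = m["dn"]
            continue
        if last_failed is not None and not _TIMESTAMPED.match(line):
            last_failed.reason += " | " + line    # e.g. the .NET socket exception text
            last_failed.cause = classify(last_failed.reason)
    return s


def findings(s: LdapAuthSummary) -> List[str]:
    """Operational and security observations for one authentication flow."""
    out = [f"{a.host}:{a.port} unreachable ({a.cause}): {a.reason}"
           for a in s.attempts if a.outcome == "failed"]
    if s.served_by and any(a.outcome == "failed" for a in s.attempts):
        out.append(f"authentication failed over to {s.served_by}")
    if s.served_by is None:
        out.append("no domain controller accepted the connection; the login fails")
    plain = sorted({f"{a.host}:{a.port}" for a in s.attempts if not a.ssl})
    if plain:
        out.append("plaintext LDAP (ssl: False) to " + ", ".join(plain) +
                   ": the simple-bind password crosses the network unencrypted")
    return out


if __name__ == "__main__":
    for name, log in (("DNS failure", LOG_DNS_FAILURE), ("port timeout", LOG_PORT_TIMEOUT)):
        print(f"== {name} ==")
        for line in findings(parse_log(log)):
            print(" -", line)
```

Feed it the IdentityServer container log after a login that seemed slow: a "failed over" finding means the first-choice controller is unreachable from the appliance even though logins still succeed, which is worth fixing before the second controller goes away too, and a "plaintext LDAP" finding means Enable SSL is off.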

Security requirements

The minimum requirements for secure AD authentication over LDAPS (port 636) are:

  • TLS 1.2 on the domain controller
  • A domain controller certificate with a key of at least 2048 bits

Multi-domain environment configuration

As of Login Enterprise 4.4, multi-domain configurations are also supported. This setup requires a different configuration of the above AD Authentication parameters.

Because a group name is not guaranteed to be unique across multiple domains, the group's distinguished name (DN) is required instead of its plain name, so the configuration looks like the example below:

Frame 202.png

Login VSI has tested and supports a single parent domain with two direct subdomains. Resources from any of these domains can be used in this configuration: users can reside in a subdomain while the domain controller and the groups come from the top-level domain.

When you have multiple domains and specify the groups by their distinguished names, you must log in using the UPN format, either just the username or username@domainname.dom. The down-level domainname\username format is not supported and is reported as an authentication failure.

Additional resources

  • For troubleshooting login problems with LDAP/Active Directory, see Login problems with LDAP/Active Directory. (The steps there are a temporary workaround; Login Enterprise 5.6 and higher also provide the AD Timeout setting described above.)