June 22, 2010
03 - Windows Tab
The Users → Windows tab lets you "join" (integrate with) a Windows Domain Controller to leverage user directory information that already exists for your network. When joined, outside of establishing a 'machine account' on the domain controller to identify itself, iPrism acts strictly as an authentication client, querying for user and group memberships.
Joining a Domain Controller is the first of several steps necessary for enabling authentication services for the iPrism user community, and it is straightforward. You need to identify a domain controller (we recommend getting both its name and its IP address) and have a privileged username and password, so that the join operation can write a machine account to the Domain Controller to identify iPrism and set up a shared secret that supports future query requests from iPrism (all domain member workstations have a machine account, so this is not unusual).
From Users → Windows, check Enable Windows Authentication to activate the screen.
ADM113a - Windows Tab
Select NT4 Domain (typically a Windows 2000 server) or Active Directory (typically Windows Server 2003 or later), and enter the domain name or the domain controller name, respectively.
For NT4 Domain enter a single NT domain name in which iPrism will participate. See the on-screen naming example.
Note: All NT "trust" domains associated with the NT domain listed here will be detected and provided as selectable domains in all iPrism authentication screens. All NT groups from this domain and the trusted domains will be available for mapping to access profiles and admin privileges.
For Active Directory enter the DNS name of the Domain Controller. See the on-screen naming example. The name is not case-sensitive.
In the Machine Account field, accept the iPrism machine account name, i.e., iprism_serial, or specify your own unique machine account name that does not yet exist on the Domain Controller. The creation of the machine account identifies iPrism within the domain, and is simply an object with properties residing in the Active Directory Computers folder of the domain controller, viewable when using the AD management tools.
ADM113b - Machine Accounts
Once created, this account must remain for the duration of iPrism's participation within the domain. If an event occurs on either the Domain or iPrism that causes the shared encryption key to be lost, the join must be done again. You will have to re-join if:
The machine account is deleted from the domain.
The domain controller fails and all machines must rejoin the domain.
A replacement iPrism is deployed and re-configured from scratch.
Enter the User name and Password of the Windows administrator account which will be used for the join operation. The user must have the authority to perform the join operation.
Click Join; a progress indicator is displayed. When the join succeeds you will get an initial message 'Created machine account...' followed by a persistent on-screen message 'Connected to [Domain\MachineAccount]'.
ADM113k - 'Created machine account...'
ADM113c - 'Connected to ...'
If successful, you may now map groups to profiles and enable authentication, see:
Profile Mapping Tab
If not successful, the machine account has not been created and you will get one of the following diagnostic messages:
Scenario: A good AD name that does not resolve, no IP address specified (see the Advanced button), and a good username and password. Basically, the name is good but an IP address is needed.
ADM113j - No domain controllers located
Scenario: A non-existent or incorrect username, but a good AD name, IP address, and password. Basically, a bogus user.
ADM113i - Client not found in Kerberos database
Scenario: The account exists (username and password are good), and the AD name and IP address are good. Basically, a valid account without sufficient privileges to join.
ADM113l - Unable to find a suitable domain controller
Scenario: A bad AD name (for example, the .COM extension was omitted), but a good IP address (Advanced button), username, and password. Basically, a mismatch between the AD name and the specified IP address.
ADM113g - Cannot resolve network address for KDC in requested realm
Scenario: A bad password, but a good AD name, IP address (Advanced button), and username.
ADM113h - Preauthentication failed
If you intend to use Auto-Login (typically the last authentication feature enabled), then you must specify a redirect method. This defines how iPrism will verify that users are logged in to a trusted domain. Select the desired method from the Auto-Login redirection settings frame (this only pertains to Transparent Mode Auto-Login). Tip: This setting can be chosen later, before you enable Auto-Login; it is not critical to joining the Domain Controller at this point.
IP Address (default) - To use this method, the IP address of iPrism (i.e. not its DNS name or WINS name) must be in the Local Intranet zone of the browser. This can be done "network wide" by configuring the domain controller, or by manually configuring each workstation.
DNS - To use this method, the browser must be able to resolve iPrism's host name to an IP address. This can be done "network wide" by configuring your local DNS zone(s) to contain an A record for iPrism.
Note: Depending on the redirection setting you choose, you will need to configure either your browser/workstation, domain controller, or the DNS server (as appropriate) to support that choice.
Auto-Login login scripts that authenticate users to iPrism at login time can be generated by iPrism using the Advanced button. For more information see 'Auto-Login Script Generator' below.
The Users → Windows → Advanced button brings up a Windows authentication settings dialog that may prove beneficial in some environments, including:
Identification of Domain Controllers by IP address
NetBIOS, LMHosts, and WINS support
Support for Logon/Logoff scripts that immediately authenticate to iPrism on login
ADM113d - Advanced Windows Authentication Options
The Domain Controllers field lets you specify the IP addresses of the domain controllers you wish to use (comma-separated).
If your network is configured to use NetBIOS protocol, then check Enable NetBIOS.
The LMHosts file provides a mapping between IP addresses and NetBIOS computer names for networks without WINS servers (or networks with broken WINS servers). If you have an LMHosts file on your workstation you can transfer it to iPrism by clicking the Import button and selecting the LMHosts file in the window that appears. You can also edit this file manually by clicking the Edit button, which brings up the editing window shown in Figure 60. Check Enable LMHosts to use the file.
ADM113e - Edit LMHosts
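As an added example (not iPrism's own code, nor part of this page), the following validator checks an LMHosts file before it is imported or pasted into the Edit window: it flags invalid IP addresses, over-long NetBIOS names and conflicting duplicate mappings, and collects the `#DOM:` entries into the comma-separated form the Domain Controllers field expects. The sample file content is constructed for the example.

```python
import ipaddress

# Constructed sample LMHOSTS text (not from the iPrism documentation): valid
# entries, #PRE/#DOM domain-controller entries, comments and deliberate errors.
SAMPLE_LMHOSTS = """\
192.168.10.5   DC01       #PRE #DOM:CORP   # primary domain controller
192.168.10.6   DC02       #PRE #DOM:CORP
192.168.10.20  FILESRV01
192.168.10.21  printserver-with-a-very-long-name
300.1.1.1      BADHOST
192.168.10.22  DC01
#INCLUDE \\\\DC01\\public\\lmhosts
"""

def parse_lmhosts(text):
    """Return (entries, problems) for LMHOSTS text: '<ip> <name> [#PRE] [#DOM:domain]'.
    A '#' starts a comment unless it is the #PRE or #DOM: keyword; #INCLUDE and
    other directives are skipped. NetBIOS names are case-insensitive, max 15 chars."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue                      # blank line, comment or directive
        ip, name = tokens[0], tokens[1].upper()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {lineno}: invalid IPv4 address {ip!r}")
            continue
        if len(name) > 15:
            problems.append(f"line {lineno}: NetBIOS name {name!r} longer than 15 chars")
            continue
        if seen.get(name, ip) != ip:
            problems.append(f"line {lineno}: {name} already mapped to {seen[name]}")
            continue
        entry = {"ip": ip, "name": name, "preload": False, "domain": None}
        for tok in tokens[2:]:
            if tok.upper() == "#PRE":
                entry["preload"] = True
            elif tok.upper().startswith("#DOM:"):
                entry["domain"] = tok[5:]
            else:
                break                     # anything else begins a trailing comment
        seen[name] = ip
        entries.append(entry)
    return entries, problems

def domain_controller_field(entries):
    """Comma-separated DC IPs, the format the Advanced > Domain Controllers field takes."""
    return ",".join(e["ip"] for e in entries if e["domain"])
```

Run it over the file you intend to import; any entry listed under problems is worth fixing before it ends up on iPrism, since a wrong mapping silently sends domain lookups to the wrong host.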
If you are using WINS services, enter the IP addresses of your WINS servers in the WINS Servers field.
The Auto-Login Script Generator frame allows the generation of the logon/logoff scripts for deployment to users. Bridge (transparent) mode filtering configurations can benefit from the client-side logon/logoff scripts. They support immediate Windows authentication to iPrism when users logon to their workstations. This provides up-front user identification without requiring web browsing to establish the authenticated session with iPrism, providing timelier authentication for Bridge (transparent) mode users.
For example, a user can be profiled/reported-on by username for an IM/P2P application without the user browsing the Internet first to establish an authenticated iPrism session. Another benefit is that the first browsed web site may now be an HTTPS (secure) web site, which will be profiled by username, instead of IP address. Basic requirements for successfully using these scripts are as follows:
- Windows Authentication and Bridge (transparent) mode Auto-Login working.
- Transparent Auto-Login Timeout compatibility check.
- Script generation using iPrism.
Select whether to Generate Login Script or Generate Logoff Script.
If the Auto-Login redirection setting is configured to resolve iPrism's IP address using DNS, an iPrism DNS Name should be displayed. If the setting is configured to use an IP address, an iPrism IP Address should be displayed.
The iPrism Port Number defaults to 80. If you are using a different port number for HTTP, you may change this value.
The Script Loop Delay (minutes) determines the frequency of user authentication by the iPrism logon script.
Note: The Script Loop Delay should be less than the value used for the Fixed Duration Timeout or Inactivity Timeout options of the Transparent Auto-Login Timeout setting in the Network tab. The Fixed Hourly style should not be used; otherwise users could generate IM/P2P traffic without username recognition. See "Using Auto-Login in Transparent Mode" on page 126.
Click Create to generate the Auto-Login script; a confirmation notice appears. Click OK to save the script using the Autologin VPSscript File Location window that follows.
Click OK in the Advanced window to save these settings or Cancel to discard them.