The SMS server supports using Active Directory to authenticate login requests and map users to AD groups for authorization requests. When configuring the Active Directory server for authentication on the SMS, you specify Active Directory Global Group Mapping. Before you configure an Active Directory server for user authentication, the SMS must be able to resolve the server's IP address. The Domain Name System (DNS) must be configured and enabled on the Active Directory server, and all domain clients must use the AD server as their primary DNS server.

 
NOTE: The User ID is case-sensitive when using an Active Directory server for user authentication on the SMS. You must type the User ID on Active Directory exactly as it was entered on the SMS.
 
NOTE: If you experience a problem with the DNS configuration on Active Directory, contact customer support (TAC) for assistance.

When the SMS server authenticates login requests with Active Directory, you may want to encrypt the information passed between the two servers. To do this, enable SSL-based encrypted communications between the Active Directory authentication server and the SMS server, and import an SSL security certificate from the Active Directory server onto the SMS server. The SMS server accepts RSA X.509 certificates. The certificate file can be in either PEM or DER format. The Active Directory SSL Certification area displays the certificate information and allows you to import a certificate.
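A pre-import check for the certificate requirements above, as an added example that is not part of the SMS product or its documentation: it reports whether a certificate file is PEM or DER encoded and whether its public key is RSA. The function names are hypothetical, and the parser reads only the certificate's structure; it does not validate the signature, validity dates, or trust chain.

```python
import base64
import re

RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a constructed value."""
    items = []
    while start < end:
        tag, s, e = read_tlv(buf, start)
        items.append((tag, s, e))
        start = e
    return items

def check_certificate(data):
    """Return (encoding, is_rsa) for the raw bytes of a certificate file."""
    m = PEM_RE.search(data)
    encoding, der = ("PEM", base64.b64decode(m.group(1))) if m else ("DER", data)
    tag, s, e = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not an X.509 certificate (no outer SEQUENCE)")
    tbs = children(der, s, e)[0]             # tbsCertificate
    fields = children(der, tbs[1], tbs[2])
    if fields and fields[0][0] == 0xA0:      # skip the optional [0] version field
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate is missing fields")
    spki = fields[5]  # follows serial, signature alg, issuer, validity, subject
    alg = children(der, spki[1], spki[2])[0]  # AlgorithmIdentifier
    oid = children(der, alg[1], alg[2])[0]    # key algorithm OID
    return encoding, der[oid[1]:oid[2]] == RSA_ENCRYPTION
```

Call `check_certificate(open(path, "rb").read())` on the exported file; a result of `("PEM", True)` or `("DER", True)` matches what the SMS accepts.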

Allowing remote users with Active Directory authentication

When the SMS is configured to allow Active Directory (AD) users to log in without an SMS account and the Mapping Failure Action is set to Reject Authentication, users must be mapped to a local SMS resource group through an AD group membership or the AD account Telephone Notes field. If no member of an AD group is mapped to a local SMS resource group, the user receives an error when attempting to log in.

When using this authentication model, users are not added directly to an SMS resource group. The mapped AD group controls membership for the local resource group. Another option is to include the mapped AD group name in the Telephone Notes section of a user’s AD account. Choose which method to use when you configure your AD authentication.

 


Procedure

  1. Log in to the SMS from a client.
  2. On the SMS toolbar, navigate to the Admin menu and expand the Authentication and Authorization option.
  3. Select Authentication.
  4. Select the Active Directory tab in the Authentication Configuration area.
  5. Click Edit. The Active Directory Server Configuration dialog box opens.
  6. Configure the Active Directory server options, referring to the following table for descriptions:

Active Directory Server Options

| Setting | Description |
| --- | --- |
| IP Address | The IP address of the Active Directory server. |
| Enable SSL | Enabling this feature ensures SSL-based encrypted communications between the Active Directory authentication server and the SMS server. If enabled, you need to import an Active Directory SSL certificate. |
| Port | The port on the Active Directory server that listens for authentication requests. The default non-SSL port is 369 and the default port if SSL is enabled is 636. |
| Timeout | Timeout, in seconds, for communication with the Active Directory server; the default value is 30 seconds. |
| Search Base | Top-level distinguished name in the Active Directory hierarchical structure where the authentication request begins. Example: DC=adomain, DC=example, DC=com |
| Admin Name/DN | Identifies the account on the Active Directory server permitted to search the LDAP directory within the defined search base. This is the bind user on the Active Directory server that enables the SMS to query the LDAP directory and authenticate users. Example: Administrator@DOMAINNAME |
| Admin Password | The Active Directory administrative password set by the Active Directory server administrator, to be used by each Active Directory client, including the SMS server. |

  7. Click Test to test the configuration.
  8. Click OK to return to the Authentication screen.

 

Reference: SMS User Guide