The SMS server can use Active Directory both to authenticate logon requests and to map users to AD groups for authorization decisions. You specify Active Directory Global Group Mapping when you configure the Active Directory server for authentication on the SMS. Before you configure an Active Directory server for user authentication, the SMS must be able to resolve the IP address of that server: the Domain Name System (DNS) must be configured and enabled on the Active Directory server, and all domain clients must use the AD server as their primary DNS server.
Note: When using an Active Directory server for user authentication on the SMS, the User ID is case sensitive. The User ID on the SMS and the account name in Active Directory must match exactly, including case.
Note: If you experience a problem with the DNS configuration on Active Directory, contact customer support (TAC) for assistance.
Note: When the SMS is configured to operate in HA mode and the authentication source is Active Directory, the SMS HA cluster must use the shared virtual management IP address. In addition, the shared virtual management IP address must be configured on the Active Directory server as a location from which to accept authentication requests.
When the SMS server authenticates login requests with Active Directory, you should protect the information passed between the two servers by encrypting it; without encryption, the LDAP bind credentials cross the network in cleartext. Encryption is enabled by turning on SSL-based communications between the Active Directory authentication server and the SMS server and importing an SSL security certificate from the Active Directory server onto the SMS server. The SMS server accepts RSA X.509 certificates, and the certificate file can be in either PEM or DER format. The Active Directory SSL Certification area displays the certificate information and allows you to import a certificate.
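Before importing a certificate, a practitioner usually wants to (a) fetch the certificate the domain controller actually presents on the LDAPS port, (b) normalise whatever file was exported to PEM, (c) confirm the file really parses as an X.509 certificate and not, say, a PKCS#12 bundle, and (d) confirm that the file validates the LDAPS endpoint. The following is an added example written for this page; it is not SMS code and makes no claim about how the SMS itself validates certificates. It uses only the Python standard library; the host name, port and file names are placeholders.

```python
"""Added example (not SMS code): retrieve, normalise and sanity-check the AD
LDAPS certificate before importing it into the SMS.  Standard library only."""
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Return "PEM" or "DER" for the bytes of a certificate file.

    PEM files are ASCII and start with a BEGIN line; DER files are binary and
    start with the ASN.1 SEQUENCE tag 0x30.  A PKCS#12 (.pfx) bundle also starts
    with 0x30, which is why is_loadable_certificate() below is needed as well.
    """
    if data.lstrip().startswith(PEM_HEADER.encode()):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("not a PEM or DER certificate")


def normalize_to_pem(data: bytes) -> str:
    """Return the certificate as PEM text; DER input is re-wrapped by ssl's helper."""
    if detect_format(data) == "PEM":
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def is_loadable_certificate(data: bytes) -> bool:
    """True if OpenSSL can parse the bytes as an X.509 certificate.

    SSLContext.load_verify_locations(cadata=...) accepts PEM text or DER bytes
    and raises ssl.SSLError when the data is not a certificate (garbage, a bare
    private key, or a PKCS#12 bundle), so it doubles as a format check.
    """
    ctx = ssl.create_default_context()
    try:
        if detect_format(data) == "PEM":
            ctx.load_verify_locations(cadata=data.decode("ascii"))
        else:
            ctx.load_verify_locations(cadata=data)
    except (ssl.SSLError, ValueError):
        return False
    return True


def fetch_ldaps_certificate(host: str, port: int = 636) -> str:
    """Download the certificate the domain controller presents on LDAPS, as PEM.

    Only the public certificate is returned, which is all the SMS needs.
    Review the subject and issuer before trusting what came off the wire.
    """
    return ssl.get_server_certificate((host, port))


def server_cert_verifies(host: str, cafile: str, port: int = 636) -> bool:
    """Check that the file you intend to import validates the LDAPS endpoint.

    Only cafile is trusted (no system CA store).  check_hostname is off because
    the SMS addresses the server by IP.  If cafile holds the DC's own
    certificate rather than its issuing CA, the partial-chain flag (Python
    3.10+) lets OpenSSL accept it as a trust anchor; this is an assumption about
    how the file was exported, not about SMS behaviour.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    try:
        with socket.create_connection((host, port), timeout=30) as raw:
            with ctx.wrap_socket(raw) as tls:
                tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return False
    return True


if __name__ == "__main__":
    # Placeholder host and file name; adjust to your domain controller.
    pem = fetch_ldaps_certificate("dc01.example.com")
    with open("dc01.pem", "w") as fh:
        fh.write(pem)
    print(pem)
    print("file parses as X.509:", is_loadable_certificate(pem.encode()))
    print("file validates LDAPS endpoint:", server_cert_verifies("dc01.example.com", "dc01.pem"))
```

If server_cert_verifies() returns False for the file you exported, the LDAPS listener is presenting a different certificate (or one issued by a CA you did not export), and the SMS import will not give you a verifiable connection either.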
Allowing remote users with Active Directory authentication
When the SMS is configured to allow Active Directory (AD) users to log in without an SMS account and the Mapping Failure Action is set to Reject Authentication, each user must be mapped to a local SMS resource group, either through membership of an AD group that is mapped to that resource group or through the Telephone Notes field of the user's AD account. A user who is not a member of any AD group mapped to a local SMS resource group (and has no mapping in Telephone Notes) receives an error when they attempt to log in.
When using this authentication model, users are not added directly to an SMS resource group. Membership of the local resource group is controlled by the mapped AD group. Alternatively, the mapped AD group name can be placed in the Telephone Notes section of the user's AD account. Choose which method to use when you configure AD authentication.
1. Log in to the SMS from a client.
2. On the SMS toolbar, navigate to the Admin menu and expand the Authentication and Authorization option.
3. Select Authentication.
4. Select the Active Directory tab in the Authentication Configuration area.
5. Click Edit. The Active Directory Server Configuration dialog box opens.
6. Configure the Active Directory server options, referring to the following table for descriptions:
Active Directory Server Options
IP Address: The IP address of the Active Directory server.
Enable SSL: Enables SSL-based encrypted communications between the Active Directory authentication server and the SMS server. If enabled, you must import an Active Directory SSL certificate.
Port: The port on the Active Directory server that listens for authentication requests. The default non-SSL (LDAP) port is 389; the default port when SSL is enabled (LDAPS) is 636.
Timeout: Timeout, in seconds, for communication with the Active Directory server. The default value is 30 seconds.
Search Base: The top-level distinguished name in the Active Directory hierarchy at which the authentication search begins.
Example: DC=adomain, DC=example, DC=com
Admin Name/DN: The account on the Active Directory server that is permitted to search the LDAP directory within the defined search base. This is the bind user the SMS uses to query the LDAP directory and authenticate users.
Admin Password: The password of the bind account named in Admin Name/DN, as set by the Active Directory administrator. Because this account only needs to search the directory within the search base, use a dedicated account with read-only rights rather than a domain administrator account.
7. Click Test to test the configuration.
8. Click OK to return to the Authentication screen.
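What the Test step exercises, reduced to the wire protocol, as an added example for this page (not SMS code): an LDAPv3 simple bind using the Admin Name/DN and Admin Password against the configured IP Address and Port, with or without SSL, honouring the Timeout. The assumption that the SMS performs a simple bind follows from the page's description of a bind user with a password, not from any knowledge of the SMS implementation. The encoder and decoder below are written from RFC 4511 and use only the Python standard library; the host, DN, password and certificate file name are placeholders.

```python
"""Added example (not SMS code): an LDAPv3 simple BindRequest/BindResponse
exchange, i.e. what a 'Test' of the AD server settings boils down to."""
import socket
import ssl

# LDAP resultCode values from RFC 4511 that a bind check commonly returns.
BIND_RESULTS = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (non-negative values only here)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
           version 3, name LDAPDN, authentication simple [0] OCTET STRING } }
    The password is a plain OCTET STRING: with Enable SSL off, the Admin
    Password crosses the network in cleartext on every authentication."""
    op = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                      # BindResponse is [APPLICATION 1]
        raise ValueError(f"expected BindResponse (0x61), got 0x{tag:02x}")
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage (AD puts the 0x52e/0x525 hint here)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage, long-form lengths included."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def check_bind(host, port, bind_dn, password, use_ssl=True, cafile=None, timeout=30):
    """Mirror the SMS settings: IP Address, Port, Enable SSL, Timeout, Admin Name/DN, Admin Password.
    With cafile set, only that certificate (the one imported into the SMS) is trusted."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False       # the SMS addresses the server by IP, not by name
        sock = ctx.wrap_socket(sock)
    try:
        sock.sendall(bind_request(1, bind_dn, password))
        _, code, diag = parse_bind_response(recv_message(sock))
    finally:
        sock.close()
    return code, BIND_RESULTS.get(code, "other"), diag


if __name__ == "__main__":
    # Placeholder values; use the same settings you entered in the SMS dialog.
    print(check_bind("10.0.0.5", 636, "CN=svc-sms,OU=Service Accounts,DC=adomain,DC=example,DC=com",
                     "placeholder-password", cafile="dc01.pem"))
```

A result of 49 (invalidCredentials) with a diagnostic message from the domain controller means the server, port and certificate are fine and only the bind DN or password is wrong; a TLS handshake failure before any BindResponse means the certificate you imported does not validate the listener.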
Reference: SMS User Guide