Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

How do I setup for Active Directory authentication on the SMS?

    • Updated:
    • 24 Aug 2017
    • Product/Version:
    • TippingPoint SMS All
    • TippingPoint Virtual SMS
    • Platform:
Summary
Active Directory is a Microsoft-produced and Windows-centric method to authenticate user login requests. Authentication is performed on the Active Directory (AD) server; for SMS accounts, user role and access rights are maintained on the SMS server. If the AD server is unavailable, the SMS can authenticate local users if the Authentication Mode for the active group mapping is set to “Allow only users defined in the SMS to login.” If another mode has been configured, only users whose access privileges are maintained locally on the SMS are able to login. You cannot manage the SMS user account on the AD server; you can modify the user password only from the AD server.
Details
Public

The SMS server supports using Active Directory to authenticate logon requests as well as mapping users to AD groups for authorization requests. You specify Active Directory Global Group Mapping when you configure the Active Directory server for authentication on the SMS. Before you configure an Active Directory server for user authentication, the SMS must be able to resolve the IP address of the server. The Domain Name System (DNS) must be configured and enabled on the Active Directory server, and all domain clients must use the AD server as their primary DNS server.

Note: When using an Active Directory server for user authentication on the SMS, the User ID is case sensitive. You must type the User ID on Active Directory exactly as it was entered on the SMS.

Note: If you experience a problem with the DNS configuration on Active Directory, contact customer support (TAC) for assistance.

Note: When the SMS is configured to operate in HA mode and the authentication source is Active Directory, the SMS HA cluster must use the shared virtual management IP address. In addition, the shared virtual management IP address must be configured on the Active Directory server as a location from which to accept authentication requests.

When the SMS server authenticates login requests with Active Directory, you may want to secure the information passed between the two servers by encrypting the information. This is accomplished by enabling SSL-based encrypted communications between an Active Directory authentication server and the SMS server along with importing an SSL security certificate from the Active Directory server onto the SMS Server. The SMS server accepts RSA X.509 certificates. The certificate file can be in either PEM or DER format. The Active Directory SSL Certification area displays the certificate information and allows you to import a certificate.

Allowing remote users with Active Directory authentication

When the SMS is configured to allow Active Directory (AD) users to log in without an SMS account and the Mapping Failure Action is set to Reject Authentication, users must be mapped to a local SMS resource group through an AD group membership or the AD account Telephone Notes field. If there is not a member of an AD group that is mapped to a local SMS Resource group, the user will receive an error when they attempt to log in.

When using this authentication model, users are not added directly to an SMS resource group. Membership for the local resource group is controlled by the mapped AD group. Another option is to include the mapped AD group name in the Telephone Notes section of a user’s AD account. Choose which method to use when you configure your AD authentication.

Procedure

1. Log in to the SMS from a client.
2. On the SMS toolbar, navigate to the Admin menu and expand the Authentication and Authorization option.
3. Select Authentication.
4. Select the Active Directory tab in the Authentication Configuration area.
5. Click Edit. The Active Directory Server Configuration dialog box opens.
6. Configure the Active Directory server options, referring to the following table for descriptions:

Active Directory Server Options
SettingDescription
IP AddressThe IP address of the Active Directory server.
Enable SSLEnabling this feature ensures SSL-based encrypted communications between the Active Directory authentication server and the SMS server. If enabled, you need to import an Active Directory SSL certificate.
PortThe port on the Active Directory server that listens for authentication requests. The default non-SSL port is 369 and the default port if SSL is enabled is 636.
TimeoutTimeout, in seconds, for communication with the Active Directory server; the default value is 30 seconds.
Search BaseTop-level distinguished name in the Active Directory hierarchical structure where the authentication request begins.
Example: DC=adomain, DC=example, DC=com
Admin Name/DNIdentifies the account on the Active Directory server that is permitted to search the LDAP directory within the defined search base. This is the bind user on the Active Directory server that enables the SMS to query the LDAP directory and authenticate users.
Example: Administrator@DOMAINNAME
Admin PasswordThe Active Directory administrative password set by the Active Directory server administrator, to be used by each Active Directory client, including the SMS server.

7. Click Test to test the configuration.
8. Click OK to return to the Authentication screen.

Reference: SMS User Guide

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000087296
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.