Authenticating Admin Accounts Using Active Directory
Active Directory™ (AD) is a distributed directory service that serves as a repository for user information. The appliance can authenticate admin accounts by verifying user names and passwords against Active Directory. If the admin account does not exist on the AD domain controller, or if the user name and password do not match the entries on the domain controller, the appliance checks the authentication policy for the next authentication service to try. If the appliance verifies the user name and password successfully, it grants access. In addition, the appliance queries the AD domain controller for the group membership information of the admin, matches the group names returned by the domain controller with the admin groups in its local database, and then authorizes services and grants the admin privileges based on the matching admin group on the appliance.
You must be logged in to the appliance as a superuser to configure the AD authentication service.
Figure 4.4 illustrates the Active Directory authentication process.
Figure 4.4 Authentication Using a Domain Controller
Admin Authentication Using Active Directory
To configure the appliance to authenticate administrators using Active Directory, you must first configure user accounts on the domain controller. Then, on the appliance, do the following:
- Configure an AD authentication server group on the appliance and add one or more AD domain controllers to the group. For information about configuring an AD authentication service group for admins, see Configuring an Active Directory Authentication Service Group.
- If you configured admin groups on the AD domain controller, you must create those same groups on the appliance and specify their privileges and settings. Note that the admin group names must match those on the AD domain controller. You can also specify a default group. The appliance assigns admins to the default group if none of the admin groups on the appliance match the admin groups on the AD domain controller, or if no other admin groups are configured. For information about configuring group permissions and privileges, see /wiki/spaces/mgmadminguide/pages/911180917.
- Add the newly configured Active Directory service to the list of authentication services in the admin policy, and add the admin group names as well. See /wiki/spaces/mgmadminguide/pages/911181365 for more information about configuring an admin policy.
Configuring an Active Directory Authentication Service Group
You can add multiple domain controllers to an AD authentication server group for redundancy. The appliance tries to connect to the first domain controller on the list. If it is unable to connect, it tries the next domain controller on the list, and so on.
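The following Python model illustrates the behaviour described above: the ordered domain controller list (disabled or unreachable controllers are skipped in favour of the next one), the credential check, the matching of AD group names against the admin groups defined on the appliance with fallback to the default group, and the fall-through to the next service in the admin policy when AD rejects the user name or password. It is an added example written for this page, not Infoblox code; the directory contents, controller names, group names and the `ActiveDirectoryService`, `LocalService` and `authenticate_admin` names are constructed, and two points the page does not specify (what happens when no domain controller answers at all, and which group wins when several AD groups match) are assumptions marked in the comments.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DomainController:
    address: str
    disabled: bool = False
    reachable: bool = True   # constructed: stands in for a real connection attempt


@dataclass
class ActiveDirectoryService:
    """One AD authentication server group: an ordered controller list plus a
    constructed directory of user name -> (password, list of AD group names)."""
    name: str
    controllers: list
    directory: dict

    def first_available_controller(self) -> Optional[DomainController]:
        # Controllers are tried in list order: a disabled controller is never
        # contacted, and one that does not answer within the timeout is skipped.
        for dc in self.controllers:
            if dc.disabled or not dc.reachable:
                continue
            return dc
        return None

    def authenticate(self, username: str, password: str) -> Optional[set]:
        """Return the user's AD group names on success, None when the domain
        controller rejects the user name or password, and raise ConnectionError
        when no domain controller in the group can be contacted."""
        if self.first_available_controller() is None:
            raise ConnectionError(f"{self.name}: no reachable domain controller")
        entry = self.directory.get(username)
        if entry is None or entry[0] != password:
            return None
        return set(entry[1])


@dataclass
class LocalService:
    """The appliance's local admin database (constructed stand-in)."""
    name: str
    accounts: dict   # user name -> (password, admin group)

    def authenticate(self, username: str, password: str) -> Optional[set]:
        entry = self.accounts.get(username)
        if entry is None or entry[0] != password:
            return None
        return {entry[1]}


def resolve_admin_group(groups: set, admin_groups: list, default_group: str) -> str:
    """Match the group names returned by the directory against the admin groups
    configured on the appliance; if none match, assign the default group.
    Assumption: when several match, the first one in the appliance's list wins."""
    for name in admin_groups:
        if name in groups:
            return name
    return default_group


def authenticate_admin(policy: list, admin_groups: list, default_group: str,
                       username: str, password: str):
    """Walk the admin policy's ordered list of authentication services. A
    service that rejects the credentials hands off to the next service; the
    first success determines the admin group. Returns (service name, admin
    group) or None when every service rejects the login."""
    for service in policy:
        try:
            groups = service.authenticate(username, password)
        except ConnectionError:
            groups = None   # assumption: an unreachable service is treated as a miss
        if groups is not None:
            return service.name, resolve_admin_group(groups, admin_groups, default_group)
    return None


# Constructed sample configuration: three controllers, only the third answers.
AD = ActiveDirectoryService(
    name="corp-ad",
    controllers=[
        DomainController("dc1.example.test", disabled=True),
        DomainController("dc2.example.test", reachable=False),
        DomainController("dc3.example.test"),
    ],
    directory={
        "alice": ("alice-pw", ["Domain Users", "NIOS-Admins"]),
        "bob": ("bob-pw", ["Domain Users"]),
    },
)
LOCAL = LocalService(name="local", accounts={"admin": ("admin-pw", "NIOS-Admins")})
POLICY = [AD, LOCAL]                         # AD first, then the local database
ADMIN_GROUPS = ["NIOS-Admins", "NIOS-ReadOnly"]
DEFAULT_GROUP = "NIOS-ReadOnly"


def demo() -> dict:
    """Run the model over the constructed accounts and return the outcomes."""
    login = lambda u, p: authenticate_admin(POLICY, ADMIN_GROUPS, DEFAULT_GROUP, u, p)
    return {
        "alice": login("alice", "alice-pw"),       # AD group matches -> NIOS-Admins
        "bob": login("bob", "bob-pw"),             # no matching group -> default group
        "admin": login("admin", "admin-pw"),       # unknown to AD -> local service
        "alice-bad": login("alice", "wrong"),      # rejected everywhere -> None
        "active_dc": AD.first_available_controller().address,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running the block prints one line per case; `bob` lands in the default group because `Domain Users` is not one of the appliance's admin groups, and `admin` is authenticated by the local service only after AD reports no such account.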
To configure an Active Directory authentication server group on the appliance:
- From the Administration tab, click the Authentication Server Groups tab.
- Click the Active Directory Services subtab and click the Add icon.
- In the Add Active Directory Authentication Service wizard, complete the following:
  - Name: Enter a name for the service.
  - Active Directory Domain: Enter the AD domain name.
  - Domain Controllers: Click the Add icon and complete the following to add an AD domain controller:
    - Server Name or IP Address: Enter the FQDN or the IP address of the AD server that is used for authentication.
    - Comment: Enter additional information about the AD server.
    - Authentication Port: Enter the port number on the domain controller to which the appliance sends authentication requests. The default is 389.
    - Encryption: Select SSL from the drop-down list to transmit through an SSL (Secure Sockets Layer) tunnel. When you select SSL, the appliance automatically updates the authentication port to 636. Infoblox strongly recommends that you select this option to ensure the security of all communications between the appliance and the AD server. If you select this option, you must upload a CA certificate from the AD server. Click CA Certificates to upload the certificate. In the CA Certificates dialog box, click the Add icon, and then navigate to the certificate to upload it.
    - Connect through Management Interface: Select this so that the appliance uses the MGMT port for administrator authentication communications with just this AD server.
    - Disable server: Select this to disable an AD server if, for example, the connection to the server is down and you want to stop the appliance from trying to connect to this server.
    - Click Test to test the configuration. If the appliance connects to the domain controller using the configuration you entered, it displays a message confirming that the configuration is valid. If it is unable to connect to the server, the appliance displays a message indicating an error in the configuration.
    - Click Add to add the domain controller to the group.
  - Timeout(s): The number of seconds that the appliance waits for a response from the specified authentication server. The default is 5.
  - Comment: Enter additional information about the service.
  - Disable: Select this to retain an inactive AD authentication service profile.
- Save the configuration.
Managing the Domain Controller List
This list determines the order in which the appliance attempts to contact a domain controller. You can change the order of the list, as follows:
- From the Administration tab, click the Authentication Server Groups tab -> Active Directory Services subtab, select the server_group checkbox and click the Edit icon.
- In the Domain Controllers table, do the following:
  - To move a server up the list, select it and click the up arrow.
  - To move a server down the list, select it and click the down arrow.
  You can also delete a domain controller by selecting the controller in the Domain Controllers table and clicking the Delete icon.
- Save the configuration.
Disabling Domain Controllers
You can disable an AD domain controller if, for example, the connection to the server is down and you want to stop the appliance from trying to connect to this server. When you disable a server, the appliance keeps the configuration of the domain controller.
To disable a domain controller:
- From the Administration tab, click the Authentication Server Groups tab -> Active Directory Services subtab, select the server_group checkbox and click the Edit icon.
- In the Edit Domain Controller section, select Disable.
- Save the configuration.