Active Directory
Description
These options are only visible on the settings form if the Login Type is set to one of the Active Directory options.
In this context the word Directory has nothing to do with folders on the disk. Rather it refers to a central user directory which allows administrators to control computer use from a remote location. Active Directory is accessed using a protocol called LDAP, and Secwin (via NetTalk) supports LDAP. The most common Active Directory in use is Windows Active Directory Domain Services.
There are two approaches to using Active Directory:
1. The user enters a login and password as usual. Instead of being validated against a local database, though, they are passed to the Active Directory Server and validated there. In addition to this, the user has to be placed in an Active Directory Group in order to gain access to the program. This allows a remote administrator to control access to the program: for example, terminated employees can be removed from the group centrally, instead of having to visit all the different programs individually.
2. The program passes the Windows User Name to the Active Directory Server. The server then checks the group to see if that user has access to the program. The user does not (and cannot) enter the user name, and there is no password required. This approach assumes that logging into the machine itself, as a valid user, is sufficient authentication. This is also sometimes known as single sign-on. This approach can be used in conjunction with Second Factor Policies to improve security. This approach is only supported in Desktop programs, not Web programs.
In order to make use of an Active Directory server, some settings are required. You will need to liaise with the customer's IT department to get these settings.
Active Directory Server: These details allow the program to connect to the server itself.
Host: (required) This is the address of the server. This could be an IP address, or a DNS (or WINS) name that resolves to an IP address.
Port: (required) This is the port the server is listening on. The default port for Active Directory connections is 389 (plain LDAP, not encrypted) or 636 (LDAP over TLS).
TLS: Tick this if the connection to the server should be made over TLS.
Domain: (required) This is the domain on the server in which all the users and groups exist.
NOTE: If one of the required fields above is not set, then the program will be unable to validate against the Active Directory server. In this situation a user (if they have a level of Administrator or higher) will be logged in (without checking), primarily so that the Administrator can correct the settings.
Active Directory Admin User / Password: These are the details for an Admin user - one that allows you to make requests to the server to check if a user is in a group.
NOTE: If these are not set then the user logging in (if they have a level of Administrator or higher) will NOT be checked against a Group, even if the Active Directory Group name is set.
NOTE: If these fields are set, but either the user name, or password, is incorrect, then the user logging in (if they have a level of Administrator or higher) will NOT be checked against a Group, even if the Active Directory Group name is set.
Active Directory Rights: This is the name of the Active Directory Group that the user must be a part of in order to gain access to the program.
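The two login approaches described above and the fallback rules in the notes (required server fields missing, admin bind details missing or wrong), as an added example in Python. It is not Secwin or NetTalk code: the settings names, the ADMIN_LEVEL threshold, the user@domain bind name, the sAMAccountName/memberOf search filter (with the group given as a distinguished name), the in-memory stand-in for the LDAP server, and the decision to deny non-administrators when the group check cannot be performed are all assumptions of this example, not documented behaviour.

```python
"""Active Directory login flow: approach 1 (login and password validated by
the server, then a group check) and approach 2 (single sign-on on the Windows
user name, then the same group check), plus the documented fallback rules.
Added illustration, not Secwin or NetTalk code; see the comments for what is
assumed."""
from dataclasses import dataclass
from enum import Enum

ADMIN_LEVEL = 100  # assumed: levels >= this count as "Administrator or higher"


class Outcome(Enum):
    DENIED = "denied"
    GRANTED = "granted"              # credentials (if any) and group both checked
    GRANTED_UNCHECKED = "unchecked"  # admin let in: required server settings missing
    GRANTED_NO_GROUP = "no_group"    # admin let in: admin bind details missing or rejected


@dataclass
class ADSettings:
    host: str = ""
    port: int = 0
    tls: bool = False
    domain: str = ""
    admin_user: str = ""
    admin_password: str = ""
    group: str = ""  # assumed to hold the group's distinguished name

    def missing_required(self):
        return [n for n in ("host", "port", "domain") if not getattr(self, n)]


def escape_filter(value):
    """RFC 4515 escaping, so a typed user name cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(sam_account, group_dn):
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (escape_filter(sam_account), escape_filter(group_dn))


def _settings_unusable(settings, user_level):
    """NOTE on required fields: an admin is let in unchecked so the settings can be fixed."""
    if settings.missing_required():
        return Outcome.GRANTED_UNCHECKED if user_level >= ADMIN_LEVEL else Outcome.DENIED
    return None


def _group_check(settings, username, user_level, conn):
    is_admin = user_level >= ADMIN_LEVEL
    if not settings.group:
        return Outcome.GRANTED  # assumed: no group configured means no group test
    if not settings.admin_user or not settings.admin_password:
        # NOTE: admin details not set -> admin skips the group test.
        # Denying everyone else is this example's choice, not documented behaviour.
        return Outcome.GRANTED_NO_GROUP if is_admin else Outcome.DENIED
    admin_upn = "%s@%s" % (settings.admin_user, settings.domain)
    member = conn.search(admin_upn, settings.admin_password, group_filter(username, settings.group))
    if member is None:  # NOTE: admin user name or password wrong -> treated as not set
        return Outcome.GRANTED_NO_GROUP if is_admin else Outcome.DENIED
    return Outcome.GRANTED if member else Outcome.DENIED


def authenticate(settings, username, password, user_level, conn):
    """Approach 1: the entered login and password are validated by the server."""
    early = _settings_unusable(settings, user_level)
    if early is not None:
        return early
    if not password or not conn.bind("%s@%s" % (username, settings.domain), password):
        return Outcome.DENIED
    return _group_check(settings, username, user_level, conn)


def single_sign_on(settings, windows_user, user_level, conn):
    """Approach 2: no password; only the Windows user name is checked against the group."""
    early = _settings_unusable(settings, user_level)
    if early is not None:
        return early
    return _group_check(settings, windows_user, user_level, conn)


class FakeDirectory:
    """Constructed stand-in for the LDAP server so the example runs offline."""
    def __init__(self, accounts, members):
        self.accounts = accounts  # upn -> password
        self.members = members    # sAMAccountNames that are in the program's group

    def bind(self, upn, password):
        return self.accounts.get(upn) == password

    def search(self, admin_upn, admin_password, ldap_filter):
        if not self.bind(admin_upn, admin_password):
            return None  # admin bind rejected
        name = ldap_filter.split("(sAMAccountName=")[1].split(")")[0]
        return name in self.members


# Constructed demo data
DEMO_SETTINGS = ADSettings(host="dc1.example.test", port=636, tls=True, domain="example.test",
                           admin_user="svc-secwin", admin_password="demo-admin-pw",
                           group="CN=AppUsers,OU=Groups,DC=example,DC=test")
DEMO_DIR = FakeDirectory({"alice@example.test": "pw-alice", "bob@example.test": "pw-bob",
                          "svc-secwin@example.test": "demo-admin-pw"}, {"alice"})

if __name__ == "__main__":
    print(authenticate(DEMO_SETTINGS, "alice", "pw-alice", 1, DEMO_DIR))  # GRANTED
    print(authenticate(DEMO_SETTINGS, "bob", "pw-bob", 1, DEMO_DIR))      # DENIED: not in group
    print(single_sign_on(DEMO_SETTINGS, "alice", 1, DEMO_DIR))           # GRANTED
```

The outcomes other than GRANTED and DENIED are the ones worth logging in a real deployment: GRANTED_UNCHECKED and GRANTED_NO_GROUP mean an administrator got in while the Active Directory settings were unusable, which is exactly the condition the notes say should be corrected.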
