Active Directory Authentication for Enterprise Recon

1. Contents

2. General Information

The Microsoft Active Directory Domain Services (AD-DS) based authentication feature in Enterprise Recon (version) provides Single Sign-On (SSO) for users who are authenticated and managed in an enterprise Active Directory environment. The feature also creates Enterprise Recon groups based on domain names and places the node agent hosts in those groups. With this authentication mechanism there is no need to explicitly add users and passwords to the Enterprise Recon database.

The SSO feature replaces the original login-password based login when the master hub server is running on a Windows host and the conditions on the console side (specified in Section 3.1) are satisfied.

This User Guide provides detailed information about using this feature.

3. System requirements and special notes

  1. This feature is supported by an Enterprise Recon master hub server running on a Microsoft Windows host, in or out of the Active Directory domain (ADD), and by an Enterprise Recon Console (client) running in the ADD.
    • This feature is NOT supported when the master hub server and/or Console run on Linux or any other non-Windows host.
  2. This feature is tested and supported on the Windows 2000, 2003, 2008 and 7 operating systems.
  3. Integration with other Microsoft Active Directory services, such as Active Directory Federation Services, Active Directory Certificate Services and Active Directory Lightweight Directory Services, is NOT covered by this feature.
  4. See the Step-by-Step Guide to Managing the Active Directory (http://technet.microsoft.com/en-us/library/bb742437.aspx) for more information on the administrative setup steps referenced in this guide.

3.1. Dependencies for SSO to be successful

  1. The Console must be running on a Windows host that is in the ADD.
  2. The user launching the console must be physically logged in as an AD-DS authenticated user.
    • If the user is logged in as a local user, the original password-based login is initiated instead.
  3. This user must be a member of either the EnterpriseReconAdministrators group or the EnterpriseReconAccess group in AD-DS.
    • These groups must be created with Universal Group Scope and Security Group Type in the root primary domain controller (PDC).
    • To create the groups, follow the steps provided in the guide mentioned above.
    • If you are connecting from a console in one AD forest to a master hub server running in a different AD forest, the two domain controllers must have a trust relationship so that the user authenticated in the client-side AD can be validated by the server-side AD. Creating this relationship is out of scope for this guide; contact your Windows Active Directory administrator if you face issues in this scenario.

4. System Overview

Figure-1 shows the interaction among various components in this SSO based login functionality.

[Figure-1: ad1.png, interaction among the components in SSO based login]

EnterpriseRecon Console-1, which is outside the ADD, is authenticated using the normal login-password dialogue box.
EnterpriseRecon Console-2 and EnterpriseRecon Console-3, which run in the same parent domain (under domain1.com), are authenticated using the credentials of the user logged into the host on which each console runs.

5. How does ADDS-SSO work in Enterprise Recon?

Referring to Figure-1, ADDS-SSO works as follows:

[Figure-2: ad2.png, ADDS-SSO connection dialogue]

  1. An ADDS authenticated user launches the EnterpriseRecon console.
  2. The console determines that it is being run under an ADDS authenticated login id.
  3. Accordingly, the console pops up a connection dialogue box (Figure-2).
  4. Enter the name of the master server to connect to and click Login.
  5. The console establishes a connection to the specified master server and sends the authentication information to it.
  6. The master server validates this user credential information with the ADD server.
  7. If the validation with the ADD passes, the master server checks whether the logged-in user is a member of either the EnterpriseReconAdministrators group or the EnterpriseReconAccess group.
    • If the user is a member of the EnterpriseReconAdministrators group, the user is treated as an Enterprise Recon administrator and the master server confirms to the console that the login succeeded.
    • If the user is a member of the EnterpriseReconAccess group, the user is treated as an Enterprise Recon ordinary user and the master server confirms to the console that the login succeeded.
    • If the user is not a member of either of these two Enterprise Recon groups, the master server reports login failure to the console.
    • After a successful login, the master server adds this user to the Enterprise Recon database if the user does not already exist there.
      • If the user already exists in the database, the user's privilege level is not changed, even if the user is a member of the EnterpriseReconAdministrators group. In this case the Manage Users link is grayed out on the Console for this user, indicating that the user is still not an ER administrator. To grant ER-Admin privileges to this user, an ER administrator must log in and either change this user's login privileges or remove the user from the database, so that on the next login the master server adds the user as an ER-Admin.

This eliminates the need to manage users in Enterprise Recon, which is a substantial amount of work in medium and large corporate and enterprise environments.

  8. If the console receives login-success from the master server, the console enters normal operation mode and shows the Welcome page to the user.
    • If the console receives login-failure from the master server, the console pops up the original login-password dialogue box and falls back to the original login style.

6. Environment Setup for using this feature

Assuming that Active Directory Domain Services based logins are already in place, this section explains the steps required to enable this feature in an Enterprise Recon installation.
To use the SSO login and group creation features, all three major components (console, master hub and node agent) must be upgraded to the newer version.

6.1. Configurations to be done in Active Directory Domain Server

  1. Create the EnterpriseReconAdministrators and EnterpriseReconAccess groups in AD-DS.
    • These groups must be created with Universal Group Scope in the root primary domain controller (PDC), so that after this one-time creation the groups are visible in all child domains of the forest.
    • To create the groups, follow the steps provided in the guide mentioned above.
  2. Assign membership of these groups to the appropriate personnel in your organization according to the role they will play in using the Enterprise Recon application.
    • If you want the Administrator login of your ADD (i.e. the account named yourADD_Domain\Administrator) to access the Enterprise Recon functionality, you must explicitly assign that Administrator account membership of the Enterprise Recon groups.
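The following PowerShell is an added example, not Enterprise Recon product code or part of its documentation. It performs the group setup described in Section 6.1 (Universal scope, Security type, created in the forest root domain) and then reproduces the membership check from Section 5, step 7, so that you can predict before a user logs in whether the master hub will treat them as an ER administrator, an ER ordinary user, or reject SSO and fall back to the password dialogue. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the session has rights to create groups in the root domain; the OU path and the account names er.admin and er.user1 are placeholders.

```powershell
# Added example (not product code): create the two Enterprise Recon groups as
# Universal Security groups in the forest root domain, assign members, and
# report the role the master hub would grant on SSO login.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

$RootDomain = (Get-ADForest).RootDomain           # forest root, where the groups must live
$GroupOU    = "OU=Groups,DC=domain1,DC=com"       # placeholder container for the groups
$Groups     = @("EnterpriseReconAdministrators", "EnterpriseReconAccess")

foreach ($name in $Groups) {
    # Idempotent: only create the group if it does not already exist in the root domain.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -Server $RootDomain)) {
        New-ADGroup -Name $name -SamAccountName $name `
                    -GroupScope Universal -GroupCategory Security `
                    -Path $GroupOU -Server $RootDomain
    }
}

# Assign membership by role (placeholder account names).
Add-ADGroupMember -Identity "EnterpriseReconAdministrators" -Members "er.admin" -Server $RootDomain
Add-ADGroupMember -Identity "EnterpriseReconAccess"         -Members "er.user1" -Server $RootDomain

# Verify scope and category, since SSO requires Universal scope and Security type.
Get-ADGroup -Identity "EnterpriseReconAdministrators" -Server $RootDomain |
    Select-Object Name, GroupScope, GroupCategory

function Get-ExpectedERRole {
    <#  Mirrors the decision in Section 5, step 7:
          EnterpriseReconAdministrators -> ER administrator
          EnterpriseReconAccess         -> ER ordinary user
          neither                       -> SSO fails; console falls back to password login.
        Note: Get-ADPrincipalGroupMembership lists direct memberships only, so a
        user whose membership comes through a nested group is reported as "neither". #>
    param([Parameter(Mandatory)][string]$SamAccountName)

    $memberOf = Get-ADPrincipalGroupMembership -Identity $SamAccountName -Server $RootDomain |
                Select-Object -ExpandProperty SamAccountName

    if     ($memberOf -contains "EnterpriseReconAdministrators") { "ER administrator" }
    elseif ($memberOf -contains "EnterpriseReconAccess")         { "ER ordinary user" }
    else   { "SSO fails: not a direct member of either group (password dialogue will appear)" }
}

Get-ExpectedERRole -SamAccountName "er.admin"
Get-ExpectedERRole -SamAccountName "er.user1"
```

Run the membership check for an account that is already present in the Enterprise Recon database with care: as Section 5 notes, an existing user's privilege level is not raised on SSO login even if the account has since been added to EnterpriseReconAdministrators, so the role reported here is the one a first-time login would receive.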

Once the setup in ADDS is done, you are ready to install the new version of Enterprise Recon.

6.2. Upgrading the Enterprise Recon to new version

Steps for this are as follows:

  1. Obtain the latest Enterprise Recon build (version 1.16).
  2. Stop the node agents, the consoles connecting to the master hub, and the master hub you want to upgrade.
  3. Upgrade the master hub to the new version of Enterprise Recon by following the steps in the installation wizard.
    • After successful installation, the master hub service starts automatically (if installed as a service).
  4. Upgrade the node agents and consoles, also following the steps in the installation wizard.
    • As in a normal installation, set the node agent to connect to the master hub.
    • When the new node agent starts as a service, it connects to the master hub and provides its fully qualified domain name (FQDN) hostname for identification (if running in the ADD). As a result, this node is shown under its own domain tree.

Now, if you launch the new console, you get the new login prompt shown in Figure-2 (assuming that your login account is ADD authenticated).
This login prompt has only one text box, for entering the master hub hostname (or IP address).
Once you enter the master hub hostname and click the Login button, you see the Connecting and then Loading windows, and finally the Welcome page appears.
In the Manage Users tab under the Configuration page, you can see that your user id has been added automatically. This confirms that the master hub has authorised your user account to access the Enterprise Recon functionality and that your account was added to the Enterprise Recon database automatically.

7. Group creation based on active directory domains

At present, groups are created manually in Enterprise Recon from the Group Manager in the Configuration page.
With the new feature, when the master hub server receives a registration request from a node agent running in the ADD, it creates the group(s) according to the domain names that form the node agent's host name.
[Figure 3: ad3.png, nodes running in and out of the ADD]

[Figure 4: ad4.png, grouping of the node agents shown in Figure-3]

These node agents are grouped as shown in Figure-4.
Node agents running in the ADD are shown under their corresponding domains.
Node agents running out of the ADD are shown directly under the Network node.
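To make the grouping rule concrete, the following PowerShell function is an added example, not Enterprise Recon code: it derives from a node agent's reported host name the domain-based group path under Network that Section 7 describes. The guide does not state in which order nested domains are arranged, so the parent-first ordering (domain1.com above child.domain1.com) and the use of a backslash as path separator are assumptions; the sample host names are constructed. A bare host name with no domain suffix is treated as a node running out of the ADD and placed directly under Network.

```powershell
# Added example (not product code): model how a node agent's host name maps to
# the domain-based group tree described in Section 7.
# Assumption: parent domain first, child domains beneath it, host as the leaf.
function Get-NodeGroupPath {
    param([Parameter(Mandatory)][string]$HostName)

    $labels = $HostName.Trim().ToLower().Split('.')
    if ($labels.Count -lt 2) {
        # Bare host name: the node agent is outside the ADD, so it sits directly under Network.
        return "Network\$($labels[0])"
    }

    # Domain labels after the host label, e.g. host1.child.domain1.com -> child, domain1, com
    $domainLabels = @($labels[1..($labels.Count - 1)])

    # Build the chain of domains from the top-level forest domain down to the host's
    # own domain: domain1.com, then child.domain1.com. The bare TLD ("com") is not a domain.
    $chain = @()
    for ($i = $domainLabels.Count - 2; $i -ge 0; $i--) {
        $chain += ($domainLabels[$i..($domainLabels.Count - 1)] -join '.')
    }
    return ("Network\" + (($chain + $labels[0]) -join '\'))
}

# Constructed sample host names: one in a child domain, one in the parent domain,
# one outside the ADD.
"host1.child.domain1.com", "host2.domain1.com", "standalone" | ForEach-Object {
    "{0,-26} -> {1}" -f $_, (Get-NodeGroupPath -HostName $_)
}
```

With the constructed input, host1 resolves to Network\domain1.com\child.domain1.com\host1, host2 to Network\domain1.com\host2, and standalone to Network\standalone, which matches the placement rule stated for Figure-4.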

8. Scenarios for SSO and explicit password based logins

S.No. | Location of Console | Location of Master Hub Server | Will SSO work?
----- | ------------------- | ----------------------------- | --------------
1 | Started on host in ADD, by ADDS authenticated user or Administrator, member of any one of Enterprise Recon groups | Running on Windows host in the same ADD | Yes
2 | Started on host in ADD, by ADDS authenticated user or Administrator, NOT a member of any one of Enterprise Recon groups | Running on Windows host in the same ADD | No
3 | Started on host in ADD, by user or Administrator local to that host | Running on Windows host in the same ADD | No
4 | Started on host in ADD, by ADDS authenticated user or Administrator, member of any one of Enterprise Recon groups | Running on Windows host out of the ADD | No
5 | Started on host out of ADD (old login style will be used) | Running on Windows host in the ADD | No
6 | Old console running in or out of ADD (old login style will be used) | Running on Windows host in the ADD | No
7 | Started on host in ADD, by ADDS authenticated user or Administrator, member of any one of Enterprise Recon groups | Old master hub running on Windows host in the same ADD | No; the connection will fail. Please upgrade the hub server.

9. Implications of this feature

  1. This new feature is not compatible with:
    • old master hub servers. It is therefore mandatory to upgrade the master hub servers as well when the console is upgraded.
    • master hub servers running on Linux or other non-Windows hosts.
    • any non-Windows directory services.
  2. If the user is not present in the Enterprise Recon database and the ADDS based SSO fails, the user will not be able to log in at all. For the original login to work, the user must be added to the Enterprise Recon DB.