Difference between revisions of "Authentication Service"
(→Configuring Active Directory) |
(→User Search Filter) |
||
Line 24: | Line 24: | ||
====User Search Filter==== | ====User Search Filter==== | ||
+ | This field determines how the FMR will locate users within the AD tree. The syntax of valid values can be located on the Microsoft support site. FMR will not validate the contents of this field for syntactical correctness and will simply use what is entered. | ||
If this field is left blank, the following value will be used: | If this field is left blank, the following value will be used: | ||
Line 32: | Line 33: | ||
* {0} - is the "bind principal". This is the username that the user types into the login dialog (when attempting to login). However if this value does NOT contain an "@", then the domain name is appended to it. For example, if the user attempts to log in as "Alice", on the domain "bisorg.external", then the value that replaces {0} will be Alice@bisorg.external | * {0} - is the "bind principal". This is the username that the user types into the login dialog (when attempting to login). However if this value does NOT contain an "@", then the domain name is appended to it. For example, if the user attempts to log in as "Alice", on the domain "bisorg.external", then the value that replaces {0} will be Alice@bisorg.external | ||
* {1} - is the "username" only. This corresponds exactly to the username. If the user attempts to log in as "Alice", then the value that replaces {1} will be simply "Alice". | * {1} - is the "username" only. This corresponds exactly to the username. If the user attempts to log in as "Alice", then the value that replaces {1} will be simply "Alice". | ||
+ | |||
+ | By way of example, the following specifies a search for objects of class "user" where the User Principal Name in AD will be the "bind principal". If this is not resolved, then the sAMAccountName is checked against the username: | ||
+ | |||
+ | (&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1}))) | ||
===Testing the Active Directory Settings=== | ===Testing the Active Directory Settings=== |
Revision as of 05:18, 10 May 2024
Contents
Overview
The administration page to set the Authentication Service of FMR has controls for the different security services. Use the drop-down at the top of the page to select the service you require. The current options are:
- None
- Active Directory
- LDAP
- Fusion Security
Configuring Active Directory
When Active Directory has been chosen as the Authentication Mechanism, the following information needs to be provided
- The protocol type: either ldap or ldaps
- The IP address or name of the server hosting the Active Directory instance
- The Active Directory Domain Name - this can be obtained from the Active Directory administration tool
- The Base Group Domain Name (optional) - if this is left blank, the root of the Active Directory instance will be used to locate users
- The User Search Filter (optional)
The 2 values which are sometimes the most difficult to define are the Base Group Domain Name and the User Search Filter. If these are specified incorrectly, then even though FMR is communicating with your Active Directory instance correctly, then you may find users are unable to login.
Base Group Domain Name
User Search Filter
This field determines how the FMR will locate users within the AD tree. The syntax of valid values can be located on the Microsoft support site. FMR will not validate the contents of this field for syntactical correctness and will simply use what is entered.
If this field is left blank, the following value will be used:
(&(objectClass=user)(userPrincipalName={0}))
This states that the search filter is looking for objects in Active Directory of class "user" and where the User Principal Name of those objects is the value as specified by {0}. {0} is a placeholder for the value the user types in to FMR in order to become authenticated, however there are some subtleties. In the User Search field there are two placeholder values:
- {0} - is the "bind principal". This is the username that the user types into the login dialog (when attempting to login). However if this value does NOT contain an "@", then the domain name is appended to it. For example, if the user attempts to log in as "Alice", on the domain "bisorg.external", then the value that replaces {0} will be Alice@bisorg.external
- {1} - is the "username" only. This corresponds exactly to the username. If the user attempts to log in as "Alice", then the value that replaces {1} will be simply "Alice".
By way of example, the following specifies a search for objects of class "user" where the User Principal Name in AD will be the "bind principal". If this is not resolved, then the sAMAccountName is checked against the username:
(&(objectClass=user)(|(userPrincipalName={0})(sAMAccountName={1})))
Testing the Active Directory Settings
Since it can be difficult to set the Active Directory settings correctly, since version 11.16.1 of FMR, there is also the ability from this page for an Admin user of FMR to test how Active Directory would respond with an attempted log-on for a particular user. This feature allows for quicker investigation and resolution of the Active Directory settings that you will require for your environment.
Other tools you may want to use are the Windows Powershell commands "Get-ADUser" and "dsquery".