Using Active Directory with the ACS

By default, a CygNet service operates under the Windows Local System account. Local System has privileges on the machine itself but does not have privileges outside the local system (unless the Local System account is on a domain controller). CygNet recommends that services be run using a domain account. A domain account can be given access to network resources such as LDAP (Lightweight Directory Access Protocol) queries, read/write access of network drives for backups and reports, printers, etc. See Windows Service Mode.

Active Directory Credentials

When using Active Directory with the ACS, the login ID used to run the CygNet services must have read permission for LDAP queries on the target domain. LDAP is how the ACS reads group and user information from the domain controller over the network, so without that read permission it cannot resolve Active Directory IDs.

If CygNet services are not run as a service or the domain account used to run them does not have read permission for LDAP queries, you must include the required login credentials in the ACS configuration file. The ACS keywords for login credentials are ACTIVE_DIRECTORY_USER and ACTIVE_DIRECTORY_PASSWORD.

Server Name

In the ACS configuration file you can also specify the name of the domain controller server, using the keyword ACTIVE_DIRECTORY_SERVER_NAME. This keyword is required when using Active Directory so that the login ID used to run the services can find the domain controller. This matters in particular when the services run under the Local System account or a local ID account (a user account that exists only on the machine and not in the domain), since such accounts cannot locate the domain controller on their own.

Active Directory example

Active Directory Group or User Naming Information

Every group and user account in Active Directory is considered an object. Each object has a full canonical name. This name is basically composed of the domain information and the group or user information. See Active Directory ID.

You can specify the domain information in the ACS configuration file using the keyword ACTIVE_DIRECTORY_NAMING_CONTEXT. When you do this, you do not have to include the information in the User or Group ID field in the Group Member Properties dialog box in the ACS. This can be helpful since in CygNet, Active Directory IDs are limited to 64 characters.

Adding an Active Directory Record in the ACS

When you add an Active Directory group or user ID in the ACS, the Type must be set to AD - Active Directory and the User must be set to the name of the Active Directory group or user. See Configuring CygNet Groups.

Add an Active Directory Record

You do not have to include the domain information in the ID field if: 1) it is the same as that of the login used to run the services; or 2) it is specified in the configuration file using the ACTIVE_DIRECTORY_NAMING_CONTEXT keyword.
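The following PowerShell function is an added example, not CygNet code, that shows what the naming-context rule buys you: it assumes the ACS ID field takes an LDAP distinguished name whose trailing DC= components are the domain information and that ACTIVE_DIRECTORY_NAMING_CONTEXT holds exactly those components (the page does not show the exact ID syntax, so treat that as an assumption). It reports whether the value typed in the ID field fits the 64-character limit and what the fully qualified name becomes once the configured naming context is appended.

```powershell
# Added example, not CygNet code. Assumption: the ACS ID field takes an LDAP
# distinguished name whose trailing DC= components are the domain information,
# and ACTIVE_DIRECTORY_NAMING_CONTEXT holds exactly those DC= components.
# The 64-character limit on Active Directory IDs is the one the page states.
function Resolve-AcsAdId {
    param(
        [Parameter(Mandatory)] [string] $IdField,   # what is typed in the ACS User or Group ID field
        [string] $NamingContext = ''                # ACTIVE_DIRECTORY_NAMING_CONTEXT value, if configured
    )
    $maxLength = 64
    $hasDomain = $IdField -match '(?i)(^|,)\s*DC='   # domain information already present in the field?

    $fullName = if ($hasDomain -or [string]::IsNullOrEmpty($NamingContext)) {
        $IdField
    } else {
        "$IdField,$NamingContext"                     # domain information supplied by the config file
    }

    [pscustomobject]@{
        IdField          = $IdField
        IdFieldLength    = $IdField.Length
        FitsIn64         = ($IdField.Length -le $maxLength)
        DomainFromConfig = (-not $hasDomain) -and (-not [string]::IsNullOrEmpty($NamingContext))
        FullName         = $fullName
    }
}

# Constructed sample values (not from any real domain)
$namingContext = 'DC=corp,DC=example,DC=com'
$groupPart     = 'CN=ACS Field Operators,OU=Service Groups,OU=SCADA'

# Same group typed in full: the field is over the limit
Resolve-AcsAdId -IdField "$groupPart,$namingContext"
# Same group with the domain part moved into the config file: the field fits and FullName is unchanged
Resolve-AcsAdId -IdField $groupPart -NamingContext $namingContext
```

Run both calls and compare the FitsIn64 and FullName columns: the group resolves to the same object either way, but only the second form leaves room in the 64-character field for deeper OU paths.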

CygNet Group vs. Permission

Be sure to use the correct ID Type. If the type is CG, that tells the service to reference a CygNet Group. If the type is AD, that means the user ID is an Active Directory user or group.

In the image below, the Group is ADMINS. The ADMINS Group contains two IDs, one for a user (US) and one for an Active Directory (AD) group. The permission references the ADMINS Group.

ID Type

ACS Shutdown and Active Directory Users

The ACS has a memory-only cache. If the ACS shuts down it clears its cache and no longer has a copy of user groups and IDs from the Active Directory server. Upon reboot it must connect to an Active Directory domain controller to rebuild the cache of IDs for log-on authorizations. When the ACS starts up it begins a background thread to obtain just the Active Directory information for which it has references. If a request comes in during that brief startup time, the ACS will immediately query the Active Directory for the data before responding to the request. This could also happen if a new ACS entry is made referring to an Active Directory ID that wasn’t in the cache. If an Active Directory group is modified on the Active Directory server it may take a few minutes for the ACS cache to catch up with the change.

If the ACS is unable to build the Active Directory memory cache it cannot authenticate Active Directory users; the cache is a prerequisite for Active Directory logins. For this reason it is recommended that you have an administrator set up with both Active Directory and CygNet groups, so that administrator access to the CygNet site remains available if communication with the domain controller is lost. If a connection to the Active Directory server is severed and not repaired within 30 minutes, Active Directory users will not have access to the CygNet site.

Troubleshooting

When you use the Active Directory option, have your system administrator turn on NetLogon logging on the domain controller, look for the host server's computer account in the log, and see how the domain controller is handling its requests. If the host server does not show up in the log file, the requests are not reaching the domain controller.

If the ACS log file shows the error "Failed to Open AD Group or User" then the user ID used to run the services or specified in the ACS configuration file does not have rights to run an LDAP read query on the target domain.
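The PowerShell script below is an added example, not CygNet code, that walks the troubleshooting steps above on the ACS host: it reports which account the service runs under, performs the same kind of LDAP read the ACS needs (as the caller's own identity, or with a supplied credential matching the ACTIVE_DIRECTORY_USER and ACTIVE_DIRECTORY_PASSWORD pair you intend to configure), and searches the NetLogon log for the host. The service name, host name, domain controller and naming context are placeholders to be replaced with your own values; to test the service account's own rights without its password, start the shell as that account (for example with runas) and call Test-LdapRead without -Credential.

```powershell
# Added example, not CygNet code. The service name, host name, domain
# controller and naming context below are placeholders for your own values.
$serviceName   = 'CygNetACS'                   # placeholder: Windows service name of the ACS
$dcServer      = 'dc01.corp.example.com'       # what you would set as ACTIVE_DIRECTORY_SERVER_NAME
$namingContext = 'DC=corp,DC=example,DC=com'   # what you would set as ACTIVE_DIRECTORY_NAMING_CONTEXT
$acsHost       = 'ACSHOST01'                   # placeholder: computer name of the machine running the ACS

# 1. Which account runs the service? Local System appears as 'LocalSystem' and,
#    as the page notes, has no rights outside the machine unless it is a DC.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if ($svc) { "Service '$serviceName' runs as: $($svc.StartName)" }
else      { "Service '$serviceName' not found; check the placeholder name" }

# 2. Can a given identity run an LDAP read on the target domain? With no
#    -Credential this uses the caller's own token; pass -Credential to test
#    the account you intend to put in the ACS configuration file.
function Test-LdapRead {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [pscredential] $Credential
    )
    $path = "LDAP://$Server/$DistinguishedName"
    try {
        $entry = if ($Credential) {
            New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path, $Credential.UserName, $Credential.GetNetworkCredential().Password
        } else {
            New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path
        }
        $entry.RefreshCache()                 # binds and reads the object; throws if either step fails
        [pscustomobject]@{ Path = $path; ReadOk = $true;  Detail = $entry.Properties['distinguishedName'].Value }
    } catch {
        # A failure here corresponds to the ACS log message "Failed to Open AD Group or User"
        [pscustomobject]@{ Path = $path; ReadOk = $false; Detail = $_.Exception.Message }
    }
}

# Read the naming context itself, then a (constructed) group the ACS would reference
Test-LdapRead -Server $dcServer -DistinguishedName $namingContext
Test-LdapRead -Server $dcServer -DistinguishedName "CN=ACS Operators,CN=Users,$namingContext"

# 3. NetLogon logging, to be enabled on the domain controller by an administrator:
#      nltest /dbflag:0x2080ffff     (verbose logging to %SystemRoot%\debug\netlogon.log)
#      nltest /dbflag:0x0            (turn it off again when finished)
#    If the ACS host never appears in that log, its requests are not reaching the DC.
$netlogonLog = Join-Path $env:SystemRoot 'debug\netlogon.log'
if (Test-Path $netlogonLog) {
    Select-String -Path $netlogonLog -Pattern $acsHost | Select-Object -Last 20
}
```

If step 1 shows LocalSystem or a local account and step 2 fails without -Credential but succeeds with the intended domain credential, the fix is either to run the service under that domain account (the recommended option) or to supply the credential through ACTIVE_DIRECTORY_USER and ACTIVE_DIRECTORY_PASSWORD; step 3 is read on the domain controller, so copy the log or run that part there.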

© 2020 Weatherford. All rights reserved.