
Configuring Authentication and Authorization with Active Directory Service (Standard Mode)

To configure integration with Active Directory Service (standard mode):

  1. Select Authentication > Auth. Servers.
  2. Select Active Directory / Windows NT and click New Server to display the configuration page.
  3. Select Active Directory mode and complete the configuration as described in Table 14.
  4. Save the configuration.

Table 14: Active Directory Mode Settings

Settings / Guidelines

Mode

Select one of the following modes:

  • Active Directory—For recent versions of Windows Server.
  • Active Directory Legacy Mode—For Windows Server 2003 and earlier.


Base Configuration

Name

Specify a name to identify the server within the system.

Domain

Specify the NetBIOS domain name for the Active Directory domain.

The system uses DNS to discover domain controllers in the Active Directory forest. It sends authentication requests to the domain controller at the closest site. Ensure that your DNS servers are configured to resolve the Active Directory domain controller fully qualified domain name (FQDN) and service (SRV) records.

Do not create an Active Directory and an Active Directory Legacy Mode configuration with the same domain and computer name. They must have different computer names.

Kerberos Realm

Specify the FQDN of the Active Directory domain. For example, if “pulsesecure” is the domain name (NetBIOS name), then pulsesecure.net is the Kerberos realm name.

Domain Join Configuration

Username

Specify a username that has permission to join computers to the Active Directory domain.

Use the “Delegate Control” workflow in Active Directory to assign the following user account permissions to the username or to a group to which the user belongs:

  • Write
  • Write All Properties
  • Change Password
  • Reset Password
  • Validate Write to DNS hostname
  • Read and write DNS host attributes
  • Delete Computer Objects
  • Create Computer Objects
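To verify that delegation produced exactly these rights on the target container and nothing broader, the following PowerShell script, an added example that is not from the Pulse Secure guide, prints the ACEs the join account (directly or through group membership) holds there with the GUIDs resolved to names; it assumes the ActiveDirectory module, the page's pulsesecure.net domain, and the constructed names svc-pcs-join and the default Computers container.

```powershell
# Added example (not from the Pulse Secure guide): audit what the domain-join
# account has actually been delegated on the target container, resolving the
# GUIDs in each ACE to names so the output can be compared with the list above.
# Assumes the ActiveDirectory module, the page's example domain pulsesecure.net,
# and constructed names: account svc-pcs-join, default Computers container.
param(
    [string]$Account   = "svc-pcs-join",
    [string]$Container = "CN=Computers,DC=pulsesecure,DC=net"
)
Import-Module ActiveDirectory

# GUID -> name map: extended rights (Reset Password, Change Password, Validated
# write to DNS host name, ...) live in the configuration partition; classes and
# attributes (computer, dNSHostName, ...) live in the schema. ACE ObjectType and
# InheritedObjectType GUIDs refer to one of these; the empty GUID means "all".
$rootDse  = Get-ADRootDSE
$guidName = @{}
$guidName[[guid]::Empty] = "(all)"
Get-ADObject -SearchBase $rootDse.configurationNamingContext -LDAPFilter "(objectClass=controlAccessRight)" -Properties rightsGuid, displayName |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Delegate Control is often applied to a group, so match ACEs against the
# account and every group it belongs to, nested ones included (matching-rule
# OID 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN).
$user   = Get-ADUser -Identity $Account
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$names  = @($user.SamAccountName) + @($groups | ForEach-Object SamAccountName)

(Get-Acl -Path "AD:\$Container").Access |
    Where-Object { $names -contains ($_.IdentityReference.Value -split '\\')[-1] } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Allow     = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights   # CreateChild/DeleteChild, WriteProperty, ExtendedRight, Self (validated write)
            Object    = $guidName[$_.ObjectType]    # the right, attribute or class the ACE is scoped to
            AppliesTo = $guidName[$_.InheritedObjectType]
            Inherited = $_.IsInherited
        }
    } | Sort-Object Principal | Format-Table -AutoSize
```

Rights that appear beyond the eight listed above (for example GenericAll on the whole OU) are a sign that Delegate Control was run with a broader template than needed.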

Password

Specify the password for the special user.

Save Credentials

If this setting is not enabled, the credentials entered will be destroyed after successfully joining the domain.

This option is useful when managing clusters. For example, you might want to save the credentials for a cluster node you have yet to add. If you do not enable this option, you must manually enter the credentials when you add the new cluster node.

Container Name

Specify the container path in Active Directory in which to create the machine account. Changing this field triggers a domain rejoin action.

The default is Computers, which is a standard container created during installation of the AD server. The AD Computers container is the default location for new computer accounts created in the domain.

If desired, you may specify a different container or OU. To specify nested containers, use a forward slash ( / ) as the container separator. For example: outer OU/inner OU.

NOTE: Do not use backslashes in the path. Using backslashes causes an Invalid DN Syntax error.

Computer Name

Specify the machine account name. The default computer name is derived from the license hardware in the following format: 0161MT2L00K2C0. We recommend the Computer Name string contain no more than 14 characters to avoid potential issues with the AD/NT server. Do not include the '$' character.

Update Join Status / Reset Join

The following colors are used to indicate status:

  • Gray. The Domain Join action has not been attempted. This is the default status that appears when you are using the page to create a new Active Directory configuration.
  • Yellow. Attempting to join the Active Directory domain. This is the default status that appears after saving configuration settings or when any domain join settings are changed in an existing configuration.
  • Green. The attempt was successful. This status indicates that this server can now be used to authenticate users.
  • Red. The attempt to join the Active Directory domain was not successful.

Click Update Join to get the latest join status of nodes. If the status appears persistently red, click Reset Join to reinitiate the domain join process. The Reset Join action requires Active Directory administrator credentials.

NOTE:

  • For cluster nodes, you might need to click Update Join multiple times to obtain the latest join status of nodes.
  • Transient network issues might also cause the join status indicator to appear red. Before restarting the join process, ensure that it is not caused by network issues. Make sure your DNS servers can resolve queries to the Active Directory domain controller and that the Active Directory credentials are valid and have the appropriate permissions.
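The DNS requirements stated under Domain (SRV and host records for the domain controllers) and the network check suggested in this note can be run from an admin workstation before joining or before clicking Reset Join. The following PowerShell script is an added example, not part of the Pulse Secure guide; it assumes the page's pulsesecure.net realm and uses 10.0.0.53 as a placeholder for the DNS server the appliance is configured with.

```powershell
# Added example (not from the Pulse Secure guide): pre-join check of the DNS
# records the appliance uses to find domain controllers, run from a Windows
# admin host against the DNS server the appliance is configured with. Assumes
# the page's example realm pulsesecure.net; 10.0.0.53 is a constructed placeholder.
param(
    [string]$Realm     = "pulsesecure.net",
    [string]$DnsServer = "10.0.0.53"
)

# SRV names behind "DNS discovery of domain controllers" and Kerberos.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Realm",   # domain controllers offering LDAP
    "_kerberos._tcp.$Realm",         # KDCs (TCP 88)
    "_kpasswd._tcp.$Realm"           # needed for periodic machine password change
)

$ok = $true
foreach ($name in $srvNames) {
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq "SRV" }
    } catch {
        Write-Warning "SRV lookup failed for ${name}: $($_.Exception.Message)"
        $ok = $false
        continue
    }
    # Lowest priority first, then highest weight: the order a client would try.
    foreach ($rec in $srv | Sort-Object Priority, @{Expression = "Weight"; Descending = $true}) {
        $a = Resolve-DnsName -Name $rec.NameTarget -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "A" } | Select-Object -First 1
        if (-not $a) {
            Write-Warning "$($rec.NameTarget) (from $name) has no A record on $DnsServer"
            $ok = $false
            continue
        }
        # A record alone is not enough: the port in the SRV record must be open from here.
        $tcp   = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
        $state = if ($tcp.TcpTestSucceeded) { "reachable" } else { "BLOCKED" }
        if (-not $tcp.TcpTestSucceeded) { $ok = $false }
        "{0,-40} {1,-15} tcp/{2,-5} {3}" -f $rec.NameTarget, $a.IPAddress, $rec.Port, $state
    }
}
if ($ok) { "DNS prerequisites look good for $Realm" } else { Write-Warning "Fix the items above before using Reset Join" }
```

Run it from a host on the same network segment as the appliance where possible, since a port that is open from the admin workstation may still be filtered between the appliance and the domain controller.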

Additional Options

Authentication Protocol

The system attempts authentication using the protocols you have enabled in the order shown on the configuration page. For example, if you have selected the check boxes for Kerberos and NTLMv2, the system sends the credentials to Kerberos. If Kerberos succeeds, the system does not send the credentials to NTLMv2. If Kerberos is not supported or fails, the system uses NTLMv2 as the next protocol in order.

Kerberos. Select this option to enable the Kerberos authentication protocol. Kerberos is the most secure method and is required for Kerberos single sign-on authentication. Kerberos must be enabled if you plan to use Pulse Secure client single sign-on or browser-based agentless single sign-on (SPNEGO).

Enable NTLM protocol. Select this option to enable NTLM if you plan to use any of the following features:

  • Machine authentication using OAC, Pulse Secure client, or Windows native 802.1x supplicants.
  • MS-CHAP-based authentication protocols for any 802.1x supplicants.
  • User password management.
  • Role mapping rules based on group membership.

If you enable NTLM, select one of the following versions:

  • NTLMv2. This protocol is moderately secure. It is required for machine authentication and MS-CHAP v2 based 802.1x authentication protocols.
  • NTLMv1. This protocol is comparatively less secure. It might be required for compatibility with existing legacy servers, MS-CHAP based servers, and MS-CHAP based 802.1x authentication protocols.

Trusted domain lookup

Contact trusted domains. Select this option to contact domain controllers of trusted domains directly without proxying authentication requests and group membership checks through the domain controller.

If this option is not selected:

  • Network contact with trusted domains is not permitted, but pass-through authentication using the primary domain is still permitted.
  • Group lookup for trusted domain users does not work for Kerberos SSO and SPNEGO authentication, even though user authentication succeeds.
  • Password-based authentication for trusted domain users does not work.
  • Only groups from the domain in which this system is a member are available for use in role mapping when a group search is performed in the server catalog window.

NOTE: If you want to restrict trusted domain users and computers (machine authentication) from logging in when this option is not selected, you can define a custom expression based on the ntdomain variable and use it in role mapping rules. For example, if Policy Secure or Connect Secure belongs to the domain named Corporate, you can define a custom expression as ntdomain=Corporate and use the custom expression in the role mapping rule of the realm.

Domain Connections

Maximum simultaneous connections per domain. Enter the maximum number of simultaneous domain connections (1 to 10).

This field specifies the maximum number of simultaneous connections that the auth daemon opens to the domain controller of one domain. A value greater than 1 can improve scalability under simultaneous authentication requests. However, use this value judiciously, especially if the trusted domain setting is enabled, because it dictates how many authentication processes are created per domain. For example, if the maximum domain connections value is 4 and there are 5 trusted domains, there could be as many as 5*4+1 = 21 auth processes. If there are many trusted domains, the administrator must therefore keep the domain connection value under control; otherwise too many auth processes could be created solely for AD authentication.

By default, this value is 2 if the trusted domain setting is enabled; otherwise, the default is 5.

NOTE: If Contact trusted domains is enabled, a value above 6 may degrade overall system performance.

SPNEGO Single Sign On

This feature is available only on Policy Secure.

Enable SPNEGO. Select this option to support SPNEGO SSO.

Keytab Upload. Select this option to display the controls for uploading the SPNEGO keytab. The keytab must be generated on the Active Directory Service for the SPN, and the SPN must match the FQDN used to access this device.
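The AD-side steps that produce that keytab, as an added PowerShell example that is not from the Pulse Secure guide: the realm PULSESECURE.NET and NetBIOS name PULSESECURE follow the page's pulsesecure.net example, while the device FQDN vpn.pulsesecure.net and the service account svc-spnego are assumed names.

```powershell
# Added example (not from the Pulse Secure guide): AD-side preparation of the
# SPNEGO keytab. Assumed values: realm PULSESECURE.NET / NetBIOS name
# PULSESECURE (from the page's pulsesecure.net example), device FQDN
# vpn.pulsesecure.net and a dedicated service account svc-spnego.
$Realm   = "PULSESECURE.NET"
$NetBios = "PULSESECURE"
$Fqdn    = "vpn.pulsesecure.net"   # must be exactly the host name users browse to
$Account = "svc-spnego"
$Spn     = "HTTP/$Fqdn"
$Keytab  = "$env:USERPROFILE\spnego.keytab"

Import-Module ActiveDirectory

# 1. A duplicate SPN leaves the KDC unable to pick a key; browsers then fall
#    back to NTLM or prompt for credentials. Check before registering.
$existing = setspn -Q $Spn
if ($existing -match "Existing SPN found") {
    Write-Warning "$Spn is already registered:`n$($existing -join "`n")"
    return
}

# 2. Let the account use AES so the keytab carries an AES key rather than RC4.
Set-ADUser -Identity $Account -KerberosEncryptionType AES256

# 3. Export the keytab. ktpass also maps the SPN to the account and RESETS the
#    account password to the value typed at the "/pass *" prompt, so this must
#    be a dedicated account. The keytab holds the long-term key: handle the file
#    like a password and delete it after uploading it to the appliance.
ktpass /princ "$Spn@$Realm" /mapuser "$NetBios\$Account" /pass * `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $Keytab

# 4. Confirm the mapping took effect.
setspn -L $Account
Get-ADUser $Account -Properties ServicePrincipalNames, KerberosEncryptionType |
    Select-Object SamAccountName, KerberosEncryptionType, ServicePrincipalNames
```

If users reach the device through a load balancer or alias, the SPN must be for that name, not for an individual node, otherwise browsers never obtain a ticket the keytab can decrypt.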

Machine account password change

Enable periodic password change of machine account. Select this option to change the domain machine account password for this configuration.

Change machine password frequency. Specify a frequency in days. For example, every 30 days.

User Record Synchronization

This feature is available only on Connect Secure.

Enable User Record Synchronization

Select this option to retain the bookmarks and individual preferences regardless of which system you log in to.

Logical Auth Server Name

Specify a logical authentication server name.

Save Changes?

After you have saved your configuration, the “Mode” section is removed from the top of the configuration page and the “Active Directory Selection” section is included at the bottom of the page. Click the Switch to Active Directory Legacy Mode button to display the Active Directory Legacy Mode configuration page. The settings that are applicable to both configurations are populated in the Active Directory Legacy Mode configuration page. You must complete the remaining settings.
