
Authentication Services 4.2 - Administration Guide


One Identity Defender integration

Defender provides strong authentication capabilities.

Why is strong authentication an important part of an Active Directory bridge solution?

When Authentication Services integrates Unix with Active Directory, it provides centralized access control and password policy enforcement. However, there are situations where security policies dictate a stronger level of authentication. Authentication Services addresses this need with optional strong authentication capabilities. Customers can now use the same solution for integrated Active Directory authentication and strong authentication. Organizations that have tight security requirements will no longer be forced to purchase and implement a third-party solution.

How is strong authentication used with an Active Directory bridge solution?

An organization may have many Unix systems deployed in a traditional, highly secure DMZ environment. As they are integrated with Active Directory, they will require an Active Directory credential to authenticate. Now, an additional layer of authentication can be added for administrators accessing these systems, using either a hardware or software token.

If an organization has integrated hundreds or thousands of Unix systems with Active Directory, a system administrator can now use the same Active Directory credential to access all of them. An additional level of security can be easily added by requiring the system administrator to present a one-time password (OTP) in addition to the Active Directory credential.

How do Authentication Services’ strong authentication capabilities compare to other Active Directory bridge solutions?

Strong authentication combined with an Active Directory bridge is a unique and critical differentiator for One Identity. No other Active Directory bridge vendor offers strong authentication as an integrated part of its solution, and no strong authentication vendor offers Unix coverage and Active Directory integration.

Is there an additional charge for strong authentication with Authentication Services 4.x?

There is no additional cost for strong authentication with Authentication Services 4.x; it is a new feature available to new and upgrading customers.

Authentication Services provides strong authentication for up to 25 users at no additional cost through included licenses and tokens for Authentication Services Defender. These licenses will cover and secure 25 of an organization's Unix system administrators. Strong authentication support for additional end users is available at an additional per-user cost.

How does strong authentication with Authentication Services 4.x work?

Authentication Services:

  • Includes strong authentication modules and native packages for all supported platforms (100+).
  • Remotely deploys and installs the strong authentication module.
  • Provides hardware and software tokens for one-time passwords.
  • Enables policy-based configuration of strong authentication through Active Directory Group Policy.

The following figure describes the flow of events that occur during a Unix or Linux login after both Authentication Services Defender and Authentication Services are configured according to this guide.

Figure 2: Defender Integration

One Identity Defender installation prerequisites

Before you install Authentication Services Defender on your host, ensure that you have:

  1. Installed a Defender security server in your Active Directory domain.
  2. Installed the Defender Microsoft Management Console (MMC) snap-in.
  3. Installed Authentication Services on your Unix or Linux machine.

Install One Identity Defender

In order to use strong authentication, you must download and install Authentication Services Defender. See the Defender Installation Guide to obtain detailed steps for installing Authentication Services Defender.

Note: Defender installation requires a license file. A fully-functional 25-user license for it is included with Authentication Services.

The following steps outline the basic procedure for installing Defender. See the

To install Defender

  1. Insert the Authentication Services distribution media.

    The Autorun Home page displays.

    Note: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.

  2. From the Home page, click the Setup tab.
  3. From the Setup tab, click One Identity Defender.

    The One Identity Defender web page opens.

  4. Click Download in the left navigation panel.
  5. Follow the online instructions to gain access to the Trial Download page.
  6. From the Trial Download: Defender page, click the Defender Documentation Archive link.
  7. Once you have installed One Identity Defender, see the One Identity Defender Integration Guide for detailed configuration instructions about integrating Authentication Services Defender with Authentication Services.

Change Auditor for Authentication Services integration

Change Auditor for Authentication Services provides auditing, alerting, and change tracking capabilities.

Change Auditor provides the ability to capture Authentication Services events for both Active Directory and Group Policy.

Why is auditing, alerting, and change tracking important?

When organizations make the key decision to integrate Unix with Active Directory, they expand Active Directory's scope and strategic importance. As a result, it is critical to provide visibility into the Unix-centric data, which is now managed by Active Directory. Authentication Services addresses this challenge by delivering the ability to audit, alert, and show detailed change history of Unix-centric information now managed by Active Directory.

Without these capabilities, Active Directory bridge administrators are blind to any changes made to Unix-centric information managed by Active Directory and may be forced to purchase and implement a third-party solution.

Who needs the Change Auditor functionality in Authentication Services?

An organization using the Active Directory Group Policy features of Authentication Services to manage Unix systems may have a group policy that grants a Unix system administrator the right to authenticate to every Unix machine. If an administrator edits this group policy and grants additional users the same access, Authentication Services now provides immediate visibility into these changes. An alert will be generated and the organization will know who made the change, when, and from where. A detailed history of the policy will also be provided.

To achieve and maintain compliance with regulations and policy, an organization must be able to prove it has control over its Unix-centric data in Active Directory. With Authentication Services, an organization will now be alerted to events such as a Unix system being joined to Active Directory, an Active Directory user or group being "Unix enabled," or a change to NIS data stored in Active Directory. This information will be available for audit and will show the change history.

How do Authentication Services' audit capabilities compare to other Active Directory bridge solutions?

The audit, alerting, and change tracking capabilities of Authentication Services are unique, and a critical differentiator for One Identity. Only One Identity can offer these benefits as an integrated and included component of its Active Directory bridge solution.

Is there an additional charge for Authentication Services 4.x audit capabilities?

There is no additional cost for Authentication Services audit, alerting, and change tracking capabilities; they are considered new features and are available to new customers, as well as to existing customers that upgrade as part of their active relationship with One Identity.

How does Authentication Services integrate with Change Auditor?

Authentication Services includes a special license key for Change Auditor for Authentication Services that unlocks a number of unique, Authentication Services-specific events. These Active Directory events can be monitored using the Change Auditor console, as illustrated in the following table.

Table 22: Events for Authentication Services

Change Auditor Authentication Services event: Description
NIS Object Added: Created when an NIS object is added to Active Directory.
NIS Object Attribute Changed: Created when the data stored in an NIS object in Active Directory is changed.
NIS Object Deleted: Created when an NIS object is deleted from Active Directory.
NIS Object Moved: Created when an NIS object is moved within Active Directory.
NIS Object Renamed: Created when an NIS object is renamed within Active Directory.
Personality Object Added: Created when a Unix user or group personality object is added to Active Directory.
Personality Object Attribute Changed: Created when the data stored in a Unix personality object in Active Directory is changed.
Personality Object Deleted: Created when a Unix user or group personality object is deleted from Active Directory.
Personality Object Moved: Created when a Unix personality object is moved within Active Directory.
Personality Object Renamed: Created when a Unix personality object is renamed within Active Directory.
Authentication Services Computer Object Added: Created when a new Authentication Services computer object is added to an Active Directory domain.
Authentication Services Computer Object Attribute Changed: Created when an attribute of an Authentication Services computer object is changed.
Authentication Services Computer Object Deleted: Created when an Authentication Services computer object is removed from an Active Directory domain.
Authentication Services Computer Object Moved: Created when an Authentication Services computer object is moved within an Active Directory domain.
Authentication Services Computer Object Renamed: Created when an Authentication Services computer object is renamed in an Active Directory domain.
Authentication Services GPO Setting Changed: Created when Authentication Services Group Policy settings are changed.
NOTE: To capture Authentication Services GPO events, Authentication Services must be installed on the domain controller that is used to perform the GPO changes (in most cases this will be the PDC).
Unix GECOS Changed: Created when the GECOS attribute of a Unix-enabled Active Directory user is changed.
Unix Group ID Number Changed for Group: Created when the group ID number of a Unix-enabled Active Directory group is changed.
Unix Group ID Number Changed for User: Created when the primary group ID number of a Unix-enabled Active Directory user is changed.
Unix Group Name Changed: Created when the Unix name of a Unix-enabled Active Directory group is changed.
Unix Home Directory Changed: Created when the Unix home directory of a Unix-enabled Active Directory user is changed.
Unix Login Name Changed: Created when the Unix login name of a Unix-enabled Active Directory user is changed.
Unix Login Shell Changed: Created when the Unix login shell of a Unix-enabled Active Directory user is changed.
Unix User ID Number Changed: Created when the user ID number of a Unix-enabled Active Directory user is changed.
Unix-Enabled Changed for Group: Created when the Unix attributes of an Active Directory group are changed such that it no longer exists on a Unix or Linux system.
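The table lists which event fires for which change, but it does not say which of those events deserve an immediate look. The following script is an added example, not part of Authentication Services or Change Auditor: it takes a before/after snapshot of an Active Directory user's or group's Unix attributes, derives the Table 22 event names that would be raised, and ranks them for triage (uid/gid 0 is root on every joined host; a login shell moving from nologin to an interactive shell re-opens logins). The attribute names (uid, uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos, unixName) are assumed RFC 2307-style names, and the snapshots are constructed sample data.

```python
"""Derive Table 22 event names from a before/after snapshot of the Unix
attributes on an AD user or group, and rank them for triage.

Added example, not product code. Attribute names are assumed RFC 2307-style
names; the SAMPLE_* snapshots at the bottom are constructed data.
"""

from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Optional[str]]
Finding = Tuple[str, str]  # (Table 22 event name, severity)

# Assumed attribute -> Table 22 event for Unix-enabled users.
USER_EVENTS = {
    "uid": "Unix Login Name Changed",
    "uidNumber": "Unix User ID Number Changed",
    "gidNumber": "Unix Group ID Number Changed for User",
    "unixHomeDirectory": "Unix Home Directory Changed",
    "loginShell": "Unix Login Shell Changed",
    "gecos": "Unix GECOS Changed",
}

# Assumed attribute -> Table 22 event for Unix-enabled groups.
GROUP_EVENTS = {
    "unixName": "Unix Group Name Changed",
    "gidNumber": "Unix Group ID Number Changed for Group",
}

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def _severity_for_user(attr: str, old: Optional[str], new: Optional[str]) -> str:
    """Triage rules layered on top of the raw event name."""
    # uid 0 / gid 0 maps the AD account onto root (or the root group) on every joined host.
    if attr in ("uidNumber", "gidNumber") and new == "0":
        return "critical"
    # Moving from a non-login shell to an interactive one re-enables shell/SSH access.
    if attr == "loginShell" and old in NON_LOGIN_SHELLS and new not in NON_LOGIN_SHELLS:
        return "high"
    # A changed Unix login name can collide with, or impersonate, a local account.
    if attr == "uid":
        return "high"
    return "info"


def diff_user(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Events raised by a change to a Unix-enabled user, most severe first."""
    findings = []
    for attr, event in USER_EVENTS.items():
        old, new = before.get(attr), after.get(attr)
        if old != new:
            findings.append((event, _severity_for_user(attr, old, new)))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


def diff_group(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Events raised by a change to a Unix-enabled group, most severe first."""
    findings = []
    # Table 22: the group was changed so that it no longer exists on Unix hosts
    # (modelled here as its gidNumber being removed; an assumption).
    if before.get("gidNumber") is not None and after.get("gidNumber") is None:
        findings.append(("Unix-Enabled Changed for Group", "high"))
    else:
        for attr, event in GROUP_EVENTS.items():
            old, new = before.get(attr), after.get(attr)
            if old != new:
                sev = "critical" if attr == "gidNumber" and new == "0" else "info"
                findings.append((event, sev))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


# Constructed sample: a service account is promoted to uid 0 and given an
# interactive shell, with a cosmetic GECOS edit made alongside.
SAMPLE_USER_BEFORE: Snapshot = {
    "uid": "svc-backup", "uidNumber": "10042", "gidNumber": "10042",
    "unixHomeDirectory": "/home/svc-backup", "loginShell": "/sbin/nologin",
    "gecos": "Backup service",
}
SAMPLE_USER_AFTER: Snapshot = dict(
    SAMPLE_USER_BEFORE, uidNumber="0", loginShell="/bin/bash",
    gecos="Backup service (maint)",
)
# Constructed sample: a group loses its gidNumber and so disappears from Unix hosts.
SAMPLE_GROUP_BEFORE: Snapshot = {"unixName": "wheel-ad", "gidNumber": "20010"}
SAMPLE_GROUP_AFTER: Snapshot = {"unixName": "wheel-ad", "gidNumber": None}


def sample_findings() -> Dict[str, List[Finding]]:
    """Run both classifiers over the constructed samples."""
    return {
        "user": diff_user(SAMPLE_USER_BEFORE, SAMPLE_USER_AFTER),
        "group": diff_group(SAMPLE_GROUP_BEFORE, SAMPLE_GROUP_AFTER),
    }


if __name__ == "__main__":
    for kind, findings in sample_findings().items():
        for event, severity in findings:
            print(f"{kind:5} {severity:8} {event}")
```

The severity rules are the reviewer's judgement, not anything Change Auditor computes; feed real before/after attribute values from your own Change Auditor export in place of the constructed snapshots.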