
Safeguard Authentication Services 5.0.2 - Evaluation Guide


Installing software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Safeguard Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. In the Install Software dialog, select the Safeguard Authentication Services software products you want to install and click OK.
    • Safeguard Authentication Services Agent (Required): Select to allow Active Directory users access to the selected host. Safeguard Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include vasd, nss_vas, pam_vas, and vastool.
    • Safeguard Authentication Services for Group Policy (Required): Select to install the Group Policy component that provides Active Directory Group Policy support for Unix, Linux, and macOS platforms.
    • Safeguard Authentication Services for NIS: Select to install the NIS Proxy component that provides the NIS compatibility features for Safeguard Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Safeguard Authentication Services for LDAP: Select to install the LDAP Proxy component that provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater: Select to install the Dynamic DNS Updater component that provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module: Select to install the Defender authentication components for PAM-based Unix/Linux systems. This includes the PAM module, documentation, and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

    Note: You must install the Safeguard Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Set the Safeguard Authentication Services Client Software Location on the Server in the management console online help for details.

  3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, the dialog asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
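
The LDAP Proxy option in step 2 has applications send plain text LDAP to vasldapd over the loopback interface, so a vasldapd listener bound to any other address carries unencrypted bind traffic onto the network. The following check is an added example, not part of the guide or the product: it assumes a Linux host with the iproute2 `ss` tool and its `ss -H -ltnp` column layout, and the sample lines and port numbers are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): list vasldapd listeners reachable
# beyond the loopback interface. Assumes Linux `ss -H -ltnp` column layout
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process).

exposed_vasldapd_listeners() {
    # stdin: `ss -H -ltnp` lines; stdout: local address of each exposed listener
    awk '
        $1 == "LISTEN" && /"vasldapd"/ {
            host = $4
            sub(/:[0-9]+$/, "", host)      # drop the port
            gsub(/^\[|\]$/, "", host)      # drop IPv6 brackets
            sub(/%.*$/, "", host)          # drop interface scope such as %lo
            sub(/^::ffff:/, "", host)      # unwrap IPv4-mapped addresses
            if (host ~ /^127\./ || host == "::1") next
            print $4
        }'
}

# Constructed sample lines: two loopback listeners, one bound to a LAN
# address, and one unrelated daemon. Port 389 is illustrative.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:389 0.0.0.0:* users:(("vasldapd",pid=1234,fd=5))
LISTEN 0 128 [::1]:389 [::]:* users:(("vasldapd",pid=1234,fd=6))
LISTEN 0 128 10.0.0.5:389 0.0.0.0:* users:(("vasldapd",pid=1234,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
EOF
}

# On a live host (root is needed for ss to show process names):
#   ss -H -ltnp | exposed_vasldapd_listeners
sample_ss_output | exposed_vasldapd_listeners
```

Any address the function prints is a vasldapd listener that accepts plain text LDAP from outside the host; empty output means every listener found is loopback-only.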

Joining hosts to Active Directory

In order to manage access to a host using Safeguard Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account for that host. Once you have deployed and installed the Safeguard Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join menu to join the host to an Active Directory domain.

To join hosts to Active Directory

  1. Select one or more hosts from the list on the All Hosts view, open the Join or Configure menu tool bar button, and select Join to Active Directory.

    Note: The Join to Active Directory tool bar menu is enabled when you select hosts that have the Safeguard Authentication Services Agent installed and are not joined to Active Directory.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (joined, not joined).

  2. In the Join Host to Active Directory dialog, enter the following information to define how and where you want to join the host to Active Directory:
    1. Select the Active Directory domain to use for the join operation or enter the FQDN of the Active Directory domain.

      Use the same domain you entered when you performed the Check for AD Readiness.

    2. Optionally, enter a name for the computer account for the host.

      Leave this field blank to generate a name based on the host's DNS name.

    3. Click the button to locate and select a container in which to create the host computer account.
    4. Enter the optional join commands to use.

      See Optional Join Commands in the management console online help for a list of commands available.

    5. Enter the user name and password to log on to Active Directory.

      The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.

  3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials. The management console pre-populates this information.

    The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.

Getting started with Safeguard Authentication Services

Once you have successfully installed Safeguard Authentication Services, you will want to learn how to do some basic system administration tasks using the Control Center and Management Console for Unix.

Getting acquainted with the Control Center

Safeguard Authentication Services consists of plugins, extensions, security modules, and utilities spread across nearly every operating system imaginable. The Control Center pulls those parts together and provides a single place for you to find the information and resources you need.

Control Center installs on Windows and is a great starting place for new users to get comfortable with some of Safeguard Authentication Services' capabilities.

You can launch the Control Center from the Start menu, by double-clicking the desktop icon, or by double-clicking the Control Center application file in %SystemDrive%:\Program Files (x86)\Quest Software\Authentication Services.

Table 11: Control Center: Navigation links

Control Center pane: Description

  • Home: The Welcome page provides information about how to use the Control Center tools and features.

  • Management Console: You can run One Identity Management Console for Unix within the Control Center or you can run it separately in a supported web browser. The management console is a separate install on Windows, Unix, Linux, or macOS that you can launch from the ISO.

    Typically, you install one management console per environment to avoid redundancy. One Identity does not advise managing a Unix host by more than one management console in order to avoid redundancy and inconsistencies in stored information. If you manage the same Unix host by more than one management console, you should always re-profile that host to minimize inconsistencies that may occur between instances of the management consoles.

  • Group Policy: The Control Center provides the ability to search on Active Directory Group Policy Objects that have Unix and macOS settings defined. It also provides links to edit these GPOs and run reports that show the detailed settings of the Group Policy Objects.

  • Tools: The Control Center provides links to additional tools and resources available with Safeguard Authentication Services. A great starting place for anyone new to the product.

  • Preferences: The Control Center allows you to centrally manage the default values generated by the various Safeguard Authentication Services management tools, including the ADUC snap-in, the PowerShell cmdlets, and the Unix command-line tools.

  • Log into remote host: The Control Center provides a simple SSH client (built on PuTTY) for remote access to Unix systems, which saves new installations from having to find and install a separate PuTTY client.

To run the Control Center, you must be logged in as a domain user. To make changes to global settings, you must have rights in Active Directory to create, delete, and modify objects in the Safeguard Authentication Services configuration area of Active Directory.
