In order to manage access to a host using Safeguard Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account for that host. Once you have deployed and installed the Safeguard Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join menu to join the host to an Active Directory domain.
To join hosts to Active Directory
Note: The Join to Active Directory tool bar menu is enabled when you select hosts that have the Safeguard Authentication Services Agent installed and are not joined to Active Directory.
The tool bar button will not be active if:
Use the same domain you entered when you performed the Check for AD Readiness.
Leave this field blank to generate a name based on the host's DNS name.
See Optional Join Commands in the management console online help for a list of commands available.
The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.
Note: This task requires elevated credentials. The management console pre-populates this information.
The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.
You can either check the health status of Safeguard Authentication Services agents manually, or you can configure the management console to automatically check the SAS Agent Status and report any warnings or failures to the console.
Note: Running the Check SAS Agent Status commands requires:
See Check SAS Agent Status Commands Not Available in the management console online help for more information.
To check SAS agent status
A progress bar displays in the Task Progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
See View the SAS Agent Status in the management console online help for details.
To have updated information about the status of Safeguard Authentication Services agents, you can configure the management console to periodically check the SAS Agent Status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:
To configure the console to automatically check the SAS agent status
Note: This option is only available for multiple hosts if all hosts are in the same "Check SAS Agent Status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.
Note: Use standard crontab syntax when entering Advanced schedule settings.
Note: This task requires elevated credentials.
When configured for automatic checking, the Authentication Services state column on the All Hosts view displays the icon. Then, if the server does not receive a heartbeat in over four hours (by default), it displays the icon. No icon in the Authentication Services state column indicates the host is not configured to check the SAS agent status automatically.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
Note: If you receive a GID conflict error, see UID or GID Conflicts in the online help.
See View the Safeguard Authentication Services Status Errors in online help for details.
When you configure a host to check the SAS agent status automatically, the management console,
Note: If you receive an error message saying you could not log in with the user service account, refer to Service Account Login Fails in online help to troubleshoot this issue.
The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; it does not use the questusr account to make changes to any configuration files.
Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic SAS agent status checking.
To disable automatic status checking
When you disable auto-status checking for a host, the management console