The first time you install or upgrade the Authentication Services 4.x Windows tools in your environment, One Identity recommends that you configure Active Directory for Authentication Services. This is a one-time Active Directory configuration step that creates the Authentication Services application configuration in your forest. Authentication Services uses the information found in the Authentication Services application configuration to maintain consistency across the enterprise.
|
Note: Without the Active Directory configuration you can join Unix machines to Active Directory and if your domain supports Windows 2003 R2 Unix naming attributes, you can store Unix identity information in Active Directory. (See Configure Windows 2003 R2 Schema for details.) |
The Authentication Services application configuration stores the following information in Active Directory:
The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. Windows management tools read this information to determine the schema mappings and the default values it uses when Unix-enabling new users and groups.
The Authentication Services application configuration information is stored inside a container object with the specific naming of: cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.
There can only be one Active Directory configuration per forest. If multiple configurations are found, Authentication Services uses the one created first as determined by reading the whenCreated attribute. If another group in your organization has already created an application configuration, use the existing configuration. The only time this would be a problem is if different groups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.
You can modify the settings using the Control Center Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.
In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.
This table summarizes the required rights:
Rights Required | For User | Object Class | Attributes |
---|---|---|---|
Create Child Object | Authentication Services Administrators Only | Container | |
Write Attribute | Authentication Services Administrators Only | Container | cn, displayName, description, showInAdvancedViewOnly |
Read Attribute | Authenticated Users | Container | cn, displayName, description, whenCreated |
At any time you can completely remove the Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the Authentication Services application configuration (or Windows 2003 R2 schema),
If the information related to Authentication Services does not display in the mangement console, you can use the Columns menu in the View panel of the task bar to expose the Authentication Services-related columns in the mangement console; that is, the Authentication Services state column, represented with the icon, the Version, and Joined to Domain columns.
To display the Authentication Services-related information
The Authentication Services columns display in the mangement console; that is, the Authentication Services state column, represented with the icon, the Authentication Services Version and Joined to Domain columns.
|
Note: Once you have opened (or closed) a column group, the mangement console remembers the setting from session to session. However, if you reinstall Management Console for Unix, it reverts back to the default of showing all columns. |
During the installation process, the setup wizard copies the Authentication Services software packages to a default location on the local computer
The default client directories are:
%SystemDrive%:\Program Files\Quest Software\Management Console for Unix\software\qas\<version#>
%SystemDrive%:\Program Files (x86)\Quest Software\Management Console for Unix\software\qas\<version#>
/opt/quest/mcu/software/qas/<version#>
If you plan to install Authentication Services or Defender client software packages, or run the AD Readiness check, you must ensure the path to the software packages is correctly set in System Settings.
To ensure the path to the Authentication Services software packages is correctly set
Make note of where your Authentication Services client software packages are located.
Ensure that System Settings points to that location:
From the top-level Settings menu, navigate to System settings | Authentication Services.
In the Path box, enter the path where the Authentication Services client software packages are located on the server and click OK.
|
NoteS: The path to the software packages must point to the folder containing the client directory. If the path to the software packages is not pointing to where the client files are, you can either change the path or copy the files to the location. When running Management Console for Unix on Windows, the location of the Authentication Services software packages must be accessible to the mangement console service which runs as 'NT AUTHORITY\NetworkService'. |
The Check for AD Readiness command performs a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain.
|
Note:
|
To check host(s) for Active Directory Readiness
Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.
In the Check AD Readiness dialog, enter the Active Directory domain to use for the readiness check.
Enter Active Directory user credentials, and click OK.
On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.
If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
To check the results of the readiness check,
Right-click the host on the All Hosts view of the Hosts tab, and choose Properties.
Select the Readiness Check Results tab on the properties.
Choose AD Readiness from the drop-down menu, if necessary.
AD Readiness Check runs these tests:
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.
If the Readiness Check completed with failures or advisories, correct the issue(s) and rerun the Readiness Check until all tests pass.
© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy