The following table details the Kerberos encryption types used in Authentication Services. Both are AES-CTS enctypes with an HMAC-SHA1-96 checksum, specified in RFC 3962 within the RFC 3961 encryption framework; older RC4 or DES enctypes are not listed here.

| Encryption type | Specification | Active Directory version | Authentication Services version |
|---|---|---|---|
| HMAC-SHA1-96-AES128 | RFC 3962 | Windows Server 2008 and later | 3.3.2 and later |
| HMAC-SHA1-96-AES256 | RFC 3962 | Windows Server 2008 and later | 3.3.2 and later |
One Identity recommends that you install One Identity Management Console for Unix, a separate One Identity product. The management console simplifies deployment of Authentication Services agents to your clients and streamlines the overall management of your Unix, Linux, and Mac OS X hosts by centralizing the management of local Unix users and groups and providing granular reports on key data and attributes.
Prior to installing Management Console for Unix, ensure your system meets the minimum hardware and software requirements for your platform.
Supported Windows platforms:
Management Console for Unix can be installed on 32-bit or 64-bit editions of the following configurations:
You can install Management Console for Unix on any platform that has a 32-bit Sun JRE (Java Runtime Environment) 1.6.
Managed host requirements:
See the list of supported Unix, Linux, and Mac OS X platforms that the server can manage; that is, hosts you can add and profile from the management console.
Default memory requirement:
Supported web browsers:
The management console officially supports the following web browsers:
Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers, using the Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open from the Unix host and their function.

| Port | Transport | Function |
|---|---|---|
| 389 | TCP; UDP for site detection | LDAP searches against Active Directory domain controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership. |
| 3268 | TCP | LDAP searches against Active Directory global catalogs. TCP is always used when searching against the global catalog. |
| 88 | TCP (default) | Kerberos authentication and Kerberos service ticket requests against Active Directory domain controllers. |
| 464 | TCP | Changing and setting passwords against Active Directory using the Kerberos change-password protocol. Authentication Services always uses TCP for password operations. |
| 53 | UDP and TCP | DNS. Because Authentication Services uses DNS to locate domain controllers, the DNS servers used by the Unix hosts must serve the Active Directory DNS SRV records. |
| 123 | UDP only | Time synchronization (NTP) with Active Directory. |
| 445 | TCP | CIFS/SMB, used by the client to retrieve configured group policy. |
Note: Authentication Services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.
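A preflight check for these ports, added here as an example and not part of Authentication Services or its documentation: it parses the SRV answers that locate domain controllers and global catalogs (in the form `dig +short SRV <name>` prints them), builds the list of TCP probes each host needs, and runs them from the Unix client. The `example.com` domain, the `dc1`..`dc3` hostnames and the SRV answers are constructed for the sample run; UDP ports (53, 123, and the UDP side of 389) are only listed for manual verification, since a UDP connect attempt gives no connection-level answer.

```python
"""Preflight check for the outbound ports in the table above.

Added example, not part of Authentication Services. Derives the domain
controllers and global catalogs to test from SRV records and probes the
required TCP ports from the Unix host.
"""
from __future__ import annotations

import socket
import subprocess
from dataclasses import dataclass
from typing import Callable

# Ports from the table above: (port, protocol, purpose).
REQUIRED_PORTS = (
    (389, "tcp", "LDAP searches against domain controllers"),
    (3268, "tcp", "LDAP searches against global catalogs"),
    (88, "tcp", "Kerberos authentication and service tickets"),
    (464, "tcp", "Kerberos change password"),
    (445, "tcp", "CIFS/SMB for group policy retrieval"),
    (53, "udp", "DNS SRV lookups (also TCP)"),
    (123, "udp", "NTP time synchronization"),
)
DC_TCP_PORTS = (389, 88, 464, 445)   # every domain controller
GC_TCP_PORTS = (3268,)               # only global catalog servers

# Constructed sample answers in `dig +short` form, standing in for
# _ldap._tcp.dc._msdcs.example.com and _gc._tcp.example.com (hypothetical).
SAMPLE_DC_SRV = """\
0 100 389 dc1.example.com.
0 200 389 dc2.example.com.
10 50 389 dc3.example.com.
"""
SAMPLE_GC_SRV = "0 100 3268 dc1.example.com.\n"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(dig_short_output: str) -> list[SrvRecord]:
    """Parse '<priority> <weight> <port> <target>.' lines; order by lowest
    priority, then highest weight, the order a client should prefer."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def lookup_srv(name: str) -> list[SrvRecord]:
    """Live lookup through dig; not used by the offline sample run."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=True)
    return parse_srv(out.stdout)


def plan_checks(dc_records, gc_records) -> list[tuple[str, int, str]]:
    """Every DC gets the DC ports; only GC servers get 3268, so a non-GC
    DC that refuses 3268 is not reported as a failure."""
    plan = [(r.target, p, "tcp") for r in dc_records for p in DC_TCP_PORTS]
    plan += [(r.target, p, "tcp") for r in gc_records for p in GC_TCP_PORTS]
    return plan


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection completes; False on refusal, timeout or resolver failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(plan, prober: Callable[[str, int], bool] = check_tcp) -> dict[tuple[str, int, str], bool]:
    return {(h, p, proto): prober(h, p) for h, p, proto in plan}


def failures(results) -> list[tuple[str, int, str]]:
    return sorted(k for k, ok in results.items() if not ok)


def main():
    # Sample hosts will fail; replace the two parse_srv() calls with lookup_srv() for a real domain.
    plan = plan_checks(parse_srv(SAMPLE_DC_SRV), parse_srv(SAMPLE_GC_SRV))
    for (host, port, proto), ok in sorted(run_checks(plan).items()):
        print(f"{'ok  ' if ok else 'FAIL'} {host}:{port}/{proto}")
    for port, proto, purpose in REQUIRED_PORTS:
        if proto == "udp":
            print(f"verify manually: {port}/{proto} ({purpose})")


if __name__ == "__main__":
    main()
```

Because Authentication Services only initiates connections, a failed probe points at an egress firewall rule, a resolver that does not serve the `_msdcs` SRV records, or a DC that is not reachable from this host; the probe cannot tell you anything about inbound rules, and it does not exercise Kerberos or LDAP itself.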
Authentication Services, the solution that pioneered the "Active Directory Bridge" market, continues to lead the way with powerful and innovative new capabilities that make heterogeneous identity and access management even more efficient, secure, and compliant. Authentication Services 4.1 features include:
IPv6 Support – Authentication Services now supports hosts running in full IPv6 environments. Authentication Services automatically uses IPv6 when it is available; it uses IPv4 when IPv6 is not available or is significantly slower than IPv4. IPv6 support in Authentication Services is operating system dependent and is available on most recent operating systems. Run vastool info ipv6 to determine whether IPv6 is available on each client. Authentication Services operates in IPv4-only, IPv6-only, or dual-stack environments; no special configuration is required. Active Directory servers must be running Windows Server 2008 or later for IPv6 communication.
Note: Authentication Services uses IPv6 only when the operating system's DNS resolver correctly supports mapping of IPv4 addresses to IPv6 addresses. If a problem with address mapping is detected, Authentication Services operates in IPv4-only mode, even if an IPv6 address is assigned and other applications use IPv6.
Customizable Windows Components Installer - The Windows installer was upgraded to be fully customizable so that you can install individual components. For example, you can install an individual MMC snap-in without installing the entire Control Center application.
Note: When upgrading Authentication Services, you must manually add this new preference manifest. Refer to the Preference Manifest Settings topic in the Authentication Services Mac OS X/macOS Administration Guide for the procedure To Add a Preference Manifest.
Note: Group Policy for Certificate autoenrollment is not supported in the Pre-Release Evaluation Guide software.