Safeguard Authentication Services 4.1.5 - Upgrade Guide


Authentication Services encryption types

The following table details the encryption types used in Authentication Services.

Table 7: Authentication Services: Encryption types

Encryption Type                                             Specification   Active Directory Version   Authentication Services Version
KERB_ENCTYPE_DES_CBC_CRC (CRC32)                            RFC 3961        All                        All
KERB_ENCTYPE_DES_CBC_MD5 (RSA-MD5)                          RFC 3961        All                        All
KERB_ENCTYPE_RC4_HMAC_MD5 (RC4-HMAC-MD5)                    RFC 4757        All                        All
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 (HMAC-SHA1-96-AES128)  RFC 3961        Windows Server 2008+       3.3.2+
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 (HMAC-SHA1-96-AES256)  RFC 3961        Windows Server 2008+       3.3.2+
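The table above lists which encryption types each Active Directory and Authentication Services version can use, but a practitioner usually wants to answer a concrete question: given an account's msDS-SupportedEncryptionTypes value and the client version in use, which types can actually be negotiated, and are any of the legacy DES/RC4 types still enabled? The following is an added example written for this guide, not One Identity code. The bit values for msDS-SupportedEncryptionTypes are Microsoft's documented ones (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10); the version columns come from Table 7; the "legacy" flag reflects the IETF deprecation of DES (RFC 6649) and RC4 (RFC 8429). The 0x1C sample value is constructed.

```python
# Added example for this guide (not One Identity code): reason about the
# Kerberos encryption types in Table 7. The msDS-SupportedEncryptionTypes bit
# values are Microsoft's documented values; the version columns are the table's.
from dataclasses import dataclass


@dataclass(frozen=True)
class EncType:
    name: str        # Windows KERB_ENCTYPE constant from Table 7
    checksum: str    # checksum / description shown with the constant
    spec: str        # defining RFC
    bit: int         # bit in msDS-SupportedEncryptionTypes (Microsoft-documented)
    min_ad: str      # minimum Active Directory version ("All" or a server version)
    min_client: str  # minimum Authentication Services version ("All" or "x.y.z+")
    legacy: bool     # DES (RFC 6649) and RC4 (RFC 8429) are deprecated by the IETF


TABLE = (
    EncType("KERB_ENCTYPE_DES_CBC_CRC", "CRC32", "RFC 3961", 0x01, "All", "All", True),
    EncType("KERB_ENCTYPE_DES_CBC_MD5", "RSA-MD5", "RFC 3961", 0x02, "All", "All", True),
    EncType("KERB_ENCTYPE_RC4_HMAC_MD5", "RC4-HMAC-MD5", "RFC 4757", 0x04, "All", "All", True),
    EncType("KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96", "HMAC-SHA1-96-AES128", "RFC 3961", 0x08,
            "Windows Server 2008+", "3.3.2+", False),
    EncType("KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96", "HMAC-SHA1-96-AES256", "RFC 3961", 0x10,
            "Windows Server 2008+", "3.3.2+", False),
)


def _version(v: str) -> tuple:
    """'3.3.2+' or '4.1.5' -> (3, 3, 2) / (4, 1, 5) for comparison."""
    return tuple(int(p) for p in v.rstrip("+").split("."))


def client_enctypes(client_version: str) -> list:
    """Enctypes an Authentication Services client of this version can use (Table 7)."""
    return [e.name for e in TABLE
            if e.min_client == "All" or _version(client_version) >= _version(e.min_client)]


def decode_mask(mask: int) -> list:
    """Names of the enctypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [e.name for e in TABLE if mask & e.bit]


def audit_mask(mask: int, client_version: str) -> dict:
    """Compare an account's enctype mask with what the client can negotiate.

    Flags legacy types that are still enabled, and the case where the mask
    and the client share no AES type (so only DES/RC4 could be negotiated).
    """
    enabled = {e.name for e in TABLE if mask & e.bit}
    usable = enabled & set(client_enctypes(client_version))
    known = sum(e.bit for e in TABLE)
    return {
        "enabled": sorted(enabled),
        "negotiable": sorted(usable),
        "legacy_enabled": sorted(e.name for e in TABLE if e.name in enabled and e.legacy),
        "aes_negotiable": any(not e.legacy for e in TABLE if e.name in usable),
        "unknown_bits": mask & ~known,
    }


if __name__ == "__main__":
    # 0x1C = RC4 + AES128 + AES256 (constructed sample value)
    print(audit_mask(0x1C, "4.1.5"))
```

Running the audit with a pre-3.3.2 client version shows the practical consequence of the table: with RC4, AES128 and AES256 enabled on the account, such a client can only negotiate RC4, so upgrading the client is what makes AES usable, not changing the account.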

Management Console for Unix requirements

One Identity recommends that you install One Identity Management Console for Unix, a separate One Identity product that provides a management console for deploying Authentication Services agents to your clients. The management console streamlines the overall management of your Unix, Linux, and Mac OS X hosts by enabling centralized management of local Unix users and groups and providing granular reports on key data and attributes.

Prior to installing Management Console for Unix, ensure your system meets the minimum hardware and software requirements for your platform.

Table 8: Management Console for Unix: Hardware and software requirements
Component Requirements
Supported Windows Platforms

Can be installed on 32-bit or 64-bit editions of the following configurations:

  • Windows XP SP2 (or later)
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows Server 2003 SP1 (or later)
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012

NOTE: When running Management Console for Unix on Windows Server 2008 R2, functioning as a domain controller, the process must be elevated. As a best practice, One Identity does not recommend that you install or run the Windows components on Active Directory domain controllers. The recommended configuration is to install them on an administrative workstation.

NOTE: The performance of some Active Directory searches may be better on:

  • 64bit: Windows Server 2003 64-bit and above
  • 32bit: Windows Server 2003 SP1 + hotfix* or Windows 2003 SP2 (and above)

    (*See the Microsoft Support article entitled "A hotfix is available that improves the performance of programs that query Active Directory for group memberships in Windows Server 2003".)

    To apply this hotfix, you must have Windows Server 2003 Service Pack 1 (SP1) installed. Note: The x64-based versions of Windows Server 2003 already include the fixes and features that are included in Windows Server 2003 SP1. If the computer is running an x64-based version of Windows Server 2003, you do not have to install SP1.

Server Requirements

You can install Management Console for Unix on any platform that has 32-bit Sun JRE (Java Runtime Environment) 1.6.

NOTE: Management Console for Unix is not supported on AIX.

Managed Host Requirements

See the list of supported Unix, Linux, and Mac OS X platforms that the server can manage; that is, hosts you can add and profile from the management console.

NOTE: To use Authentication Services with the management console on Solaris 10 SPARC, you must have Authentication Services 4.0.3.152 or greater.

NOTE: To enable the Management Console for Unix server to interact with the host, you must install both an SSH server (that is, sshd) and an SSH client on each managed host. Both OpenSSH 2.5 (and higher) and Tectia SSH 5.0 (and higher) are supported.

Default memory requirement:

1024 MB

NOTE: See Tune JVM Memory in online help for information about changing the default memory allocation setting in the configuration file.

Supported Web Browsers

The management console officially supports the following web browsers:

  • Microsoft Internet Explorer 7, 8, 9, and 10
  • Mozilla Firefox 3 and greater
  • Apple Safari 4 (Mac OS X only; Windows not supported)

NOTE: To use specific features such as the SSH to Host feature or the Policy Editors, you must install the Sun JRE (Java Runtime Environment) 1.6 browser plugin.

NOTE: One Identity recommends that you do not open two sessions of the management console in the same browser.

NOTE: One Identity recommends that you set your screen resolution to a minimum of 1024 x 768 for the best results.

Network requirements

Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers, using the Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open and their function.

Table 9: Network ports
Port Function
389 Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership.
3268 Used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.
88 Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. TCP is used by default.
464 Used for changing and setting passwords against Active Directory using the Kerberos change password protocol. Authentication Services always uses TCP for password operations.
53 Used for DNS. Since Authentication Services uses DNS to locate domain controllers, DNS servers used by the Unix hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used.
123 UDP only. Used for time-synchronization with Active Directory.
445 CIFS port used to enable the client to retrieve configured group policy.

Note: Authentication Services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.
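Table 9 and the note together define what a host firewall needs: outbound rules for each listed port and protocol, and no inbound exceptions. The following added example (written for this guide, not One Identity code) encodes the table and checks a host's allow-list against it, reporting both missing outbound rules and inbound rules on these ports that the note says are unnecessary. The rule syntax ("allow out tcp 389") and the sample allow-list are constructed for the example; port 88 is recorded as TCP only because the table states TCP is the default.

```python
# Added example for this guide (not One Identity code): check a Unix host's
# outbound firewall allow-list against the ports in Table 9. The rule
# syntax ("allow out tcp 389") is constructed for this example.

# (port, required protocols, function) taken from Table 9. Port 88 lists
# TCP only because the table says TCP is used by default.
REQUIRED_PORTS = (
    (389, ("tcp", "udp"), "LDAP against domain controllers (UDP for site detection)"),
    (3268, ("tcp",), "LDAP against global catalogs"),
    (88, ("tcp",), "Kerberos authentication and service tickets"),
    (464, ("tcp",), "Kerberos change password"),
    (53, ("tcp", "udp"), "DNS lookup of Active Directory SRV records"),
    (123, ("udp",), "time synchronization with Active Directory"),
    (445, ("tcp",), "CIFS, group policy retrieval"),
)

# Constructed sample: an allow-list with two gaps and one unneeded inbound rule.
SAMPLE_RULES = """\
allow out tcp 389
allow out tcp 3268
allow out tcp 88
allow out tcp 464
allow out tcp 53
allow out udp 53
allow out tcp 445
allow in  tcp 88   # not needed: the client only initiates connections
"""


def parse_rules(text: str) -> set:
    """Parse 'allow <in|out> <tcp|udp> <port>' lines into a set of tuples."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, direction, proto, port = line.split()
        if action != "allow":
            continue
        rules.add((direction.lower(), proto.lower(), int(port)))
    return rules


def missing_outbound(rules: set) -> list:
    """(proto, port, function) entries from Table 9 with no outbound allow rule."""
    return [(proto, port, func)
            for port, protos, func in REQUIRED_PORTS
            for proto in protos
            if ("out", proto, port) not in rules]


def unneeded_inbound(rules: set) -> list:
    """Inbound rules on Table 9 ports; per the note, the client needs none."""
    ports = {p for p, _, _ in REQUIRED_PORTS}
    return sorted((proto, port) for d, proto, port in rules
                  if d == "in" and port in ports)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for proto, port, func in missing_outbound(rules):
        print(f"missing: {proto}/{port} ({func})")
    for proto, port in unneeded_inbound(rules):
        print(f"unneeded inbound: {proto}/{port}")
```

On the sample allow-list the check reports UDP/389 (site detection) and UDP/123 (time synchronization) as missing; both are easy to overlook because the "obvious" LDAP and NTP rules are TCP-only or absent, and a missing UDP/123 rule shows up later as Kerberos clock-skew failures rather than as a firewall error.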

What's new in Authentication Services 4.1

Authentication Services, the solution that pioneered the "Active Directory Bridge" market, continues to lead the way with powerful and innovative new capabilities that make heterogeneous identity and access management even more efficient, secure, and compliant. Authentication Services 4.1 features include:

  • Upgrade Without Reboot – This version of Authentication Services adds the functionality required so that future upgrades will no longer require a system reboot. Some customer deployments of Authentication Services have been running on old versions for long periods of time because of the difficulties of scheduling server down time. With Authentication Services 4.1 deployed as the foundation, future releases will allow customers to deploy upgrades without impacting running services or rebooting.
  • IPv6 Support – Authentication Services now supports hosts running in full IPv6 environments. Authentication Services automatically uses IPv6 when it is available; it uses IPv4 when IPv6 is not available or is significantly slower than IPv4. IPv6 is available in Authentication Services on most recent operating systems, but is operating system dependent. Run vastool info ipv6 to determine whether IPv6 is available on each client. Authentication Services operates in IPv4-only, IPv6-only, or dual-stack environments; no special configuration is required. Active Directory servers must be running Windows 2008 or later for IPv6 communication.

    Note: Authentication Services uses IPv6 when the operating system's DNS resolver correctly supports mapping of IPv4 addresses to IPv6 addresses. If a problem with address mapping is detected, Authentication Services operates in IPv4-only mode, even if an IPv6 address is assigned and other applications use IPv6.

  • Customizable Windows Components Installer – The Windows installer was upgraded to be fully customizable so that you can install individual components. For example, you can install an individual MMC snap-in without installing the entire Control Center application.

  • Authentication Services Group Policy Updates:
    • Support for the native Active Directory ‘Apply’ right.
    • Ability to specify "merging" or "replacing" several local file settings in the GPO. For example, you can configure users.allow to be delivered to every system with the contents overwriting any changes made to the local copy of users.allow.

    • A new ‘NetWork Browser’ preference manifest setting for MAC Group Policy that allows you to deactivate AirDrop.

      Note: When upgrading Authentication Services, you must manually add this new preference manifest. Refer to the Preference Manifest Settings topic in the Authentication Services Mac OS X/macOS Administration Guide for the procedure To Add a Preference Manifest.

  • Group Policy for Certificate autoenrollment – Certificate autoenrollment provides a quick and simple way to issue and renew certificates for Mac OS X users and systems from Windows 2008 R2 Certificate Enrollment Web Services. In this release you can configure Certificate autoenrollment with Group Policy. Certificate autoenrollment includes the ability to:
    • Automatically enroll X509 Certificates based on Microsoft Certificate Enrollment Policy
    • Renew certificates that are close to expiration according to policy
    • Automatically install newly enrolled Certificates into the Mac OS X Keychain
    • Support both user and machine certificate policy

    Note: Group Policy for Certificate autoenrollment is not supported in the Pre-Release Evaluation Guide software.

  • Management Console for Unix 2.5 Updates:
    • Ability to manage access control settings (users.allow)
    • Ability to manage Privilege Manager for Unix (sold separately)