
Safeguard Authentication Services 4.2.3 - Upgrade Guide


Checking readiness

Once you install the software on your remote hosts, the management console allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.

Note: This task is only available when you are logged on as supervisor or an Active Directory account in the Manage Hosts role. See Roles and Permissions System Settings in the management console online help for more information.

To check hosts for Active Directory Readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.
  2. In the Check AD Readiness view, enter the Active Directory domain to use for the readiness check.
  3. Enter Active Directory user credentials, and click OK.
  4. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    If you selected multiple hosts, the dialog asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered. To see the AD Readiness check results, open the host's property page and select the Readiness Check Results tab.

Installing software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. In the Install Software dialog, select the Authentication Services software products you want to install and click OK.
    • Authentication Services Agent (Required): Select to allow Active Directory users access to the selected host. Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include vasd, nss_vas, pam_vas, and vastool.
    • Authentication Services for Group Policy (Required): Select to install the Group Policy component that provides Active Directory Group Policy support for Unix, Linux, and macOS platforms.
    • Authentication Services for NIS: Select to install the NIS Proxy component that provides the NIS compatibility features for Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Authentication Services for LDAP: Select to install the LDAP Proxy component that provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater: Select to install the Dynamic DNS Updater component that provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module: Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation, and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

    Note: You must install the Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. Refer to Set the Authentication Services Client Software Location on the Server in the management console online help for details.

  3. In the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, the dialog asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to the selected hosts and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displays that allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Upgrade Authentication Services client components manually

The easiest way to upgrade Authentication Services client components is from Management Console for Unix. Once you have successfully added and profiled one or more hosts, you can remotely deploy software products to them from the management console. For more information, see Configure Unix agent components.

You can also upgrade your Authentication Services client components from the Unix command line, if you prefer.

About the Authentication Services Application Configuration

The first time you install or upgrade the Authentication Services Windows components in your environment, One Identity recommends that you configure Active Directory for Authentication Services to utilize full functionality. This is a one-time Active Directory configuration step that creates the Authentication Services application configuration in your forest. Authentication Services uses the information found in the application configuration to maintain consistency across the enterprise.

If you upgrade Authentication Services using Management Console for Unix, the Authentication Services Active Directory Configuration Wizard starts automatically to assist you in setting up the application configuration; however, if you are upgrading from the Unix command line, you can create the Authentication Services application configuration using the vastool command.

Note: You need only one application configuration per forest. If you already have an Authentication Services application configuration in your forest, you do not need to create another one. For more information, see About Active Directory configuration.
