Sec/User Mgmt: Configure Active Directory

Document created by RSA Information Design and Development on Apr 25, 2016. Last modified by RSA Information Design and Development on Sep 1, 2016.
Version 3

This topic explains how to configure Security Analytics to use Active Directory to authenticate external user logins.

When a user logs in, Security Analytics first attempts to authenticate locally. If no local user is found, and Active Directory configuration is enabled, an attempt is made to authenticate with Active Directory Service. You can configure Active Directory settings to enable authentication of external groups in the Administration Security view > Settings tab.

In an environment with multiple authentication servers, LDAP forwarding allows LDAP referral following for AD group lookups. LDAP forwarding can increase the time required to log on because AD group lookups are extended to connected authentication servers. When your AD instance attempts to contact domain controllers that are blocked by your firewall, users can experience a delay of several minutes in logging on to Security Analytics. Security Analytics has a configuration option that specifies whether LDAP forwarding occurs; by default, LDAP referrals are disabled. When disabled, your AD instance does not attempt to contact referred domain controllers.

Procedures

Configure Active Directory Authentication

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Settings tab.
  3. In the External Authentication section, select Active Directory.
    The Active Directory Configurations list is displayed in the panel so that you can add or edit a configuration.
  4. When all configurations have been added, click Apply.
    The domains that are added to this list and enabled are automatically populated in the External Group Mapping tab so that you can map security roles to each group.

Note: To configure security roles used for Active Directory access, see Step 5. (Optional) Map User Roles to External Groups.

Add a New Active Directory Configuration

To add a new Active Directory configuration in the Active Directory Configurations list:

  1. Under Active Directory Configurations, click .
    The Add New Configuration dialog is displayed.
  2. Click the Enabled checkbox.
  3. Enter Domain, Host and Port information for the Active Directory Service.
  4. (Optional) To select SSL for this configuration, check the Use SSL checkbox.
  5. In the Username Mapping field, select the Active Directory search field to use for username mapping. You can select userPrincipalName (UPN) or sAMAccountName.
  6. For sites that have multiple authentication servers, click Follow Referrals to enable or disable LDAP referral following for AD group lookups.
  7. To provide credentials to bind to the Active Directory Service while searching Active Directory groups, enter the credentials in the Username and Password fields.
  8. Click Save.
    The new configuration is listed in the Active Directory Configurations list.
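The Username Mapping choice in step 5 decides which attribute the bind account searches for when a login is looked up. The following is an added example, not Security Analytics code, that models that lookup: it qualifies or strips the domain according to the selected mapping (an assumption about how logins are normalized) and escapes the value per RFC 4515 so that the text a user typed at the login prompt cannot alter the search filter the bind account runs.

```python
# Added example (not part of the RSA documentation or product).
# Assumes the two UI choices map to the AD attributes userPrincipalName and
# sAMAccountName, and that a bare login is qualified with the configured Domain.

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(mapping: str, login: str, domain: str) -> str:
    """Build the AD search filter for one login under the chosen mapping."""
    if mapping == "userPrincipalName":
        # UPN values carry the domain suffix; qualify a bare login (assumption).
        upn = login if "@" in login else f"{login}@{domain}"
        return f"(&(objectClass=user)(userPrincipalName={escape_filter_value(upn)}))"
    if mapping == "sAMAccountName":
        # sAMAccountName never carries a domain; drop a DOMAIN\ prefix or @suffix.
        bare = login.split("\\")[-1].split("@")[0]
        return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(bare)}))"
    raise ValueError(f"unknown username mapping: {mapping!r}")


if __name__ == "__main__":
    # Constructed sample logins for a configuration whose Domain is corp.example.
    for mapping in ("userPrincipalName", "sAMAccountName"):
        for login in ("jdoe", "jdoe@corp.example", "CORP\\jdoe", "j*doe"):
            print(f"{mapping:18} {login:20} -> {user_lookup_filter(mapping, login, 'corp.example')}")
```

Under sAMAccountName mapping the three spellings of the same account collapse to one filter, while under UPN mapping the DOMAIN\ form is qualified verbatim, which is why the mapping choice must match how users actually sign in.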

Edit an Active Directory Configuration

To edit an Active Directory configuration in the Active Directory Configurations list:

  1. Under Active Directory Configurations, click .
    The Edit Configuration dialog is displayed.
  2. (Optional) Enter the Domain, Host and Port information for the Active Directory Service.
  3. (Optional) To select SSL for this configuration, check the Use SSL checkbox.
  4. (Optional) In the Username Mapping field, select the Active Directory search field to use for username mapping.
  5. To specify the Follow LDAP referrals behavior in environments with multiple authentication servers, click the Follow Referrals checkbox.
    1. If you want to disable LDAP forwarding, uncheck the box.
    2. If you want to enable LDAP forwarding, check the box.
  6. To provide credentials to bind to the Active Directory Service while searching Active Directory groups, enter the credentials in the Username and Password fields.
  7. Click Save.
    The configuration is listed in the Active Directory Configurations list.

Test an Active Directory Configuration

To test an Active Directory configuration:

  1. Select the configuration to be tested from the Active Directory Configurations list.
  2. In the toolbar, click .
    A message that the test is successful is displayed.

Delete an Active Directory Configuration

To delete an Active Directory configuration:

  1. Under Active Directory Configurations, select the configuration to be deleted from the Active Directory Configurations list.
  2. In the toolbar, click .
    A message indicates that the selected configuration is deleted from the list.