Sec/User Mgmt: Configure Active Directory

Document created by RSA Information Design and Development on Sep 19, 2017. Last modified by RSA Information Design and Development on Oct 2, 2017.

This topic explains how to configure NetWitness Suite to use Active Directory to authenticate external user logins.

When a user logs in, NetWitness Suite first attempts to authenticate locally. If no local user is found, and Active Directory configuration is enabled, an attempt is made to authenticate with Active Directory Service. You can configure Active Directory settings to enable authentication of external groups in the Admin > Security view > Settings tab.

In an environment with multiple authentication servers, LDAP forwarding allows LDAP referral following for AD group lookups. LDAP forwarding can increase the time required to log on because AD group lookups are extended to connected authentication servers. When your AD instance attempts to contact domain controllers that are blocked by your firewall, users can experience a delay of several minutes in logging on to NetWitness Suite. NetWitness Suite has a configuration option that specifies whether LDAP forwarding occurs; by default, LDAP referrals are disabled. When disabled, your AD instance does not attempt to contact referred domain controllers.

Note: The Settings tab also provides the option to enable PAM configuration, which can be used simultaneously with Active Directory configurations. For information on enabling and configuring PAM authentication, see Configure PAM Login Capability.

Procedures

Configure Active Directory Authentication

  1. Go to ADMIN > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Settings tab.
    The Active Directory Configurations list is displayed in the panel so that you can add or edit a configuration.
    This is an example of the Active Directory Configurations section.
  3. Add, edit, or delete domains as necessary, as described in the following sections.
    The domains added to this list are automatically populated in the External Group Mapping tab so that you can map security roles to each group.

Note: To configure security roles used for Active Directory access, see Step 5. (Optional) Map User Roles to External Groups.

Add a New Active Directory Configuration

To add a new Active Directory configuration in the Active Directory Configurations list:

  1. Under Active Directory Configurations, click the Add icon.
    The Add New Configuration dialog is displayed.
    Add New Configuration dialog
  2. Click the Enabled checkbox.
  3. Enter Domain, Host and Port information for the Active Directory Service.
  4. (Optional) To select SSL for this configuration, check the Use SSL checkbox. You must then enter a certificate file by clicking Browse and selecting the desired file to upload. If the AD server uses a public CA signed certificate, you do not need to upload a certificate. If the AD server uses a self-signed certificate, then you must upload either the CA certificate or the self-signed certificate.
  5. In the Username Mapping field, select the Active Directory search field to use for username mapping. You can select userPrincipalName (UPN) or sAMAccountName.
  6. For sites that have multiple authentication servers, click Follow Referrals to enable or disable LDAP referral following for AD group lookups.
  7. To provide credentials to bind to the Active Directory Service while searching Active Directory groups, enter the credentials in the Username and Password fields.

Note: If you selected sAMAccountName in the Username Mapping field, you must enter the username in the format "domain\user" to authenticate.

  8. Click Save.
    The new configuration is listed in the Active Directory Configurations list.
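The Username Mapping choice decides which AD attribute the typed login is matched against, which is why sAMAccountName needs the "domain\user" form. The following is an added illustration, not NetWitness Suite code, of what that lookup involves; the filter shape, the completion of a bare UPN login with the configured domain, and the function names are assumptions, while the RFC 4515 escaping of the typed login is what any filter built from user input must do.

```python
"""Added illustration (not NetWitness Suite code) of what the Username
Mapping choice implies for the AD lookup behind a login, including
RFC 4515 escaping of the typed login before it enters an LDAP filter."""
from dataclasses import dataclass

# RFC 4515: these characters are significant in a filter value and must be
# hex-escaped, otherwise a crafted login could change the search itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class Lookup:
    attribute: str    # AD attribute the login is matched against
    domain: str       # domain the login was resolved to
    ldap_filter: str  # search filter that would go to the domain controller


def build_lookup(login: str, mapping: str, configured_domain: str) -> Lookup:
    """Translate a typed login into an AD user search for the chosen mapping.

    mapping is "userPrincipalName" or "sAMAccountName", the two choices
    offered in the configuration dialog. Filter shape is an assumption.
    """
    if mapping == "sAMAccountName":
        # sAMAccountName is unique only within one domain, so the login must
        # carry the domain explicitly: "domain\\user", as the product note says.
        domain, sep, account = login.partition("\\")
        if not sep or not domain or not account:
            raise ValueError("sAMAccountName mapping requires domain\\user")
        flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"
        return Lookup(mapping, domain, flt)
    if mapping == "userPrincipalName":
        # UPN is unique across the forest. Assumed here: a login typed without
        # an @ suffix is completed with the configured domain.
        upn = login if "@" in login else f"{login}@{configured_domain}"
        flt = f"(&(objectClass=user)(userPrincipalName={escape_filter_value(upn)}))"
        return Lookup(mapping, upn.rpartition("@")[2], flt)
    raise ValueError(f"unknown Username Mapping {mapping!r}")
```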

Edit an Active Directory Configuration

To edit an Active Directory configuration in the Active Directory Configurations list:

  1. Under Active Directory Configurations, select the configuration you wish to edit and click the Edit icon.
    The Edit Configuration dialog is displayed.
    Edit Configuration dialog
  2. (Optional) Enter the Domain, Host and Port information for the Active Directory Service.
  3. (Optional) To select SSL for this configuration, check the Use SSL checkbox. You must then enter a certificate file by clicking Browse and selecting the desired file.
  4. (Optional) In the Username Mapping field, select the Active Directory search field to use for username mapping.
  5. To specify the Follow LDAP referrals behavior in environments with multiple authentication servers, click the Follow Referrals checkbox.
    1. If you want to disable LDAP forwarding, uncheck the box.
    2. If you want to enable LDAP forwarding, check the box.
  6. To provide credentials to bind to the Active Directory Service while searching Active Directory groups, enter the credentials in the Username and Password fields.
  7. Click Save.
    The configuration is listed in the Active Directory Configurations list.

Test an Active Directory Configuration

To test an Active Directory configuration:

  1. Select the configuration to be tested from the Active Directory Configurations list.
  2. In the toolbar, click the Test button.
    A message that the test is successful is displayed.
  3. If the test does not succeed, review and edit the configuration.

Delete an Active Directory Configuration

To delete an Active Directory configuration:

  1. Under Active Directory Configurations, select the configuration to be deleted from the Active Directory Configurations list.
  2. In the toolbar, click the Delete icon.
    A message is displayed warning you that, if the configuration is deleted, none of the users in the selected Active Directory configuration will be able to log in to NetWitness Suite.
  3. Do one of the following:
    1. To confirm the deletion, click Yes.
    2. To cancel the deletion, click No.