Active Directory Global Catalog Identity Sources

If you have an Active Directory forest, and you configure multiple identity sources within it, you can optionally configure an Active Directory Global Catalog as an identity source that the other Active Directory identity sources can use for finding and authenticating users, and resolving group membership within the forest. You need to:

  • Add each Global Catalog to Authentication Manager as a separate identity source.

  • Map the identity source to the Global Catalog port on the domain controller that hosts the Global Catalog.

RSA Authentication Manager does not use Global Catalogs for administrative operations, such as changing users’ passwords. Administrative actions are only performed against non-Global Catalog identity sources.

Deployment Requirements for Global Catalogs

These requirements apply only to deployments that use restricted authentication agents.

To use a Global Catalog as an identity source, your deployment must meet all of the following requirements:

  • All groups granted access to a restricted authentication agent must be Windows Universal Security groups.
  • When you view the Active Directory groups from the Security Console, all types of groups (Universal Security, Domain Local, and Global) are displayed, but only Universal Security groups may be successfully used with restricted agents through a Global Catalog.
  • All domains in the forest must run Windows 2008 R2 or Windows 2012 R2.

Only the Windows administrator can change the group type in Active Directory.

Note: If you select a group from the list of Active Directory groups in order to activate users on restricted agents, make sure you select a Universal Security group. If you use any other type of group, the user cannot authenticate.

Data Replication for Global Catalogs

When you use the Active Directory Global Catalog as an identity source, individual Active Directory domain controllers replicate domain changes to the Global Catalog. For this type of deployment, you must integrate the following with Authentication Manager:

  • The Global Catalog. If your forest has more than one Global Catalog, you can use one for failover. You do not need to create an identity source for the second Global Catalog. Instead, you can specify it as a failover URL when you create the identity source for the first Global Catalog.
  • All domain controllers that contain users and user groups that you want to reference from Authentication Manager. Add each domain as an identity source.

For example, suppose that GC1 is the Global Catalog identity source for user authentication, and AD1, AD2, and AD3 replicate a subset of their data to GC1. You must map each Active Directory to an identity source. After integration is complete, Authentication Manager accesses GC1 for authentication requests and AD1, AD2, and AD3 for administration, such as updating the user password.

Global Catalog Deployment Example with Four Identity Sources

The following figure shows a forest composed of three domains, each consisting of one domain controller, and a single Global Catalog. In this example, you must enable at least four identity sources in Authentication Manager.

  • Three identity sources for domain controllers, possibly with failover domain controllers
  • One identity source for a Global Catalog, possibly with a failover Global Catalog server