What is the Authentication Server?
The authentication server is the system component that accepts the user's credentials and checks that the user is trusted. If the user is trusted, the connection is allowed; otherwise the connection attempt is rejected and the user cannot access the system.
The authentication server issues day tickets to users. A day ticket is a security token that lets a user reconnect for a pre-configured period without going through the full authentication process again. Day tickets are opaque and bound to the device they were issued to; they cannot be read or used by anything other than that device. Their purpose is to improve the end-user experience without weakening security. Because a valid ticket stands in for the credential until it expires, the ticket duration configured in the wizard (1 day by default) bounds how long a lost or stolen device can keep reconnecting without re-authenticating.
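The token described above can be illustrated with a small scheme. The following is an added example, not mSuite's ticket format (the page does not document the format or the binding mechanism). It assumes a server-held secret key and a stable device identifier presented on reconnect, and shows the three checks a day-ticket verifier needs: integrity (an HMAC tag), device binding, and expiry measured against the configured duration in minutes.

```python
"""Illustrative day-ticket scheme: an HMAC-signed, device-bound, time-limited token.
Added example code, not mSuite's ticket format. Assumptions: the server holds one
secret key, and the device presents a stable device_id whenever it reconnects."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

DEFAULT_TICKET_MINUTES = 1440  # the wizard's default: one day


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text: bytes) -> bytes:
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_ticket(key: bytes, user: str, device_id: str,
                 minutes: int = DEFAULT_TICKET_MINUTES, now: Optional[int] = None) -> bytes:
    """Issue a ticket after a successful credential check: payload.tag with tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    body = {"sub": user, "dev": device_id, "iat": now, "exp": now + minutes * 60,
            "jti": secrets.token_hex(8)}  # jti makes each ticket unique, e.g. for a revocation list
    payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"." + _b64e(tag)


def verify_ticket(key: bytes, ticket: bytes, device_id: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the ticket is authentic, unexpired and presented by the
    device it was bound to; otherwise None (the caller then falls back to full authentication)."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = ticket.split(b".")
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), _b64d(tag)):
            return None  # forged or tampered: the contents are not even parsed
        body = json.loads(_b64d(payload))
        if body["dev"] != device_id:
            return None  # ticket copied to another device
        if not body["iat"] <= now < body["exp"]:
            return None  # expired, or issued in the future (clock skew)
        return body["sub"]
    except (ValueError, KeyError, TypeError):
        return None
```

The `minutes` parameter plays the role of the wizard's Day ticket duration setting; the device identifier is whatever stable value the client can present, and the server never stores the ticket itself, only the key.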
Supported Authentication Methods
mSuite has four standard authentication methods:
• mSuite's internal authentication (mCenter). The credentials submitted from the mobile device are compared with the Account Name and Password in the mSuite user's Properties dialog.
• RADIUS (Remote Authentication Dial-In User Service). The credentials submitted from the mobile device are checked against the user's credentials by your RADIUS server.
• LDAP (Lightweight Directory Access Protocol), which can also be used for Active Directory authentication. The credentials submitted from the mobile device are checked against the user's entry on an LDAP server.
• Internet Password. On the device, the user enters his or her Lotus Notes name and Lotus Notes Internet Password; these are checked against the user's Person document in the Domino Directory. This is the default authentication method.
Note: Automatic User Creation is only supported for LDAP or Internet Password authentication.
Custom authentication methods: if your organization has authentication requirements that the standard methods do not meet, CommonTime can create a custom authentication method as part of its Professional Services offering.
Configuring the Authentication Method
Note: Before you change the authentication configuration, make sure that all administrator accounts are set to use mCenter authentication, irrespective of the general authentication method (see Adding Administrators). This prevents you from locking yourself out of the management console if the external authentication source is misconfigured or unavailable.
1. Expand the Configuration node in the navigation tree and select Servers and Groups. The action pane displays the configured servers.
2. Right-click the server and select Properties from the pop-up menu.
3. Select the Connection Management tab. It has two sections: Connection Manager Server Settings and Authentication Server Settings.
4. Run the Authentication Server wizard by clicking the button with the magic-wand icon in the Authentication Server Settings section.
6. On the Welcome screen, make sure that the Run the Authentication Service check box is checked, then click Next.
7. On the General Settings page, select the Authentication Method (see below), leave the Community set to <Default>, and set the Day ticket duration in minutes (the default is 1 day, 1440 minutes). This is the period for which a device can reconnect on its day ticket without re-authenticating, so shorten it if your policy requires more frequent credential checks.
8. The table at the bottom of the page lets you configure the TCP/IP ports and addresses that the Authentication Server listens on. You only need to change these if they conflict with other software.
9. Click Next to configure the chosen authentication method.
RADIUS
You will need to understand RADIUS to configure this correctly. If necessary, seek the assistance of your security administrator.
1. Configure the RADIUS settings to match the requirements of your RADIUS server.
2. Under RADIUS servers, click Add or Edit to enter or modify the IP address, port number and shared secret for your RADIUS server. The shared secret must match the one the RADIUS server has configured for this client; it is what hides the user's password in transit and authenticates the server's replies, so choose a long random value and treat it as a credential.
mCenter (internal authentication)
This is the simplest authentication method; there is no additional configuration. Authentication uses the account names and passwords stored in each user's mSuite account profile.
LDAP
1. Specify the LDAP server name in the Host field. Check the Use SSL box if the server accepts SSL/TLS connections, and specify the connection Port (389 is the default for non-SSL connections; 636 is the usual port for LDAP over SSL). Without SSL, a simple bind sends the user's password to the LDAP server in clear text, so use SSL wherever the server supports it. Specify the Protocol version used by your LDAP server.
2. Next, specify the LDAP authentication settings in one of two ways, matching two different LDAP scenarios:
If all your users are in one branch of your LDAP tree, you can normally use the User DN field to build each user's Distinguished Name for authentication (uncheck the Search Using Attribute box).
The second method uses the Search Using Attribute section (check the box to enable it) to connect to and query the LDAP server in order to obtain Distinguished Names for authentication.
User DN method
1. Uncheck the Search Using Attribute box.
2. User DN: enter the LDAP syntax for your users' Distinguished Name. Use %cn% (case sensitive!) where the user name goes; it is substituted with the account name from the mobile device to form the full Distinguished Name used for the LDAP login. For example, if the user name on the connecting device is jsmith and the User DN field holds cn=%cn%,ou=Users,dc=example,dc=com (an illustrative value; use your own directory's layout), the DN sent to the LDAP server is cn=jsmith,ou=Users,dc=example,dc=com.
Search Using Attribute method
1. Check the Search Using Attribute box. mSuite connects to the LDAP server using the details in the Login DN and Password fields, then queries LDAP (typically supplying a Windows account name) to obtain the Distinguished Name of the authenticating user. That DN is then used to authenticate the user's connection.
2. Filter: the example (&(objectClass=person)(sAMAccountName=%)) is a typical search filter for an Active Directory server. It queries the person object class, with % standing for the Windows account name supplied by the device. Because that value comes from the device, characters with special meaning in an LDAP filter (*, parentheses, backslash) must be escaped before substitution so that the filter matches exactly one literal account name; a search that matches no entry, or more than one, should fail the login.
3. Login DN and Password: these can be left blank if your LDAP server allows anonymous connections with query rights. Otherwise, enter an LDAP login that allows mSuite's Authentication Server to connect to and query your LDAP server for users' account information; an account with read access to the user entries is sufficient. If you are not familiar with your LDAP environment and have no LDAP administrator to assist you, you can find the Login DN syntax by importing a user into mSuite via LDAP and choosing "Distinguished Name" as the account name. Copy the account name to the Windows clipboard, then change the user's account name so it names the LDAP account mSuite should bind with rather than the Distinguished Name you just obtained. Paste the resulting Distinguished Name into the Login DN field.
4. Base DN: limits which branches of the tree are queried; the search starts at this DN.
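The two LDAP methods above, as an added example that is not mSuite's code: it builds the bind DN from a %cn% template and the search filter from the % placeholder, escaping the device-supplied account name per RFC 4514 (DN values) and RFC 4515 (filter values), and runs the filter over a constructed in-memory directory to show why the escaping matters. The templates, entries and attribute values are constructed for the example.

```python
"""Building the bind DN (User DN method) and the search filter (Search Using Attribute
method) from an account name supplied by the device. Added example, not mSuite's code;
escaping follows RFC 4514 and RFC 4515. The directory entries below are constructed."""
import re
from typing import Dict, List, Optional

_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """RFC 4514 s2.4: escape characters that would otherwise change the DN's structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 s3: the characters that can alter a filter's meaning, as \\XX hex pairs."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_dn(template: str, account: str) -> str:
    """User DN method: substitute the device account name for %cn% (case sensitive)."""
    if "%cn%" not in template:
        raise ValueError("User DN template has no %cn% placeholder")
    return template.replace("%cn%", escape_dn_value(account))


def build_search_filter(template: str, account: str) -> str:
    """Search Using Attribute method: substitute the account name for the single % placeholder."""
    if template.count("%") != 1:
        raise ValueError("filter template must contain exactly one % placeholder")
    return template.replace("%", escape_filter_value(account))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches_filter(entry: Dict[str, str], filt: str) -> bool:
    """Tiny evaluator for (&(a=v)(b=w)) and (a=v) filters, as a server would apply them.
    A bare * means 'attribute present'; an escaped \\2a is compared as a literal asterisk."""
    if filt.startswith("(&") and filt.endswith(")"):
        inner = filt[2:-1]
        parts = re.findall(r"\([^()]*\)", inner)
        if "".join(parts) != inner:
            raise ValueError("unsupported filter: " + filt)
        return all(matches_filter(entry, p) for p in parts)
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1).lower(), m.group(2)
    if value == "*":
        return attr in entry
    return entry.get(attr, "").lower() == _unescape(value).lower()


DIRECTORY: List[Dict[str, str]] = [  # constructed sample entries
    {"dn": "CN=John Smith,OU=Users,DC=example,DC=com", "objectclass": "person",
     "samaccountname": "jsmith", "cn": "John Smith"},
    {"dn": "CN=Ann Jones,OU=Users,DC=example,DC=com", "objectclass": "person",
     "samaccountname": "ajones", "cn": "Ann Jones"},
]


def find_user_dn(directory: List[Dict[str, str]], filter_template: str, account: str) -> Optional[str]:
    """Search step of the second method: the DN to bind with, only if exactly one entry matches."""
    filt = build_search_filter(filter_template, account)
    hits = [e["dn"] for e in directory if matches_filter(e, filt)]
    return hits[0] if len(hits) == 1 else None
```

With escaping, an account name of * produces (sAMAccountName=\2a), which matches nobody; substituted raw it would become (sAMAccountName=*), a presence test that matches every person in the Base DN. The same holds for the Base DN and Login DN: the narrower the search base and the fewer rights the query account has, the less a bad filter or a compromised query credential can expose.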
Internet Password
This is the default option when using mSuite with Lotus Domino (for mail and PIM synchronization). No additional configuration is required. The user's password is compared with the Domino Internet Password stored in their Person document in the Domino Directory.
10. If you selected LDAP (with the Search Using Attribute box checked) or Internet Password, you will now be taken to the Automatic User Creation page.
Automatic User Creation
If you are using LDAP (with the Search Using Attribute box checked) or Internet Password as the authentication method, the wizard now shows the Automatic User Creation page for that directory.
Note: If you want users to be created automatically, you will need to have one or more groups in the relevant directory (LDAP or Domino) that contain the names of the people allowed to use mSuite.
1. To enable this, check the Create user automatically box, then ensure that the table has one or more entries telling the system which groups (LDAP or Domino) to use and which component of the user's directory entry to use as their account name. Use the Add, Edit and Remove buttons to configure the table.
2. LDAP/Domino Group: the name of a group in the LDAP or Domino Directory that lists the users allowed to use the system. Only members of the listed groups are created, so membership of these groups controls who can enrol; review it as you would any other access-control group.
3. mSuite Group: the name of the mSuite group in which users are created if they are found in the LDAP/Domino group.
4. Account Name Format: which component of the directory user document to use as the mSuite account name. Choose a component that is unique across the directory, otherwise two directory users could map to the same mSuite account name:
• Domino: select from Email Address, First and Last Name, First Name, Last Name, Notes Hierarchical Name, Short Name.
• LDAP: select Common Name or SAMAccountName, or type in the attribute name.
11. On the completion page, you can either save the settings as a new template or update the existing properties. You will normally update the existing properties (the default). Templates are an advanced configuration feature; only use them if instructed by CommonTime support.
12. Click Finish to complete the wizard and save your changes.
You must restart the Authentication Server for the configuration changes to take effect. See: CT_Stopping_and_Starting_Services