6. Active Directory Authentication
License Required
This feature must be licensed to be used. Contact your Eventide Dealer for assistance.
Active Directory (AD) authentication works in the same manner as LDAP Authentication, allowing users, passwords, and group memberships to be managed via a pre-existing central directory database. The differentiating feature is that AD authentication allows for Single Sign-On (SSO) from a domain-joined client PC.
This authentication mode will join the recorder to the network domain.
Since the only advantage of using AD authentication instead of LDAP is SSO, this section will guide you through configuring Active Directory authentication specifically to use Single Sign-On. If SSO is not desired, it is recommended that you use LDAP instead, since this method requires advanced knowledge of Active Directory.
Fig. 6.1 Authentication Mode - Active Directory
This authentication mode can be used along with Local Authentication. It is recommended that a local account be created to serve as a “break glass” account in the event that the recorder is no longer able to talk to the directory service.
6.1. How It Works
When a user logs in to the NexLog DX-Series recorder, their username is evaluated to see if it exists, or is already associated with the directory service.
If the user does not exist, or is associated with the directory service, the credentials entered are tested against the directory server.
If the supplied credentials work, the user is considered authenticated and the login will be processed. If the user does not already exist on the recorder, their recorder account will be created.
If the supplied credentials do not work for the directory service, the login is rejected.
Upon successful login, the recorder will query the directory service for the user’s group memberships. If the user is a member of the recorder’s paired groups, that group’s permissions will be given to the user.
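The login decision described in this section, modelled as an added example (not Eventide's code; the account table, the paired-group mapping and the stand-in directory are constructed assumptions). It shows the three outcomes: a directory-backed or unknown user is tested against the directory and created on first success, a local-only "break glass" account never consults the directory, and permissions come only from paired groups.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class RecorderUser:
    """One account on the recorder (assumed shape)."""
    username: str
    directory_backed: bool            # created from the directory service?
    local_password: Optional[str] = None  # only for local accounts (assumed plain for the demo)
    permissions: Set[str] = field(default_factory=set)

# Hypothetical pairing of directory groups to recorder permission sets.
PAIRED_GROUPS: Dict[str, Set[str]] = {
    "NexLog-Admins": {"configure", "playback", "export"},
    "NexLog-Users": {"playback"},
}

# Constructed stand-in for the directory: username -> (password, groups).
FAKE_DIRECTORY: Dict[str, Tuple[str, List[str]]] = {
    "alice": ("Winter2024!", ["NexLog-Admins", "Domain Users"]),
    "bob": ("correct-horse", ["Domain Users"]),
}

def directory_bind(username: str, password: str) -> bool:
    """Stand-in for testing credentials against the directory server."""
    entry = FAKE_DIRECTORY.get(username)
    return entry is not None and entry[0] == password

def directory_groups(username: str) -> List[str]:
    """Stand-in for the post-login group membership query."""
    return FAKE_DIRECTORY.get(username, ("", []))[1]

def login(users: Dict[str, RecorderUser], username: str, password: str):
    """Return (accepted, user). `users` is the recorder's account table and is
    updated when a directory user logs in for the first time."""
    user = users.get(username)
    if user is None or user.directory_backed:
        # Unknown or directory-associated: the directory decides.
        if not directory_bind(username, password):
            return False, None
        if user is None:
            user = RecorderUser(username, directory_backed=True)
            users[username] = user
        # Grant only the permissions of paired groups the user belongs to.
        perms: Set[str] = set()
        for group in directory_groups(username):
            perms |= PAIRED_GROUPS.get(group, set())
        user.permissions = perms
        return True, user
    # Local-only account (e.g. "break glass"): never consults the directory.
    if user.local_password == password:
        return True, user
    return False, None

def demo() -> Dict[str, RecorderUser]:
    """Run a few logins against a fresh table and return the resulting table."""
    users = {"breakglass": RecorderUser("breakglass", False, "local-secret",
                                        {"configure", "playback", "export"})}
    login(users, "alice", "Winter2024!")   # created from directory, admin perms
    login(users, "bob", "correct-horse")   # created, but no paired group -> no perms
    login(users, "mallory", "guess")       # rejected, no account created
    return users
```

The break-glass account keeps working if the directory is unreachable because its branch never calls `directory_bind`; that is the reason the page recommends creating one.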
6.2. Prerequisites
Before configuring AD authentication, the recorder must be set up with the following:
Setting up this authentication mode will make use of commands that require domain administrator permissions. Ensure that a domain administrator is available to assist.
To set up AD Authentication you must know the following:
The full domain name, realm and workgroup for user accounts
The FQDN of the AD Password Server
The FQDN of the AD Kerberos Key Distribution Center Server (KDC)
The FQDN of the AD Admin Server
LDAP protocol in use, LDAP or LDAPS (TLS/SSL)
LDAP server hostname
LDAP server port number
Base user search path or organizational unit (OU)
Base group search path or organizational unit (OU)
Username for the recorder’s AD account
Password for the recorder’s AD account
Domain for the recorder’s AD account
6.3. Configure Time Sync
The NexLog DX-Series recorder must be time synced to the same source as the domain server; otherwise authentication will fail because the times differ (Kerberos rejects requests whose timestamps fall outside the domain's allowed clock skew). To configure the time sync settings, log in to the web configuration manager and navigate to .
Note
In this example, we use NTP Time Sync, however other Time Sync sources are also valid.
In the Time Sync dropdown, select NTP (Network Time Protocol). Enter one or more domain controller addresses into the fields provided, then press Save and Force Sync.
Fig. 6.2 Date and Time - NTP Settings
Consult the NexLog DX-Series system manual for additional information.
6.4. Configure Hostname
The hostname of the recorder must be configured in . The hostname will be used repeatedly in the domain administration steps, so it is important to have agreement on what the hostname should be to fit in with current domain policy.
For example, if the desired fully qualified domain name for the system is https://NLRecorder.contoso.net, then NLRecorder is the hostname.
The DNS server used by the recorder must be configured on this same page. Enter the IP address of the DNS server(s) and Save.
Ensure that the DNS server has a valid A Record with a matching PTR Record pointing to the recorder.
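A preflight check for the two prerequisites from sections 6.3 and 6.4 (clock agreement with the domain controller and a consistent A/PTR pair for the recorder), added here as an example; it is not part of the NexLog product. The resolver is injected so the check runs offline against a constructed zone; the 5-minute tolerance is Kerberos's default maximum clock skew, and `NLRecorder.contoso.net` / `192.0.2.10` are sample values.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Kerberos default maximum tolerance between client and KDC clocks.
MAX_SKEW = timedelta(minutes=5)

Resolver = Callable[[str], List[str]]

def check_clock_skew(recorder_time: datetime, dc_time: datetime,
                     tolerance: timedelta = MAX_SKEW) -> List[str]:
    """Return a problem list (empty when the clocks agree closely enough)."""
    skew = abs(recorder_time - dc_time)
    if skew > tolerance:
        return [f"clock skew {skew} exceeds {tolerance}; fix time sync first"]
    return []

def check_dns_pairing(fqdn: str, expected_ip: str,
                      forward: Resolver, reverse: Resolver) -> List[str]:
    """Verify the A record for fqdn gives expected_ip and the PTR for
    expected_ip gives fqdn back (trailing dots and case ignored)."""
    problems = []
    addrs = forward(fqdn)
    if expected_ip not in addrs:
        problems.append(f"A record: {fqdn} -> {addrs or 'nothing'}, expected {expected_ip}")
    names = [n.rstrip(".").lower() for n in reverse(expected_ip)]
    if fqdn.lower() not in names:
        problems.append(f"PTR record: {expected_ip} -> {names or 'nothing'}, expected {fqdn}")
    return problems

def preflight(fqdn: str, ip: str, recorder_time: datetime, dc_time: datetime,
              forward: Resolver, reverse: Resolver) -> List[str]:
    """Combine both checks; an empty list means the prerequisites hold."""
    return check_clock_skew(recorder_time, dc_time) + check_dns_pairing(fqdn, ip, forward, reverse)

# Constructed sample zone: the forward record is right, but the PTR still
# points at a previous hostname, which is the mismatch this check catches.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "nlrecorder.contoso.net": ["192.0.2.10"],
    "oldname.contoso.net": ["192.0.2.10"],
}
SAMPLE_REVERSE: Dict[str, List[str]] = {
    "192.0.2.10": ["oldname.contoso.net."],
}

def sample_forward(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name.lower(), [])

def sample_reverse(ip: str) -> List[str]:
    return SAMPLE_REVERSE.get(ip, [])

def demo() -> List[str]:
    """Run the preflight against the constructed zone with a 7-minute skew."""
    recorder = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    dc = recorder + timedelta(minutes=7)
    return preflight("NLRecorder.contoso.net", "192.0.2.10", recorder, dc,
                     sample_forward, sample_reverse)
```

Against a live DNS server the two resolvers can be backed by `socket.getaddrinfo` and `socket.gethostbyaddr`; the stale-PTR case in the sample is the one that typically survives a hostname change because only the forward zone was updated.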
6.5. Configure TLS
The NexLog DX-Series recorder must have a valid TLS/SSL certificate that is trusted by the end client PCs. The certificate can be issued by Microsoft Certificate Services, a public CA, or a private CA whose root CA is trusted by the network. SSO will not function without a valid certificate. To configure TLS, consult the NexLog DX-Series system manual. The certificate’s Common Name would typically be the fully qualified domain name used in the hostname setup.
After configuring TLS, navigate to and set Database connections to Both or SSL Only.
Fig. 6.3 TLS/SSL Connection Settings
6.6. Configure AD Authentication
Once the recorder’s prerequisites have been satisfied, you can begin configuring the domain settings and then apply the configuration to the recorder.
It is important that each section below is followed in order. All domain configuration and command examples should be performed on a PC using a domain administrator account or equivalent.