6.6.4. Deploy AD Configuration
After all of the previous sections have been completed, you can proceed with deploying the Active Directory authentication configuration to the recorder.
Ensure that you have completed the prerequisite tasks and gathered the prerequisite information.
Prerequisite Tasks
- Time Sync configured and syncing with a domain controller
- Hostname set and validated with DNS
- TLS certificate has been applied and tested
- The recorder's AD User has been created
- Service Principal Names have been set
- NexLog_final.keytab has been created
Prerequisite Information
- Domain Administrator login credentials
- The full domain name, realm and workgroup for user accounts
- The FQDN of the AD Password Server
- The FQDN of the AD Kerberos Key Distribution Center Server (KDC)
- The FQDN of the AD Admin Server
- LDAP protocol in use, LDAP or LDAPS (TLS/SSL)
- LDAP server hostname
- LDAP server port number
- Base user search path or organizational unit (OU)
- Base group search path or organizational unit (OU)
- Username for the recorder's AD account
- Domain for the recorder's AD account
6.6.4.1. Install the Keytab
The final keytab file, NexLog_final.keytab, must be imported to the recorder.
Login to the web configuration manager and navigate to .
Under Authentication Mode, select the radio button for Active Directory Domain (Reference Figure 6.1).
Next, select the Domain Settings tab.
Fig. 6.5 Domain Settings - Import Keytab File
Scroll to the Import Keytab File section and press Import New Keytab File. If a Keytab is already uploaded, the page will say Note: A Keytab File already exists.
Press Choose File and select the keytab named NexLog_final.keytab. Press the OK button to begin the upload.
Important
It is not necessary for the initial setup, but if the keytab is ever replaced, you must reboot the recorder for it to be applied.
6.6.4.2. Configure Domain Settings
In the web configuration manager, navigate to .
Under Authentication Mode, select the radio button for Active Directory Domain (Reference Figure 6.1).
Next, select the Domain Settings tab, then enable the Enable Single Sign-On check box.
Fig. 6.6 Domain Settings - Active Directory Settings
In the Active Directory Settings section, complete all fields. Some of these fields must be in UPPERCASE and others must be in lowercase, but you do not need to adjust this yourself: when you save, the form automatically corrects the case of the fields where it matters.
- Workgroup
  (UPPERCASE) The NetBIOS workgroup name for login users.
  Example: CONTOSO
- Realm
  (UPPERCASE) The domain's Kerberos realm.
  Example: CONTOSO.NET
- Password Server
  (UPPERCASE) The password server the recorder should use to authenticate user credentials. This is typically a domain controller.
  Example: DC1.CONTOSO.NET
- KDC
  (lowercase) The Kerberos Key Distribution Center server the recorder should use for Kerberos authentication. This is typically a domain controller.
  Example: dc1.contoso.net
- Admin Server
  (lowercase) The server that should be used for group membership queries. This is typically a domain controller.
  Example: dc1.contoso.net
- Ticket Encoding Type
  The Kerberos encryption type the account should use. This must be the same type that was used to generate the keytab. Options:
  - AES-128
  - AES-256 (default)
  - RC4-HMAC
- Recorder Service Principal Account
  (lowercase) The primary service principal account name for the recorder. This is typically the same as the recorder's FQDN.
  Example: nlrecorder.contoso.net
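The Ticket Encoding Type must match the keys actually present in NexLog_final.keytab. The following added example (not part of this guide or of the NexLog product) parses an MIT-format keytab and checks that it holds a key for the recorder's service principal with the selected encryption type, so the mismatch can be caught before the reboot. The realm, host name and keytab contents are constructed sample values, and the `host/` service class is an assumption.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757) mapped to the Ticket Encoding Type names.
ENCTYPES = {17: "AES-128", 18: "AES-256", 23: "RC4-HMAC"}

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into principal/enctype/kvno entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (ln,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + ln].decode()); pos += ln
        _name_type, _stamp, kvno, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                  # skip the key material itself
        if end - pos >= 4:                # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "enctype": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
                        "kvno": kvno})
    return entries

def keytab_keys_for(data, spn_host, realm):
    """Enctype names of every key whose principal is <service>/<spn_host>@<realm> (case-sensitive)."""
    return sorted(e["enctype"] for e in parse_keytab(data)
                  if e["principal"].endswith("/%s@%s" % (spn_host, realm)))

def keytab_matches(data, spn_host, realm, ticket_enc_type):
    """True if the keytab can back the selected Ticket Encoding Type for the recorder SPN."""
    return ticket_enc_type in keytab_keys_for(data, spn_host, realm)

def _entry(realm, comps, enctype, kvno, key):
    """Pack one keytab entry; used only to build the constructed sample below."""
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: AES-256 and RC4-HMAC keys for host/nlrecorder.contoso.net (hypothetical key bytes).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("CONTOSO.NET", ["host", "nlrecorder.contoso.net"], 18, 3, b"\x11" * 32)
                 + _entry("CONTOSO.NET", ["host", "nlrecorder.contoso.net"], 23, 3, b"\x22" * 16))
```

To check a real file, read it in binary mode and pass its bytes together with the Realm and Recorder Service Principal Account values from the form.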
Once all fields have been completed in Active Directory Settings, switch to the LDAP Settings tab and complete all fields.
Select the protocol that will be used to communicate with the directory service.
Refer to Section 5.4.1 - LDAP Configuration or Section 5.4.2 - LDAPS Configuration of this document for the options specific to your protocol selection. The LDAP Bind fields will be disabled when using Active Directory authentication.
When finished, click Save to enable your settings.
A reboot is required to complete the configuration. Once the recorder is back after the reboot, you can join it to the domain.