Configuring authentication servers used for managing remote users

Configuring authentication servers in the ITA web client provides access to ITA for remote users provided they have been authenticated by the configured authentication server.

About remote users, certificates, and authentication methods

When a remote user attempts to log on to the ITA server, the credentials are sent to the authentication server associated with that user. It is that server, and not the ITA server, that authenticates the logon attempt.

Configuring remote user authentication

1. In Configuration > Authentication Servers, click to add an authentication server. 

2. Enter authentication server settings, starting with predefined authentication method from the drop-down list. 
   The name, email address, and password data is supplied by the authentication server.

When you are setting up a remote user, user information is stored on:

• Data Center Expert server as a remote repository with user information. The IT Advisor server requires connection setup to the Data Center Expert server in order to obtain the user information.
• LDAP or Active Directory server. The IT Advisor server requires connection setup to the server and logon information is required.

When a remote user attempts to log on to the IT Advisor server, the user credentials (user name and password) are sent to the authentication server associated with that user. It is that server, and not the IT Advisor server, that authenticates the logon attempt.

Indirect AD authentication (via DCE) is not recommended.

LDAP and Active Directory specifications

• Support for LDAPv3, both ldaps:// and ldap:// 
• ITA's Active Directory integration supports mutual trust between child and parent Domain Controllers (Active Directory servers)
  • mutual trust allows the user which authenticates an Active Directory server to authenticate against a parent or child Domain controller of your Active Directory server.
  • The username of a user that has access to reading users and groups from the authentication server can, because of mutual trust, be defined with the child domain name as part of the username. Example: username@child-domain or username@child-domain.domain
  • How-to setup an Active Directory server: Set up AD server
• The operations done are only read operations on the following fields: cn, uid, mail
• You can import individual users or user groups from a remote authentication server.
  Users in groups are automatically added to ITA and will appear in the user interface. Users are not automatically deleted, however, permissions are removed if a user is removed from a group.
• Tested and verified OS versions for Enterprise Active Directory:
  • Windows OS: Windows Server 2008 R2 SP1 and  2012 SP1
  • Forest function level: Windows Server 2008 and 2012
  • Domain functional level: Windows Server 2008 and 2012

LDAP and Active Directory Limitations

• Active Directory has an LDAP query limit of 1000 objects, to prevent excessive load and Denial of Service attacks
  • The default method to get around this limitation, is to break up the query to return at most 1000 objects at a time. For example, query only for objects starting with the letter a, then query for objects starting with the letter b and so forth.
  • The more efficient method for large environments is to enable paging. Paging automatically splits the results into multiple result sets so the integration does not have to split up the query into multiple requests.
• A more comprehensive list of limitations and work-arounds can be found here: LDAP policy in Active Directory