Managing authentications

Use the authentications tree to define credentials for Active Directory groups that will have console access. These credentials only need to let Management Suite enumerate the directory. You'll need to provide credentials for each Active Directory containing users you want to have console access. The authentications you provide determine which user groups you can select from to assign console group permissions.

Console authentication is based on Windows local or Active Directory group membership. When a LANDesk administrator assigns group permissions to a local or Active Directory group, users who are members of that group can log into the Windows or Web consoles and share the permissions assigned to that group.

You should be aware of the following issues when managing Active Directories for use with Management Suite:

• Active Directory is fully integrated with DNS and TCP/IP (DNS) is required. To be fully functional, the DNS server must support SRV resource records or service records.

• Using Active Directory to add a user to a group being used in the console will not enable the user to log in to the console even though the user has Management Suite permissions assigned. In order to log in to the console, a user must belong to the core server's local LANDesk groups. For more information, see Adding Management Suite console users.

• In order for Active Directories to work properly with role-based administration, you need to configure the COM+ server credentials on the core server. This enables the core server to use an account in one of the core server's local LANDesk groups that has the necessary permissions to enumerate Windows domain members, such as the administrator account. For instructions on how to perform the configuration, see Multi-core support.

If the account password for an authentication changes, you will have to log into the console and change the password in the authentication dialog to the new password. You can do this by logging in as a local group. Users are authenticated when they log in, so any existing session will continue to work. Users in the domain that has had the password changed won't be allowed to log in until the password change has been corrected in the Users tool.

To add an authentication

1. In the Users tool, right-click Authentications and click New authentication.
2. In the Authentication details dialog, enter credentials that give access to the Active Directory.
3. Click OK.

Setting rights with Active Directory

The following rules apply to when using Active Directory with RBA:

• If a user is a member of an Active Directory group or OU, the user inherits the RBA rights for that group or OU.
• If a user is a member of an Active Directory group or OU, which is a member of a higher level group or OU, the user inherits the RBA rights of the upper level group or OU.
• Groups can be nested and inherit the appropriate rights according to the usual Active Directory rules.