Secure Mobile Access 12.4 Administration Guide

Technical Documentation> Authentication> Network and Authentication Configuration> Managing User Authentication> Configuring LDAP and LDAPS Authentication> Configuring LDAP with Username and Password

Secure Mobile Access 12.4.3
Introduction
- About Secure Mobile Access
Installation
- Installation and Initial Setup
Management
- Working with Appliance Management Console
- User Management
Authentication
- Network and Authentication Configuration
Administration
- Security Administration
  - Creating and Managing Resources
    Resource Types
    Built-In Resources
    Secure Mobile Access WorkPlace (Resource Type: URL)
    Connect Tunnel (Resource Type: URL)
    Network Explorer (Resource Type: Network Share)
    Web Resources
    Client/Server Resources
    File Share Resources
    Resources and Resource Groups
    Viewing Resources and Resource Groups
    Adding Resources
    Example: Specifying a URL Alias
    Example: Blocking Email Attachments
    Example: Supporting Exchange on iPhones
    Example: Restricting Access to Sensitive Data
    Editing Resources
    Deleting Resources
    Configuring a Resource as a SharePoint Web Service
    Exclusions
    Using the Exclusions
    Using Variables in Resource and WorkPlace Shortcut Definitions
    Using Session Property Variables
    Using Query-Based Variables
    Creating a Resource Pointing to Users’ Remote Desktops
    Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
    Creating a Variable Containing a Variable
    Modifying Query Results
    Displaying a Series of Shortcuts Using a Single Definition
    Creating and Managing Resource Groups
    Adding Resource Groups
    Example: Working with a URL Redirect
    Editing, Deleting and Copying Resource Groups
    Web Application Profiles
    Viewing Web Application Profiles
    Adding Web Application Profiles
    Preconfigured Web Application Profiles
    Web Application Profile Examples
    How Requests for Web Resources are Evaluated
    Associating one profile with an entire domain
    Editing and Deleting Web Application Profiles
    Configuring a Single Sign-On Authentication Server
    Forms-Based Single Sign-On
    Basic Authentication Forwarding
    NTLM Authentication Forwarding
    Creating Forms-Based Dynamic Single Sign-On Profiles
    Dynamic SSO Profile for Microsoft RDWeb
    Configuring Microsoft RD Web Access in AMC
    Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
    Creating Web Application Profile
    Creating RDWeb URL resource with custom access
    Adding RDWeb in start page
    Dynamic SSO Profile for Citrix XenApp
    Configuring Citrix XenApp in AMC
    Creating Dynamic SSO Profile for Citrix XenApp
    Creating Web Application Profile
    Creating Citrix XenApp URL resource with custom access
    Adding Citrix Xenapp in start page
    Kerberos Constrained Delegation
    Configuring Kerberos Constrained Delegation
    Configuring SMA Support for Microsoft Outlook Anywhere
    Viewing User Sessions
  - Access Control Rules
    Configuring Access Control Rules
    Viewing Access Control Rules
    Access Control Rules for Bi-Directional Connections
    Requirements for Reverse and Cross-Connections
    Securing Application Ports for Reverse Connections
    Adding Access Control Rules for a Forward Connection
    Specifying Advanced Access Control Rule Attributes
    Adding Access Control Rules for a Reverse Connection
    Adding a Pair of Access Control Rules for a Cross-Connection
    Configuring Advanced Access Control Rule Attributes
    Access Methods and Advanced Options
    Adding Users and Resources From Within Access Control Rules
    Editing, Copying, and Deleting Access Control Rules
    Resolving Deny Rule Incompatibilities
    Resolving Invalid Destination Resources
    Invalid Resource Examples
- System Administration
End Point Control
Components
Mobile Connect
- Using SMA with Mobile Connect
Appendix
SonicWall Support
- About This Document

Configuring LDAP with Username and Password

Remember the following when configuring LDAP:

The Notify user before password expires and Allow user to change password when notifiedsettings in the Password management area have some constraints:
- They are supported only on IBM Directory Server.
- They are available only for users who connect to the appliance using Web access (the translated, custom port mapped, or custom FQDN mapped Web access), or using Connect Tunnel.
- Users must have permission on the LDAP server to change their passwords.
The Login DN and Password fields are not always required in order to connect to an LDAP server. However, if they are not provided (or you do not specify a password), the appliance binds to LDAP anonymously, which does not usually provide the appropriate permissions for performing user and group information searches.

To configure an LDAP authentication server with username and password validation

In the AMC, navigate to System Configuration > Authentication Servers.
Click New.
Under Authentication directory, click LDAP.
In the Name field, type a name for the authentication server.
Complete the information listed under General:
- In the Primary LDAP server field, type the host name or IP address of your LDAP server. If you are using a failover server (optional), specify its address in the Secondary LDAP server field.
  
  If the LDAP server is listening on a something other than the well-known port (389 for unencrypted LDAP connections, or 636 for SSL connections), specify a port number as a colon-delimited suffix (for example, myldap.example.com:1300).
- In the Login DN field, type the distinguished name (DN) used to establish a connection with the LDAP server.
- In the Password field, type the password used to establish a connection with the LDAP server.
- In the Search base field, type the point in the LDAP directory from which you want to begin searching for user information. This will usually be the lowest point in the directory advanced that contains user information. For example, you might type ou=Users,o=xyz.com. The user binding to the LDAP directory must have permissions to view the directory at this level.
- In the Username attribute field, type the attribute used to match usernames. This is usually cn or uid.
- Click the Test button for each server you specified in order to test the connection.
Complete the information listed under Group lookup:
- To enable group checking on this server, select the Use this authentication server to check group membership checkbox. When this checkbox is unchecked, the nested controls are disabled because they apply only to group checking behavior. This checkbox, when unselected, allows an authentication server for LDAP, AD, or AD-Advanced to be configured without enabling it for authorization checks. This improves efficiency by allowing better stacked/affinity authentication support.
- If you want the LDAP search to determine a user’s group membership by searching the group attribute in the user container, select the Find groups in which a user is a member checkbox and then type the Group attribute. This attribute is most often memberOf. Do not select this checkbox unless attribute-based groups are supported by and enabled on your LDAP server.
- If your LDAP server does not support attribute-based groups or you have not enabled this functionality, you can select the Look in static groups for user members checkbox; to specify the depth of the search (how many sub-groups to include in the search), enter a number in the Nested group lookup checkbox. Be aware that this type of search can take some time because it requires searching the entire LDAP advanced; enabling Cache group checking is highly recommended.
- To reduce the load on your directory and get better performance, cache the attribute group or static group search results. Select the Cache group checking checkbox and then specify a Cache lifetime, in seconds. The default value is 1800 seconds (30 minutes).
To secure the LDAP connection with SSL, complete the information under LDAP over SSL:
- To secure the LDAP connection with SSL, select the Use SSL to secure LDAP connection checkbox.
- View your certificate details and verify that the root certificate can be used by the appliance. See Importing CA Certificates for details.
- To configure the appliance to verify that the LDAP host name is the same as the name in the certificate presented by the LDAP server, select the Match certificate CN against LDAP server name checkbox. Typically, your server name will match the name specified in its digital certificate. If this is the case with your server, SonicWall recommends enabling this option in a production environment. This makes it more difficult for an unauthorized server to masquerade as your LDAP server if your digital certificate or DNS server is compromised.
Optionally, complete the information listed under Advanced.
- When an LDAP server cannot answer a client’s query, you can refer it to other LDAP servers by selecting the Enable LDAP referrals checkbox. Use caution when enabling this feature because it can slow down the authentication process. If you are configuring LDAP to authenticate against Microsoft Active Directory, you may want to disable this feature.
- In the Server timeout field, type the number of seconds to wait for a reply from the LDAP server. The default value is 60 (one minute).
- To change the prompts and other text that Windows users see when they log in to the authentication server, select the Customize authentication server prompts checkbox. The page title, message, and login prompts can all be customized. If users log in using a PIN as a password, for example, change the text for the Proof prompt from Password: to PIN: (a customized Message could explain how to retrieve a forgotten PIN).
- You can allow users to change their passwords (in WorkPlace only) by selecting Enable user-initiated password change. If a realm is configured with stacked authentication and requires two sets of username/password credentials, a user who changes his or her password will be changing the credentials for just the first of the two authentication servers.
- To allow the LDAP server to notify users that their passwords are going to expire, select the Notify user before password expires checkbox. To also permit them to change their passwords when prompted by the LDAP server, select the Allow user to change password when notified checkbox. The password prompt users see is controlled by the LDAP server.
- To enable NTLM authentication forwarding, click one of the Domain authentication forwarding options. For more information, see NTLM Authentication Forwarding.
To configure authentication that includes an OTP, enable Use one-time passwords with this authentication server.
1. To send OTP through Email/SMTP, you must configure the SMTP service. For more details, see Configuring SMTP to Deliver One-Time Passwords.
- Enter the number of characters for the OTP in the Password contains field. The default length is 6, the minimum is 4, and the maximum is 20.
- Select the type of characters in the OTP from the drop-down list. Select Alphabetic, Alphabetic and numeric, or Numeric.
- In the From address field, enter the email address from which the OTP will be sent.
- In the Primary email address attribute box, enter the directory attribute for the email address to which one-time passwords will be sent. If the primary attribute exists on the authentication server, it is used.
- The Secondary email address attribute, if specified, is used in addition to the primary email address. The OTP is sent to both addresses.
  
  To have OTPs sent as a text message (instead of an email message), enter the corresponding attribute name (for example, SMSphone instead of Mail or primaryEmail). See Configuring the AD or LDAP Directory Server for more information.
- In the Subject field, customize the subject line of the OTP email. You can use the replacement variable {password} to indicate a position in the subject line where the actual password will display.
- In the Body field, customize the body of the OTP message. Use the replacement variable {username} to indicate a position in the message where the user’s account name will display. Use the replacement variable {password} to indicate a position in the message where the actual password will display.
- To test delivery of an OTP to a user, enter the email address of the user who will receive the OTP into the Email address field and click the Send test message button. If the appliance is able to send the message, the status Message successfully sent is displayed below the button. Failure messages are also displayed below the button, such as errors connecting to the SMTP server, or errors communicating with the AD/LDAP server or looking up the specified user on the AD/LDAP server.
You can configure OTP to be delivered through SMS and Email or only through SMS or only through Email. Same OTP will be delivered through both the channels.
1. To send OTP through SMS, you must configure the SMS service. For more details, see Configuring an Authentication Server for email-basedOne-Time Passwords
- Enable Send password via text message using SMS option.
- Enter the number of characters for the OTP in the Password field. The default length is 6, the minimum is 4, and the maximum is 20.
- Select the type of characters in the OTP from the drop-down menu. Select Alphabetic, Alphabetic and numeric, or Numeric.
- Choose masking level of user phone number shown on authentication page after sending OTP. This helps the user to know to which number the OTP is being sent.
  - Choose Partial if only part of phone number should be displayed.
  - Choose None if whole phone number should be displayed.
  - Choose Full if no phone number should be displayed.
- In the Phone number attribute field, enter the directory attribute for the phone number to which one-time passwords will be sent.
- In the Message field, customize the body of the OTP message. Use the replacement variable {username} to indicate a position in the message where the user’s account name will display. Use the replacement variable {password} to indicate a position in the message where the actual password will display.
- To test delivery of an OTP to a user, enter the phone number of the user who will receive the OTP into the Phone number field and click the Send test message button. If the appliance is able to send the message, the status Message successfully sent is displayed below the button. Failure messages are also displayed below the button, such as errors connecting to the SMS gateway server.
- To use Time based OTP, you must enable “Use the configured TOTP service” under Authentication servers. For more details, see Configuring Time-Based One-Time Passwords Settings.
When you are upgrading from prior versions of SMA to 12.4, TOTP service and the configuration information is automatically moved from global configuration to authentication server.
- Select Use the configured TOTP service option. Password will be generated by the user on their application.
- In the Service name field, you can configure an individual name for authentication servers. This optional name will be displayed in the application along with the account name to differentiate the service from others that also use TOTP.
- If you want the user to deregister account, enable Allow user to deregister account. This will provide an option on workplace for user to deregister their account.
- Backup codes can be used when the user does not have access to their application. Available codes are displayed in WorkPlace. User can generate new codes when needed only once in 24 hours. To provide back up code option to users, enable Use back-up codes.
- You can configure list of networks where you can restrict registration of users from unauthenticated networks. Click + icon to configure the trusted networks that should be used by the users for the application based TOTP registration.
If you have not configured any trusted networks, TOTP account registration is allowed from any network.
Click Save.

< Prev Section

Next Section >

Secure Mobile Access 12.4 Administration Guide

Table of Contents

Configuring LDAP with Username and Password