How do I configure the Backup Server to use Active Directory or LDAP authentication
NovaBACKUP xSP / Remote Workforce
BackupServer.ini
Section: [Configuration]

Key: Authentication
Description: Authentication Type
Possible values: NT-PDC, NT-LOCAL, LDAP, NNW-Authentication, OFF

Key: LDAP Address
Description: Required if using LDAP Authentication

Key: LDAP Port
Description: Required if using LDAP Authentication
Default Value: 389

Key: LDAP Base DN
Description: Required if using LDAP Authentication

Key: LDAP Authentication DN

Key: LDAP Auth Password

Key: ActivDir2000Mode
Description: Should be set to 1 if the LDAP Server is a Windows 2000 Server with Active Directory Services.
Possible values: 0 - Off, 1 - On
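As an added example (not part of this article or of NovaBACKUP itself), the following Python script checks a BackupServer.ini [Configuration] section against the key reference above: it verifies that Authentication holds one of the listed values and, for LDAP, that the required LDAP keys are present and sane. The host, DN and password values in the sample fragment are constructed placeholders.

```python
import configparser

# Constructed sample BackupServer.ini fragment (placeholder values, not a real deployment).
SAMPLE_INI = """
[Configuration]
Authentication=LDAP
LDAP Address=dc01.example.local
LDAP Port=389
LDAP Base DN=CN=Users,DC=example,DC=local
LDAP Authentication DN=CN=backupsvc,CN=Users,DC=example,DC=local
LDAP Auth Password=placeholder-password
ActivDir2000Mode=1
"""

VALID_AUTH = {"NT-PDC", "NT-LOCAL", "LDAP", "NNW-Authentication", "OFF"}
# Keys the article marks "Required if using LDAP Authentication"; LDAP Port falls back to 389.
LDAP_REQUIRED = ("LDAP Address", "LDAP Base DN")


def check_backup_server_ini(text):
    """Return a list of problems found in [Configuration]; an empty list means the file is consistent."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation, passwords may contain it
    cp.optionxform = str  # keep key names exactly as written (e.g. "LDAP Base DN")
    cp.read_string(text)
    if not cp.has_section("Configuration"):
        return ["missing [Configuration] section"]
    cfg = cp["Configuration"]
    problems = []
    auth = cfg.get("Authentication", "").strip()
    if auth not in VALID_AUTH:
        problems.append(f"Authentication={auth!r} is not one of {sorted(VALID_AUTH)}")
    if auth != "LDAP":
        return problems
    for key in LDAP_REQUIRED:
        if not cfg.get(key, "").strip():
            problems.append(f"{key} is required when Authentication=LDAP")
    port = cfg.get("LDAP Port", "").strip() or "389"  # article default value
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"LDAP Port={port!r} is not a valid TCP port")
    mode = cfg.get("ActivDir2000Mode", "0").strip()
    if mode not in ("0", "1"):
        problems.append(f"ActivDir2000Mode={mode!r} must be 0 (off) or 1 (on)")
    # A bind DN without a password (or vice versa) cannot be used for a non-anonymous query.
    has_dn = bool(cfg.get("LDAP Authentication DN", "").strip())
    has_pw = bool(cfg.get("LDAP Auth Password", "").strip())
    if has_dn != has_pw:
        problems.append("LDAP Authentication DN and LDAP Auth Password must be set together")
    return problems
```

Run the check on the real BackupServer.ini before restarting the service, so that a missing Base DN or a mistyped ActivDir2000Mode value is caught before clients start failing to authenticate.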
User Authentication
Since the Backup Server is highly integrated with the Windows security model, it performs client authentication through Windows 2000/2003, a Microsoft Site Server Membership Directory or a standard LDAP database (including Windows Active Directory).
For Windows Authentication, users can be authenticated on the local Windows system (workstation or stand-alone server) or the Windows Primary Domain Controller for the domain specified in the Windows server installation. Windows authentication is achieved using the challenge/response method (commonly referred to as NTLM), which is the most secure method of authenticating users.
For Membership Authentication, users can be authenticated using the clear-text/basic method or the challenge/response method (commonly referred to as DPA). The clear-text/basic method is the common method for authenticating users against the Membership Directory.
For LDAP authentication, users must supply a username and password to be authenticated against an LDAP database. Therefore, existing credentials may not be used with this authentication method.
NOTE:
If LDAP authentication uses Windows Active Directory, the Backup Server makes anonymous queries to Active Directory, so you must grant the Everyone group read access to the user objects it will query. The steps below grant only Read General Information on User objects in the chosen container, not read access to the whole directory.
To enable anonymous access:
- In the Active Directory Users and Computers console, if Advanced Features is not enabled, on the View menu, click Advanced Features.
- Right-click the container to which you want to provide anonymous access (e.g. Users).
- Click Properties, click the Security tab, and then click Advanced.
- In the Permission Entries box, if the Everyone group is not listed, click Add. In the Name column, click Everyone, and then click OK.
- In the Permission Entry for Everyone, click View/Edit, and then click the Properties tab.
- In the Apply Onto list, click User objects.
- In the Permissions list, in the Allow column, click Read General Information, and then click OK.
- On every security warning message that appears (if any), click Yes.
- In the Access Control Settings dialog box, click OK.
Note: All user accounts should have "Allow inheritable permissions from parent to propagate to this object" checked (Security tab).
Authentication options
This indicates how Backup Clients are authenticated when they connect to the Backup Server. The Backup Server is highly integrated with the Windows security model. The choices are:
Use Windows Local Authentication
If this option is selected, authentication will be performed against the Windows User Accounts Database on the local server. This is achieved through a Challenge/Response mechanism often referred to as NTLM (Windows NT LAN Manager) authentication. This type of authentication will attempt to use the current Windows logon credentials before requiring that a password be entered.
Use Windows Domain Authentication
If this option is selected, authentication will be performed against the Windows User Accounts Database on the Primary Domain Controller. This is achieved through a Challenge/Response mechanism often referred to as NTLM (Windows NT LAN Manager) authentication. This type of authentication will attempt to use the current Windows logon credentials for the domain before requiring that a password be entered.
Use Membership Authentication (Clear-text/Basic)
If this option is selected, authentication will be performed against the Microsoft Site Server Membership Directory. In this authentication method, the client always sends the supplied credentials (user name and password) to the server. The credentials are always transmitted in an encrypted manner. This is the most common method used for authenticating users against the Membership Directory.
Use Membership Authentication (Challenge/Response)
If this option is selected, authentication will be performed against the Microsoft Site Server Membership Directory. This is achieved through a Challenge/Response mechanism often referred to as DPA (Distributed Password Authentication). This type of authentication will attempt to use the current Windows logon credentials before requiring that a password be entered.
LDAP Authentication
If this option is selected, authentication will be performed against a standard LDAP database (including Windows 2000 Active Directory). The LDAP server address and port number must be configured, along with the base distinguished name that the LDAP database will be searched against. This type of authentication requires that a specific username and password be supplied.
Backup Server User Account Configuration
When setting up user accounts on the Storage Server with Windows Authentication, you do not need to specify a password for the account, as the password is referenced from the domain.