To manage the Authentication Servers, navigate to Settings > Configure > Authentication.
Configured authentication servers can be used to authenticate or authorize users in an organization. Refer to the authentication domain section for more details.
By default, every organization has one built-in authentication server.
This built-in server is also set as the default authentication and authorization server in the organization's authentication domain and should be updated as required.
HyWorks deployment supports the following types of authentication servers:
- Microsoft Active Directory
- OpenLDAP/Novell eDirectory
- Built-in Database
Multiple engines are available in HyWorks for communication with AD and LDAP servers.
The HyWorks Controller also supports authentication and authorization using the LDAP directory searcher methods. This method is beneficial in the following ways:
- Faster authentication and authorization of users.
- Improved support for the configuration of the AD.
- Better support for AD-supported special characters in usernames, group names, and OU names.
- The Controller service does not get exhausted when running for a long time without a restart.
The LDAP directory searcher method can be configured from the HyWorks Controller Management Console > Settings > General > Advance Configuration > Active Directory options. Check the description of the Active Directory options in the Authentication section.
- Set the value to six (6) to use the LDAP searcher.
- LDAP Searcher (option 6) is the default engine for HyWorks Controllers.
Add New Authentication Server
- Log in to the HyWorks Controller Management Console.
- Navigate to Settings > Configure > Authentication.
- Click Add to open the Add Authentication Server dialog.
- For Microsoft Active Directory:
  - Select Server Type as Active Directory.
  - Enter the display name.
  - Enter the server IP address or FQDN, for example, 192.168.1.1 or exampledc.com.
  - Enter the Domain name, which can be the NetBIOS name of the domain (this domain name is used to sign in to remote sessions).
  - Enter the port number used to communicate with the authentication server (the default is 389).
  - Enable SSL if the configured Active Directory supports secure communication.
  - Enter the Base DN used to fetch users, groups, or OUs. If no Base DN is provided, all users, groups, and OUs are fetched.
  - Provide the Administrator credentials (domain user DN, username, and password) with read and write access rights for user account management.
  - Login Attribute: Specify which HyWorks field to use for user authentication. The username the user enters is mapped to this field. Login Attribute can have the following settings:
    - User Id: Map the username entered by the user to the User Id field of HyWorks.
    - User Principal Name: Map the username entered by the user to the User Principal Name field of HyWorks. HyWorks forms the User Principal Name as follows:
      - The user logs on with only the username, without a domain name: HyWorks generates a UPN using the domain name configured in the authentication server. For example, a user logging in as john.test => john.test@domain.com
      - The user logs on as domain name\username: HyWorks generates a UPN from the domain name and username provided by the user. For example, a user logging in as domain.com\john.test => john.test@domain.com
      - The user logs on with the full UPN in the format username@domain-name: HyWorks uses the credentials as provided. For example, a user logging in as john.test@domain.com => john.test@domain.com
    - Mail Id: Map the username entered by the user to the Mail Id field of HyWorks.
    - Phone Number: Map the username entered by the user to the Phone Number field of HyWorks.
  - Log Attributes in the Log: Specify the AD attributes to log with each user login event. This field can be used to add information to the log file for generating a customer report.
  - Skip Login Attribute Verification: When unchecked, all four underlying attributes are checked in AD during AD configuration, whether or not they are present. When checked, the check is skipped, and an error is reported at user login if any attribute is missing in AD. For example, if the "Phone Number" attribute is mapped to the "telephoneNumber" AD attribute and that attribute does not exist in AD, an error is reported during login.
  - Add Secondary authentication server: Add another authentication server, which is used if the primary server is down.
- For OpenLDAP/Novell eDirectory:
  - Select Server Type as Novell Directory/OpenLDAP.
  - Enter the server IP address or FQDN, for example, 192.168.1.1 or exampledc.com.
  - Enter the Domain name, which can be the NetBIOS name of the domain (this domain name is used to sign in to remote sessions).
  - Enter the port used to communicate with the authentication server (the default is 389).
  - Enable SSL if the configured server supports secure communication.
  - Enter the Base DN, e.g., o=qa.
  - Provide the Administrator credentials with read and write access rights for user account management.
  - Login Attribute: Specify which HyWorks field to use for user authentication. The username the user enters is mapped to this field. Login Attribute can have the following settings:
    - User Id: Map the username entered by the user to the User Id field of HyWorks.
    - User Principal Name: Map the username entered by the user to the User Principal Name field of HyWorks. HyWorks forms the User Principal Name as follows:
      - The user logs on with only the username, without a domain name: HyWorks generates a UPN using the domain name configured in the authentication server configuration. For example, a user logging in as john.test => john.test@domain.com
      - The user logs on as domain name\username: HyWorks generates a UPN from the domain name and username provided by the user. For example, a user logging in as domain.com\john.test => john.test@domain.com
      - The user logs on with the full UPN in the format username@domain-name: HyWorks uses the credentials as provided. For example, a user logging in as john.test@domain.com => john.test@domain.com
    - Mail Id: Map the username entered by the user to the Mail Id field of HyWorks.
    - Phone Number: Map the username entered by the user to the Phone Number field of HyWorks.
  - Custom Filter: Provide a custom LDAP search filter used to search for the user account and authenticate the user.
  - Log Attributes in Log: Specify the attributes to log with each user login event. This field can be used to add information to the log file for generating a customer report.
  - Disable Password Management: Disable the Change Password function for the LDAP server.
  - Skip Login Attribute Verification: When enabled, verifies that all the attributes are present for the user at logon; if any default search attribute is missing, an error is reported.
- For HyID as an Auth configuration: Follow the detailed step-by-step process in the HyID as Auth document.
- Click Test Connection to check server reachability.
- Once a message indicating a successful connection appears, click Add.

The authentication server is configured and ready for use.
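The Login Attribute steps above (for both Active Directory and OpenLDAP/Novell eDirectory) describe how a typed login is turned into a User Principal Name, and the Custom Filter option shows that the resulting value ends up inside an LDAP search filter. The example below, added here and not HyWorks code, implements that normalisation for the three input shapes the page lists and then builds the lookup filter with RFC 4515 escaping, so that a login containing `*`, `(` or `)` is matched literally rather than widening the search. The mapping of Login Attribute choices to directory attribute names (`sAMAccountName`, `userPrincipalName`, `mail`, `telephoneNumber`) and the `objectClass=user` term are assumptions for illustration; only `telephoneNumber` is mentioned on the page.

```python
"""Added example (not HyWorks code): normalise a typed login to a UPN as the
page describes, then build an escaped LDAP search filter for the chosen
Login Attribute.  Attribute names and objectClass are assumptions."""

# Assumed mapping of HyWorks Login Attribute choices to directory attributes.
LOGIN_ATTRIBUTES = {
    "User Id": "sAMAccountName",
    "User Principal Name": "userPrincipalName",
    "Mail Id": "mail",
    "Phone Number": "telephoneNumber",
}

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def to_upn(login: str, configured_domain: str) -> str:
    """Return the UPN formed from what the user typed.

    Three input shapes, following the page:
      john.test             -> john.test@<configured domain>
      domain.com\\john.test -> john.test@domain.com
      john.test@domain.com  -> unchanged
    A login mixing both separators is ambiguous and rejected.
    """
    login = login.strip()
    if not login:
        raise ValueError("empty login")
    has_at, has_backslash = "@" in login, "\\" in login
    if has_at and has_backslash:
        raise ValueError("login mixes DOMAIN\\user and user@domain forms")
    if has_at:
        user, _, domain = login.rpartition("@")
        if not user or not domain:
            raise ValueError("malformed UPN")
        return login
    if has_backslash:
        domain, _, user = login.partition("\\")
        if not user or not domain:
            raise ValueError("malformed DOMAIN\\user login")
        return f"{user}@{domain}"
    return f"{login}@{configured_domain}"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login such as '*' or 'x)(objectClass=*' would change
    the structure of the filter instead of being matched as a literal.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_attribute: str, login: str,
                       configured_domain: str,
                       object_class: str = "user") -> str:
    """Build the filter that should match exactly one account for `login`.

    For the User Principal Name attribute the login is normalised first; for
    the other attributes it is matched as typed.  `object_class` defaults to
    the AD value; an OpenLDAP deployment would use e.g. inetOrgPerson (both
    are assumptions, not taken from the page).
    """
    attr = LOGIN_ATTRIBUTES[login_attribute]
    value = login
    if login_attribute == "User Principal Name":
        value = to_upn(login, configured_domain)
    return f"(&(objectClass={object_class})({attr}={escape_filter_value(value)}))"


if __name__ == "__main__":
    # Constructed sample logins covering the three shapes on the page.
    for typed in ("john.test", "domain.com\\john.test", "john.test@domain.com"):
        print(f"{typed:24} -> {to_upn(typed, 'domain.com')}")
    # A hostile-looking login stays a literal match after escaping.
    print(user_search_filter("User Id", "jo*)(objectClass=*", "domain.com"))
```

The same escaping applies to any value an administrator substitutes into a Custom Filter; a filter that interpolates the raw login without it is the classic LDAP injection pattern, and the escaped form is what keeps the lookup bound to a single account.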
Important
In HyWorks v3.3 or later, Workgroup support has been removed. The [Built-in](built_in_directory_server.md) directory server can be used instead of the Workgroup; it offers improvements over the Workgroup authentication server.
Modify Authentication Server
The Administrator can modify a configured authentication server, but it is important to understand which information can be updated and the impact of updating an existing authentication server:
Modifiable Fields and Impact
The following fields in the authentication server configuration are modifiable and critical to the configuration. A misconfiguration in any of them can lead to a failed deployment, so the Administrator should be extra cautious when changing these critical settings.
- Address: Critical
- Domain: Critical
- Port Number: Critical
- Enable SSL: Critical
- Base DN: Critical
- User DN: Critical
- Username: Critical
- Password: Critical
- User Search Attribute: Critical
How to Modify a Configured Authentication Server
- Navigate to Settings > Configure > Authentication.
- Select the authentication server and click Edit.
- Update the required values.
- Click Test Connection to verify.
- Click Update to save the authentication server settings.
Delete Authentication Server
The built-in authentication server cannot be deleted. Only authentication servers configured by Administrators can be deleted, and only if they are not used in a current or child organization's authentication domain.
To delete a configured authentication server, follow the steps listed below:
- Select the authentication server to delete, then click Delete.
- Confirm and click Delete.
The authentication server will be deleted and will no longer appear in the Management Console.
Important
The current version of HyWorks does not delete any entitlements of the users upon removal of the authentication server configured as the authorization server; however, the users will not be able to authenticate unless the same authentication server is added again and configured as the authorization server.
Advanced Configurations
Advanced configurations can be set up in the HyWorks Controller Management Console > Advance Configuration. Refer to that section for the list of configuration settings for the authentication server, including their descriptions and available options. Changing these settings alters the behavior of the authentication server.