
Authentication Domain

Overview

The authentication domain holds the authentication and authorization configuration applied to users logging in to the HySecure gateway.

The administrator can define authentication and authorization separately for multiple HySecure domains; each domain can have its own authentication and authorization (AA) scheme.

Important

An Authentication Domain becomes effective only when attached to a HySecure Domain to which a remote user would log on.

View Authentication Domains

The Authentication Domains page is where Authentication Domains configured in the system are managed, including the creation of new ones.

To get the list of configured Authentication Domains and manage them, perform the following steps:

  1. Log on to the Management console.

  2. Go to Settings > Authentication > Authentication Domains.

  3. All created authentication domains, including the default ones, are listed on this page in a table with the following information about each domain:

| Field | Description |
|---|---|
| Authentication Domain Name | Displays the Authentication Domain identifier. |
| Authentication Domain ID | Displays the system-generated Authentication Domain ID. |
| No. of Authentication Server | Displays the total number of Authentication Servers configured for this Authentication Domain. |
| No. of Authorization Server | Displays the total number of Authorization Servers configured for this Authentication Domain. |
| Self Service Portal status | Displays whether the Self Service Portal is enabled for this domain. |

Add Authentication Domain

  1. Log on to the Management console.

  2. Go to Settings > Authentication Domains and click Add.

Authentication Domain Name

The Authentication Domain Name is the unique identifier for the authentication domain.

Authentication Servers

Multiple Authentication Servers can be set in priority order for user authentication. The servers are tried in that order; once a server authenticates the user, the remaining servers in the list are not checked.

Note

A maximum of five authentication servers can be configured in the priority order.

Server at Priority 1:
  a) Anonymous: If Anonymous is selected for Server at Priority 1, the user logs in to the HySecure domain without entering a username or password; the username is taken from the list of created anonymous users. With the Anonymous configuration, the Authorization Server is the same as the Authentication Server.
  b) Native: The user is authenticated against the local user list.
  c) Configured Servers: The configured AD/LDAP servers are listed here, and any one of them can be used.
  Click Add another Authentication Server to add a server at the next priority level.

Server at Priority 2 to Server at Priority 5:
  a) Native: The user is authenticated against the local user list.
  b) Configured Servers: The configured AD/LDAP servers are listed here, and any one of them can be used.
  Click Add another Authentication Server to add a server at the next priority level. No further server can be added beyond priority level 5.

An Authorization Server can also be used for authentication; it is then tried after the prioritized list of Authentication Servers. To do this, check Enable additional authentication next to the Authorization Server and select a server name.

Authorization Servers

A maximum of two authorization servers can be configured, in priority order. Each authorization server is selected from the following values:

Authorization Server 1:
  a) Same as Authentication Server: Authorization is performed by the same Authentication Server that authenticated the user.
  b) Native: The user is authorized against the local user database.
  c) Configured Servers: The configured AD/LDAP servers are listed here, and any one of them can be used for authorization.

Authorization Server 2:
  a) Same as Authentication Server: Authorization is performed by the same Authentication Server that authenticated the user.
  b) Native: The user is authorized against the local user database.
  c) Configured Servers: The configured AD/LDAP servers are listed here, and any one of them can be used for authorization.

Anonymous Users

If Anonymous is set as the Server at Priority 1 under Authentication Servers, create the anonymous users by specifying username and password prefixes and suffixes. The number of users created depends on the concurrent user license.

| Field | Description |
|---|---|
| Username prefix | Enter the username prefix to be used. |
| Username suffix | Enter the username suffix to be used. |
| Password prefix | Enter the password prefix to be used. |
| Password suffix | Enter the password suffix to be used. |

For example, if the username prefix is Prefix and the username suffix is Suffix, clicking the Create Users button generates usernames from Prefix00000Suffix to Prefix00004Suffix, assuming a 5-user license. The corresponding passwords are generated in the same way from the password prefix and suffix.
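The following is an added simulation, not HySecure code, of the behaviour described under Authentication Servers, Authorization Servers and Anonymous Users above: servers tried in priority order with the first success ending the search, "Same as Authentication Server" resolved to whichever server accepted the user, and the anonymous naming scheme from the page's example. The user stores and server names are constructed for the demonstration.

```python
"""Simulation of an Authentication Domain's server chain (added example, not product code)."""
import hmac

MAX_AUTH_SERVERS = 5    # page: at most five Authentication Servers
MAX_AUTHZ_SERVERS = 2   # page: at most two Authorization Servers

# Constructed sample stores; a real deployment never keeps plaintext passwords like this.
NATIVE_USERS = {"alice": "local-pw", "bob": "stale-local-pw"}
AD_SERVERS = {"ad-corp": {"bob": "ad-pw"}, "ldap-lab": {"carol": "lab-pw"}}


def anonymous_usernames(prefix, suffix, licensed_users):
    """Page example: Prefix00000Suffix .. Prefix00004Suffix for a 5-user licence."""
    return [f"{prefix}{i:05d}{suffix}" for i in range(licensed_users)]


def make_server(kind, name=None, prefix="", suffix="", licence=0):
    """Return (label, check) where check(username, password) -> bool."""
    if kind == "anonymous":
        allowed = set(anonymous_usernames(prefix, suffix, licence))
        return "anonymous", lambda u, p: u in allowed          # no password is checked
    store = NATIVE_USERS if kind == "native" else AD_SERVERS[name]
    label = "native" if kind == "native" else name
    return label, lambda u, p: u in store and hmac.compare_digest(store[u], p)


def authenticate(auth_servers, username, password):
    """Walk the priority list; the first server that accepts the user ends the search."""
    if not 1 <= len(auth_servers) <= MAX_AUTH_SERVERS:
        raise ValueError("between 1 and 5 authentication servers are allowed")
    for label, check in auth_servers:
        if check(username, password):
            return label                 # later servers are never consulted
    return None


def authorize(authz_servers, auth_label):
    """Resolve 'same' (Same as Authentication Server) to the server that authenticated the user."""
    if not 1 <= len(authz_servers) <= MAX_AUTHZ_SERVERS:
        raise ValueError("between 1 and 2 authorization servers are allowed")
    return [auth_label if s == "same" else s for s in authz_servers]


if __name__ == "__main__":
    chain = [make_server("native"), make_server("ad", "ad-corp")]
    # bob has a stale Native entry at priority 1 and an AD account at priority 2:
    # both passwords are accepted, so the forgotten local account is a second valid credential.
    print(authenticate(chain, "bob", "stale-local-pw"))   # native
    print(authenticate(chain, "bob", "ad-pw"))            # ad-corp
    print(authorize(["same", "native"], "ad-corp"))       # ['ad-corp', 'native']
```

The point to take from the run is that a stale Native account placed ahead of the directory server stays usable for as long as it exists, so the local user list deserves the same review as the directory.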

Self Service Portal

If an Authentication Server option is selected for authentication, the Self Service Portal can be enabled. Authenticated HySecure users can then manage and reset their AD password through the forgot password link without administrator intervention. The administrator controls how users must prove their identity before a password reset, using PIN authentication, security questions, email/mobile verification and OTP.

Enable Self Service Portal

Prerequisites

  • To change a user password from HySecure, the Active Directory Certificate Services (ADCS) role must be installed in the AD environment (it issues the certificate the domain controller needs to serve LDAPS).
  • Port 636 (LDAPS) on the Active Directory server must be open and reachable from HySecure, and the Authentication Server entry on the HySecure gateway must be configured to use it.
  • The Admin Bind user must have delegated rights in AD to change user passwords via the HySecure gateway.
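The second prerequisite is the one most often found broken after the fact (firewall rule missing, or port 636 open but no LDAPS certificate bound on the domain controller). The check below is an added example, not part of HySecure, that a practitioner can run from the gateway's network to verify reachability and the certificate together; the domain controller name is a placeholder.

```python
"""Pre-check for the LDAPS prerequisite (added example, not product code):
TCP port 636 reachable, TLS handshake completes, certificate trusted and valid for the host."""
import socket
import ssl


def check_ldaps(host, port=636, timeout=3.0, cafile=None):
    """Return (ok, detail). ok is True only if connect, handshake and certificate validation all pass.
    cafile: PEM bundle holding the AD CA (for example the ADCS root) when it is not in the system store."""
    ctx = ssl.create_default_context(cafile=cafile)      # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"LDAPS OK: {tls.version()}, certificate expires {cert['notAfter']}"
    except ssl.SSLCertVerificationError as e:
        # The port answers TLS, but the certificate is untrusted, expired or issued for another name.
        return False, f"certificate rejected: {e.verify_message}"
    except ssl.SSLError as e:
        # Port open but no TLS: typically LDAPS is not enabled (no certificate bound) on the DC.
        return False, f"TLS handshake failed on {host}:{port}: {e}"
    except OSError as e:
        # Refused, timed out or unresolvable: firewall or DNS problem between gateway and DC.
        return False, f"port {port} on {host} not reachable: {e}"


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"   # placeholder DC name
    ok, detail = check_ldaps(dc)
    print(("PASS " if ok else "FAIL ") + detail)
    sys.exit(0 if ok else 1)
```

Run it with the domain controller name as the first argument; a non-zero exit code means the Self Service Portal cannot reset AD passwords until the reported problem is fixed.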

The Self Service Portal can be enabled for an Authentication Domain so that users authenticated and authorized by that domain's configured Authentication and Authorization Servers can create their profiles and manage their AD passwords.

Basic Configuration

| Field | Description |
|---|---|
| Enable Forgot Password | Users who forget their password can reset it through the Portal after authenticating to it. |
| Enable Unlock Account in AD/Native Server | Lets users unlock their AD or Native account without administrator intervention. A user account represents a user in an information system and holds personal information (such as username and password), security information and access-related information. |
| Enable Unlock Profile | Lets users unlock their Self Service Portal profile without administrator intervention. A user profile is the set of customized settings that dictate how an endpoint applies the chosen options; each user account has at least one user profile associated with it. |
| Enable SSL Certificate Reset | Allows certificate users to reset their passphrase after authenticating to the Self Service Portal. |
| Enable Forced Enrollment | Makes enrollment with the Self Service Portal mandatory. |
| Account Lockout on number of failed attempts | If the user fails to authenticate the configured number of times, the profile is locked automatically. |
| Account Lockout Time | Choose how long the profile stays locked after the failed attempts. |

Email Address or Mobile Number Source

| Field | Description |
|---|---|
| Ask from user | At enrollment, the user is prompted to provide an email address and mobile number. |
| Use directory server | If selected, the user's email address and mobile number are fetched from a directory server. |
| Select directory server | Select the configured Directory Server from which to fetch email addresses and mobile numbers. |

Authentication Method

| Field | Description |
|---|---|
| Enable Pin | The Self Service Portal prompts the user to enter a PIN during enrollment and authentication. |
| Enable One Time Password Verification | The Self Service Portal prompts the user for a One-Time Password (OTP) to authenticate. |
| Select OTP Type | Choose the OTP type used to access the Self Service Portal. |
| Select OTP expiry time | Choose the OTP expiry time from the drop-down list. |
| Select maximum OTP send attempts | Set the maximum number of OTP attempts allowed. |
| Select OTP sending cool off time | Choose how long a user must wait before new OTPs are generated after the maximum number of failed attempts. |
| Enable Email Verification | If enabled, an email address is required for Self Service Portal enrollment. |
| Enable Phone Number Verification | Users must provide their mobile number to enroll and authenticate with the Self Service Portal. |
| Enable Security Question Verification | Enables security questions for enrolling and authenticating with the Self Service Portal. |

Modify Authentication Domain

Select the domain, click Modify, edit details, and click Submit.

Delete Authentication Domain

To delete domains, select them on the Authentication Domain page and click Delete.