Authentication Servers Management

Manage authentication servers from Configuration > Server > Authentication. Configured authentication servers can be used to authenticate or authorize users in an organization.
Refer to the section authentication domain for details.

By default, every organization has one built-in authentication server. It is also set as the default authentication and authorization server in that organization's authentication domain and should be updated as required.

HyWorks deployment supports the following types of authentication servers:

Multiple engines are available in HyWorks for authentication with AD and LDAP servers.

The HyWorks Controller also supports authentication and authorization using the LDAP directory searcher methods. This method will be beneficial in the following ways:

  1. Faster authentication and authorization of users

  2. Improved support for the configuration of the AD

  3. Better support for AD-supported special characters in the username, group names and OU names

  4. The Controller service does not get exhausted if running without a restart

The LDAP directory searcher method can be configured from the HyWorks Controller Management Console > Advance Configuration > Active directory options. Check the description of Active Directory options in this section.

  • Set as 6 to use the LDAP searcher

Add New Authentication Server

  1. Log in to the HyWorks Controller Management Console.

  2. Go to Configuration > Server > Authentication.

  3. Click Add to open Add Authentication Server dialog.

  4. For Microsoft Active Directory

    1. Select Server Type as Active Directory.
    2. Enter display name.

    3. Enter server IP address or FQDN, for example, 192.168.1.1 or accopsad.com.

    4. Enter Domain name which could be the NetBIOS Name for the domain (this domain name information will be used for signing into the remote sessions).

    5. Enter port number to be used to communicate with the authentication server (the default port number is 389).

    6. Enable SSL if the configured Active Directory supports secure communication.

    7. Enter Base DN information to fetch users, groups or OUs. All users, groups and OUs will be fetched if the Base DN information is not provided.

    8. Provide the Administrator credentials (domain user DN, username and password) with read and write access rights for user account management.

    9. Login Attribute: Specify which mapped field in HyWorks is to be used for user authentication. The username value entered by the user will be mapped to this field. Login Attribute can have the following settings:

      1. User Id: Map the username entered by the user with the User Id field of HyWorks.

      2. User Principal Name: Map username entered by the user with the User Principal Name field of HyWorks. HyWorks will form the User Principal Name using the following methods:

        1. A User logs on using only the username without a domain name: HyWorks will generate a UPN using the domain name configured in the authentication server configuration. For example, the user logs in using john.test => john.test@domain.com

        2. A User logs on using domain name\username: HyWorks will generate a UPN using the domain name and username provided by the user. For example, the user logs in using domain.com\john.test => john.test@domain.com

        3. A User logs on using the full UPN in the format username@domain-name: HyWorks will use credentials as provided. For example, a user logs in using john.test@domain.com => john.test@domain.com

      3. Mail Id: Map the username entered by the user with the Mail Id field of HyWorks

      4. Phone Number: Map the username entered by the user with the Phone Number field of HyWorks

    10. Log Attributes in the Log: Specify the AD attributes that will be logged in the logs along with each user login event. This field can be used to create additional information in the log file to generate a customer report.

    11. Skip Login Attribute Verification: When unchecked, all four underlying attributes are checked for presence in the AD while the AD is being configured. If checked and any attribute is found missing in the AD, an error will be reported upon user login. For example, if the "Phone Number" attribute is specified as the "telephoneNumber" AD attribute and this attribute does not exist in the AD, an error will be reported during login.

    12. Add Secondary authentication server: Add another authentication server. This server will be used in case the primary server is down.

  5. For OpenLDAP/ Novell eDirectory

    1. Select Server Type as Novell Directory/ OpenLDAP

    2. Enter Server IP address or FQDN, for example, 192.168.1.1 or accopsad.com

    3. Enter Domain name, which could be the NetBIOS Name for the domain (the information related to this domain name will be used for signing into the remote sessions)

    4. Enter port number to be used to communicate with the authentication server (the default port is 389)

    5. Enable SSL if the configured server supports secure communication.

    6. Enter Base DN information e.g. o=qa.

    7. Provide the Administrator credentials with read and write access rights for user account management

    8. Login Attribute: Specify which mapped field in HyWorks is to be used for user authentication. The username value entered by the user will be mapped to this field. Login Attribute can have the following settings:

      1. User Id: Map the username entered by the user with the User Id field of HyWorks

      2. User Principal Name: Map the username entered by the user with the User Principal Name field of HyWorks. HyWorks will form the User Principal Name using the following methods:

        1. A User logs on using only the username without the domain name: HyWorks will generate a UPN using the domain name configured in the authentication server configuration. For example, the user logs in using john.test => john.test@domain.com

        2. A User logs on using the domain name\username: HyWorks will generate UPN using domain name and username provided by the user. For example, the user logs in using the domain.com\john.test => john.test@domain.com

        3. A User logs on using the full UPN in the format username@domain-name: HyWorks will use the credentials as provided. For example, the user logs in using john.test@domain.com => john.test@domain.com

      3. Mail Id: Map the username entered by the user with the Mail Id field of HyWorks

      4. Phone Number: Map the username entered by the user with the Phone Number field of HyWorks

    9. Custom Filter: Provide a custom LDAP search filter to search for the user account and authenticate the user

    10. Log Attributes in Log: Specify the attributes that will be logged in the logs along with each user login event. This field can be used to create additional information in the log file to generate a customer report.

    11. Disable Password Management: Disable the Change Password function for the LDAP server

    12. Skip Login Attribute Verification: When enabled, ensure that all the attributes are present for the user upon logging on. In case any default search attribute is missing, an error is reported.

  6. Click Test Connection to check server reachability

  7. Once a message indicating a successful connection appears, click Add

The authentication server is configured and ready for use.
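
The following added example (not HyWorks code) applies the three User Principal Name rules from the Login Attribute step and builds an LDAP search filter of the kind the Custom Filter step takes, escaping filter metacharacters in the user-supplied value per RFC 4515. The attribute names other than telephoneNumber, the objectClass=user clause, and all function names are assumptions.

```python
# Added illustration, not HyWorks code. Attribute names other than
# telephoneNumber (named on the page) are assumed standard AD attributes.
LOGIN_ATTRIBUTES = {
    "User Id": "sAMAccountName",
    "User Principal Name": "userPrincipalName",
    "Mail Id": "mail",
    "Phone Number": "telephoneNumber",
}

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape per character so a backslash is never escaped twice."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def to_upn(login: str, configured_domain: str) -> str:
    """Form a UPN following the three documented logon cases."""
    if not login:
        raise ValueError("empty login")
    if "@" in login:                      # case 3: full UPN, used as provided
        return login
    if "\\" in login:                     # case 2: domain name\username
        domain, _, user = login.partition("\\")
        if not domain or not user:
            raise ValueError("malformed domain\\username login")
        return f"{user}@{domain}"
    return f"{login}@{configured_domain}"  # case 1: bare username


def build_user_filter(login: str, login_attribute: str, configured_domain: str) -> str:
    """Build the search filter for the selected Login Attribute."""
    attribute = LOGIN_ATTRIBUTES[login_attribute]
    value = login
    if login_attribute == "User Principal Name":
        value = to_upn(login, configured_domain)
    # (objectClass=user) is an assumed AD restriction, not taken from the page.
    return f"(&(objectClass=user)({attribute}={escape_filter_value(value)}))"


if __name__ == "__main__":
    # Constructed sample logins, including one with filter metacharacters.
    for sample in ("john.test", "domain.com\\john.test", "john.test@domain.com", "j*(test)"):
        print(build_user_filter(sample, "User Principal Name", "domain.com"))
```

A value such as `j*(test)` stays a literal username in the filter instead of changing the filter's structure, which is the property to check when testing a custom filter with names that contain special characters.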

Important

In HyWorks v3.3 or later, the Workgroup support has been removed. The built-in directory server can be used instead of the Workgroup; it is an improvement over the Workgroup authentication server.

Modify Authentication Server

The Administrator can modify a configured authentication server. But it's important to understand what information can be updated and the impacts of updating an existing Session Provider:

Modifiable Fields and Impact

The following fields in the authentication server configuration are modifiable and these fields are critical in the configuration. Any misconfiguration in one of these fields could lead to a failed deployment. The Administrator should be extra cautious while configuring these critical settings.

  • Address: Critical

  • Domain: Critical

  • Port Number: Critical

  • Enable SSL: Critical

  • Base DN: Critical

  • User DN: Critical

  • Username: Critical

  • Password: Critical

  • User Search Attribute: Critical

How to Modify a Configured Authentication Server

  1. Go to Configuration > Server > Authentication.

  2. Select the authentication server and click Edit.

  3. Update the required values.

  4. Click Test Connection to verify.

  5. Click Update to update the authentication server settings.

Delete Authentication Server

The built-in authentication server cannot be deleted. Only authentication servers that are configured by Administrators can be deleted, and only if they are not configured in a current or child organization's authentication domain.

To delete a configured authentication server, follow the steps listed below:

  1. Select the authentication server to be deleted and click Delete.

  2. Confirm and click Delete.

The authentication server will be deleted and will not be displayed in the Management Console.

Important

The current version of HyWorks does not delete any entitlements of the users upon removal of the authentication server configured as the authorization server; however, the users will not be able to authenticate unless the same authentication server is added again and configured as the authorization server.

Advanced Configurations

Advanced configurations can be configured from the HyWorks Controller Management Console > Advance Configuration. Refer to this section for a list of the configuration settings related to the authentication server with their descriptions and available options. Changing the values of these configuration settings changes the behavior of the authentication server.