Active Directory Authentication
The Active Directory Authentication application allows the Crystal Eye appliance to be integrated with an Active Directory Server. The integration procedure makes things convenient as it eliminates any possible requirements of re-creating AD server users in the Crystal Eye appliance. This essentially means that once the synchronization process is done, the CE appliance grabs the users created in the AD server. In addition, the CE administrator can provide the user admin privileges, VPN access, web proxy access, and access to user certificates directly from the AD server further lessening the burden of redoing it in the Crystal Eye appliance.
The synchronization process involves entering some vital AD server details in Crystal Eye’s Active Directory Authentication application such as, Netbios Domain, Windows Domain, Domain Controller FQDN, and Domain Controller IP. Upon entering the above mentioned details in the CE the users created in the AD server auto-syncs with CE and gets displayed in the Accounts application under System Configuration.
Why Use the Active Directory Authentication Application?
- It reduces the administrative burden of re-creating users in the CE appliance which have already been created in the AD server.
- It enables Crystal Eye administrators to assign users created in the AD server to explicitly have admin privileges, VPN access, web proxy access and user certificate access.
Left-hand Navigation Panel > System Configuration > Account Manager > Active Directory Authentication |
|---|
The Active Directory Authentication application authenticates users and groups created in the AD and display’s them in the Accounts application of the Crystal Eye appliance. However, CE administrators can assign specific roles to the AD users before they are synced with the Crystal Eye appliance.
The following roles can be assigned to AD users:
- Provide admin privileges
- Provide VPN access
- Provide web proxy access
- Provide access to user certificates
In order to assign the above mentioned roles the CE administrator would have to create four groups in the active directory server and name them rp_admin_group, web_proxy_plugin, openvpn_plugin, and user_certificates_plugin. Post this; users must be placed in the relevant groups based on the roles decided for them. For example, if a user is required to be given admin privileges in CE then the user must be aligned with rp_admin_group. Likewise, the user must be added to AD groups such as web_proxy_plugin, openvpn_plugin and user_certificates_plugin if there is a requirement to provide them with VPN access, web proxy access and access to user certificates.
How to Sync the default user groups created in the active directory server with CE?
Step 1: Create 4 user groups in the AD server namely, rp_admin_group, web_proxy_plugin, openvpn_plugin and user_certificates_plugin. Add the desired users to these groups.
Note: Please make sure that users requiring admin access are added to rp_admin_group and similarly users requiring web proxy, vpn and user certificate access are added to groups named as web_proxy_plugin, openvpn_plugin and user_certificates_plugin.
Step 2: Sync the Crystal Eye appliance with the active directory server.
Note: Refer to “Synchronizing AD server with CE” to know how to go about the settings required to sync the Crystal Eye appliance with the active directory server.
Step 3: You will now be able to view the synced groups in the Plugins section of the Accounts application.
Note: To go to Accounts application, in the Left-hand Navigation Panel, click System Configuration > Accounts Manager > Accounts
Step 4: To view the users under each group, click the App Policy button next to the groups under the Plugins section of the Accounts application.
Note: To view the admin users go to Left-hand navigation panel > System Configurations > Account Roles
In order to sync Active Directory server with the Crystal Eye appliance, the CE administrator must enter AD server details such as Netbios Domain, Windows Domain, Domain Controller FQDN, Domain Controller IP, and the AD server user credentials. Once the AD server details are verified by the CE, it would trigger the initiation of the synchronization process and the CE would then finally sync with the AD server.
How to enter active directory settings details?
Step 1: In the Active Directory Authentication application page, click the Enable button. 
Note: After Active Directory application is enabled, you would see that the app status would change to “Active Directory Authentication is Enabled”.
Step 2: In the Active Directory Authentication application page, enter the Netbios Domain in the textbox under the Active Directory Settings section.
Note: To know the Netbios Domain go to Active Directory Users and Computers. You will find the Windows Domain on the left pane. Right click on it and select Properties. The Properties pop-up will then pop out. The Netbios domain will be mentioned in the Domain name (pre-Windows 2000) textbox (Refer to the screenshot below).
Step 3: Enter the Windows Domain in the textbox.
Note: To know the Windows Domain, go to Control Panel > System & Security > System. You will then see the Windows Domain (refer to the screenshot below).
Step 4: Enter the Domain Controller FQDN in the textbox. 
Note: To know the Domain Controller FQDN go to Control Panel > System and Security > System. You will see the Domain Controller FQDN under Full Computer Name (refer to the screenshot below). 
Step 5: Enter the Domain Controller IP.
Note: To know the Domain Controller IP, click all servers in the left pane. You will find the Domain Controller IP address under the Servers section. 
Step 6: Enter the Username and Password in the textbox and click the Save button.
Step 7: You will now see the connection status message. Click the Active Directory Authentication button.
The Crystal Eye appliance can be integrated with a Microsoft Active Directory server to assign CE web proxy policies to AD users.
This feature allows Crystal Eye administrators to assign authentication based Explicit web proxy policies to AD users. This also means that when the users access their browsers in the Crystal Eye network through their devices they will be prompted to authenticate via AD user credentials. The user will be assigned the web proxy policy once the username and password is fed in.
Access the knowledge base article below to know how to assign authentication based Explicit web proxy policies to AD users after syncing with the the Crystal Eye appliance:
How to Assign Explicit Web Proxy Policies to Active Directory Users Synced with the CE appliance?