5.5 Configuring in AD LDS Environment

The instructions in this section apply to an ADAM instance that is stored and administered on a server separate from the Active Directory domain controller. Follow the same instructions even if your configuration hosts the ADAM instance on the Active Directory server itself.

Active Directory and AD LDS instance

SecureLogin supports deployment in an AD LDS instance. Active Directory is responsible for network authentication, while AD LDS is responsible for storing and providing the SecureLogin configuration data, settings, policies, and application definitions. For example, when a user logs in to the network and authenticates successfully to Active Directory, the user can then access AD LDS for the user's single sign-on data.

For more information on AD LDS, see the Microsoft website.

You can download the ADAM application from the Microsoft website.

Also read the ADAM release notes from the ADAM Service Pack 1 available at the Microsoft Knowledge Base article KB902838.

The following sections describe the tasks involved in configuring SecureLogin in an ADAM environment:

5.5.1 Creating a Network Service Account and Assigning Permissions

A service account is a user account that is created explicitly to provide a security context for services running on Microsoft Windows Server 2003. Application pools use service accounts to assign permissions to Web sites and applications running on Internet Information Services (IIS). You can manage service accounts individually to determine the level of access for each application pool in a distributed environment.

Creating a Network Service Account enables the ADAM instance. To create a Network Service Account:

  1. Click Start > All Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers page is displayed.

  2. Select View > Advanced Features. The Advanced Features option is enabled by default.

  3. Select the Domain Controllers folder and locate the Domain Controller of your single sign-on enabled domain.

  4. Right-click the Domain Controller and select Properties. The [Domain] Properties page is displayed.

  5. Select the Security tab.

    If the Network Service account is not on the list of Group or user names, add it.

  6. Select the Network Service account.

  7. In the Permissions for Administrators section, select Allow for Create All Child Objects.

  8. In the Permissions for Administrators section, select Allow for Delete All Child Objects.

    NOTE: Selecting Delete All Child Objects has no effect on SecureLogin itself, but it allows the ADAM instance to be cleaned up properly when it is uninstalled.

  9. Click OK to close the [Domain] Properties dialog box.
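The following PowerShell function is an added example, not part of the SecureLogin documentation or product. It reads the ACL of the domain controller object that steps 4 to 9 modify and reports whether NT AUTHORITY\NETWORK SERVICE actually holds Allow for Create All Child Objects and Delete All Child Objects, which is useful when the ADAM instance later fails to register its Service Connection Point. It assumes the ActiveDirectory module (RSAT) is installed so that the AD: drive exists; the domain controller name is supplied by the caller.

```powershell
# Added example; not part of the SecureLogin documentation or product.
# Reads the ACL of a domain controller object and reports whether
# NT AUTHORITY\NETWORK SERVICE holds "Create All Child Objects" and
# "Delete All Child Objects" (steps 7 and 8 above).
# Assumes the ActiveDirectory module (RSAT) is installed so that the AD:
# drive exists; $DomainControllerName is supplied by the caller.
Import-Module ActiveDirectory

function Get-NetworkServiceChildObjectRights {
    param([Parameter(Mandatory)] [string] $DomainControllerName)

    $dc  = Get-ADComputer -Identity $DomainControllerName
    $acl = Get-Acl -Path ("AD:\" + $dc.DistinguishedName)

    # Keep only Allow ACEs granted to Network Service (well-known SID S-1-5-20);
    # inherited ACEs are included, which matches what the Security tab shows.
    $rules = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in @('NT AUTHORITY\NETWORK SERVICE', 'S-1-5-20')
    }

    # "All Child Objects" in the UI corresponds to an ACE whose ObjectType is
    # the empty GUID, i.e. not restricted to a single object class.
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $deleteChild = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $hasCreateAll = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $createChild) -and ($_.ObjectType -eq [guid]::Empty) })
    $hasDeleteAll = [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band $deleteChild) -and ($_.ObjectType -eq [guid]::Empty) })

    [pscustomobject]@{
        DomainController      = $dc.DistinguishedName
        CreateAllChildObjects = $hasCreateAll
        DeleteAllChildObjects = $hasDeleteAll
        Ready                 = ($hasCreateAll -and $hasDeleteAll)
    }
}

# Usage (replace 'DC01' with the name of your single sign-on domain controller):
# Get-NetworkServiceChildObjectRights -DomainControllerName 'DC01'
```

Run it from an account that can read the domain controller's security descriptor. A result with Ready set to False means step 7 or 8 was not applied to the Network Service principal, or was applied only for a specific object class rather than all child objects.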

5.5.2 Configuring ADAM Schema

SecureLogin uses the directory to store and manage SecureLogin data. Six schema attributes are added to the directory schema. After the ADAM schema has been extended with these attributes, the relevant containers, organizational units (OUs), and user objects must be granted permission to read and write SecureLogin data. The SecureLogin ADAM Configuration Wizard automatically extends the ADAM instance schema and assigns directory access permissions to the selected objects.

The following are the attributes added to the schema:

  • Protocom-SSO-Auth-Data

  • Protocom-SSO-Entries

  • Protocom-SSO-SecurityPrefs

  • Protocom-SSO-Profile

  • Protocom-SSO-Entries-Checksum

  • Protocom-SSO-Security-Prefs-Checksum

5.5.3 Creating an ADAM Instance

  1. Browse to the ADAM setup file that you downloaded from the Microsoft website.

  2. Double-click to run the ADAMredistX86.exe file.

  3. Click Next.

  4. Accept the license agreement, then click Next.

  5. Select the ADAM and ADAM administration tools option.

  6. Click Next.

  7. Select A unique instance.

  8. In the Instance name field, specify a name for the ADAM instance.

  9. Click Next.

  10. In LDAP port number, specify the ADAM instance port number.

    In the SSL port number, specify the ADAM instance SSL port number.

    NOTE: The default LDAP port number is 50000 and the default SSL port number is 50001. However, if Active Directory is not installed on your workstation, the default LDAP port number is 389 and the default SSL port number is 636.

    We recommend using the default values. However, if required, the values can be changed manually.

    IMPORTANT: Make a note of the LDAP port number and the SSL port number, because this information is required for further configuration.

  11. Click Next.

  12. Select No, do not create an application directory partition.

  13. Click Next.

  14. Accept the default locations for ADAM files in the Data files and Data recovery files fields or click Browse to select an alternate location.

  15. Click Next.

  16. Select the Network service account.

    or

    Select This account and provide the credentials for the selected service account.

    We recommend that you select Network service account. Nevertheless, you can specify an account with a static password.

    NOTE: The selected service account must have permission to register a Service Connection Point (SCP) and permission to install SecureLogin.

  17. Click Next.

  18. Select Currently logged on user: SECURELOGIN\Administrator.

    NOTE: The selected account must have administrator-level permissions. In this example, the default, the currently logged-on user, is selected, so that administrator administers this ADAM instance.

    or

    If an alternative account or group is preferred, select This account and specify the account or group name and credentials.

  19. Click Next.

  20. Select Do not import LDIF files for the instance of ADAM.

  21. Click Next.

  22. Review the setup options in the Selections window to confirm that the required options are selected.

  23. Click Next to continue with the installation.

    or

    Click Back to change selected options and continue the installation.

  24. Click Next after confirming the ADAM instance creation settings.

  25. Click Finish to create the ADAM instance. The Completing the Active Directory Application Environment Setup Wizard page is displayed after the ADAM instance is created.

    If required, you can review the Windows Event log to ensure the ADAM instance is created without errors.

Reviewing the Windows Event Log

  1. From the Windows Start menu, select Programs > Administrative Tools > Event Viewer. The Windows Event Viewer is displayed, with ADAM (Instance#) shown in the Event Viewer hierarchy.

  2. Double-click ADAM (Instance#) to view the Event log.

    If an error icon is displayed, double-click to view the error details.

After the ADAM instance is successfully created, follow the instructions in Section 5.5.4, Extending the Schema by Using ADAM Configuration Wizard, to automatically extend the ADAM instance schema and assign read and write rights to directory user objects.

5.5.4 Extending the Schema by Using ADAM Configuration Wizard

The SecureLogin ADAM Configuration Wizard extends the ADAM directory schema with SecureLogin attributes, creates ADAM partitions, and assigns selected directory objects read and write permissions to the SecureLogin attributes. The wizard creates corresponding user proxy objects in the ADAM instance for the user objects in Active Directory, reproducing the directory hierarchy. It can also be used to synchronize the user object structure after the initial configuration of SecureLogin.

The ADAM schema can be extended manually at the command line using the MSUserProxy.LDF and sso-adam-schema.LDF files. These files are located in the \SecureLogin\Tools\Schema\ADAM folder of the SecureLogin installer package. We recommend that you perform this procedure with the assistance of our Technical Support.

Prerequisites

Before running the SecureLogin ADAM Configuration Wizard:

  1. Copy the AdamConfig.exe file found in \SecureLogin\Tools\Schema\ADAM to the server or the administrator workstation.

  2. Copy dsacls.exe from Windows Support Tools to the ADAM folder on the server or Administrator workstation.

Using the ADAM Configuration Wizard

The ADAM Configuration Wizard extends the ADAM directory schema with SecureLogin attributes, creates ADAM partitions, and assigns selected directory objects with read and write permissions to the SecureLogin attributes.

The wizard creates corresponding user proxy objects for user objects in Active Directory, including the directory hierarchy to the ADAM instance and can be used to synchronize user object structure after initial configuration of SecureLogin.

To run the ADAM configuration wizard:

  1. Log in to the ADAM instance server, or the administration workstation (if it is separate), as an administrator or a user with administrator permissions.

  2. Browse to the AdamConfig.exe file, double-click to run it. The Welcome to the SecureLogin ADAM Configuration Wizard page is displayed.

    Ensure that you have all the Active Directory and ADAM administrator account details required.

    NOTE: The ADAM schema can be extended manually at the command line using the MS-UserProxy.ldf and sso-adam-schema.ldf files. These files are located in the Tools folder of the installer package.

  3. Click Next.

  4. Select Configure ADAM instance for NetIQ SecureLogin.

    Select this option the first time you run the configuration. Although the ADAM configuration is required only once, selecting this option on subsequent runs has no adverse effect.

    The ADAM Configuration Wizard copies the selected Active Directory user data, including the directory hierarchy, to the ADAM instance.

    NOTE: Directory synchronization for a large number of users can adversely affect network performance. You can delay the directory synchronization to a more convenient time.

    You can run the ADAM configuration wizard at any time to synchronize the updated Active Directory user data.

  5. Select the Configure Microsoft Active Directory synchronization option.

  6. (Optional) Select Synchronize now option.

    NOTE: Each time a new organizational unit or user object is created in Active Directory, the ADAM Configuration Wizard or the SyncAdam.cmd command file must be run to synchronize it with the ADAM instance and assign read and write permissions.

    SyncAdam.cmd cannot be run before the ADAM Configuration Wizard has been run.

  7. Click Next. The Microsoft Active Directory user account page is displayed.

  8. Select Current Microsoft Active Directory, then click Next.

    or

    Select Select Microsoft Active Directory user account and specify the account details in the User, Password, and Domain fields, then click Next. The ADAM instance location page is displayed.

    NOTE: The account selected on this page is used to access and copy the Active Directory object data for synchronization with the ADAM instance, so it must have Read permission. This account must not have Write permission.

    By default, the current account (that is, the account you are logged in with) is selected. However, any user account that has Active Directory read permission is valid.

  9. Click Next. The ADAM instance location page is displayed.

  10. Accept the default values or specify the alternative Server and Port values as required, then click Next.

    • The default server value is localhost. Select an alternate server if you are hosting your ADAM instance on another computer.

    • The default port value is 50000. Specify an alternate port number if this is not the ADAM instance server port.

  11. Click Next. The Microsoft Active Directory containers/organizational units page is displayed.

    All containers and organizational units that include SecureLogin users are specified here, so you can assign SecureLogin rights and select for Microsoft Active Directory synchronization.

  12. Click Add. The Domain, Container or Organizational unit dialog box is displayed.

  13. Specify the full distinguished name in the Enter distinguished name of domain, container or organizational unit field.

  14. Click OK.

    If the specified distinguished name of the domain, container, or organizational unit is invalid, an error message is displayed. In that case, click OK. You return to the dialog box. Specify the correct distinguished name of the domain, container, or organizational unit.

  15. Click OK when the required objects are added to the list.

    Review the selected configuration options.

  16. Click Back to change details, or click Finish to finish the configuration.

    The SecureLogin ADAM Configuration - Termination dialog box is displayed if the configuration could not complete successfully. If this occurs, review the text box to investigate the cause of the termination. When a solution to the problem is determined, click Close and run the SecureLogin ADAM Configuration Wizard again.

  17. Click Close.

Viewing Objects Using the ADAM ADSI Edit Tool

The ADSI Edit Tool is a Microsoft Management Console (MMC) snap-in which you can use to view all objects in the directory, including the schema and configuration information, modify objects, and set access control lists on the objects.

You can use the ADSI Edit tool to check and review SecureLogin ADAM configuration. To do this:

  1. Click Start > Programs > ADAM > ADAM ADSI Edit.

  2. Select ADAM ADSI Edit in the hierarchy pane to view the ADAM Instance details.

  3. Select Connect to from the Action menu.

  4. Specify a name for the connection in the Connection name field.

  5. Specify the ADAM instance server name in the Server name field.

  6. Specify the ADAM instance port name in the Port name field.

  7. Select Distinguished name (DN) or naming context.

  8. Specify the Distinguished Name in the Distinguished name (DN) or naming context field.

  9. Select Connect using these credentials. This is the account through which you wish to connect to the ADAM instance.

    In this example, the account of the currently logged-on user is selected.

  10. Click OK. The ADSI Edit tool displays the selected ADAM instance.

  11. Right-click the Users container to display the context menu.

  12. Select Properties. The CN=Users Properties dialog box is displayed.

To confirm that the schema attributes were added successfully, scroll down the Attributes table window and verify that the six attributes listed in Section 5.5.2, Configuring ADAM Schema, are present. Repeat this for each container and organizational unit containing SecureLogin users.

If the attributes are not displayed, run the ADAM configuration wizard again and ensure that you specify the correct container, organizational unit, and user objects.
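The ADSI Edit check above can be scripted for repeatable verification. The following PowerShell is an added example, not part of the SecureLogin documentation or product: it binds to the ADAM instance's RootDSE, locates the schema naming context, and reports which of the six attributes from Section 5.5.2 are present as attributeSchema objects. It assumes the instance listens on localhost:50000 (the documented default) and that the Windows account running it may read the schema partition; the function and variable names are the example's own.

```powershell
# Added example; not part of the SecureLogin documentation or product.
# Queries the schema naming context of an AD LDS (ADAM) instance over LDAP and
# reports which of the six SecureLogin attributes from section 5.5.2 exist.
# Assumptions: the instance listens on $Server:$Port (documented default
# localhost:50000) and the caller's Windows account can read the schema.
Add-Type -AssemblyName System.DirectoryServices

# The six attribute names listed in section 5.5.2.
$SecureLoginSchemaAttributes = @(
    'Protocom-SSO-Auth-Data',
    'Protocom-SSO-Entries',
    'Protocom-SSO-SecurityPrefs',
    'Protocom-SSO-Profile',
    'Protocom-SSO-Entries-Checksum',
    'Protocom-SSO-Security-Prefs-Checksum'
)

function Get-AdamSchemaNamingContext {
    param([string] $Server = 'localhost', [int] $Port = 50000)
    # RootDSE publishes the DN of the schema partition for this instance.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/RootDSE")
    return [string] $rootDse.Properties['schemaNamingContext'].Value
}

function Test-SecureLoginAdamSchema {
    param([string] $Server = 'localhost', [int] $Port = 50000)
    $schemaDn = Get-AdamSchemaNamingContext -Server $Server -Port $Port
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/$schemaDn")

    foreach ($name in $SecureLoginSchemaAttributes) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
        $searcher.SearchScope = 'OneLevel'
        # Match on either the schema object's cn or its lDAPDisplayName, since the
        # documentation lists only the attribute names.
        $searcher.Filter = "(&(objectClass=attributeSchema)(|(cn=$name)(lDAPDisplayName=$name)))"
        [void] $searcher.PropertiesToLoad.Add('lDAPDisplayName')
        $hit = $searcher.FindOne()

        $displayName = $null
        if ($null -ne $hit) { $displayName = $hit.Properties['ldapdisplayname'][0] }

        [pscustomobject]@{
            Attribute       = $name
            Present         = ($null -ne $hit)
            LdapDisplayName = $displayName
        }
    }
}

# Usage: list the six attributes and flag any that are missing.
# Test-SecureLoginAdamSchema -Server 'localhost' -Port 50000 | Format-Table -AutoSize
```

A row with Present set to False means the schema extension did not complete on that instance; as the section states, rerun the ADAM Configuration Wizard against the correct server and port before assigning rights to containers.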

Adding Users or User Groups to Manage SecureLogin In ADAM Instance

To assign LDS rights to a specific user or user group, perform the following steps:

  1. Click Start > Administrative Tools > ADSI Edit.

  2. In the console tree, click Configurations > CN=Roles.

  3. Double-click CN=Administrators to open CN=Administrators Properties.

  4. In Attribute Editor, select the member attribute and click Edit.

  5. Click Add Windows Account... or Add DN... in the Multi-valued Distinguished Name With Security Principal Editor window to add users or user groups that you want to assign LDS rights.

  6. Click OK.

Synchronizing Data from Active Directory to an ADAM Instance

The Active Directory to ADAM Synchronizer is a command-line tool that synchronizes data from an Active Directory forest to a configuration set of an ADAM instance. You can use it to ensure that new users added to Active Directory have objects representing their SecureLogin data created in the ADAM instance.

To synchronize data from Active Directory to an ADAM instance:

  1. Navigate to SecureLogin\Tools of the SecureLogin installation package.

  2. Double-click the syncadam.cmd file.

After the synchronization is complete, review the log file, SyncAdam.log, to confirm that the synchronization process completed.

We recommend that you synchronize regularly, whenever new organizational units are created or Active Directory users are changed. You can add the process to the Windows Scheduled Tasks.

During the synchronization, the following changes are synchronized automatically:

  • A new container or organizational unit in Active Directory is created as a corresponding container in ADAM.

  • A new user in Active Directory is created as ADAM user proxy.

  • A renamed user object in Active Directory causes the corresponding user proxy to be renamed in ADAM.

  • A moved user object in Active Directory causes the corresponding user proxy to be moved in ADAM. This requires both user object source container and destination container in synchronization scope.

However, the following processes are not automatically synchronized:

  • Deleted user objects in Active Directory are not deleted in ADAM by default, because of security concerns. You can override this by manually editing SyncAdam.config. However, this is not recommended unless there is a good reason, because a reused username might conflict with a 'zombie' user, and there can be performance issues.

  • Deleted, moved, or renamed containers and organizational units in Active Directory are not synchronized to ADAM. Changes to existing container or OU objects in Active Directory must be manually synchronized to ADAM by using the ADSI Edit tool or any other directory editor. For example, if an OU is renamed in Active Directory, it must be renamed in ADAM. Because of security concerns, synchronization does not run if existing containers and OUs do not match in Active Directory and ADAM.
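The section above recommends running syncadam.cmd on a schedule and checking SyncAdam.log afterwards. The PowerShell below is an added example, not part of the SecureLogin documentation or product: it registers a daily scheduled task for syncadam.cmd and a second function that reads the task's last result and confirms that SyncAdam.log was written by that run. The path C:\SecureLogin\Tools, the task name, and the assumption that SyncAdam.log is written next to syncadam.cmd are placeholders to adjust; the credential must be an account with Active Directory read permission and ADAM administrator rights, as the section requires.

```powershell
# Added example; not part of the SecureLogin documentation or product.
# Schedules syncadam.cmd (section "Synchronizing Data from Active Directory to
# an ADAM Instance") and verifies afterwards that SyncAdam.log was updated.
# Assumptions: C:\SecureLogin\Tools holds syncadam.cmd and SyncAdam.log (placeholders),
# and $RunAs has AD read rights plus ADAM administrator rights.

function Register-SecureLoginAdamSyncTask {
    param(
        [Parameter(Mandatory)] [pscredential] $RunAs,
        [string] $SyncCmdPath = 'C:\SecureLogin\Tools\syncadam.cmd',
        [string] $TaskName    = 'SecureLogin ADAM Sync',
        [string] $DailyAt     = '02:00'
    )
    if (-not (Test-Path -LiteralPath $SyncCmdPath)) {
        throw "syncadam.cmd not found at $SyncCmdPath"
    }
    # Run the command file through cmd.exe from its own folder so relative
    # paths inside the script (config and log) resolve as they would on double-click.
    $action = New-ScheduledTaskAction -Execute 'cmd.exe' `
        -Argument "/c `"$SyncCmdPath`"" `
        -WorkingDirectory (Split-Path -Parent $SyncCmdPath)
    $trigger  = New-ScheduledTaskTrigger -Daily -At $DailyAt
    # Bound the run time and never start a second copy while one is still running.
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
        -MultipleInstances IgnoreNew
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
        -User $RunAs.UserName -Password $RunAs.GetNetworkCredential().Password `
        -RunLevel Highest -Force
}

function Test-SecureLoginAdamSyncResult {
    param(
        [string] $TaskName = 'SecureLogin ADAM Sync',
        [string] $LogPath  = 'C:\SecureLogin\Tools\SyncAdam.log'
    )
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    $log  = Get-Item -LiteralPath $LogPath -ErrorAction SilentlyContinue
    # The log is considered current if it was written at or after the last run started.
    $logUpdated = ($null -ne $log) -and ($log.LastWriteTime -ge $info.LastRunTime)

    [pscustomobject]@{
        TaskName       = $TaskName
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult   # 0 means cmd.exe exited with success
        LogUpdated     = $logUpdated
        Healthy        = (($info.LastTaskResult -eq 0) -and $logUpdated)
    }
}

# Usage:
# Register-SecureLoginAdamSyncTask -RunAs (Get-Credential 'SECURELOGIN\svc-adamsync')
# Test-SecureLoginAdamSyncResult
```

Run Test-SecureLoginAdamSyncResult after the first scheduled run; a result with Healthy set to False points either at a non-zero exit code from syncadam.cmd or at a log that was not written, and in both cases SyncAdam.log is the place to look. Remember that the synchronizer stops when containers or OUs no longer match between Active Directory and ADAM, so a renamed or moved OU must be corrected in ADAM (as described above) before the next scheduled run will succeed.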

5.5.5 Enabling TLS 1.1 In SecureLogin

WARNING: Installing SecureLogin with TLS 1.1 is less secure than using TLS 1.2. It can expose your deployment environment to security threats.

Perform the following steps to modify the registry. The registry modification is necessary to enable TLS 1.1 in SecureLogin.

  1. Click Start > Run to open the Run dialog box.

  2. Specify regedit and click OK to open Registry Editor.

  3. Navigate to the

    HKEY_LOCAL_MACHINE > SOFTWARE > Protocom > SecureLogin key.

  4. Right-click and select New > DWORD.

  5. Rename the DWORD to AllowTLSv1.1.

  6. Edit the AllowTLSv1.1 value to 1.

5.5.6 Disabling SSL In SecureLogin

Perform the following steps to modify the registry. The registry modification is necessary to disable SSL in SecureLogin.

NOTE: It is not recommended to configure SecureLogin in non-SSL mode.

  1. Click Start > Run to open the Run dialog box.

  2. Specify regedit and click OK to open Registry Editor.

  3. Navigate to the

    HKEY_LOCAL_MACHINE > SOFTWARE > Protocom > SecureLogin key.

  4. Right-click and select New > DWORD.

  5. Rename the DWORD to DisableSSL.

  6. Edit the DisableSSL value to 1.
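Because both values in Sections 5.5.5 and 5.5.6 weaken the transport security of a deployment, it is worth being able to audit them and to confirm what the ADAM SSL port actually negotiates. The PowerShell below is an added example, not part of the SecureLogin documentation or product: it reports whether AllowTLSv1.1 or DisableSSL is set under HKLM\SOFTWARE\Protocom\SecureLogin, removes those override values on request, and performs a TLS 1.2 handshake against the ADAM SSL port. The key path and value names are the ones in the procedures above; the default SSL port 50001 is the documented default from Section 5.5.3, and the function names are the example's own.

```powershell
# Added example; not part of the SecureLogin documentation or product.
# Audits the AllowTLSv1.1 and DisableSSL values (sections 5.5.5 and 5.5.6),
# removes them on request, and checks the protocol negotiated by the ADAM SSL port.
# Assumptions: key path and value names as documented above; default SSL port 50001.
$SecureLoginKey = 'HKLM:\SOFTWARE\Protocom\SecureLogin'

function Get-SecureLoginTransportPosture {
    $props = Get-ItemProperty -Path $SecureLoginKey -ErrorAction SilentlyContinue
    $allowTls11 = ($null -ne $props) -and ($props.'AllowTLSv1.1' -eq 1)
    $disableSsl = ($null -ne $props) -and ($props.DisableSSL -eq 1)
    [pscustomobject]@{
        AllowTLSv11 = $allowTls11
        DisableSSL  = $disableSsl
        Weakened    = ($allowTls11 -or $disableSsl)   # either value lowers transport security
    }
}

function Remove-SecureLoginTransportOverrides {
    # Deletes both override values so neither TLS 1.1 nor non-SSL mode is permitted.
    # Requires an elevated session.
    foreach ($name in 'AllowTLSv1.1', 'DisableSSL') {
        Remove-ItemProperty -Path $SecureLoginKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Test-AdamTlsNegotiation {
    param(
        [string] $Server = 'localhost',
        [int]    $Port   = 50001,
        [System.Security.Authentication.SslProtocols] $Protocols =
            [System.Security.Authentication.SslProtocols]::Tls12
    )
    $script:LastCertErrors = $null
    # Record certificate validation problems instead of aborting, so the
    # report shows them alongside the negotiated protocol.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:LastCertErrors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl   = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Offer only the requested protocol(s); an AuthenticationException here
        # means the server would not negotiate them.
        $ssl.AuthenticateAsClient($Server, $certs, $Protocols, $false)
        [pscustomobject]@{
            Server             = $Server
            Port               = $Port
            NegotiatedProtocol = $ssl.SslProtocol
            CertificateSubject = $ssl.RemoteCertificate.Subject
            CertificateErrors  = $script:LastCertErrors   # None means the chain validated
        }
    }
    finally {
        $client.Close()
    }
}

# Usage:
# Get-SecureLoginTransportPosture
# Test-AdamTlsNegotiation -Server 'localhost' -Port 50001
```

Get-SecureLoginTransportPosture returning Weakened as True is the condition the WARNING in Section 5.5.5 and the NOTE in Section 5.5.6 describe; Remove-SecureLoginTransportOverrides reverts it. Test-AdamTlsNegotiation is independent of the registry values: it tells you whether the ADAM SSL port on the server accepts TLS 1.2 and whether its certificate validates from the client, which is the evidence you want before removing the TLS 1.1 override in production.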