Restriction: This topic applies only when the Enterprise Server feature is enabled.
With the osesm security manager, users sign on to MFDS and/or Enterprise Server Administration using their Windows username and password.
Note: osesm only supports the Verify operation (user sign-on). It does not do any resource access control (the Auth and XAuth operations). To control access to resources for signed-on users, you will need to configure another ESM module lower in the list for that purpose.
By default, osesm first tries to sign a user on locally. If that fails, it does a search in the default domain (in the domain forest, on Windows 2003 and later) and tries again in the first domain where it finds the user. You can specify a different domain to try initially in the security manager configuration.
Note: osesm is limited to the signon IDs that Windows normally allows, and therefore it cannot verify a user in a domain that is not trusted by the local system.
osesm can authenticate users from any domain that is listed in the Windows sign-on dialog. It cannot authenticate signons of the form username@domain.tld: the signon screens do not support this.
osesm supports ESF Passtokens, which can be used to automatically pass credentials between MFDS and the Enterprise Server administration UI, if both the directory server and Enterprise Server are configured to use osesm.