Difference between revisions of "Authentication Integration for Windows"

From ProVide DocWiki

Latest revision as of 07:04, 14 February 2020

This feature lets ProVide authenticate users against a Windows SAM, domain, server or Active Directory, which makes user management a breeze. The few examples below are only a starting point; the feature can do far more than they show.

Overview

The following authentication methods are included:

  • Using an Active Directory / Domain
  • Using a Windows Server (Local or Remote)

Additions to account management: with this extension, accounts in ProVide can be connected to Windows accounts. Applied to a user, the connection specifies that user's account settings, such as login limits, bandwidth management and special home directory contents. Applied to a group, it specifies defaults for all users belonging to that Windows group, making management of thousands of accounts a breeze.

Seamless authentication at login

Accounts and settings in ProVide always take precedence, so ProVide checks whether the user...

  1. ...exists as a regular account in ProVide?
  2. ...exists as a Windows-connected account in ProVide?
  3. ...passes Windows authentication?

After acquiring the relevant user data, a regular login attempt to the FTP server is performed. This means that restrictions and security settings can be specified in ProVide on accounts (users and groups) that are connected to Windows accounts, effectively enforcing all of ProVide's features on the Windows accounts that log in to the FTP server.

Group management works transparently with Windows Integration

Group management with hierarchical structures and multiple group memberships still applies to both user and group accounts in ProVide while using Windows Integration. Just as a ProVide account can be a member of multiple groups, the Windows integration has the same power: if a Windows user is a member of several Windows groups, that user receives resources and security settings from all the Windows-integrated groups in ProVide. The home directory of a user logging in to the FTP server can thus be a composite of, for instance, "Management", "Economy" and personal data.

The power of this extension goes well beyond anything currently on the market for FTP servers, yet it remains an elegant and easy-to-use solution.

Enable all users to login through FTP

Once the general settings of ProVide are set up and the Windows server has been configured, there is basically just one thing to do: create a group account that is integrated with Windows. Generally, the Windows group "Users" is pre-installed and all new Windows accounts are members of this group.

Step-by-step guide in ProVide

  1. Create a group called "Users1".
  2. Integrate this account with Windows by checking the "Integrate with Windows group".
  3. Specify "Home Directory", "Restrictions", and "Security" as usual.

You might want to use the %USERNAME% token when defining the "Home Directory" so that users get their Windows directories as their home directory in ProVide:

[Screenshot: Aiw-users1.png]

Or you can use the special tokens %AD_HOMEDIR%, %AD_COMMENT% and %AD_SCRIPT% to access the corresponding attributes from your Active Directory for the currently logged-on user.

Enforce special restrictions on a user

The Windows user "Alan" has access to business-critical documents. If "Alan" is going to use FTP, we must require him to use secure connections to make sure the documents are not intercepted in transit.

  1. The user "Alan" already exists in Windows.
  2. Create a user called "Alan" in ProVide and set this account to "Use Windows permissions".
  3. Specify which service(s) should be allowed on the "Security" tab.

[Screenshot: Aiw-enforce1.png]

Apply general FTP settings to a complete Windows-group

The existing Active Directory has been thoroughly set up with groups assigned to users as applicable. Among these groups is a group "Economy" that needs access to certain documents.

  1. Create a group called "Economy" in ProVide.
  2. Integrate this group with Windows by checking the "Integrate with Windows group".
  3. Add resources as necessary, so that Windows users logging in have access to all these files.

[Screenshot: Aiw-groups1.png]

Simple graphical step-by-step guide to enabling Active Directory integration

Enable Active Directory integration for the server in ProVide.

Click on Authentication Integration to open the settings for Windows Domain and Windows Server Integration.

[Screenshot: Authentication Integration1.png]

  1. Enable Authentication Integration for Windows.
  2. Change to Integrate with a Windows Domain.
  3. By default your Active Directory name is in the text field. It can be edited when needed.
  4. Enable Use Windows account impersonation to take NTFS permissions into account.
  5. Use Windows Login Password caching in case the Domain Controller does not respond. This allows caching of the password: ProVide will use the cached password and let the user log in with the last known password.

[Screenshot: Authentication Integration2.png]

Now you can create users and groups and integrate them into Active Directory.

A ProVide group integrated into Active Directory allows the whole Active Directory group to log in to ProVide. This can potentially allow several thousand users to log in to ProVide without a lot of configuration in ProVide. With Active Directory integrated users you can allow only specific users to log in. You can also combine the use of groups and users, as in the example below.

Example. You have an Active Directory group named Users with the users A, B and C in it.

  1. Create a new group in ProVide and call it Users.
  2. Enable Windows group integration to integrate the group with Active Directory.
  3. Give the ProVide group a resource which A, B and C will be able to access.
  4. Now all three users will be able to access that resource, but you want C to be able to access a resource that A and B should not be able to.
  5. Create a user named C and select the status Use Windows Permissions.
  6. Add the resources you want C to be able to access.
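The lookup order from "Seamless authentication at login", the group composition from "Group management", and the A, B, C scenario above, modelled as an added Python example (this is not ProVide's code). The account tables, paths and the windows_auth_ok flag are constructed assumptions:

```python
# Added example, not ProVide code: models ProVide's lookup order (regular
# account, then Windows-connected account, then Windows authentication) and
# how a Windows user collects resources from every Windows-integrated group.
# All account data below is constructed sample data.

# Windows side: group membership per user and the AD home directory that the
# %AD_HOMEDIR% token resolves to.
WINDOWS_USERS = {
    "A": {"groups": {"Users"}, "homedir": r"\\fs\home\A"},
    "B": {"groups": {"Users"}, "homedir": r"\\fs\home\B"},
    "C": {"groups": {"Users", "Economy"}, "homedir": r"\\fs\home\C"},
}
# ProVide side: resources are virtual path -> local path.
LOCAL_USERS = {"ftpbot": {"/": r"D:\ftpbot"}}             # regular ProVide accounts
WINDOWS_CONNECTED_USERS = {"C": {"/board": r"D:\board"}}  # status "Use Windows permissions"
WINDOWS_GROUPS = {                                        # "Integrate with Windows group"
    "Users": {"/home": r"D:\ftp\%USERNAME%", "/ad": r"%AD_HOMEDIR%"},
    "Economy": {"/economy": r"D:\economy"},
}

def expand_tokens(path, username, homedir):
    """Expand the %USERNAME% and %AD_HOMEDIR% tokens mentioned on the page."""
    return path.replace("%USERNAME%", username).replace("%AD_HOMEDIR%", homedir)

def resolve(username, windows_auth_ok):
    """Return (account source, resources) for a login, or None if refused.
    windows_auth_ok is the outcome of the domain/server password check."""
    # 1. A regular ProVide account always takes precedence; ProVide checks
    #    its own password for such accounts (not modelled here).
    if username in LOCAL_USERS:
        return "local", dict(LOCAL_USERS[username])
    # Windows-connected users and integrated groups both require Windows auth.
    win = WINDOWS_USERS.get(username)
    if win is None or not windows_auth_ok:
        return None
    resources = {}
    # Union of resources from all Windows-integrated groups the user is in.
    for group in sorted(win["groups"] & WINDOWS_GROUPS.keys()):
        for vpath, lpath in WINDOWS_GROUPS[group].items():
            resources[vpath] = expand_tokens(lpath, username, win["homedir"])
    # 2. A Windows-connected ProVide user adds its own per-user settings.
    if username in WINDOWS_CONNECTED_USERS:
        resources.update(WINDOWS_CONNECTED_USERS[username])
        return "windows-user", resources
    # 3. Plain Windows authentication only grants access via a matching group.
    return ("windows-group", resources) if resources else None
```

A and B only get the group resources, while C gets the Users and Economy group resources plus the extra resource defined on the ProVide user C.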

How to create Active Directory integrated groups and users.

Click Setup Accounts, as shown in the picture below, to show the options to create a group or user.

[Screenshot: Groups1.png]

Groups

Click New Group.

[Screenshot: Groups2.png]

Give the group the same name as an Active Directory group (the Users group is created by default by Windows).

[Screenshot: Groups3.png]

Click the Home Directory submenu and add the resources you want the users to be able to access. If you add %USERNAME% to the path, a directory with the user's name will be created upon login.

[Screenshot: Groups4.png]

All users within the Active Directory group with the same name as the ProVide group will now be able to log in. This makes it easy to potentially manage thousands of users.


Users

If you want an Active Directory integrated user, or specific settings for a single user in a group, you simply create a new user with the same name as the Active Directory user and change its status to Use Windows Permissions. You then configure the user just like a normal user.

[Screenshot: User.png]

Implementation of multiple domains with trusts

To make ProVide work with multiple domains, a trust between the domains has to be established, and all domain names need to be entered into the Authentication Integration settings separated by pipes.

[Screenshot: Multiple-domains.PNG]

A trust is a relationship between domains which makes it possible for users in one domain to be authenticated in the other domain. You can read more about trusts at TechNet.

Example with two domains

In this example we have two domains, and ProVide is installed on a server in the domain Extranet. Extranet trusts Intranet, which means users from Intranet are able to access the FTP server with their AD accounts.

The ProVide service, which is installed on a server in the Extranet domain, has to run as an admin account from the domain Intranet (make sure this admin has sufficient permissions on the ProVide folder).

When the service is running as an admin from Intranet and both domains are added to the domain list (separated by pipes, "|"), users from both domains are able to access the server seamlessly.

[Screenshot: One way trust.png]