
The Active Directory login authority

Overview

The Active Directory login authority allows users to log in to Secure Global Desktop if they have an account in an Active Directory domain.

This login authority uses a combination of Kerberos authentication and LDAP searches of Active Directory servers, which makes it faster and more secure than the LDAP login authority. It is also more scalable and flexible, because users can be authenticated against any domain in a forest and because Active Directory, instead of ENS, is used to provide information about users.

This login authority is disabled by default.

Logging in

The user types a user principal name (an account logon name and a domain name joined by the "@" sign, for example "indigo@indigo-insurance.com") and password.

Authentication

  1. This login authority uses the Kerberos protocol to authenticate the user principal name and password against a Key Distribution Center (KDC) for a domain.
  2. If the authentication fails, the next login authority is tried.
  3. If the authentication succeeds, the user may log in.

User identity

Once a user has been authenticated, Secure Global Desktop searches an Active Directory server in the domain for an LDAP person object for the user.

The identity is the LDAP person object and has the form .../_service/sco/tta/ldapcache/LDAP-person.

Login profile

The first match of the following is used:

  1. A person object in ENS with the same name as the LDAP person object, allowing for differences in the naming system. For example, if the LDAP object cn=Indigo Jones,cn=Administration,dc=Indigo Insurance,dc=com is found, this login authority would search ENS for dc=com/dc=Indigo Insurance/cn=Administration/cn=Indigo Jones.
  2. A person object in ENS, with the name cn=LDAP Profile, in the same OU as the LDAP person object. For example, dc=com/dc=Indigo Insurance/cn=Administration/cn=LDAP Profile.
  3. A person object in ENS, with the name cn=LDAP Profile, in any parent OU for the LDAP person object. For example, dc=com/dc=Indigo Insurance/cn=LDAP Profile.
  4. The default LDAP profile object o=Tarantella System Objects/cn=LDAP Profile.
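
The lookup order above, sketched as an added example (not Secure Global Desktop code): it converts an LDAP distinguished name to the ENS form shown in rule 1 and lists the names the four rules would try, which is useful when auditing which profile an authenticated user inherits. The function names, the nearest-first walk through parent containers up to the root, and the exact-match comparison are assumptions; the sample ENS contents are constructed.

```python
import re

DEFAULT_PROFILE = "o=Tarantella System Objects/cn=LDAP Profile"  # rule 4
PROFILE_RDN = "cn=LDAP Profile"


def split_dn(dn):
    """Split an LDAP DN into RDNs, most specific first.

    Simplification: splits on commas not preceded by a backslash.
    """
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def ldap_dn_to_ens(dn):
    """Reverse the RDN order and join with '/', as in the page's rule 1 example."""
    return "/".join(reversed(split_dn(dn)))


def profile_candidates(dn):
    """Return the ENS names to try, in the order of the four rules."""
    path = list(reversed(split_dn(dn)))      # root first, user's RDN last
    candidates = ["/".join(path)]            # rule 1: same-named person object
    # Rules 2 and 3: cn=LDAP Profile beside the user, then in each parent.
    # Assumption: parents are walked nearest-first, up to the root.
    for depth in range(len(path) - 1, 0, -1):
        candidates.append("/".join(path[:depth] + [PROFILE_RDN]))
    candidates.append(DEFAULT_PROFILE)       # rule 4: system default
    return candidates


def resolve_profile(dn, ens_objects):
    """Return the first candidate present in ens_objects, or None."""
    for name in profile_candidates(dn):
        if name in ens_objects:
            return name
    return None


if __name__ == "__main__":
    # Constructed ENS contents: no per-user object, one profile at the domain level.
    ens = {"dc=com/dc=Indigo Insurance/cn=LDAP Profile", DEFAULT_PROFILE}
    user = "cn=Indigo Jones,cn=Administration,dc=Indigo Insurance,dc=com"
    for candidate in profile_candidates(user):
        print("try:", candidate)
    print("profile used:", resolve_profile(user, ens))
```
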

Emulator sessions and password cache entries

Emulator sessions and password cache entries belong to the LDAP person object.
