To use an Active Directory server to authenticate users, when you configure the settings for your Management Server you must define the connection information for the Active Directory server.
Although the primary administrator account is always managed by the Management Server, you can use an Active Directory server to manage other user accounts. Then, when a user from an external authentication server logs in to the Management Server, the server sends that information to the external Active Directory server. The Active Directory server tells the Management Server whether the user is valid and to what groups he or she belongs. The Management Server then compares the user and groups with its list of users and groups and the role policies they are associated with.
Before you can use the users and groups from your Active Directory server for role-based administration, you must enable your Management Server to connect to your Active Directory server. You must also specify at least one Active Directory domain with correct Service Records (SRV), and make sure that LDAPS is enabled on your Active Directory server. To connect to the Active Directory server for LDAPS authentication, the Management Server submits a DNS query to the domain specified for the server.
For secure connections to your Active Directory server, your Management Server uses the SSL certificate for your Active Directory server. SSL certificates that are signed by most well-known, public Certificate Authorities (CAs) are automatically trusted. To use a certificate signed by a CA that is not in the list, you must import the certificate.
To use Active Directory authentication with your Management Server, you must enable LDAPS (LDAP over SSL) in the Active Directory domain. For more information, see the Microsoft website or review the documentation for your Active Directory server.
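The three prerequisites above (a resolvable SRV record for the domain, LDAPS reachable on the domain controller, and a server certificate that chains to a public or imported CA) can be checked from the command line before you click Test. The script below is an added example written for this page, not WatchGuard code; it uses only the Python standard library plus the `nslookup` command the tip in the procedure mentions. The domain `domain.local`, the host names `dc1`/`dc2`, and the embedded sample `nslookup` output are constructed for illustration. Only `probe_ldaps` needs network access.

```python
"""Pre-flight checks for a Management Server -> Active Directory (LDAPS) connection.

Added example, not part of WatchGuard's product or documentation. It mirrors
what the page says must be in place: an SRV record for the domain, LDAPS on
TCP 636, and a domain controller certificate trusted via the system CA bundle
or an imported CA file.
"""
import socket
import ssl
import subprocess
from dataclasses import dataclass
from typing import List, Optional

LDAPS_PORT = 636

# Constructed sample output of `nslookup -querytype=srv _ldap._tcp.domain.local`
# on Windows and on a Unix-like host, used so the parser can be exercised offline.
SAMPLE_WINDOWS_OUTPUT = """Server:  dns1.domain.local
Address:  192.0.2.53

_ldap._tcp.domain.local SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.local
"""
SAMPLE_UNIX_OUTPUT = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

_ldap._tcp.domain.local\tservice = 0 100 389 dc1.domain.local.
_ldap._tcp.domain.local\tservice = 10 100 389 dc2.domain.local.
"""


def ldap_srv_name(domain: str) -> str:
    """Name of the SRV record the Management Server queries for a domain."""
    return f"_ldap._tcp.{domain.strip().rstrip('.').lower()}"


def is_upn(user: str) -> bool:
    """True if a test credential is in UPN form (user@domain), not DOMAIN\\user."""
    local, sep, domain = user.partition("@")
    return bool(sep) and bool(local) and bool(domain) and "\\" not in local


def parse_srv_hosts(nslookup_output: str) -> List[str]:
    """Extract SRV target host names from nslookup output (Windows or Unix format)."""
    hosts: List[str] = []
    for line in nslookup_output.splitlines():
        line = line.strip()
        if line.lower().startswith("svr hostname"):          # Windows layout
            hosts.append(line.split("=", 1)[1].strip().rstrip("."))
        elif "service =" in line:                             # Unix layout
            fields = line.split("service =", 1)[1].split()    # prio weight port target
            if len(fields) == 4:
                hosts.append(fields[3].rstrip("."))
    return hosts


def lookup_srv_hosts(domain: str) -> List[str]:
    """Run the page's nslookup command for the domain and return the DC host names."""
    out = subprocess.run(["nslookup", f"-querytype=srv", ldap_srv_name(domain)],
                         capture_output=True, text=True, timeout=15).stdout
    return parse_srv_hosts(out)


def build_tls_context(imported_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Trust store as described on the page: well-known public CAs automatically,
    plus an optional CA certificate file imported for a private PKI."""
    ctx = ssl.create_default_context()        # system CAs, hostname check on
    if imported_ca_file:
        ctx.load_verify_locations(cafile=imported_ca_file)
    return ctx


@dataclass
class LdapsResult:
    ok: bool
    detail: str
    subject: str = ""


def probe_ldaps(host: str, ctx: ssl.SSLContext, port: int = LDAPS_PORT,
                timeout: float = 5.0) -> LdapsResult:
    """Open a TLS session to the domain controller and report whether its
    certificate validated. No LDAP bind is attempted, so no credentials are sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = ", ".join("=".join(p) for rdn in cert.get("subject", ()) for p in rdn)
                return LdapsResult(True, f"TLS {tls.version()} established", subject)
    except ssl.SSLCertVerificationError as e:   # chain or hostname mismatch
        return LdapsResult(False, f"certificate not trusted: {e.verify_message}")
    except (OSError, ssl.SSLError) as e:        # port closed, LDAPS not enabled, etc.
        return LdapsResult(False, f"connection failed: {e}")


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "domain.local"
    ca_file = sys.argv[2] if len(sys.argv) > 2 else None
    ctx = build_tls_context(ca_file)
    for dc in lookup_srv_hosts(domain):
        r = probe_ldaps(dc, ctx)
        print(f"{dc}:{LDAPS_PORT} -> {'OK' if r.ok else 'FAIL'}: {r.detail} {r.subject}")
```

A failure reported as "certificate not trusted" corresponds to the case where the Validate the domain controller's SSL certificate check box is selected but the signing CA is neither public nor imported; a "connection failed" result on port 636 usually means LDAPS is not enabled on the domain controller.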
To enable and configure Active Directory authentication, from WatchGuard Server Center:
1. In the Servers tree, select Management Server.
2. Select the Active Directory tab.
   The Active Directory page appears.
3. Select the Enable Active Directory authentication check box.
4. To add, edit, or remove a domain in the Domain Name list, click Add / Remove. You can have multiple domain names in this list.
   The Add Domains dialog box appears.
5. To add a domain name to the list, in the Specify domain name text box, type the Active Directory domain.
   Make sure to specify the same domain as in the SRV record for your Active Directory server.
   Tip! To look up the SRV record for your Active Directory server, you can run this command: `nslookup -querytype=srv _ldap._tcp.domain.local`
   The Management Server connects to the Active Directory domain controller over SSL (LDAPS).
6. Click Add.
7. To add more domain names to the list, repeat Steps 4–6.
8. To remove a domain name from the list, select a domain name in the list and click Remove.
9. Click OK to close the Add Domains dialog box.
   The domain names you selected appear in the Domain Name list.
10. To verify the SSL certificate, select the Validate the domain controller's SSL certificate check box.
11. To import a CA certificate, click Import and browse to select the CA certificate file.
12. To test your connection for Active Directory authentication, click Test.
    The AD Authentication Test dialog box appears.
13. In the AD Authentication Test dialog box, type the user credentials for the test connection to your Active Directory server.
    Make sure to type the user name in UPN (User Principal Name) format, `user@domain`.
14. Click OK.
    The Management Server tests the connection to your Active Directory server.
15. Click Apply to save your changes.