What are the prerequisites for Active Directory Remote Authentication with AIQUM?
Applies to
Active IQ Unified Manager (AIQUM)
Answer
Prerequisites for enabling Active Directory (AD) remote authentication with AIQUM
- The firewall must allow the ports mentioned below
- These ports need to be open between LDAP and the Unified Manager server
- Port 389
- Port 636
- Port 445
- Port 88
- Port 53
- If using Global Catalog LDAP server
- Port 3268
- Port 3269
- If using a single FQDN address for multiple authentication servers, the x.509 certificate Subject Alternative Name section of the certificate must have the hostnames for each of the authentication servers present.
- The following command can run from UM server to check the port is open in between UM and the LDAP server
- UM Windows Server
- Use Power shell command prompt window, details of
Test-NetConnectionfound here. - Command -->
Test-NetConnection -ComputerName <ldap_server_name> -InformationLevel "Detailed" -Port 389
- Use Power shell command prompt window, details of
- UM Linux Server
Use your favorite command in Linux to test the ports between the two server- command from UM server -->
nc -zvw10 <ldap_server_name_or_ip> port- Example -->
nc -zvw10 192.168.0.1 389
- Example -->
- command from UM server -->
- UM Windows Server
- These ports need to be open between LDAP and the Unified Manager server
Domain user or Domain service account with "password never expire" attribute should be used- Domain groups to allow users with different access roles in Unified manager server
- The following commands can be run from the Windows CLI by a Domain User to gather information regarding the Active Directory settings:
systeminfo<--- provides the login domain controller and the domain namegpresult /R<---will provide the base distinguished name (DN) of the Domain user that is running the command and the Domain Group that the Domain user belongs to.
Additional Information
Parent topic: Active Directory Remote Authentication Setup and Troubleshooting in AIQ Unified Manager