Check Point HARMONY R81 - Configuring DNS for GSS Connections; Strengthening Active Directory Authentication to Use LDAPS

Check Point HARMONY R81
Active Directory Scanner
R81 Harmony Endpoint Server Administration Guide|97
# | Issue | Solution
4 | SSL certificate is not installed | Get an SSL certificate from your Domain Controller and import it to the Endpoint Security Management Server, or disable SSL.

Configuring DNS for GSS Connections
GSSAPI (Generic Security Service API) is an interface used to access security services.
Kerberos is the implementation of GSSAPI used in Microsoft's Windows platform and is
supported by Active Directory authentication protocols. During Kerberos authentication, a
domain's KDC (Key Distribution Center) must be found through a DNS request.
The DNS server configured on the Endpoint Security Management Server must be able to
resolve names to IP addresses and IP addresses to names for all domains that are scanned by the
Directory Scanner. If DNS is not configured properly, the authentication fails.
Make sure that:
- The DNS server is configured on the Endpoint Security Management Server.
- The DNS server can recognize the DNS servers of all domains that the Directory Scanner will scan.
To make sure the DNS server is configured correctly for GSSAPI authentication:
1. On the Endpoint Security Management Server, run: nslookup.
2. Test the name-to-IP resolution for all domain controllers that are used by the Directory Scanner.
3. Test the IP-to-name resolution for all domain controllers that are used by the Directory Scanner.
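
The name-to-IP and IP-to-name tests above, scripted as an added example that is not part of the Check Point guide. It assumes BIND-style nslookup output; the function names and status words are hypothetical, and it goes one step beyond the procedure by also checking that the reverse record names the same host that was queried.

```shell
#!/bin/bash
# Added example: forward and reverse DNS check for the domain controllers
# used by the Directory Scanner. Assumes BIND-style nslookup output.

# Wrapper around nslookup so the query tool can be swapped or stubbed.
lookup() { nslookup "$1" 2>/dev/null; }

# Addresses from the answer section (lines after "Name:"),
# which skips the DNS server's own "Address:" line at the top.
parse_forward() { awk '/^Name:/ {seen=1; next} seen && /^Address/ {print $NF}'; }

# Host names from PTR answers ("... name = dc01.example.test."),
# lower-cased and with the trailing dot removed.
parse_reverse() { awk '/name = / {sub(/\.$/, "", $NF); print tolower($NF)}'; }

# Print one status word for a domain controller FQDN:
#   OK        name -> IP and IP -> name both resolve, PTR matches the name
#   NO_A      the name does not resolve to any address
#   NO_PTR    an address has no reverse record
#   MISMATCH  the reverse record names a different host
check_dc() {
    local fqdn ips ip names
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ips=$(lookup "$fqdn" | parse_forward)
    [ -n "$ips" ] || { echo NO_A; return 1; }
    for ip in $ips; do
        names=$(lookup "$ip" | parse_reverse)
        [ -n "$names" ] || { echo NO_PTR; return 1; }
        printf '%s\n' "$names" | grep -qxF "$fqdn" || { echo MISMATCH; return 1; }
    done
    echo OK
}

# Usage: pass the FQDN of every domain controller the scanner uses.
for dc in "$@"; do
    printf '%-40s %s\n' "$dc" "$(check_dc "$dc")"
done
```

Run it on the Endpoint Security Management Server so the queries go through the DNS server configured there; any status other than OK identifies the record to fix before enabling GSSAPI.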
Strengthening Active Directory Authentication to use LDAPS
By default, Active Directory authentication uses the LDAP protocol and a simple authentication
method. You can make the authentication more secure by changing the authentication
protocol to LDAPS, with or without GSSAPI authentication. GSSAPI authentication is based
on Kerberos v5.
To change the authentication protocol to LDAPS, GSSAPI, or both:
1. Edit the $UEPMDIR/engine/conf/ldap.utils.properties file.
2. Configure the protocol or protocols to use.