The driver can run in several security modes. The major factors to consider are authentication, encryption, and use of the DirXML Remote Loader. If you are using the Remote Loader you must consider security settings on the Remote Loader channel between DirXML and the driver plus the settings between the driver and Active Directory. If you have Windows 2000 SP3 or later, you'll want to consider a security option called signing.
A simple prescription for managing security is not possible because the security profile available from Windows 2000 varies with service pack, DNS server infrastructure, domain policy, and local policy settings on the Windows 2000 servers. Security choices for the DirXML driver for Active Directory are covered in the following sections. Various combinations of these choices are discussed in Recommended Security Configurations in the Implementation Guide for the Active Directory driver.
You can set the following parameters during installation or later, in the Driver Parameters page. Understanding how the parameters work together and work with the operating system will help you define your approach to security for DirXML data synchronization.
Authentication ID: This is the account the driver uses to access domain data. Valid username formats are
Username | Format |
---|---|
User Principal Name | user@domain.com |
Domain name | user |
Fully Qualified Domain name | domain\user |
If the driver is installed on the Domain Controller and LSA access to Active Directory has not been restricted, you don't have to set an Authentication ID; the driver will use its local identity for authentication.
Application Password: This is the password for the Authentication ID account. Set a password whenever you use an Authentication ID.
Authentication Context: This is an LDAP URL that encodes the DNS name of the Active Directory domain controller. For example: LDAP://mycontroller.mydomain.com.
To configure secure communication using SSL, add the LDAP SSL port number to the DNS server hostname (for example: LDAP://mycontroller.mydomain.com:636). Be aware that SSL will only work if you have set up a Certificate infrastructure and have imported certificates to your Windows 2000 servers. See the Microsoft documentation for Certificate Services for more detail.
If the driver is running on the Domain Controller and you don't specify an authentication context, the driver will address its connection to the local machine.
Use Secure Authentication: When this option is set to Yes, the driver will negotiate Kerberos or NTLM authentication to Active Directory.
When this option is set to No, the driver uses an LDAP simple bind. Simple bind is usually unacceptable because it transmits passwords in clear text on the wire. However, if you have configured SSL secure communication, then the password is sent on an SSL encrypted pipe and is secure.
Use SSL: This parameter controls encryption if you connect to Active Directory using the LDAP SSL port number. By default the parameter is set to No, which means the SSL secure communication will drop out after simple bind authentication completes. Communication after authentication will use clear text.
If you set this value to Yes, the SSL pipe is encrypted for the entire conversation. An encrypted pipe is preferred because the driver typically synchronizes sensitive information. However, encryption will slow the general performance of your servers.
This parameter is configurable through the Driver Parameters page after the driver has been imported.
Use Signing / Sealing: This flag enables signing and sealing of the Active Directory connection if you are not using the LDAP SSL port. Signing ensures that a malicious computer cannot intercept and alter data without detection. Sealing encrypts the data so that it cannot be viewed by a network monitor.
This setting is effective only if you are running the Windows 2000 Security Rollout Package SP1 (SRP1) or Windows 2000 SP3, with Internet Explorer 5.5 SP2 installed on both Windows 2000 servers, and will enable signing and encryption on a Kerberos or NTLM authenticated connection.
Like SSL mode, this parameter is not available on initial import; it is set through the Driver Parameters page after installation is complete.
Keep Credentials: This parameter instructs the driver to use an updated authentication method to maintain its connection to Active Directory. The updated method is important on systems that have upgraded to Windows 2000 Security Rollout Package 1 (SRP1) or Windows 2000 SP3. If you are using an earlier release of Windows and are not experiencing connection problems, set this parameter to No.
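As an added illustration, not code from the Novell documentation or from the driver itself, the following Python script applies the rules stated for these parameters (the LDAP SSL port in the Authentication Context, Use Secure Authentication, Use SSL, Use Signing / Sealing, and a blank Authentication ID) to a few constructed configurations and reports what protects the password and the traffic after authentication. The dictionary key names, the on_domain_controller flag and the sample values are assumptions made for this example.

```python
"""Classify a DirXML Active Directory driver security configuration.

Added example, not part of the Novell documentation or the driver's own code.
It encodes the rules the parameter descriptions give: the LDAP SSL port (636)
in the Authentication Context, Use Secure Authentication, Use SSL and
Use Signing / Sealing together decide whether the password and the data after
authentication are protected. The key names, the on_domain_controller flag and
the sample configurations below are constructed for illustration (assumptions).
"""
from urllib.parse import urlparse

LDAP_SSL_PORT = 636


def username_format(auth_id: str) -> str:
    """Classify an Authentication ID into one of the three documented formats.

    An empty ID means the driver uses its process identity, which only works
    when the driver runs on the Domain Controller.
    """
    if not auth_id:
        return "process identity"
    if "@" in auth_id:
        return "User Principal Name"          # user@domain.com
    if "\\" in auth_id:
        return "Fully Qualified Domain name"  # domain\user
    return "Domain name"                      # user


def uses_ldap_ssl_port(context: str) -> bool:
    """True when the Authentication Context URL names the LDAP SSL port,
    e.g. LDAP://mycontroller.mydomain.com:636 (urlparse lowercases the scheme)."""
    if not context:
        return False
    return urlparse(context).port == LDAP_SSL_PORT


def assess(config: dict) -> dict:
    """Return the bind method, what protects the password, what protects the
    post-authentication traffic, and a list of findings for one configuration."""
    auth_id = config.get("authentication_id", "")
    ssl_port = uses_ldap_ssl_port(config.get("authentication_context", ""))
    secure_auth = bool(config.get("use_secure_authentication", False))
    use_ssl = bool(config.get("use_ssl", False))
    signing = bool(config.get("use_signing_sealing", False))
    findings = []

    # Which of the three authentication methods the parameters select.
    if not auth_id:
        method = "process identity"
        if not config.get("on_domain_controller", False):
            findings.append("blank Authentication ID only works when the driver runs on the Domain Controller")
    elif secure_auth:
        method = "Kerberos/NTLM"
    else:
        method = "simple bind"

    # Simple bind sends the password in clear text unless the SSL port is used.
    if method == "simple bind":
        password = "SSL" if ssl_port else "clear text"
        if not ssl_port:
            findings.append("simple bind without the LDAP SSL port sends the password in clear text")
    else:
        password = method

    # Traffic after authentication: SSL only stays up when Use SSL is Yes;
    # signing/sealing applies only to Kerberos/NTLM connections off the SSL port.
    if ssl_port:
        if use_ssl:
            traffic = "SSL"
        else:
            traffic = "clear text"
            findings.append("Use SSL is No: SSL drops out after the bind and later traffic is clear text")
        if signing:
            findings.append("Use Signing / Sealing has no effect when the LDAP SSL port is used")
    else:
        if use_ssl:
            findings.append("Use SSL is Yes but the Authentication Context does not name port 636")
        if signing and method != "simple bind":
            traffic = "signing/sealing"
        else:
            traffic = "clear text"
            findings.append("data after authentication is not encrypted (no SSL port, no signing/sealing)")

    return {"method": method, "password": password, "traffic": traffic, "findings": findings}


# Constructed sample configurations (hostnames and accounts are placeholders).
SAMPLE_CONFIGS = {
    "ssl_kerberos": {
        "authentication_id": "user@domain.com",
        "authentication_context": "LDAP://mycontroller.mydomain.com:636",
        "use_secure_authentication": True, "use_ssl": True, "use_signing_sealing": False,
    },
    "simple_bind_clear": {
        "authentication_id": "domain\\user",
        "authentication_context": "LDAP://mycontroller.mydomain.com",
        "use_secure_authentication": False, "use_ssl": False, "use_signing_sealing": False,
    },
    "signed_ntlm": {
        "authentication_id": "user",
        "authentication_context": "LDAP://mycontroller.mydomain.com",
        "use_secure_authentication": True, "use_ssl": False, "use_signing_sealing": True,
    },
    "ssl_bind_only": {
        "authentication_id": "user@domain.com",
        "authentication_context": "LDAP://mycontroller.mydomain.com:636",
        "use_secure_authentication": False, "use_ssl": False, "use_signing_sealing": False,
    },
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(name, username_format(cfg["authentication_id"]), assess(cfg))
```

The order of the checks mirrors the descriptions above: the SSL port decides whether a simple bind's password is exposed, Use SSL decides whether the pipe stays encrypted after the bind, and signing/sealing is only counted for a Kerberos or NTLM connection that is not using the SSL port.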
The three authentication methods used by the driver are listed below. If you have installed a different security package into the Microsoft Security Service Provider Interface (SSPI) infrastructure, you will have additional options.
Use Process Identity: This mode is selected when you leave the Authentication ID blank. Typically, eDirectory runs as a service and you will receive Local Service Account (LSA) rights to Active Directory. Unless policy or local Active Directory security settings disallow access for the LSA, this level of rights works when you are running the driver on your Active Directory server. This only works if the driver is running on the Domain Controller.
Simple Bind: Passes the user name and password in clear text. This option should only be used with SSL.
Kerberos / NTLM authentication: NTLM is the standard Domain authentication used on Windows NT 4. It is weaker than Kerberos because key lengths might not be as long and it does not support mutual authentication. However, NTLM has been used for years with Domain authentication and is acceptable for most uses.
Kerberos is the new Windows 2000 authentication and is the preferred method for future authentications with Microsoft. It implements a third-party mutual authentication scheme and is generally stronger than NTLM. The driver is not notified which authentication scheme is being used.