Each of these security parameters is set during the initial driver configuration.
Understanding how the parameters work together and with the operating system will help you define your approach to security for Nsure Identity Manager data synchronization.
Authentication ID: This is the account the driver uses to access domain data. Valid username formats are:

Username | Format |
---|---|
Domain name | user |
Fully Qualified Domain name | domain\user |
Simple | cn=DirXML,cn=Users,DC=domain,dc=com |
Authentication Context: This is the DNS name of the Active Directory domain controller if you selected negotiate, or the IP address of your LDAP server if you selected LDAP simple authentication. For example: mycontroller.mydomain.com.
If the driver is running on the Domain Controller and you don't specify an authentication context, the driver will address its connection to the local machine.
Application Password: This is the password for the Authentication ID account. Set a password whenever you use an Authentication ID.
Use Signing: This flag enables signing of the Active Directory connection if you are not using the LDAP SSL port. Signing ensures that a malicious computer is not intercepting data.
This setting requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers. It enables signing and encryption on a Kerberos or NTLM authenticated connection.
Like SSL, this parameter is not available on initial import; it is set through the Driver Parameters page after installation is complete.
Use Sealing: This flag enables sealing of the Active Directory connection if you are not using the LDAP SSL port. Sealing encrypts the data so that it cannot be viewed by a network monitor.
This setting requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers. It enables signing and encryption on a Kerberos or NTLM authenticated connection.
Like SSL, this parameter is not available on initial import; it is set through the Driver Parameters page after installation is complete.
Use SSL: This parameter controls encryption if you connect to Active Directory using the LDAP SSL port. By default the parameter is set to No.
If you set this value to Yes, the SSL pipe is encrypted for the entire conversation. An encrypted pipe is preferred because the driver typically synchronizes sensitive information. However, encryption will slow the general performance of your servers.
This parameter is configurable through the Driver Parameters page after the driver has been imported.
SSL is required for subscriber password check, set, and modify. Publisher password operations are not available using simple bind. SSL is discussed further in SSL.
Because authentication is dependent on several parameters such as the server support pack, your DNS infrastructure, and policy and registry settings, the most reliable means of authentication is to install the driver on the computer hosting Active Directory and then use the Remote Loader to connect to the DirXML engine, as illustrated in Dual Server Configuration (2). With this configuration, you will be most successful if you set the driver parameters as follows.
If you do not want to run the driver on your Active Directory domain controller, as shown in Single Server Installation and in Triple Server Configuration, set the driver parameters as follows:
SSL is recommended if you have selected the simple authentication mechanism, and is required for password synchronization.
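The following checker is an added example, not code from the Nsure Identity Manager documentation or the driver itself. It classifies an Authentication ID against the three documented username formats and flags parameter combinations that the text above describes as unsupported or weak (simple bind without SSL, password synchronization without SSL, signing or sealing set together with the LDAP SSL port, a missing Application Password). The field names of `DriverParams` and the mechanism values `"negotiate"` and `"simple"` are assumptions chosen for readability; the driver's real parameter names are not shown on this page.

```python
"""Consistency checker for the driver security parameters described above.
Added example; parameter names and mechanism values are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class DriverParams:
    authentication_id: str
    authentication_context: str      # DNS name (negotiate) or IP address (simple); "" = local machine
    application_password: str
    authentication_mechanism: str    # "negotiate" or "simple" (assumed values)
    use_ssl: bool                    # connecting over the LDAP SSL port
    use_signing: bool
    use_sealing: bool
    password_sync: bool              # subscriber password check/set/modify is required


DN_ATTRIBUTE_TYPES = {"cn", "ou", "dc", "o"}


def classify_auth_id(auth_id: str) -> str:
    """Map an Authentication ID onto one of the documented username formats."""
    s = auth_id.strip()
    if not s:
        return "empty"
    # Simple format: an LDAP distinguished name, e.g. cn=DirXML,cn=Users,DC=domain,dc=com
    parts = [p.strip() for p in s.split(",")]
    if all("=" in p and p.split("=", 1)[0].strip().lower() in DN_ATTRIBUTE_TYPES
           and p.split("=", 1)[1].strip() for p in parts):
        return "simple"
    # Fully qualified format: domain\user
    if s.count("\\") == 1 and all(seg and " " not in seg for seg in s.split("\\")):
        return "fully qualified domain name"
    # Domain-name format: a bare user name
    if not any(ch in s for ch in "\\@,= "):
        return "domain name"
    return "unknown"


def check_params(p: DriverParams) -> List[str]:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings: List[str] = []
    fmt = classify_auth_id(p.authentication_id)
    mech = p.authentication_mechanism.lower()

    if fmt in ("empty", "unknown"):
        findings.append(f"Authentication ID {p.authentication_id!r} is not in a documented format")
    if p.authentication_id and not p.application_password:
        findings.append("Application Password must be set whenever an Authentication ID is used")

    if mech == "simple":
        ctx = p.authentication_context.strip()
        if ctx:
            try:
                ipaddress.ip_address(ctx)   # simple bind expects the LDAP server's IP address
            except ValueError:
                findings.append("Authentication Context for simple bind should be the LDAP server IP address")
        if not p.use_ssl:
            findings.append("Simple bind without SSL: the password crosses the network unprotected; SSL is recommended")
        if p.password_sync:
            findings.append("Publisher password operations are not available using simple bind")
    elif mech == "negotiate":
        if not p.use_ssl and not (p.use_signing and p.use_sealing):
            findings.append("Negotiate without SSL: enable Use Signing and Use Sealing to protect the connection")
    else:
        findings.append(f"Unknown authentication mechanism {p.authentication_mechanism!r}")

    if p.use_ssl and (p.use_signing or p.use_sealing):
        findings.append("Use Signing / Use Sealing only apply when not using the LDAP SSL port")
    if p.password_sync and not p.use_ssl:
        findings.append("Subscriber password check, set and modify require SSL")
    return findings


if __name__ == "__main__":
    # Constructed sample: simple bind over clear-text LDAP with password sync enabled
    weak = DriverParams("cn=DirXML,cn=Users,DC=domain,dc=com", "192.0.2.10", "secret",
                        "simple", use_ssl=False, use_signing=False, use_sealing=False,
                        password_sync=True)
    for line in check_params(weak):
        print("-", line)
```

Run it against a proposed parameter set before importing the driver; any finding points back to one of the parameter descriptions above. The address `192.0.2.10` in the sample is a constructed documentation address.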