3.5 Advanced Authentication Credential Provider

After Client for Open Enterprise Server 2 SP4 (IR6) or later and Advanced Authentication Client are installed successfully, the following requirements must be met to perform the Windows logon followed by automatic eDirectory login using the Advanced Authentication credential provider:

  • The existing Advanced Authentication credential provider obtains its configuration from the settings in the config.properties file, or performs DNS discovery if config.properties is not configured.

  • The Windows account password is set to the same value as the user’s eDirectory account password, so that the automatic and transparent eDirectory login can succeed.

  • To avoid being prompted for eDirectory information, the user must have logged in to eDirectory successfully before using Advanced Authentication, so that the eDirectory tree name, eDirectory context, and other login profile information for Client for Open Enterprise Server is populated during the login process. Otherwise, the user is prompted to provide and save these details during their first login.

  • To use the Advanced Authentication Credential Provider in the Client for Open Enterprise Server 2 SP4 (IR11) and later, in the Advanced Login tab of Client Properties, the parameter Client Logon must be set to Off and the parameter Login with Third-Party Credential Provider must be set to On.

To log in to Windows, on the Advanced Authentication login page, the user must provide the user credential in the format Advanced Authentication user repository\username. Further login requirements are based on the enrolled methods that are required by Advanced Authentication for the Windows user login. For more information on configuring Advanced Authentication methods, see the Advanced Authentication Administration Guide.

NOTE: For a non-domain joined Windows workstation, when logging in with Advanced Authentication for the first time, the Advanced Authentication credential provider prompts for additional Windows account credentials. This information is used to map the local account to the domain account of the user.

After the user has successfully completed the required Advanced Authentication methods and before the Windows user desktop is displayed, the Login with Third-Party Credential Provider functionality of Client for Open Enterprise Server performs the eDirectory login.

If the user has not logged in to eDirectory before from this workstation, or if the eDirectory tree name, eDirectory context, or eDirectory password is incorrect, then the Client for Open Enterprise Server prompts the user to provide correct eDirectory information to complete the eDirectory login. The information provided the first time the user logs in to eDirectory successfully is saved for future logins.

When the Windows user desktop is displayed after successful login, the user is logged in to both Windows and eDirectory.

If the user disconnects their NCP connections or logs out of eDirectory, the Client for Open Enterprise Server requires the user to perform the Advanced Authentication login again to access eDirectory.