12.1 Default Configuration of the Security Parameters

The security parameters must be changed after the initial configuration of driver occurs.

To change these parameters in iManager:

  1. Click Identity Manager > Identity Manager Overview, then click Search to search for the driver set that is associated with the driver.

  2. Browse to the driver, then click the upper right corner of the driver icon.

  3. Click Edit Properties > Driver Configuration > Driver Parameters.

  4. Review the driver parameters in Table 12-1, and decide if you need to make any changes.

To change these parameters in Designer:

  1. Open a project in the modeler, then right-click the driver line and select Properties > Driver Configuration.

  2. Click Driver Parameters.

  3. Review the driver parameters in Table 12-1, and decide if you need to make any changes.

Table 12-1 Security Parameters

Security Parameter

Description

Authentication ID

The account the driver uses to access the domain data. The Authentication ID can be specified using different formats:

  • If the Authentication method is set to negotiate, the user name is specified with the domain name or the full qualified domain name. For example, user or domain\user.

  • If the Authentication method is set to simple, the user name must be specified using an LDAP fully distinguished name. For example, cn=IDMadmin,cn=Users,dc=domain,dc=com.

Authentication context

The context used to access domain data. The Authentication context can be specified using different formats:

  • If the Authentication method is set to negotiate, use the DNS name of the Active Directory domain controller. For example, mycontroller.mydomain.com.

  • If the Authentication method is set to simple, use the DNS name of the Active Directory domain controller or the IP address of the LDAP server. For example, mycontroller.mydomain.com or 10.0.0.1.

Application password

The password for the Authentication ID account.

Authentication Method

The method of authentication to Active Directory. Negotiate uses Microsoft’s security package to negotiate the logon type. Typically Kerberos or NTLM is selected. Simple uses LDAP style simple bind for logon.

If you want to use Password Synchronization, select Negotiate.

Digitally sign communications

This setting requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers. This enables signing on a Kerberos or NTLM v2 authenticated connection.

Select Yes to digitally sign the communication between the driver shim and Active Directory. This does not hide the data from view on the network, but it reduces the chance of security attacks.

Signing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM v2 or Kerberos for its protocol.

Do not use this option with SSL.

Select No to have communications not signed.

Digitally sign and seal communications

This setting requires Windows 2003 or Windows 2000 with the most recent support pack, and Internet Explorer 5.5 SP2 or later on both servers. This setting enables encryption on a Kerberos or NTLM v2 authenticated connection.

Select Yes to digitally encrypt communication between the driver shim and the Active Directory database.

Sealing only works when you use the Negotiate authentication method and the underlying security provider selects NTLM v2 or Kerberos for its protocols.

Do not use this option with SSL.

Select No to not have communication between the driver shim and the Active Directory database signed and sealed.

Use SSL for encryption

Select Yes to digitally encrypt communication between the driver shim and the Active Directory database.

This option can be used with Negotiate or Simple authentication methods. SSL requires that the Microsoft server running the driver shim imports the domain controller’s server certificate. For more information, see Securing Windows 200 Server.

By default, the parameter is set to No. If you set this value to Yes, the SSL pipe is encrypted for the entire conversation. An encrypted pipe is preferred because the driver typically synchronizes sensitive information. However, encryption slows the general performance of your servers.

Logon and impersonate

Select Yes to logon and impersonate the driver authentication account for CDOEXM (Collaboration Data Object for Exchange Management) and Password Set support. The driver performs a local logon. The authentication account must have the proper rights assignment. For more information, see Section 2.4, Creating an Administrative Account.

If No is selected, the driver performs a network logon only.