What are some of the general features and requirements for using the AD Agent for authentication?


This article applies to:

  • R3000

Question:

What are some of the general features and requirements for using the AD Agent for authentication?

Reply

Feature Overview
  • Supports Windows 2000 server, Windows 2003 server
  • Supports Mixed or Native environment
  • Supports both LDAP and LDAPS
  • Runs as a service
  • Auto-detects the domain controllers
  • R3000 will fail over to a defined “Backup” server
  • Data transmitted between the DC Agent and the R3000 is encrypted in an authenticated session

Workflow
  1. DC agent is installed in either a DC or a separated Windows Server machine that can talk to DC through Windows APIs.
  2. Users logon/logoff to the network, the event is logged into event viewer. (Auditing of Logon Events Required)
  3. DC Agent queries the event log or probe workstations for LOGON/LOGOFF event info (login name, domain name, IP)
  4. DC Agent sends such info with event indicator to R3000 Authentication Module through TCP/IP connection
  5. If it is a LOGON event, all user info and LOGON indicator sent
  6. If it is a LOGOFF event, IP and LOGOFF indicator sent
  7. R3000 assigns or removes a profile based on the user info and event indicator
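The seven workflow steps above, modelled end to end as an added example (constructed sample records; this is not 8e6/Trustwave code and not the real wire format). The agent side turns audited events into LOGON/LOGOFF messages, and the R3000 side keeps a profile table keyed by client IP, which is why a logoff carries only the IP and why a second logon from the same IP simply rebinds it. The Windows 2000/2003 security event IDs used (528/540 logon, 538 logoff, 529 failed logon) are an assumption of the example; the article does not list them.

```python
"""Illustrative model of the DC Agent -> R3000 logon workflow (example only)."""
from dataclasses import dataclass
from typing import Optional

# Classic Windows 2000/2003 security-log IDs, assumed for this example.
LOGON_EVENT_IDS = {528, 540}   # successful interactive / network logon
LOGOFF_EVENT_IDS = {538}       # user logoff


@dataclass(frozen=True)
class AgentMessage:
    indicator: str                 # "LOGON" or "LOGOFF"
    ip: str
    user: Optional[str] = None     # only present on LOGON
    domain: Optional[str] = None


def agent_translate(record: dict) -> Optional[AgentMessage]:
    """DC Agent side (steps 3-6): one audited event -> message for the R3000."""
    eid = record["event_id"]
    if eid in LOGON_EVENT_IDS:
        # LOGON: full user info plus the indicator
        return AgentMessage("LOGON", record["ip"], record["user"], record["domain"])
    if eid in LOGOFF_EVENT_IDS:
        # LOGOFF: IP and indicator only
        return AgentMessage("LOGOFF", record["ip"])
    return None  # failed logons and unrelated events are not forwarded


def r3000_apply(sessions: dict, msg: AgentMessage) -> dict:
    """R3000 side (step 7): assign or remove a profile, keyed by client IP."""
    if msg.indicator == "LOGON":
        sessions[msg.ip] = f"{msg.domain}\\{msg.user}"  # rebinds if IP already known
    elif msg.indicator == "LOGOFF":
        sessions.pop(msg.ip, None)  # LOGOFF for an unknown IP is ignored, not an error
    return sessions


def run(records) -> dict:
    sessions: dict = {}
    for rec in records:
        msg = agent_translate(rec)
        if msg is not None:
            r3000_apply(sessions, msg)
    return sessions


# Constructed sample event-log records (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 528, "user": "alice",   "domain": "CORP", "ip": "10.0.0.5"},
    {"event_id": 540, "user": "bob",     "domain": "CORP", "ip": "10.0.0.6"},
    {"event_id": 529, "user": "mallory", "domain": "CORP", "ip": "10.0.0.7"},  # failed logon
    {"event_id": 538, "user": "alice",   "domain": "CORP", "ip": "10.0.0.5"},  # alice logs off
    {"event_id": 528, "user": "carol",   "domain": "CORP", "ip": "10.0.0.6"},  # same IP as bob
    {"event_id": 538, "user": "dave",    "domain": "CORP", "ip": "10.0.0.9"},  # IP never seen
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # {'10.0.0.6': 'CORP\\carol'}
```

Because identity is bound to the IP alone, a missed LOGOFF event leaves the previous user's profile in place until the next LOGON from that address, so auditing of logon events must stay enabled on every DC the agent reads.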

Windows Requirements
  • The agent runs on Windows 2003 Server or Windows 2000 Server. The server should be running the latest Microsoft patches / service packs.
  • >= 512 MB RAM, 100 MB disk space
  • A special domain user account for the service with permissions to read the DC event logs

Prerequisite Domain Configuration
  • A new group on the domain named "dcagent_services".
  • A new domain user account named “dcagent_service” and make it a member of the dcagent_services group.
  • Add your administrator account to the dcagent_services group. (Any users in the dcagent_services group have permission to manage the DC Agent)
  • Domain Security Policy console, "Audit account logon events" policy must be defined as "Success"
  • Domain Security Policy console, "Audit logon events" policy must be defined as "Success"
  • Domain Controller Security Policy console: add the dcagent_services and Domain Admins groups to the list of permitted users for the "Manage auditing and security log" policy.
  • (If the Agent is on a Domain Controller) Add the dcagent_service account to the list of permitted users for the "Allow Logon Locally" policy.

NOTES: The AD Agent no longer REQUIRES you to keep the “dcagent_services / dcagent_service” names for the group and user; this is now just a recommendation. You are allowed to substitute other names in your environment that fit with your account naming conventions.
  (a) 8e6 documentation uses these names, so please remember to make the appropriate substitutions.
  (b) If a different naming convention is used, whenever the service starts it will issue an error message stating that it can’t verify the group membership of the service account. This error message will be forwarded to the network administrator if they have e-mail notifications enabled, and it will show up in red in the system log. It is only a warning; beyond that, there is no functional consequence if the system is properly configured.
This article was previously published as: 8e6 KB 276444

Last Modified 2/25/2008.
https://support.trustwave.com/kb/KnowledgebaseArticle12276.aspx