This section describes the procedures used to implement Administrator Interface (AI) authentication using Active Directory (AD) domain credentials. Users can be set up as members of specified AD domains to access the Unitrends system without being added as users in that system itself.
Note: AD authentication is implemented at the AI and Apache component level. The Unitrends operating system is not joined to the AD domain.
The AD group to which a user belongs determines which features that user can view and utilize. Users are granted one of the following privilege levels: monitor, manage, administrator, or superuser. User actions are logged in the system and can be viewed in the Audit History report. For details, see Audit History Report.
Perform these procedures to manage Active Directory authentication:
Note: If you are using the Active Directory user with navigation grouping, give the user Manage level privileges. For details, see Navigation grouping.
1 | Create the following groups in your Active Directory domain: |
Group | Description |
---|---|
Unitrends-Superuser | Members of this group are granted superuser privileges. |
Unitrends-Admin | Members of this group or domain administrators are granted administrator privileges. In addition to monitoring and managing systems, these users can add, edit, or delete customers or customer locations, and add, edit, or delete users. Because administrators can create customers and locations, they can also assign systems to different customers and locations in the navigational tree (using Settings > System, Updates, and Licensing > Grid Management). |
Unitrends-Manage | Members of this group are granted manage privileges. These users can view statuses and reports, start backups, and perform other management tasks, such as adding or modifying clients and retention settings. They can also view running jobs or processes, but cannot create users or modify users, with the exception of modifying their own user account password. |
Unitrends-Monitor | Members of this group are granted monitor privileges. These users are only able to view the status of operations, such as backups or replication, on the front Status page, and run reports. They cannot start backups or restores, view running jobs, or configure the system in any way, other than to modify their own user account password. |
Note: You may name these groups to suit your environment. If you use your own names, be sure to enter these names when you configure AD authentication in the Unitrends system. User group names in your AD domain must match the names you enter in step 7.
2 | Add users to the Unitrends domain groups as desired. |
Users who are not domain administrators must be assigned to a Unitrends group to log in to the AI using AD authentication.
Note: Add users to the groups only. Do not add groups. Nested grouping is not a Microsoft best practice and may cause undesirable results.
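Steps 1 and 2 can be scripted on a domain-joined Windows machine. The following is an added example, not Unitrends code: it creates the four default groups, adds one user directly, and then audits each group for nested groups, which the note above says to avoid. The OU path, the Global/Security group scope, and the sample user jsmith are assumptions.

```powershell
# Added example, not vendor code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Default group names from the table above; change them if you use your own.
$groups = 'Unitrends-Superuser', 'Unitrends-Admin', 'Unitrends-Manage', 'Unitrends-Monitor'
$ouPath = 'OU=Groups,DC=company_domain,DC=com'   # placeholder OU (assumption)

# Step 1: create any group that does not exist yet.
foreach ($name in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        # Global security scope is an assumption; the page does not specify one.
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $ouPath
    }
}

# Step 2: add a user account directly (jsmith is a sample user).
Add-ADGroupMember -Identity 'Unitrends-Monitor' -Members 'jsmith'

# Audit: list the direct members of every group and flag nested groups.
$report = foreach ($name in $groups) {
    foreach ($m in (Get-ADGroupMember -Identity $name)) {
        [pscustomobject]@{
            Group  = $name
            Member = $m.SamAccountName
            Class  = $m.objectClass
            Nested = ($m.objectClass -eq 'group')
        }
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Warn when a group contains another group instead of user accounts only.
$nested = $report | Where-Object Nested
if ($nested) {
    $names = ($nested.Group | Sort-Object -Unique) -join ', '
    Write-Warning "Nested groups found in: $names"
}
```

Rerunning the audit portion periodically gives a reviewable list of who holds superuser and administrator privileges on the backup system.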
3 | In the Unitrends AI, select the desired system in the Navigation pane. |
4 | Do one of the following: |
Note: The backup system must be running release 7.2 or higher to use the DNS option. For older releases, you must add the AD server to the system’s host file.
• | Create a DNS entry for the AD server with reverse lookup configured, then skip to step . |
• | Add the AD server to the Unitrends system’s host file as described in step . |
Select Settings > Clients, Networking, and Notifications > Networks > Hosts, click Add Another Host, enter Host Name, IP Address, and Qualified Name as described below, then click Confirm.
• | The AD server is the machine where the Active Directory domain is located. |
• | For Qualified Name, enter the active directory domain only. Do not include the server name. |
• | Example: for an AD server called SERVER_AD whose IP address is 192.168.111.75 and AD domain is company_domain.com, enter the following: |
Important! This host entry must be added before continuing with this procedure. The host entry must be present before configuring the Unitrends system for AD authentication.
6 | Select Settings > System, Updates, and Licensing > Active Directory. |
7 | Enter information as follows: |
Field | Action |
---|---|
Enable Active Directory Authentication | Check this box to start using AD authentication, or leave unchecked to start using AD authentication at a later time. |
Use SSL | The Use SSL option is not supported. |
Active Directory Server | Enter the hostname of the machine where the Active Directory Domain is located. If left blank, the system populates this field using the hosts file entry. If you are using DNS and did not add the AD server to the hosts file, be sure to enter the hostname here. This field is limited to 15 characters. |
Active Directory Domain | Enter the name of the AD domain. Do not include the AD server name. For example, |
Active Directory IP | Enter the IP address of the AD server. This is optional. |
Unitrends Superuser Group | Enter Unitrends-Superuser. |
Unitrends Administrator Group | Enter Unitrends-Admin. |
Unitrends Manage Group | Enter Unitrends-Manage. |
Unitrends Monitor Group | Enter Unitrends-Monitor. |
8 | Click Confirm to save, or click Cancel to exit without saving. |
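Before entering the values from step 7, the constraints stated in this procedure (15-character server name, domain without the server name, DNS entry with reverse lookup) can be checked from a Windows workstation. This is an added example, not Unitrends code. It assumes the workstation uses the same DNS servers as the Unitrends system and that the server's FQDN is the hostname followed by the AD domain; the values are the sample values from this page.

```powershell
# Added example, not vendor code. Sample values taken from this page.
$adServer = 'SERVER_AD'            # Active Directory Server field
$adDomain = 'company_domain.com'   # Active Directory Domain field
$adIp     = '192.168.111.75'       # Active Directory IP field
$fqdn     = "$adServer.$adDomain"  # assumption: FQDN is host + domain

$problems = @()

# Field constraints stated in the step 7 table.
if ($adServer.Length -gt 15) {
    $problems += "Server name '$adServer' exceeds the 15-character limit."
}
if ($adDomain -like "$adServer.*") {
    $problems += 'Domain field must not include the server name.'
}

# Forward lookup: the server name should resolve to the expected address.
try {
    $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' }
    if ($a.IPAddress -notcontains $adIp) {
        $problems += "$fqdn resolves to $($a.IPAddress -join ', '), not $adIp."
    }
} catch {
    $problems += "No forward (A) record found for $fqdn."
}

# Reverse lookup: step 4 requires a DNS entry with reverse lookup configured.
try {
    $ptr = Resolve-DnsName -Name $adIp -Type PTR -ErrorAction Stop |
           Where-Object { $_.Type -eq 'PTR' }
    if ($ptr.NameHost -notcontains $fqdn) {
        $problems += "PTR for $adIp is $($ptr.NameHost -join ', '), not $fqdn."
    }
} catch {
    $problems += "No reverse (PTR) record found for $adIp."
}

if ($problems.Count -eq 0) {
    'All checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```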
This procedure assumes you have set up the Unitrends user account in Active Directory and have configured AD authentication as described in To authenticate using Active Directory.
1 | Connect to the Unitrends system by directing any browser to |
https://<system IP address>/recoveryconsole
2 | Click the lock icon. |
3 | In the Enter your username field, enter the AD domain and user name in either of the following formats: ad_domain\ad_username or ad_username@ad_domain.company_domain |
For example, for user jsmith on AD domain accounting and company domain americanaccountants.com, enter:
accounting\jsmith
or
jsmith@accounting.americanaccountants.com
4 | In the Enter your password field, enter the password for this AD user. |
5 | Click Login. |
1 | Select Settings > System, Updates, and Licensing > Active Directory. |
2 | Check the Enable Active Directory Authentication box to enable AD authentication, or uncheck this box to disable AD authentication. |
3 | Click Confirm to save. |