- 31 Dec 2024
Microsoft Active Directory back-end authentication
OneSpan Authentication Server also supports site awareness for Global Catalog-based Active Directory domain controller lookup. OneSpan Authentication Server queries the Global Catalog for all domain controllers serving the user currently being authenticated against the back end and contacts the relevant domain controllers according to their priority in the Global Catalog. In this context, OneSpan Authentication Server identifies the network site to which the machine running OneSpan Authentication Server belongs. Domain controllers that share that site with OneSpan Authentication Server take precedence over the others during back-end authentication.
When deploying Microsoft Active Directory with OneSpan Authentication Server Appliance for back-end authentication, ensure the following:
- The domain controllers are running Windows Server 2016 or later.
- If the global catalog is set up (via Back End > Settings in the Administration Web Interface) and no back-end components have been defined, domain discovery will be used to search for a user and identify the Active Directory server to authenticate the user.
- If domain discovery via the global catalog is to be used, users must be set up in the same domain on Active Directory as they are on OneSpan Authentication Server Appliance.
- After domain discovery, communication to the Active Directory server containing the user credentials will use SSL if and only if Enable SSL for Back-End Servers is set in the Global Catalog Domain Discovery setting. You can also use the SSL Port option in this section to override the port to be used for SSL communication. If not specified, OneSpan Authentication Server Appliance will determine the port number from DNS or the global catalog.
- OneSpan Authentication Server Appliance must be configured to use the DNS server containing the DNS records of the Active Directory server on the host OS.
- The user ID that is used to log in to the Active Directory back-end system during authentication must have both search and update permissions for the data that is to be accessed.
| User ID format | User ID source |
|---|---|
| UserID | sAMAccountName attribute of the user |
| MYREALM\userid | Fully qualified domain name + sAMAccountName attribute of the user |
| userid@mydomain.com | sAMAccountName attribute of the user + fully qualified domain name |
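To illustrate the three user ID formats in the table, here is an added Python example (not OneSpan code) that splits a submitted user ID into its domain and sAMAccountName parts and builds the LDAP search filter for the user; the RFC 4515 escaping step is an assumption about good practice, not something the page documents.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ParsedUserId:
    sam_account_name: str   # compared against the AD sAMAccountName attribute
    domain: Optional[str]   # realm or domain the user supplied; None for a bare user ID
    form: str               # "UserID", "MYREALM\\userid" or "userid@mydomain.com"


def parse_user_id(user_id: str) -> ParsedUserId:
    """Split a submitted user ID into its domain and sAMAccountName parts."""
    if not user_id or user_id != user_id.strip():
        raise ValueError("empty or whitespace-padded user ID")
    if "\\" in user_id and "@" in user_id:
        raise ValueError("user ID mixes the REALM\\ and @domain forms")
    if "\\" in user_id:
        sep, form = "\\", "MYREALM\\userid"
    elif "@" in user_id:
        sep, form = "@", "userid@mydomain.com"
    else:
        return ParsedUserId(user_id, None, "UserID")
    if user_id.count(sep) != 1:
        raise ValueError("more than one %r in user ID" % sep)
    left, right = user_id.split(sep)
    domain, name = (left, right) if sep == "\\" else (right, left)
    if not domain or not name:
        raise ValueError("empty domain or user part in %r" % user_id)
    return ParsedUserId(name, domain, form)


# RFC 4515 section 3: characters that must be hex-escaped inside a filter value
# (assumed good practice; the page does not describe the filter it sends).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def sam_account_filter(user_id: str) -> str:
    """LDAP filter that locates the user by sAMAccountName. The domain part is
    deliberately kept out of the filter: it selects which domain (or, with
    domain discovery, which domain controller) is queried."""
    return "(sAMAccountName=%s)" % escape_filter_value(parse_user_id(user_id).sam_account_name)
```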
LDAP configuration
The LDAP back-end server needs to be configured to allow it to authenticate via the LDAP protocol. For instructions on how to do this, refer to the OneSpan Authentication Server Appliance Administrator Guide.
If you are using Microsoft Active Directory as the back-end server and configure LDAP back-end authentication with SASL-DIGEST-MD5, the cyrus-sasl-md5 library must be installed to ensure connectivity between OneSpan Authentication Server and Active Directory!
For more information about setting up a back-end server record for an Active Directory server, refer to the Administration Web Interface Help.