
Active Directory and Windows workgroup support

Configuring Active Directory or Windows workgroup support


You can configure HCP to support either Windows Active Directory or Windows workgroups. HCP cannot support both AD and Windows workgroups at the same time. For information on which Windows servers are supported, check the HCP release notes for the version of HCP that you have installed.

Windows Active Directory is a Microsoft product that, among other features, provides user authentication services. You can configure HCP to support access by users authenticated by AD. With HCP configured this way, an authenticated AD user can use any HCP interface that requires authentication, such as the System Management Console, the Search Console, or the applicable namespace access protocols (provided that the user has the applicable permissions in HCP). For more information on AD, see About Active Directory.

Important: If you have more than one HCP system for which you are enabling support for AD, one or more of those systems may need to be reconfigured to prevent conflicts. Before enabling support for AD for any of the HCP systems, contact your authorized HCP service provider. Your provider can determine whether any reconfiguration is required and then make the necessary changes.

Notes:

For authenticated AD users to use a tenant- or namespace-level interface, such as the Tenant Management Console and the namespace access protocols, the tenant must also be configured to support AD authentication.

If you disable support for AD after it has been enabled, tenants for which the only supported type of authentication is AD will not be able to access the Tenant Management Console. Therefore, before disabling AD support, you should ensure that all tenants support local authentication. Additionally, you should notify all tenant administrators that they need to create at least one locally authenticated user account with the security role.

A Windows workgroup is a named collection of computers on a LAN that share resources such as printers and file servers. User accounts are specific to each computer in a workgroup. No authentication is required for access to the shared resources.

When you configure HCP to support Windows workgroups, you provide the name of the workgroup in which you want CIFS-enabled namespaces to be shared resources. If HCP is on the same LAN as the computers in the workgroup, all CIFS-enabled namespaces are automatically exposed in the workgroup. HCP namespaces each appear as a single shared resource with a name in this format: tenant-name_namespace-name (for example, finance_accounts-receivable). The default namespace appears as two shared resources, fcfs_data and fcfs_metadata.

Note: If the CIFS protocol is configured to require authentication for access to a given namespace, that namespace cannot be accessed through a workgroup.

You use the Active Directory page in the HCP System Management Console to configure support for AD and Windows workgroups. To display this page, in the top-level menu of the System Management Console, select Security > Active Directory.

Roles: To view and modify information on the Active Directory page, you need the security role.

For information on configuring HCP to support AD, see Configuring support for Active Directory. For information on configuring HCP to support Windows workgroups, see Configuring support for Windows workgroups.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

About Active Directory


The following sections provide more information about using AD with HCP. For instructions on configuring AD to support HCP, see Configuring Active Directory to support HCP.

User authentication with Active Directory


When an AD user tries to access HCP using a client application that supports Integrated Windows authentication (such as Firefox, Internet Explorer, or Windows Explorer):

If the user is logged in to Windows with a recognized AD user account, HCP accepts the already authenticated credentials from the client computer and lets the user access the requested interface. This is called single sign-on.

Note: Tenant administrators can configure individual namespaces not to support single sign-on with HTTP-based interfaces (such as the HCP Namespace Browser).

If the user supplies a recognized AD user account other than the one with which the user is currently logged in to Windows, HCP sends the specified user credentials to AD for authentication. If AD successfully authenticates the user, HCP lets the user access the requested interface.

As defined in the System Management Console, a recognized AD user account is an AD user account for a user that belongs to one or more AD groups for which corresponding group accounts are defined in HCP. For more information on group accounts, see About user and group accounts.

HCP configuration for Active Directory support


For HCP to support AD, you need to configure HCP to identify the domain in the AD forest to be used for HCP user authentication and provide credentials for an existing AD account in that domain. This AD user account is used to configure HCP in the AD domain.

All AD domain controllers configured for the domain used for HCP user authentication must be able to communicate with HCP over the [hcp_system] network. Therefore, each AD domain controller must have at least one IPv4 or IPv6 address that is routable from the [hcp_system] network.

You also need to specify (or accept the defaults for) the existing organizational unit (OU) in which computer accounts will be created for the HCP nodes, along with the name of a computer account that HCP will use when querying AD for groups and other information. That computer account will be in the same AD groups as the user account you specify.

You can choose to enable secure communication between HCP and AD for the configuration of the computer account that HCP will use for querying AD. In this case, HCP needs a copy of the SSL certificate that allows clients to connect securely to the LDAP server used by AD. You need to export this certificate from AD as a base-64-encoded X509 certificate and then upload it to HCP on the Active Directory page.

For secure communication with AD when configuring computer accounts for HCP nodes, you can configure HCP to use NTLM or NTLMv2. The Use NTLMv2 authentication option appears only if you have selected Enable Authenticated CIFS Support. If you want HCP to use NTLM instead, deselect Use NTLMv2 authentication. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.

Considerations for the information you need to supply


These considerations apply to the information you need to supply when configuring HCP support for AD:

Before configuring AD support in HCP:

- Create an AD group in the target domain. Give the group permission to add members to itself. Then give the group these permissions in the specified OU:

  Read all properties on descendant computer objects

  Write all properties on descendant computer objects

  Change password on descendant computer objects

  Reset password on descendant computer objects

  Delete on descendant computer objects

  Create computer objects in this object and all descendant objects

  Delete computer objects in this object and all descendant objects

- Create an AD user account and add it to only that group. This is the user to specify as the domain user in the AD configuration in HCP.

- If HCP is not joined to AD, you can still prepopulate the domain controller filter list.

Allow a new computer account for use in querying AD for groups to be created automatically. Do not create this account ahead of time.

If you have more than one HCP system for which you are enabling support for AD, specify a computer account name that’s unique among those systems.

By default, for the OU in which computer accounts will be created, HCP uses CN=Computers. For the computer account, HCP uses HCPSrv-hcp-name (for example, HCPSrv-hcp), where hcp-name is the first segment of the domain name associated with the [hcp_system] network.

Service principal name attributes for HCP


When you enable AD support in HCP, HCP adds values to the service principal name (SPN) attribute of the HCP computer account in AD. The initial values added to the SPN attribute are:

The System Management Console

The default tenant

The search console

Each node in the HCP system

Subsequently, values are added for:

Each tenant that supports AD authentication

Each namespace that has both the HTTP protocol and AD single sign-on enabled

Each node added to the HCP system

Each item for which an SPN attribute value is created is referred to as a single sign-on location. If a single sign-on location for a tenant, namespace, or node is removed from the system, the value for that location is removed from the SPN attribute of the HCP computer account in AD.

AD has a size limit on values that applies to the SPN attribute. Any system-level operation in HCP that would cause this limit to be exceeded fails with a message indicating that the failure is related to the number of single sign-on locations. Any tenant-level operation that would cause this limit to be exceeded fails with a message indicating that single sign-on cannot be enabled.

Considerations for using Active Directory with HCP


These considerations apply to the use of Active Directory with HCP:

For HCP to use AD for user authentication:

- HCP must be able to contact at least one DNS server that can resolve the AD domain name.

- The AD time must be within five minutes of the HCP system time. The recommended configuration is for HCP and AD to use the same time server.

- All the domains in the AD forest HCP uses for user authentication must be at least at the 2008 functional level.

To ensure that AD users have continuous access to HCP, the AD infrastructure should have a robust and fault tolerant configuration.
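A pre-join check for the three requirements above, added here as an example and not part of the HCP documentation: it resolves the domain's DC locator record, measures each domain controller's clock offset with w32tm, and reads the functional level of every domain in the forest. It assumes the ActiveDirectory RSAT module, a Windows host that uses the same time server as HCP, and the constructed domain name AD.EXAMPLE.LOCAL.

```powershell
# Added example (not Hitachi's code): pre-join checks for DNS, clock skew and functional level.
param(
    [string] $DomainName     = 'AD.EXAMPLE.LOCAL',  # constructed value; replace with the real domain
    [int]    $MaxSkewSeconds = 300                  # HCP requires AD time within five minutes of its own
)
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[string]

# 1. DNS: the domain's DC locator SRV record must resolve from a DNS server HCP can reach.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    $findings.Add("DNS    OK    $(@($srv).Count) DC SRV record(s) for $DomainName")
} catch {
    $findings.Add("DNS    FAIL  $($_.Exception.Message)")
}

# 2. Time: w32tm reports each DC's offset from this host (assumed to share HCP's time server).
foreach ($dc in (Get-ADDomainController -Filter * -Server $DomainName)) {
    $raw = & w32tm.exe /stripchart /computer:$($dc.HostName) /samples:1 /dataonly 2>&1
    $m = [regex]::Match(($raw -join ' '), '([+-]\d+\.\d+)s')   # e.g. "12:00:00, +00.0123456s"
    if (-not $m.Success) {
        $findings.Add("TIME   FAIL  $($dc.HostName): no offset reported ($raw)")
        continue
    }
    $skew  = [math]::Abs([double]$m.Groups[1].Value)
    $state = if ($skew -le $MaxSkewSeconds) { 'OK  ' } else { 'FAIL' }
    $findings.Add("TIME   $state  $($dc.HostName): offset ${skew}s (limit ${MaxSkewSeconds}s)")
}

# 3. Functional level: every domain in the forest must be at least Windows Server 2008.
$tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
$forest = (Get-ADDomain -Identity $DomainName).Forest
foreach ($name in (Get-ADForest -Identity $forest).Domains) {
    $mode  = [string](Get-ADDomain -Identity $name).DomainMode
    $state = if ($tooOld -contains $mode) { 'FAIL' } else { 'OK  ' }
    $findings.Add("LEVEL  $state  ${name}: $mode")
}

$findings
if ($findings -match 'FAIL') { exit 1 }   # non-zero exit so the check can gate an automated join
```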

Configuring support for Active Directory


Before you configure support for AD in HCP, you need to prepare AD for access by HCP. For instructions on doing this, see Configuring Active Directory to support HCP.

To enable and configure support for AD in HCP:

1. Log in to the HCP System Management Console with a user account that has the Security role.

2. Navigate to the Security > Active Directory page.

3. Select one of these options:

- Active Directory with SSL — Enables both support for AD and secure communication with AD

- Active Directory without SSL — Enables support for AD without enabling secure communication with AD

With either of these options selected, the Active Directory page displays a Status section. This section contains alerts that report the status of various elements of HCP support for Active Directory. For descriptions of these alerts, see Active Directory page alerts.

4. If you selected Active Directory with SSL:

a. In the Certificates panel, click on Browse. Then select the file containing the AD SSL certificate.

b. Click on Upload Certificate.

The Certificates section shows the uploaded certificate.

Note: You can download or delete the uploaded certificate if needed. To download the certificate, click on the download control for it. To delete the certificate, click on the delete control for it.

5. In the Configuration Settings section, select Enable Active Directory. Then:

- In the Domain field, type the fully qualified name of the AD domain in the AD forest that is to be used for HCP user authentication. All letters in this domain name must be uppercase.

- In the Domain User field, type the username of an existing AD user account in the applicable AD domain. Make sure the user account belongs to one or more groups that have the applicable permissions, as described earlier in this section.

If the username that you specify is not all lowercase, HCP converts it to all lowercase before passing it to AD.

- In the Password field, type the password that goes with the specified username. Passwords are case sensitive.

Note: HCP uses the password that you type only to authenticate the username with the AD server. To help maintain AD security, HCP discards both the username and password after you submit the page. If you’re modifying the AD configuration, you need to specify the password again.

6. Optionally, to specify an organizational unit and computer account other than the defaults and to use NTLMv2 instead of NTLM, click on Advanced Configuration. Then:

- In the Organizational Unit field, type the distinguished name of the existing organizational unit in which you want the HCP computer accounts to be created. This is the distinguished name relative to the AD domain (for example, OU=HCP, OU=Storage). Do not include the domain name elements.

- In the HCP Computer Account field, type the name of the computer account that HCP will use when querying AD for groups. This can be the name of an existing account in the specified organizational unit or the name of a new account to be created automatically in that organizational unit.

For a new computer account, the name must be from one through 64 characters long, can contain only alphanumeric characters and hyphens (-), and cannot consist only of digits.

If a computer account with the specified name already exists in a different organizational unit in the same Active Directory domain, the request to configure Active Directory support will fail.

- Optionally, to specify how the HCP user account obtains permissions, do either of these:

If you created an AD group as described in Create an AD group, select Add HCP Computer Account to groups of Domain User. This allows the HCP Computer account to inherit the permissions associated with the specified domain user.

If you did not create an AD group, deselect Add HCP Computer Account to groups of Domain User. This prevents the HCP Computer account from inheriting the permissions associated with the specified domain user. If this checkbox is deselected, appropriate permissions need to be manually assigned to the HCP Computer account.

- Optionally, select Non-Hierarchical Realm Configuration if you have multiple trees in your AD forest. This permits authentication from any domain in the forest, and is necessary if the trees have different domain names.

- Optionally, select Enable Authenticated CIFS Support if you want to require authentication for data access via CIFS in your namespaces. Authenticated CIFS support is disabled by default for new AD joins.

- If you selected Enable Authenticated CIFS Support, the Use NTLMv2 authentication option appears. Optionally, deselect Use NTLMv2 authentication to use NTLM for secure communication with AD when configuring the computer accounts for the HCP nodes. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.

- Optionally, select Use reverse DNS if you want to join AD without requiring PTR records for domain controllers.

- Select the Single Sign-On Support option to determine how much control you want HCP to have over generating Service Principal Names (SPNs) for tenants and namespaces. The possible values are:

None — HCP does not generate SPNs for new tenants and namespaces and does not warn if SPNs are missing.

Warning — HCP does not generate SPNs for new tenants and namespaces but does warn if SPNs are missing.

Full — HCP generates SPNs for new tenants and namespaces and warns if SPNs are missing.

SPNs are used for single sign-on. If you're not using single sign-on, you do not need to have HCP generate SPNs.

- In the Trusted Forests field, type a comma-separated list of the root domains of all trusted forests. This lets the HCP Computer Account authenticate with multiple forests.

7. Click on Update Settings.

This update may take a few minutes to finish.

Tip: You can verify that AD support has been enabled by logging out of the System Management Console and checking that the Log In page now has a Domain field below the Password field.

8. Optionally, in the Domain Filtering panel, click on Add New Domain. Then:

- In the Domain Name field, type the name of the domain.

- In the Domain Controllers field, type the name of the domain controller or controllers.

- Click on Add Domain.

- Optionally, to associate another domain controller with a domain:

  1. Select an existing domain from the table in the Domain Filtering panel.

  2. In the Domain Controllers field, type the name of the domain controller or a comma-separated list of controllers.

  3. Click on Add New Domain Controllers.

Note: Domain controller filters are always added as a pairing of a domain and a domain controller or controllers. Each time you add one of these filters to the domain controller filter list, a one-time validation occurs. If a domain or domain controller fails the validation process, the filter is not added to the domain controller filter list. You can also manually invoke validation on the domain controller filter's entries by clicking on the Validate button.

9. Click on Update Settings.

This update may take a few minutes to finish.

Configuring support for Windows workgroups


To enable and configure HCP support for Windows workgroups:

1. Log in to the HCP System Management Console with a user account that has the Security role.

2. Navigate to the Security > Active Directory page.

3. Select the Windows workgroup option.

4. In the Windows Workgroup field, type the name of the Windows workgroup in which you want HCP to automatically expose CIFS-enabled namespaces. The workgroup name can be up to 15 characters long.

5. Click on the Update Settings button.

Refreshing the Active Directory status


Tenants and Namespaces can exist without Service Principal Names. HCP creates a table of unassigned Tenants and Namespaces under the Status panel of the Active Directory page under Security.

The Status panel automatically refreshes every 24 hours, but it can also be manually refreshed. You can use the Active Directory page in the HCP System Management Console to refresh the status of the AD SPNs. The manual console refresh also attempts to automatically repair any SPNs that are missing. To display this page, in the top-level menu of the System Management Console, select Security > Active Directory.

Roles: To view the Active Directory page and refresh the AD status, you need the security role.

To refresh the AD status, on the Active Directory page:

1. If support for AD is not currently enabled:

a. Select Active Directory.

b. Select Enable Active Directory.

2. Click on Refresh Status.

Clearing the Active Directory cache


HCP caches information about authenticated AD users that access any of its interfaces. The cache also includes information about the AD groups to which those users belong. As long as the applicable information is in the cache, AD-authenticated users can perform any HCP activities for which they have permission without being reauthenticated.

HCP uses the same cache to store information about all the domains included in the AD forest that HCP uses for user authentication. HCP uses this information to supply the list of allowable domains in the Domain field on the login pages for its GUI interfaces.

You can clear the AD cache at any time. You might do this, for example, if the account for an authenticated AD user is deleted from AD. In this case, because the user information is already cached, the user can continue to access HCP even though the user account is no longer valid. Clearing the cache prevents the user from continuing to access HCP with the invalid account.

You also might clear the cache if a domain is added to or removed from the AD forest. This forces an immediate update to the list of allowable domains on the HCP login pages.

You use the Active Directory page in the HCP System Management Console to clear the AD cache. To display this page, in the top-level menu of the System Management Console, select Security > Authentication.

Roles: To view the Active Directory page and clear the AD cache, you need the security role.

To clear the AD cache, on the Active Directory page:

1. If support for AD is not currently enabled:

a. Select Active Directory.

b. Select Enable Active Directory.

2. Click on Clear Cache.

Configuring Active Directory to support HCP


An HCP system can be configured to support Active Directory. With the system configured this way, you can create HCP group accounts that correspond to AD groups at both the system and tenant levels. AD users in those AD groups then have access to HCP through the various HCP interfaces, subject to the roles and permissions associated with the HCP group accounts.

For HCP to work with AD, you first need to prepare AD for access by HCP. Then you need to configure HCP to support AD. The table below outlines the major steps in this procedure.

Step 1: If you want to secure communication between HCP and AD, create an SSL certificate in AD. This certificate will allow HCP to connect securely to the LDAP server used by AD. (More information: Create the SSL certificate)

Step 2: Export the SSL certificate you created so it can be uploaded to HCP. (More information: Export the SSL certificate)

Step 3: Create an AD group. (More information: Create an AD group)

Step 4: Give the AD group permissions for the organizational unit (OU) or common name (CN) in which computer accounts will be created for the HCP nodes. (More information: Give permissions to the new AD group or to the Domain Computers group)

Step 5: Grant permissions to a new or existing AD user account. (More information: Grant permissions to an AD user account)

Step 6: Optionally, create a reverse lookup zone for the applicable AD domain in your DNS. (More information: Create the reverse lookup zone for the AD domain)

Step 7: Configure support for AD in HCP. (More information: Configure support for AD in HCP)

This appendix describes the prerequisites for configuring AD to support HCP and contains instructions for the first six steps outlined above. These instructions are for Windows Server 2008 R2, but the concepts are the same for all versions of Windows Server.

For information and instructions on configuring support for AD in HCP, see Configuring Active Directory or Windows workgroup support. For information on creating HCP group accounts, see Working with group accounts and Managing a Tenant and Its Namespaces.

Prerequisites for configuring support for HCP in AD


This appendix assumes:

You have a basic understanding of AD concepts.

You have an AD user account with the administrator role in the AD domain you plan to use when configuring support for AD in HCP.

If you plan to secure communication between HCP and AD:

- The applicable AD domain is configured with a certificate authority.

- You have access to a Windows server running the AD certificate authority.

- You have access to the Windows client from which you plan to access the HCP System Management Console for the purpose of configuring support for AD.

For creating the AD group and user account, you have access to a Windows or Unix server from which you can access AD.

The OU or CN in which you want to create the AD group already exists in the applicable domain.

The OU or CN in which you want to create the AD user account already exists in the applicable domain. This can be, but does not have to be, the same OU or CN as the one in which you create the AD group.

The OU or CN in which computer accounts will be created for the HCP nodes already exists in the applicable domain. This is the OU or CN you specify as the organizational unit in the HCP configuration of support for AD. The default for this in HCP is the CN Computers.

Your DNS is configured on a Windows server.

Your DNS contains a stub zone for HCP that’s configured for AD integration. For information on configuring the HCP stub zone, see Configuring an HCP secondary zone or stub zone in Windows.

Your DNS contains a forward lookup zone definition for the applicable AD domain.

You have access to a Windows server from which you can configure your DNS.

Optionally, you have pre-populated the domain controller filter list even if HCP was not joined to Active Directory at the time. For information on adding domains and domain controllers to the domain controller filter list, see Configuring support for Active Directory.

Required permissions for Active Directory Domain


When HCP joins a domain, it creates an HCP Computer account by authenticating with the user account created by the Active Directory domain admin. The HCP Computer Account is used in all Active Directory operations unless HCP needs to rejoin the domain. Using the HCP Computer Account for authentication, HCP then joins each of the HCP nodes to the domain through Samba, which is required for CIFS authentication of legacy applications.

Once HCP has successfully joined the domain, the HCP Computer Account will update SPNs and add new nodes to the domain if physical nodes are added to the HCP system. HCP will automatically change the password of the HCP Computer Account every 30 days.

The following permissions are required by HCP to join the Active Directory Domain:

For the HCP Admins group, the SELF principal needs read and write permissions. These are required to add the HCP computer object to the group.

Create Computer objects and Delete Computer objects permissions are required to create the HCP Computer Account.

Change Password and Reset Password permissions are required to reset the password of the HCP Computer Account.

Read All Properties, Write All Properties, and Delete permissions are required to create and update SPNs.

Step 1 (conditional): Create the SSL certificate


If you want to enable SSL secured LDAP communication between HCP and AD, you need to create an SSL certificate on each domain controller in AD used by HCP. Installing a valid certificate on a domain controller automatically enables SSL connections for both LDAP and global catalog traffic.

If you don’t want to secure communication, skip this step.

If you want to create SSL certificates for communication between HCP and AD, you need to create a certificate on every domain controller that communicates with HCP.

To create the SSL certificate:

1. On the Windows server, click on Start.

2. In the Search programs and files field, enter: mmc

The Console1 - [Console Root] window opens.

3. On the File menu, select Add/Remove Snap-in.

The Add or Remove Snap-ins window opens.

4. In the Available snap-ins list, select Certificates. Then click on Add.

The Certificates snap-in window opens.

5. Select Computer account. Then click on Next.

The Select Computer window opens.

6. Click on Finish.

Certificates (Local Computer) appears in the Selected snap-ins list in the Add or Remove Snap-ins window.

7. Click on OK.

8. In the tree view in the left panel of the Console1 - [Console Root] window, expand Certificates (Local Computer) > Personal. Then select Certificates.

The middle panel in the window lists information about the CA root certificate.

Note: The CA root certificate is only shown on the Domain Controller where the CA service is installed.

9. On the Action menu, select All Tasks > Request New Certificate.

The Certificate Enrollment window opens.

10. Click on Next.

The Select Certificate Enrollment Policy page appears.

11. Click on Next.

The Request Certificates page appears.

12. Select Domain Controller. Then click on Enroll.

The Certificates Installation Results page appears.

13. Click on Finish.

The Certificates list now includes the SSL certificate for LDAP communication. The value in the Issued To column for this certificate is the concatenation of the computer name and the FQDN of the AD domain (for example, WIN-AD-SERVER.example.local).

Step 2 (conditional): Export the SSL certificate


If you are securing communication between HCP and AD, you need to export the SSL root certificate of the CA that you created in Create the SSL certificate so that you can upload it to HCP. For instructions on uploading the certificate to HCP, see Configure support for AD in HCP.

If you did not create an SSL certificate, skip this step.

To export the SSL certificate:

1. On the Windows server running the AD certificate authority, click on Start.

2. In the Search programs and files field, enter: cmd

A Windows command prompt window opens.

3. Change to the directory to which you want to write the file containing the exported certificate.

4. Enter this command to export the certificate:

certutil -ca.cert cert-name.cer

In this command, cert-name is the name (minus the .cer extension) of the file that will contain the exported certificate.

If the export is successful, the window displays the contents of the certificate followed by this message:

CertUtil: -ca.cert command complete successfully.

If you don’t see this message, check that your AD domain has a domain controller that is configured with the certificate authority role and that you ran this command on the domain controller that has the CA role installed. After verifying, try the procedure again, starting from step 9 in Create the SSL certificate.

5. Copy the file containing the exported certificate to the Windows client from which you plan to access the HCP System Management Console.
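Two checks for Step 1 and Step 2, added here as an example and not part of the HCP documentation or Hitachi's code: Test-LdapsCertificate confirms that a domain controller answers LDAP over SSL (TCP 636) with a certificate issued for its own FQDN, which Step 1 requires on every controller HCP communicates with, and Test-ExportedCaCertificate confirms that the file written by certutil in Step 2 is the base-64-encoded X.509 form HCP accepts. The function names, the domain name and the file path are assumptions.

```powershell
# Added example (not Hitachi's code): verify LDAPS on each DC and the exported CA certificate file.
Import-Module ActiveDirectory

function Test-LdapsCertificate {
    param([Parameter(Mandatory)] [string] $DcFqdn, [int] $Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($DcFqdn, $Port) }
    catch {
        # Nothing listening on 636: the DC has no usable certificate, so LDAPS is not enabled there.
        return [pscustomobject]@{ DC = $DcFqdn; Listening = $false; NameMatches = $false; ChainValid = $false; NotAfter = $null }
    }
    # Accept whatever the server presents so it can be inspected; validity is judged explicitly below.
    $acceptAll = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # First DNS name from the SAN (or the subject CN); the page expects e.g. WIN-AD-SERVER.example.local.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            DC          = $DcFqdn
            Listening   = $true
            NameMatches = ($dnsName -ieq $DcFqdn)
            ChainValid  = $chain.Build($cert)   # chains to a root this host trusts and is within its validity period
            NotAfter    = $cert.NotAfter
        }
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

function Test-ExportedCaCertificate {
    param([Parameter(Mandatory)] [string] $Path)
    $text = Get-Content -Path $Path -Raw
    # HCP wants a base-64-encoded X.509 file: PEM armour around a base64 body, not raw DER bytes.
    $isPem = ($text -match '-----BEGIN CERTIFICATE-----') -and ($text -match '-----END CERTIFICATE-----')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    [pscustomobject]@{
        File         = $Path
        Base64Pem    = $isPem                            # $false means re-encode: certutil -encode <in.cer> <out.cer>
        Subject      = $cert.Subject
        IsSelfIssued = ($cert.Subject -eq $cert.Issuer)  # expected for the CA root that "certutil -ca.cert" writes
        NotAfter     = $cert.NotAfter
    }
}

# Usage with constructed values: every DC of the domain, then the exported root certificate file.
$domain = 'AD.EXAMPLE.LOCAL'
Get-ADDomainController -Filter * -Server $domain |
    ForEach-Object { Test-LdapsCertificate -DcFqdn $_.HostName } | Format-Table -AutoSize
Test-ExportedCaCertificate -Path 'C:\temp\hcp-ad-root.cer' | Format-List
```

Any DC that reports Listening = $false or NameMatches = $false has not completed Step 1, and a file with Base64Pem = $false will not upload as the base-64 certificate the Active Directory page expects.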

Step 3 (conditional): Create an AD group


For Active Directory to work with HCP, the HCP computer account must have certain permissions. The HCP computer account may either inherit its HCP management permissions from an AD group created specifically for this purpose or from the Domain Computers group.

If you are creating a new AD group to configure HCP management permissions:

1.On the Windows server from which you can access AD, click on the Start button and select Administrative ToolsActive Director Users and Computers.

The Active Directory Users and Computers window opens.

ADUsersAndComputers.png

2.On the View menu, select Advanced Features.

3.Under ad-domain-name, right-click on the OU or CN in which you want to create the AD group and select NewGroup from the dropdown menu.

The New Object - Group window opens.

ADNewObjectGroup.png

4.In the Group name field, type a name for the new group (for example, HCP Admins). Then click on the OK button.

5.In the left panel of the Active Director Users and Computers window, double-click on the OU or CN in which you created the new group.

The middle panel of the Active Director Users and Computers window lists the items in the OU or CN, including the group you just created.

6.Right-click on the new group and select Properties from the dropdown menu.

The Properties window opens.

7.Click on the Security tab.

8.With SELF selected in the Group or user names list, select the box for Write in the Allow column under Permissions for SELF. Then click on the OK button.



Step 4: Give permissions to the new AD group or to the Domain Computers group


To grant the HCP computer account HCP management permissions, you need to assign the necessary permissions either to the AD group you created or to the Domain Computers group.

HCP management permissions allow the HCP computer account to create computer accounts and manage computer account properties for each node in the system.

To assign permissions to the AD group or to the Domain Computers group:

1.In the left panel of the Active Directory Users and Computers window, right-click on the OU or CN in which you want HCP computer accounts to be created and select Properties from the dropdown menu.

The Properties window opens.

2.Click on the Security tab.

3.On the Security tab, click on the Advanced button.

The Advanced Security Settings window opens.

4.Click on the Add button.

The Permission Entry for HCP window opens.

5.Click on the Select a principal link.

The Select User, Computer, Service Account, or Group window opens.


6.In the Enter object name to select field, type the name of the AD group you created in the previous step, or type Domain Computers if you decided not to create an AD group for HCP management in the previous step. Then click on the OK button.

The Permission Entry window opens.

7.In the Permission Entry window:

- In the Apply to field, select Descendant Computer objects.

- Under Permissions, select the boxes in the Allow column for:

Read all properties
Write all properties
Delete
Change password
Reset password

Then click on the OK button.

Depending on the version of Active Directory that you are using, the Permission Entry page appears as in one of the following images.

(Figure: Permission Entry page, new version of AD)

(Figures: Permission Entry page, old version of AD)

8.In the Advanced Security Settings window, click on the Add button again.

The Select User, Computer, Service Account, or Group window opens.

9.In the Enter object name to select field, type the name of your AD group, or type Domain Computers if you decided not to create an AD group for HCP management in the previous step. Then click the OK button.

The Permission Entry window opens.

10.In the Permission Entry window:

- In the Apply to field, select This object and all descendant objects.

- Under Permissions, select the boxes in the Allow column for:

Create Computer objects
Delete Computer objects

Then click on the OK button.

Depending on the version of Active Directory that you are using, the Permission Entry page appears as in one of the following images.

(Figure: Permission Entry page, new version of AD)

(Figure: Permission Entry page, old version of AD)

11.In the Advanced Security Settings window, click on the OK button to close the window.

12.In the Properties window, click on the OK button to close the window.


Step 5: Grant permissions to an AD user account


To join HCP to your AD domain, you can either create a new AD user account that inherits permissions from the AD group you created in Create an AD group, or use an existing AD user account and assign it permissions in the OU or CN in which you want HCP computer accounts to be created. HCP uses this AD user account only once, during the AD join process, and never uses it again. HCP does not store the AD user account credentials.

If you are creating a new AD user, follow the Creating a new AD user account and assigning it to your AD group procedure. 

If you have disabled the Add HCP Computer Account to groups of Domain User checkbox on the HCP Active Directory page, then you need to use an existing AD user account. To grant permissions for an existing AD user account, follow the Configuring an existing AD user account for HCP management procedure.

Creating a new AD user account and assigning it to your AD group

To create a new AD user account and assign it to the AD group you created:

1.In the tree view in the left panel of the Active Directory Users and Computers window, right-click on the OU or CN in which you want to create the AD user account and select New > User from the dropdown menu.

The New Object - User window opens.


2.In the New Object - User window:

- In the First name field, type a name for the user account (for example, HCP Admin).

- In the User logon name field, type a username for the user account (for example, hcpadmin).

Then click on the Next button.

The display in the New Object - User window changes.


3.In the New Object - User window:

- In the Password field, type a password for the user account.

- In the Confirm password field, type the password again.

- Deselect the User must change password at next logon option.

Then click on the Next button.

The display in the New Object - User window changes.

4.Click on the Finish button.

The list in the middle panel of the Server Manager window now includes the user account you just created.

5.Right-click on the new user account and select Properties from the dropdown menu.

The Properties window opens.

6.Click on the Member Of tab.

7.On the Member Of tab, click on the Add button.

The Select Groups window opens.

8.In the Enter the object names to select field, type the name of the group you created in Create an AD group. Then click on the OK button.

The AD user account inherits the permissions granted to the AD group you specify.

9.In the Properties window, click on the OK button to close the window.


Note: Perform the following procedure only if you are using an existing AD user account.

Configuring an existing AD user account for HCP management

To grant HCP management permissions to an existing AD user account:

1.In the left panel of the Active Directory Users and Computers window, right-click on the OU or CN in which you want computer accounts for the HCP nodes to be created and select Properties from the dropdown menu.

The Properties window opens.

2.Click on the Security tab.

3.On the Security tab, click on the Advanced button.

The Advanced Security Settings window opens.

4.Click on the Add button.

The Select User, Computer, Service Account, or Group window opens.


5.In the Enter object name to select field, type the name of the AD user that is joining HCP to the AD domain. Then click on the OK button.

The Permission Entry window opens.

6.In the Permission Entry window:

- In the Apply to field, select Descendant Computer objects.

- Under Permissions, select the boxes in the Allow column for:

Read all properties
Write all properties
Delete
Change password
Reset password

Then click on the OK button.

Depending on the version of Active Directory that you are using, the Permission Entry page appears as in one of the following images.

(Figure: Permission Entry page, new version of AD)

(Figures: Permission Entry page, old version of AD)

7.In the Advanced Security Settings window, click on the Add button again.

The Select User, Computer, Service Account, or Group window opens.

8.In the Enter object name to select field, type the name of the AD user that is joining HCP to the AD domain. Then click on the OK button.

The Permission Entry window opens.

9.In the Permission Entry window:

- In the Apply to field, select This object and all descendant objects.

- Under Permissions, select the boxes in the Allow column for:

Create Computer objects
Delete Computer objects

Then click on the OK button.

Depending on the version of Active Directory that you are using, the Permission Entry page appears as in one of the following images.

(Figure: Permission Entry page, new version of AD)

(Figure: Permission Entry page, old version of AD)

10.In the Advanced Security Settings window, click on the OK button to close the window.

11.In the Properties window, click on the OK button to close the window.
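Steps 3 through 5 as one PowerShell script, an added example that is not part of the HCP documentation: it uses the ActiveDirectory module and the .NET ActiveDirectoryAccessRule class in place of the Active Directory Users and Computers GUI, and reads the resulting permission entries back so you can confirm the delegation is limited to computer objects in the one OU. The domain, OU, group and account names are hypothetical.

```powershell
# Added example, not from the HCP documentation: performs Steps 3-5 (group, OU
# delegation, join account) with PowerShell and reads the resulting ACEs back.
# Hypothetical values: domain example.com, OU "OU=HCP,DC=example,DC=com",
# group "HCP Admins", join account "hcpadmin". Needs RSAT and domain admin rights.
Import-Module ActiveDirectory

$ou    = 'OU=HCP,DC=example,DC=com'   # OU in which the HCP node computer accounts are created
$group = 'HCP Admins'
$user  = 'hcpadmin'
$computerClass  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # extended right "Change Password"
$resetPassword  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right "Reset Password"
$any            = [guid]::Empty                                 # "all properties" / "all classes"

function Add-AdAce {
    # Appends one Allow ACE to the object at $Path; one call mirrors one GUI Permission Entry.
    param($Path, $Sid, [string]$Rights, [guid]$ObjectType, [string]$ApplyTo, [guid]$InheritedClass)
    $acl  = Get-Acl -Path $Path
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$ApplyTo, $InheritedClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 3: create the group and allow SELF to Write (GenericWrite) on the group object.
$g = New-ADGroup -Name $group -GroupScope Global -Path $ou -PassThru
Add-AdAce "AD:\$($g.DistinguishedName)" ([System.Security.Principal.SecurityIdentifier]'S-1-5-10') `
    'GenericWrite' $any 'None' $any

# Step 4: on the OU, Read/Write all properties, Delete, Change and Reset password,
# applied to "Descendant Computer objects" only ...
Add-AdAce "AD:\$ou" $g.SID 'ReadProperty, WriteProperty, Delete' $any 'Descendents' $computerClass
Add-AdAce "AD:\$ou" $g.SID 'ExtendedRight' $changePassword 'Descendents' $computerClass
Add-AdAce "AD:\$ou" $g.SID 'ExtendedRight' $resetPassword  'Descendents' $computerClass
# ... and Create/Delete Computer objects on "This object and all descendant objects".
Add-AdAce "AD:\$ou" $g.SID 'CreateChild, DeleteChild' $computerClass 'All' $any

# Step 5: the join account, used once by HCP during the join; make it a member of the group.
New-ADUser -Name 'HCP Admin' -GivenName 'HCP Admin' -SamAccountName $user -Path $ou -Enabled $true `
    -ChangePasswordAtLogon $false -AccountPassword (Read-Host -AsSecureString 'Join account password')
Add-ADGroupMember -Identity $group -Members $user

# Check: the group's ACEs on the OU should be exactly the four entries added above.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The final check is also a useful audit afterwards: any entry for the group whose InheritedObjectType is not the computer class, or whose scope is wider than this OU, means the delegation has drifted from what Step 4 grants.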


Step 6 (conditional): Create the reverse lookup zone for the AD domain


If your AD domain does not already have a reverse lookup zone, you can create one for the applicable AD domain in your DNS.

1.On a Windows server from which you can configure your DNS, click on the Start button and select Administrative Tools > Active Directory Users and Computers.

2.Under Roles in the tree view in the left panel of the Active Directory Users and Computers window, expand DNS Server > DNS > ad-domain-name > Reverse Lookup Zones.

3.Right-click on Reverse Lookup Zones and select New Zone from the dropdown menu.

The New Zone Wizard window opens.


4.In the New Zone Wizard window, click on the Next button.

The Zone Type page appears.


5.Select the Primary zone option. Then click on the Next button.

The Active Directory Zone Replication Scope page appears.


6.Click on the Next button.

The Reverse Lookup Zone Name page appears.


7.Click on the Next button.

The Reverse Lookup Zone Name page display changes.


8.In the Network ID field, type the first three octets of the subnet for the applicable AD domain. Then click on the Next button.

The Dynamic Update page appears.


9.Click on the Next button.

The Completing New Zone Wizard page appears.

10.Click on the Finish button.

To see the reverse lookup zone you just created, expand Reverse Lookup Zones in the tree view in the left panel of the Active Directory Users and Computers window. The name of the reverse lookup zone, which appears under Reverse Lookup Zones, consists of the first three octets that you specified in step 8 above in reverse order, followed by in-addr.arpa, as in this sample Active Directory Users and Computers window.

(Figure: sample Active Directory Users and Computers window showing the new reverse lookup zone)
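Step 6 as an added PowerShell example that is not part of the HCP documentation: it derives the zone name the wizard ends up with from the network ID, creates the zone with the DnsServer module using the same choices as the wizard's defaults, and checks a reverse lookup. The subnet, DNS server and node address are hypothetical.

```powershell
# Added example, not from the HCP documentation: create the AD-integrated reverse
# lookup zone from Step 6 with the DnsServer module and confirm its name and that an
# HCP node address resolves backwards. Hypothetical values: subnet 10.20.30.0/24,
# DNS server dc1.example.com, node 10.20.30.41 registered as hcp-node1.hcp.example.com.
Import-Module DnsServer

$networkId = '10.20.30.0/24'        # the first three octets from Step 6, as a /24
$dnsServer = 'dc1.example.com'

function Get-ReverseZoneName([string]$Network) {
    # "10.20.30.0/24" -> "30.20.10.in-addr.arpa": the octets reversed, as the wizard shows afterwards.
    $octets = ($Network -split '/')[0] -split '\.'
    return (($octets[2], $octets[1], $octets[0]) -join '.') + '.in-addr.arpa'
}

$zoneName = Get-ReverseZoneName $networkId
if (-not (Get-DnsServerZone -ComputerName $dnsServer -Name $zoneName -ErrorAction SilentlyContinue)) {
    # Primary, AD-integrated, replicated within the domain, secure dynamic updates only:
    # the choices the wizard makes when you accept its defaults in Step 6.
    Add-DnsServerPrimaryZone -ComputerName $dnsServer -NetworkId $networkId `
        -ReplicationScope Domain -DynamicUpdate Secure
}

# Check: once the node's PTR record exists, a reverse lookup answers from the new zone.
Resolve-DnsName -Server $dnsServer -Type PTR -Name '10.20.30.41'
```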

 


Step 7: Configure support for AD in HCP


Now that you’ve completed the steps for preparing AD for communication with HCP, you need to use the HCP System Management Console to configure support for AD in HCP. For instructions on doing this, see Configuring support for Active Directory.


Browser configuration for single sign-on with Active Directory


If HCP is configured to support AD, you can use a recognized AD user account to access the System Management Console with single sign-on. However, for this to work, the web browser you use to access the Console must be configured to support single sign-on.

This appendix contains instructions for configuring Windows Internet Explorer and Mozilla® Firefox® to support single sign-on. For information on configuring AD support in HCP, see Configuring Active Directory or Windows workgroup support.


Configuring Windows Internet Explorer for single sign-on


Before you set up single sign-on, you need to configure Windows Internet Explorer. The following instructions apply to Windows Internet Explorer 11.

To configure Windows Internet Explorer for single sign-on with Active Directory:

1.Open Internet Explorer.

2.On the Tools menu, click on Internet Options.

3.In the Internet Options window, click on the Security tab.

4.On the Security page, select Local intranet.

5.Click on Sites.

6.In the Local intranet window, ensure that all the options are selected.

7.Click on Advanced.

8.In the Add this website to the zone field, take either of these actions:

- To enable single sign-on with HTTP, type:

http://*.hcp-name.domain-name

For example:

http://*.hcp.example.com

- To enable single sign-on with HTTPS, type:

https://*.hcp-name.domain-name

For example:

https://*.hcp.example.com

9.Click on Add.

10.Click on Close.

11.In the Local intranet window, click on OK.

12.In the Internet Options window, click on the Advanced tab.

13.In the Settings list, under Security, select Enable Integrated Windows Authentication.

14.Click on OK.

15.Close Internet Explorer.


Configuring Mozilla Firefox for single sign-on


To configure Mozilla Firefox for single sign-on with Active Directory:

1.Open Firefox.

2.In the address field in the Firefox window, enter:

about:config

3.In response to the warning message, click on I’ll be careful, I promise!.

4.In the Preference Name list, double-click on network.negotiate-auth.delegation-uris.

5.In the Enter string value window, type:

http://*.hcp-name.domain-name,https://*.hcp-name.domain-name

For example:

http://*.hcp.example.com,https://*.hcp.example.com

6.Click on OK.

7.In the Preference Name list, double-click on network.negotiate-auth.trusted-uris.

8.In the Enter string value window, type:

http://*.hcp-name.domain-name,https://*.hcp-name.domain-name

9.Click on OK.

10.Close Firefox.
