You can configure HCP to support Microsoft Active Directory (AD) or Windows workgroups. HCP cannot support AD and Windows workgroups at the same time.
You can configure HCP to support Active Directory authentication. An authenticated AD user can use any HCP interface that requires authentication, such as the System Management Console, Search Console, or namespace access protocols, provided the user has the applicable HCP permissions.
A Windows workgroup is a named collection of computers on a LAN that share resources such as printers and file servers. User accounts are specific to each computer in a workgroup. No authentication is required for access to the shared resources.
When you configure HCP to support Windows workgroups, you provide the name of the workgroup in which you want CIFS-enabled namespaces to be shared resources. If HCP is on the same LAN as the computers in the workgroup, all CIFS-enabled namespaces are automatically exposed in the workgroup. HCP namespaces are displayed as a single shared resource with a name in this format:
For example, finance_accounts-receivable. The default namespace is displayed as two shared resources, fcfs_data and fcfs_metadata.
If the CIFS protocol is configured to require authentication for access to a given namespace, that namespace cannot be accessed through a workgroup.
About Active Directory
The following sections provide more information about using AD with HCP.
User authentication with Active Directory
When an AD user tries to access HCP using a client application that supports Integrated Windows authentication (such as Firefox, Internet Explorer, or Windows Explorer):
- If the user is logged into Windows with a recognized AD user account, HCP accepts the authenticated credentials from the client computer and lets the user access the requested interface by using single sign-on.
- If the user is requesting HCP access with a recognized AD user account that is not the account with which the user is currently logged in to Windows, HCP sends the specified user credentials to AD for authentication. If AD successfully authenticates the user, HCP lets the user access the requested interface.
A recognized AD user account is an AD account for a user who belongs to one or more AD groups with corresponding group accounts in HCP.
HCP configuration for Active Directory support
For HCP to support AD, you need to configure HCP to identify the domain in the AD forest to be used for HCP user authentication and provide credentials for an existing AD account in that domain. This AD user account is used to configure HCP in the AD domain.
All AD domain controllers configured for the domain used for HCP user authentication must be able to communicate with HCP over the [hcp_system] network. Therefore, each AD domain controller must have at least one IPv4 or IPv6 address that is routable from the [hcp_system] network.
You also need to specify or accept the defaults for the existing organizational unit (OU) in which computer accounts will be created for the HCP nodes, along with the name of a computer account that HCP will use when querying AD for groups and other information. That computer account will be in the same AD groups as the user account you specify.
You can choose to enable secure communication between HCP and AD for the configuration of the computer account that HCP will use for querying AD. In this case, HCP needs a copy of the SSL certificate that allows clients to connect securely to the LDAP server used by AD. You need to export this certificate from AD as a base-64-encoded X509 certificate and then upload it to HCP on the Active Directory page.
For secure communication with AD when configuring computer accounts for HCP nodes, you can configure HCP to use NTLM or NTLMv2. The Use NTLMv2 authentication option appears only if you have selected Enable Authenticated CIFS Support. If you want HCP to use NTLM instead, deselect Use NTLMv2 authentication. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.
- If you have more than one HCP system for which you are enabling support for AD, one or more of those systems may need to be reconfigured to prevent conflicts. Before enabling support for AD for any of the HCP systems, contact your authorized HCP service provider. Your provider can determine whether any reconfiguration is required and then make the necessary changes.
- For authenticated AD users to use a tenant- or namespace-level interface, such as the Tenant Management Console and the namespace access protocols, the tenant must also be configured to support AD authentication.
- If you disable support for AD after it has been enabled, tenants that support only AD authentication will not be able to access the Tenant Management Console. Therefore, before disabling AD support, you should ensure that all tenants support local authentication. Additionally, you should notify all tenant administrators that they need to create at least one locally authenticated user account with the security role.
- For HCP to use AD for user authentication:
- HCP must be able to contact at least one DNS server that can resolve the AD domain name.
- The AD time must be within five minutes of the HCP system time. A good practice is to configure HCP and AD to use the same time server.
- All the domains in the AD forest HCP uses for user authentication must be at the 2008 functional level or higher.
- To ensure that AD users have continuous access to HCP, the AD infrastructure should have a robust and fault-tolerant configuration.
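Added example (not from the HCP documentation): a preflight script for two of the prerequisites above, that DNS can resolve the AD domain name and that the domain controllers' clocks are within five minutes of this host. It assumes the domain controllers answer SNTP on UDP port 123 (the Windows Time service does by default), that the script runs from a host on the same network as HCP, and AD.EXAMPLE.COM is a placeholder domain.

```python
import socket
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW_SECONDS = 300        # HCP requires AD time within five minutes of its own time


def build_sntp_request() -> bytes:
    """48-byte SNTP client packet: LI=0, version 4, mode 3; all other fields zero."""
    return bytes([0x23]) + bytes(47)


def parse_transmit_time(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40-47 of the reply) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short SNTP reply")
    secs = int.from_bytes(packet[40:44], "big")
    frac = int.from_bytes(packet[44:48], "big")
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def skew_ok(ad_time: float, hcp_time: float, limit: float = MAX_SKEW_SECONDS) -> bool:
    """True when the two clocks differ by no more than the five-minute limit."""
    return abs(ad_time - hcp_time) <= limit


def resolve_domain(domain: str) -> list:
    """Resolve the AD domain name; domain controllers register the domain's A/AAAA records."""
    infos = socket.getaddrinfo(domain, 123, type=socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def query_dc_time(address: str, timeout: float = 3.0) -> float:
    """Ask one domain controller for its time over SNTP (UDP 123)."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (address, 123))
        reply, _ = sock.recvfrom(48)
    return parse_transmit_time(reply)


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "AD.EXAMPLE.COM"  # placeholder
    try:
        addresses = resolve_domain(domain)
    except socket.gaierror as exc:
        sys.exit(f"DNS cannot resolve {domain}: {exc}")
    for addr in addresses:
        try:
            dc_time = query_dc_time(addr)
        except OSError as exc:
            print(f"{addr}: no SNTP reply ({exc})")
            continue
        now = time.time()
        status = "ok" if skew_ok(dc_time, now) else "EXCEEDS five-minute limit"
        print(f"{addr}: offset {dc_time - now:+.1f}s {status}")
```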
Service principal name attributes for HCP
When you enable Active Directory (AD) support in HCP, HCP adds values to the service principal name (SPN) attribute of the HCP computer account in AD.
The initial values that HCP adds to the SPN attribute of the computer account in AD are:
- System Management Console
- Default tenant
- Search Console
- Each node in the HCP system
Subsequently, values are added for:
- Each tenant that supports AD authentication
- Each namespace that has both the HTTP protocol and AD single sign-on enabled
- Each node added to the HCP system
Each object for which an SPN value is created is referred to as a single sign-on location. If a single sign-on location for a tenant, namespace, or node is removed from the system, the value for that location is removed from the SPN attribute of the HCP computer account in AD.
AD has a size limit on values that applies to the SPN attribute. Any system-level operation in HCP that causes this limit to be exceeded fails with a message indicating that the failure is related to the number of single sign-on locations. Any tenant-level operation that causes this limit to be exceeded fails with a message indicating that single sign-on cannot be enabled.
Configuring support for Active Directory
Before you configure support for AD in HCP, you need to prepare AD for access by HCP.
To enable and configure support for AD in HCP:
- Log in to the HCP System Management Console with a user account that has the Security role.
- Navigate to the page.
- Select one of these options:
Active Directory with SSL
Enables both support for AD and secure communication with the AD
Active Directory without SSL
Enables support for AD without enabling secure communication with the AD
With either of these options selected, the Active Directory page displays a Status section. This section contains alerts that report the status of various elements of HCP support for Active Directory.
- If you selected Active Directory with SSL:
- In the Certificates panel, click Browse. Then select the file containing the AD SSL certificate.
- Click Upload Certificate.
The Certificates section shows the uploaded certificate.
You can download or delete the uploaded certificate if needed. To download the certificate, click its download control. To delete the certificate, click its delete control.
- In the Configuration Settings section, select Enable Active Directory. Then:
- In the Domain field, type the fully qualified name of the AD domain in the AD forest that is to be used for HCP user authentication. All letters in this domain name must be uppercase.
- In the Domain User field, type the username of an existing AD user account in the applicable AD domain. Make sure the user account belongs to one or more groups that have the applicable permissions, as described earlier in this section.
If the username that you specify is not all lowercase, HCP converts it to all lowercase before passing it to AD.
- In the Password field, type the password that goes with the specified username. Passwords are case-sensitive.
HCP uses the password that you type only to authenticate the username with the AD server. To help maintain AD security, HCP discards both the username and password after you submit the page. If you’re modifying the AD configuration, you need to specify the password again.
- Optionally, to specify an organizational unit and computer account other than the defaults and to use NTLMv2 instead of NTLM, click Advanced Configuration. Then:
- In the Organizational Unit field, type the distinguished name of the existing organizational unit in which you want the HCP computer accounts to be created. This is the distinguished name relative to the AD domain (for example, OU=HCP, OU=Storage). Do not include the domain name elements.
- In the HCP Computer Account field, type the name of the computer account that HCP will use when querying AD for groups. This can be the name of an existing account in the specified organizational unit or the name of a new account to be created automatically in that organizational unit.
For a new computer account, the name must be from one through 64 characters long, can contain only alphanumeric characters and hyphens (-), and cannot consist only of digits.
If a computer account with the specified name already exists in a different organizational unit in the same Active Directory domain, the request to configure Active Directory support will fail.
- Optionally, to specify how the HCP user account obtains permissions, do either of these:
- If you created an AD group, select Add HCP Computer Account to groups of Domain User. This allows the HCP Computer account to inherit the permissions associated with the specified domain user.
- If you did not create an AD group, deselect Add HCP Computer Account to groups of Domain User. This prevents the HCP Computer account from inheriting the permissions associated with the specified domain user. If this checkbox is deselected, appropriate permissions need to be manually assigned to the HCP Computer account.
- Optionally, select Non-Hierarchical Realm Configuration if you have multiple trees in your AD forest. This permits authentication from any domain in the forest, and is necessary if the trees have different domain names.
- Optionally, select Enable Authenticated CIFS Support if you want to require authentication for data access via CIFS in your namespaces. Authenticated CIFS support is disabled by default for new AD joins.
- If you selected Enable Authenticated CIFS Support, the Use NTLMv2 authentication option appears. Optionally, deselect Use NTLMv2 authentication to use NTLM for secure communication with AD when configuring the computer accounts for the HCP nodes. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.
- Optionally, select Use reverse DNS if you want to join AD without requiring PTR records for domain controllers.
- Select the Single Sign-On Support option that determines how much control you want HCP to have over generating Service Principal Names (SPNs) for tenants and namespaces. The possible values are:
HCP does not generate SPNs for new tenants and namespaces and does not warn if SPNs are missing.
HCP does not generate SPNs for new tenants and namespaces but does warn if SPNs are missing.
HCP generates SPNs for new tenants and namespaces and warns if SPNs are missing.
SPNs are used for single sign-on. If you're not using single sign-on, you do not need to have HCP generate SPNs.
- In the Trusted Forests field, type a comma-separated list of root domains of all trusted forests. This lets the HCP Computer Account authenticate with multiple forests.
- Click Update Settings.
This update may take a few minutes to finish.
Tip: You can verify that AD support has been enabled by logging out of the System Management Console and checking that the Log In page now has a Domain field below the Password field.
- Optionally, in the Domain Filtering panel, click Add New Domain. Then:
- In the Domain Name field, type the name of the domain.
- In the Domain Controllers field, type the name of the domain controller or controllers.
- Click Add Domain.
- Optionally, to associate another domain controller with a domain:
- Select an existing domain from the table in the Domain Filtering panel.
- In the Domain Controllers field, type the name of the domain controller or comma-separated list of controllers.
- Click Add New Domain Controllers.
Domain controller filters are always added as a pairing of a domain and a domain controller or controllers. Each time you add one of these filters to the domain controller filter list, a one-time validation occurs. If a domain or domain controller fails the validation process, the filter is not added to the domain controller filter list. You can also manually invoke validation on the domain controller filter's entries by clicking the Validate button.
- Click Update Settings.
This update may take a few minutes to finish.
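The field rules stated in the procedure above (uppercase fully qualified domain, domain user lowercased before it is passed to AD, an OU distinguished name with no domain elements, a computer account name of 1 through 64 alphanumerics or hyphens that is not all digits, and a comma-separated list of trusted forest root domains), as an added example that checks values before you submit the Active Directory page. This is not HCP code; the function name and the returned dictionary are assumptions for the example.

```python
import re

# Field rules from the HCP Active Directory page. The function name and the
# returned dict are assumptions made for this example, not an HCP API.
COMPUTER_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")
RDN_RE = re.compile(r"^(OU|CN)=[^,]+$", re.IGNORECASE)


def normalize_ad_settings(domain, domain_user, org_unit="", computer_account="",
                          trusted_forests=""):
    """Check the values typed into the Configuration Settings section and
    return them as HCP will use them; raise ValueError listing every failure."""
    errors = []

    # Domain: fully qualified name of the AD domain, all letters uppercase
    if not domain or "." not in domain or domain != domain.upper():
        errors.append("Domain must be a fully qualified AD domain name in uppercase")

    # Domain User: HCP converts the username to lowercase before passing it to AD
    user = domain_user.strip().lower()
    if not user:
        errors.append("Domain User is required")

    # Organizational Unit (optional): DN relative to the domain, e.g. OU=HCP, OU=Storage,
    # with no domain name (DC=) elements
    rdns = [p.strip() for p in org_unit.split(",") if p.strip()]
    if any(p.upper().startswith("DC=") for p in rdns):
        errors.append("Organizational Unit must not include domain (DC=) elements")
    elif not all(RDN_RE.match(p) for p in rdns):
        errors.append("Organizational Unit must be a DN such as OU=HCP, OU=Storage")

    # HCP Computer Account (optional): 1-64 alphanumerics or hyphens, not all digits
    if computer_account and (not COMPUTER_ACCOUNT_RE.match(computer_account)
                             or computer_account.isdigit()):
        errors.append("HCP Computer Account must be 1-64 letters, digits or hyphens "
                      "and cannot consist only of digits")

    # Trusted Forests (optional): comma-separated root domains of the trusted forests
    forests = [f.strip() for f in trusted_forests.split(",") if f.strip()]
    if any(" " in f for f in forests):
        errors.append("Trusted Forests must be a comma-separated list of root domain names")

    if errors:
        raise ValueError("; ".join(errors))
    return {"domain": domain, "domain_user": user, "org_unit": ", ".join(rdns),
            "computer_account": computer_account, "trusted_forests": forests}
```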
Configuring support for Windows workgroups
You can enable and configure HCP support for Windows workgroups.
Log in to the HCP System Management Console with a user account that has the Security role.
Navigate to the page.
Select the Windows workgroup option.
In the Windows Workgroup field, type the name of the Windows workgroup in which you want HCP to automatically expose CIFS-enabled namespaces.
The workgroup name can be up to 15 characters long.
Click Update Settings.