Hitachi Vantara Knowledge

Active Directory user authentication

Active Directory is an LDAP-compliant hierarchical database of objects. It is very popular in enterprise environments and is becoming a de facto standard for user authentication.

After Active Directory connection settings and groups have been configured for the SMU, it will allow logins from enabled users who supply their Active Directory name and password. This is typically the same name and password that the user would use to log into Windows and other enterprise applications. Unlike SMU local and RADIUS user names, Active Directory user names are case-insensitive. Active Directory passwords are case-sensitive and cannot be changed from the SMU; they are maintained in the Active Directory server. NAS Manager accepts user names in the following formats:

Description                                                      Format
User logon name (pre-Windows 2000)                               administrator
NetBIOS domain name and user logon name (pre-Windows 2000) (*)   COMPANY\administrator
User Principal Name                                              administrator@support.company.com

(*) Not supported with the SMU CLI access.
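The three accepted formats, and the case-sensitivity rule stated above, can be checked with a small classifier. This is an added example, not Hitachi Vantara code: the class and function names, the "logon"/"netbios"/"upn" labels, and the comparison helper are assumptions made here, and the sample names reuse the table's COMPANY and support.company.com values.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not Hitachi Vantara code). The three forms are the ones listed
# in the table: bare logon name, NetBIOS "DOMAIN\user", and UPN "user@dns.domain".


@dataclass(frozen=True)
class ADUserName:
    form: str               # "logon", "netbios" or "upn" (labels chosen here)
    user: str               # the logon name part
    domain: Optional[str]   # NetBIOS domain, DNS domain, or None for a bare logon name

    @property
    def cli_supported(self) -> bool:
        # The page marks the NetBIOS form (*) as not supported for SMU CLI access.
        return self.form != "netbios"

    def key(self) -> str:
        # Canonical form for comparison: Active Directory names are case-insensitive.
        dom = (self.domain or "").casefold()
        return f"{self.form}:{dom}:{self.user.casefold()}"


def parse_ad_user_name(name: str) -> ADUserName:
    """Classify a submitted user name into one of the three accepted formats."""
    name = name.strip()
    if not name:
        raise ValueError("empty user name")
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError(f"malformed NetBIOS user name: {name!r}")
        return ADUserName("netbios", user, domain)
    if "@" in name:
        user, _, domain = name.rpartition("@")
        if not user or not domain or "@" in user:
            raise ValueError(f"malformed User Principal Name: {name!r}")
        return ADUserName("upn", user, domain)
    return ADUserName("logon", name, None)


def user_names_match(submitted: str, stored: str, backend: str) -> bool:
    """Compare names the way the page describes for each backend:
    SMU local and RADIUS names are case-sensitive, Active Directory names are not."""
    if backend == "ad":
        return parse_ad_user_name(submitted).key() == parse_ad_user_name(stored).key()
    if backend in ("local", "radius"):
        return submitted == stored
    raise ValueError(f"unknown backend: {backend!r}")
```

Note that the comparison deliberately treats a bare logon name and a UPN for the same account as different strings; only the directory can say whether they refer to one object, so an audit or allow-list built on these names should store the form it expects rather than guessing.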

Instead of maintaining a separate set of user details on the SMU, the administrator can use the enterprise Active Directory user database. Active Directory groups can be granted access to the SMU, and AD users who belong to these groups can then log into the SMU using their usual name and password.

Groups of Active Directory users can have their access restricted to certain roles. For example, giving an Active Directory group ‘server’ level access restricts all users in that group to managing HNAS servers only; they cannot, for example, make any changes related to SMU administration.

Although the SMU supports RADIUS and Active Directory for external authentication, they are mutually exclusive; it is not possible to have them both configured for external authentication at the same time.

When a login attempt is made, the SMU first tries to authenticate the credentials as a local user. If that fails and Active Directory is configured, the credentials are then authenticated as an Active Directory user.

Active Directory authentication requests are sent to servers in the configured sequential order. If a successful connection cannot be made to the first server or a referral error is returned, it attempts to contact the second server and so on. When a connection is made and an authentication response received (either positive or negative) it is treated as definitive. It does not then contact further servers because all servers are assumed to belong to the same Active Directory forest.
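The login sequence described in the last two paragraphs (local user first, then each configured Active Directory server in order, stopping at the first definitive answer and skipping past unreachable servers and referral errors) is shown below as runnable decision logic. This is an added example, not Hitachi Vantara code: the SMU's local user store and LDAP binds are replaced by constructed in-memory stand-ins (`LOCAL_USERS`, `FAKE_DIRECTORY`, `SERVER_STATE`, `fake_ad_bind`), and the server names dc1/dc2/dc3 and the audit-trail strings are assumptions made here.

```python
import hmac
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Added example (not Hitachi Vantara code). Local-user store and LDAP binds are
# replaced by in-memory stand-ins so the decision logic can be run on its own.


class Outcome(Enum):
    ACCEPT = "accept"            # server answered: credentials valid
    REJECT = "reject"            # server answered: credentials invalid
    UNREACHABLE = "unreachable"  # no successful connection to the server
    REFERRAL = "referral"        # server returned a referral error


# Constructed sample data (assumed names and passwords, not real accounts).
LOCAL_USERS: Dict[str, bytes] = {"smuadmin": b"local-secret"}        # local names: case-sensitive
FAKE_DIRECTORY: Dict[str, bytes] = {"administrator": b"Passw0rd!"}   # AD names: case-insensitive
SERVER_STATE: Dict[str, Outcome] = {                                 # dc3 is the only healthy server
    "dc1": Outcome.UNREACHABLE,
    "dc2": Outcome.REFERRAL,
}


def fake_ad_bind(server: str, user: str, password: str) -> Outcome:
    """Stand-in for an LDAP bind against one configured server."""
    if server in SERVER_STATE:
        return SERVER_STATE[server]
    stored = FAKE_DIRECTORY.get(user.casefold())  # AD user names are case-insensitive
    if stored is not None and hmac.compare_digest(stored, password.encode()):
        return Outcome.ACCEPT                      # passwords stay case-sensitive
    return Outcome.REJECT


def authenticate(
    user: str,
    password: str,
    local_users: Dict[str, bytes],
    ad_servers: List[str],
    ad_bind: Callable[[str, str, str], Outcome],
) -> Tuple[bool, List[str]]:
    """Local user first; then AD servers in configured order until a definitive answer.

    Returns (accepted, trail) where trail records each step for the audit log."""
    trail: List[str] = []
    stored = local_users.get(user)  # exact-case lookup: local names are case-sensitive
    if stored is not None and hmac.compare_digest(stored, password.encode()):
        trail.append("local: accepted")
        return True, trail
    trail.append("local: no match")
    if not ad_servers:
        trail.append("ad: not configured")
        return False, trail
    for server in ad_servers:
        outcome = ad_bind(server, user, password)
        trail.append(f"{server}: {outcome.value}")
        if outcome in (Outcome.ACCEPT, Outcome.REJECT):
            # Positive or negative, the answer is definitive: all servers are
            # assumed to be in the same forest, so no further server is tried.
            return outcome is Outcome.ACCEPT, trail
        # UNREACHABLE or REFERRAL: move on to the next configured server
    trail.append("ad: no definitive answer from any server")
    return False, trail


if __name__ == "__main__":
    servers = ["dc1", "dc2", "dc3"]
    for name, pw in [("administrator", "Passw0rd!"), ("Administrator", "passw0rd!"), ("smuadmin", "local-secret")]:
        ok, trail = authenticate(name, pw, LOCAL_USERS, servers, fake_ad_bind)
        print(name, "->", "ACCEPT" if ok else "REJECT", "|", " / ".join(trail))
```

The trail is worth keeping in a real deployment's logs: when only the last healthy server ever answers, a string of "unreachable" or "referral" entries ahead of it is the earliest sign that the server list order or the first servers' availability needs attention, and a negative answer from a server further down the list is still the final word for that attempt.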
