Microsoft Active Directory back-end authentication

OneSpan Authentication Server can be configured to query Active Directory via an LDAP connection for back-end authentication. This is typically used if a supported Windows operating system is not available on the OneSpan Authentication Server machine.

You need to set up and use SSL for connections between OneSpan Authentication Server and the Active Directory back-end server. Unencrypted connections to an Active Directory back-end server do not work, unless you have a very old and specially configured version of Windows Server. OneSpan Authentication Server does not support unencrypted connections to Active Directory via LDAP!

OneSpan Authentication Server also supports site awareness for Global Catalog-based Active Directory domain controller lookup. OneSpan Authentication Server queries the Global Catalog for all domain controllers serving the user currently in process of back-end authentication and contacts the relevant domain controllers according to their priority in the Global Catalog. In this context, OneSpan Authentication Server identifies the network site to which the machine that is running OneSpan Authentication Server belongs. Those domain controllers that share the same site with OneSpan Authentication Server during back-end authentication take precedence over others.

For more information about Active Directory user name resolution, see Active Directory user name resolution.

To enable back-end authentication for Active Directory using LDAP

  1. Identify the Active Directory server based on the Active Directory back-end server records in OneSpan Authentication Server. If no Active Directory back-end server records are defined, then OneSpan Authentication Server will attempt to identify the Active Directory domain controller using the Global Catalog.
  2. Bind to Active Directory using the security principal ID and password defined for the Active Directory back-end server, if principal details are specified. The security principal ID is given as a DN, for example: cn=Administrator, cn=User, dc=vasco, dc=com.
  3. Search Active Directory for the attributes of the user to be authenticated.
  4. OneSpan Authentication Server will bind to the directory server that handles the authentication request and use the user ID and the password specified in the authentication request received. If the bind succeeds, the user authentication is deemed to be successful. If the bind fails, the authentication is deemed to have failed.

If authentication fails, the attributes retrieved during the search will be used to determine the cause of the failure.
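The following is an added illustration of the workflow described above (service-principal bind, user attribute search, bind as the user, and failure attribution from the retrieved attributes); it is not OneSpan code. The directory is a constructed in-memory stand-in rather than a real LDAP client, and the DNs, host name and passwords are made up; the userAccountControl bit and lockoutTime attribute are standard Active Directory values.

```python
from dataclasses import dataclass, field

ACCOUNTDISABLE = 0x0002  # userAccountControl bit meaning "account disabled"

@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for an AD domain controller (not a real LDAP client)."""
    url: str
    entries: dict                                # dn -> {"password": str, "attrs": {...}}
    by_sam: dict = field(default_factory=dict)   # sAMAccountName -> dn

    def bind(self, dn, password):
        e = self.entries.get(dn)
        if e is None or e["password"] != password:
            return False
        # AD also refuses a simple bind for disabled or locked-out accounts.
        uac = int(e["attrs"].get("userAccountControl", 0))
        return not (uac & ACCOUNTDISABLE) and int(e["attrs"].get("lockoutTime", 0)) == 0

    def search(self, sam_account_name):
        dn = self.by_sam.get(sam_account_name)
        return (dn, self.entries[dn]["attrs"]) if dn else (None, None)

def authenticate(directory, principal_dn, principal_pw, user_id, user_pw):
    """Step 2: bind as the service principal (if configured); step 3: search the
    user's attributes; step 4: bind as the user. Returns (success, reason)."""
    if not directory.url.lower().startswith("ldaps://"):
        return False, "refused: unencrypted LDAP to Active Directory is not supported"
    if principal_dn and not directory.bind(principal_dn, principal_pw):
        return False, "service principal bind failed"
    user_dn, attrs = directory.search(user_id)
    if user_dn is None:
        return False, "user not found"
    if directory.bind(user_dn, user_pw):
        return True, "ok"
    # Bind failed: explain it from the attributes already retrieved in step 3.
    if int(attrs.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return False, "account disabled"
    if int(attrs.get("lockoutTime", 0)) > 0:
        return False, "account locked out"
    return False, "invalid credentials"

# Constructed sample directory; DNs reuse the page's dc=vasco,dc=com base. 512 = normal
# account, 514 = normal account with the ACCOUNTDISABLE bit set.
SVC_DN = "cn=Administrator,cn=Users,dc=vasco,dc=com"
SAMPLE = FakeDirectory(
    url="ldaps://dc1.vasco.com:636",
    entries={SVC_DN: {"password": "svc-secret", "attrs": {}},
             "cn=alice,cn=Users,dc=vasco,dc=com": {"password": "alice-pw", "attrs": {"userAccountControl": 512}},
             "cn=bob,cn=Users,dc=vasco,dc=com": {"password": "bob-pw", "attrs": {"userAccountControl": 514}}},
    by_sam={"alice": "cn=alice,cn=Users,dc=vasco,dc=com", "bob": "cn=bob,cn=Users,dc=vasco,dc=com"},
)
```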

When upgrading Active Directory domain controllers, the following rule must be obeyed:

  • If a server with Windows group users is promoted to an Active Directory domain controller, you must reset the Active Directory password for any user that existed on the server before it was promoted.

Figure: Back-end authentication with Active Directory (Workflow)

For more information about setting up a back-end server record for an Active Directory server, refer to the Administration Web Interface Help.