User Guide IM 550/600 series

Preparing the Server to Use for User Authentication

When using Windows authentication or LDAP authentication as the user authentication method for the first time, check that your server environment meets the requirements for user authentication, and configure the required settings.

To use Windows authentication

Prepare the server as follows:

  1. Check the requirements of Windows authentication.

  2. Install the Web Server (IIS) and the "Active Directory Certificate Service" on the server.

  3. Create a server certificate.

    You do not need to create a server certificate if user information is transmitted without encryption.

To use LDAP authentication

Check the requirements of LDAP authentication, and configure the settings according to the server environment as necessary.

Requirements of Server Authentication Used for User Authentication

Windows authentication

Usable OS: Windows Server 2008/2008 R2/2012/2012 R2/2016/2019

  • To use Kerberos authentication under Windows Server 2008, install Service Pack 2 or later.

Authentication method: the following methods are supported:

  • NTLM authentication (NTLMv1/NTLMv2)

  • Kerberos authentication

To specify Kerberos authentication, the server authenticating users must support Kerberos authentication. If the server does not support it, NTLM authentication is automatically selected.

Requirements for authentication:

  • Set up a domain controller in the domain you specify.

  • To obtain user information when Active Directory is running, use LDAP. It is recommended that communication be encrypted between the machine and the LDAP server by using SSL/TLS. The server must support the TLS 1.0/1.1/1.2 or SSL 3.0 encryption method. Register the server certificate of the domain controller in advance.

    See: Creating a Server Certificate

  • TLS 1.0/SSL 3.0 are disabled in the factory default setting. To use TLS 1.0/SSL 3.0, set TLS 1.0/SSL 3.0 to Enable in Web Image Monitor.

  • Data transmission between the machine and the KDC (Key Distribution Center) server must be encrypted if Kerberos authentication is enabled.

    See: Encrypting Network Communication

Note

  • The server can authenticate users managed in other domains, but cannot obtain information such as an e-mail address.

  • When Kerberos authentication is enabled, the e-mail address cannot be obtained if SSL/TLS is specified.

  • Even if you edit an authenticated user's information, such as an e-mail address, in the machine's address book, it may be overwritten by the information from the server when authentication is performed.

  • If you created a new user in the domain controller and selected "User must change password at next logon" when setting the password, first log on to a computer and change the password.

  • If the "Guest" account on the Windows server is enabled, users not registered in the domain controller can be authenticated. When this account is enabled, users are registered in the address book and can use the functions available under [*Default Group].

LDAP authentication

Usable version: LDAP Version 2.0/3.0

Authentication method:

  • Kerberos authentication

  • Digest authentication

  • Cleartext authentication

When you select Cleartext authentication, LDAP simplified authentication is enabled. Simplified authentication can be performed with a user attribute (such as cn or uid) instead of the DN.

Requirements for authentication:

  • To use SSL/TLS, the server must support the TLS 1.0/1.1/1.2 or SSL 3.0 encryption method.

  • TLS 1.0/SSL 3.0 are disabled in the factory default setting. To use TLS 1.0/SSL 3.0, set TLS 1.0/SSL 3.0 to Enable in Web Image Monitor.

  • To use Kerberos authentication, register the realm that identifies the network area.

  • Data transmission between the machine and the KDC (Key Distribution Center) server must be encrypted if Kerberos authentication is enabled.

    See: Encrypting Network Communication

  • Digest authentication is available only with LDAP version 3.0.

Notes when the LDAP server is configured using Active Directory

  • When Kerberos authentication is enabled together with SSL/TLS, the e-mail address cannot be obtained.

  • Anonymous authentication might be available. To improve security, set anonymous authentication to Disable.

Note

  • Even if you edit an authenticated user's information, such as an e-mail address, in the machine's address book, it may be overwritten by the information from the server when authentication is performed.

  • Under LDAP authentication, you cannot specify access limits for groups registered in the server.

  • Do not use double-byte Japanese, Traditional Chinese, Simplified Chinese, or Hangul characters when entering the login user name or password. If you use double-byte characters, you cannot authenticate using Web Image Monitor.

  • Under LDAP authentication, if "Anonymous Authentication" in the LDAP server's settings is not set to Prohibit, users who do not have an LDAP server account might be able to access the server.

  • When using the machine for the first time, the user can use "Available Functions" specified in [User Authentication Management].

  • To specify "Available Functions" for each user, register the user together with "Available Functions" in the address book, or specify Available Functions in the user registered automatically in the address book.
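
The requirements listed above for Windows authentication and LDAP authentication (installed roles, SSL/TLS protocol state, anonymous LDAP operations prohibited, LDAPS answering with a verifiable certificate) can be checked on the domain controller before the machine is pointed at it. The following PowerShell script is an added example and is not part of this guide; it assumes it runs on the domain controller with the ActiveDirectory and ServerManager modules available, and $DcFqdn is a constructed placeholder.

```powershell
# Added example (not from the guide): check the server prerequisites from the domain controller.
# Assumes the ActiveDirectory and ServerManager modules; $DcFqdn is a constructed placeholder.
param([string]$DcFqdn = 'dc01.example.test')

Import-Module ActiveDirectory, ServerManager -ErrorAction Stop

# 1. Roles the guide asks for: Web Server (IIS) and AD CS with the Certification Authority role service.
Get-WindowsFeature -Name Web-Server, AD-Certificate, ADCS-Cert-Authority |
    Select-Object Name, InstallState | Format-Table -AutoSize

# 2. Anonymous LDAP: the 7th character of dsHeuristics set to '2' permits anonymous
#    operations beyond the RootDSE; the guide wants anonymous authentication prohibited.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties dsHeuristics
$h = [string]$ds.dsHeuristics
$anonymousAllowed = ($h.Length -ge 7 -and $h[6] -eq '2')
"Anonymous LDAP operations allowed: $anonymousAllowed (dsHeuristics='$h')"

# 3. Schannel protocol state on the server side. A missing 'Enabled' value means the OS default applies;
#    TLS 1.0/SSL 3.0 should stay off unless they were deliberately enabled on the machine as well.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -ne 0) { 'enabled' } else { 'disabled' }
    "$proto server side: $state"
}

# 4. LDAPS (636) must present a certificate the machine can verify once the CA certificate is
#    registered on it. Capture the negotiated protocol, subject, issuer and expiry for review.
#    The validation callback accepts any certificate here only so the details can be inspected.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($DcFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"LDAPS protocol: $($ssl.SslProtocol); subject: $($cert.Subject); issuer: $($cert.Issuer); expires: $($cert.NotAfter)"
$ssl.Dispose(); $tcp.Dispose()
```

Run it in an elevated PowerShell session on the domain controller; an LDAPS certificate whose issuer is not the enterprise CA you register on the machine will fail verification at authentication time.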

Installing the Web Server (IIS) and the "Active Directory Certificate Service"

Install the required services on the Windows server so that user information registered in Active Directory can be obtained automatically.

Windows Server 2012/2016/2019

  1. On the [Start] menu, click [Server Manager].

  2. On the [Manage] menu, click [Add Roles and Features].

  3. Click [Next].

  4. Select [Role-based or feature-based installation], and then click [Next].

  5. Select a server, and then click [Next].

  6. Select the [Active Directory Certificate Service] and [Web Server (IIS)] check boxes, and then click [Next].

    If a confirmation message appears, click [Add Features].

  7. Check the features to install, and then click [Next].

  8. Read the content information, and then click [Next].

  9. Make sure that [Certification Authority] is selected in the Role Services area of Active Directory Certificate Services, and then click [Next].

  10. Read the content information, and then click [Next].

    When using Windows Server 2016, proceed to Step 12 after reading the content information.

  11. Check the role services to install under Web Server (IIS), and then click [Next].

  12. Click [Install].

  13. After the installation completes, click the notification icon in Server Manager, and then click [Configure Active Directory Certificate Service on the destination server].

  14. Click [Next].

  15. Select the [Certification Authority] role service, and then click [Next].

  16. Select [Enterprise CA], and then click [Next].

  17. Select [Root CA], and then click [Next].

  18. Select [Create a new private key], and then click [Next].

  19. Select a cryptographic provider, key length, and hash algorithm for the new private key, and then click [Next].

  20. In "Common name for this CA:", enter the Certificate Authority name, and then click [Next].

  21. Select the validity period, and then click [Next].

  22. Leave "Certificate database location:" and "Certificate database log location:" unchanged, and then click [Next].

  23. Click [Configure].

  24. When the message "Configuration succeeded" appears, click [Close].

Windows Server 2008 R2

  1. On the "Start" menu, point to "Administrative Tools", and then start Server Manager.

  2. Click [Roles] in the left column, and then click [Add Roles] on the "Action" menu.

  3. Click [Next].

  4. Select the "Web Server (IIS)" and "Active Directory Certificate Services" check boxes, and then click [Next].

    If a confirmation message appears, click [Add Features].

  5. Read the content information, and then click [Next].

  6. Check "Certification Authority", and then click [Next].

  7. Select "Enterprise", and then click [Next].

  8. Select "Root CA", and then click [Next].

  9. Select "Create a new private key", and then click [Next].

  10. Select a cryptographic service provider, key length, and hash algorithm for the new private key, and then click [Next].

  11. In "Common name for this CA:", enter the Certificate Authority name, and then click [Next].

  12. Select the validity period, and then click [Next].

  13. Leave "Certificate database location:" and "Certificate database log location:" unchanged, and then click [Next].

  14. Read the notes, and then click [Next].

  15. Select the role services to install, and then click [Next].

  16. Click [Install].

Installation of added features starts.

Creating a Server Certificate

To encrypt user information, create a server certificate in the Windows server. Windows Server 2016 is used as an example.

  1. On the [Start] menu, click [All Applications], and then click [Internet Information Services (IIS) Manager] under [Administrative Tools].

  2. In the left column, click the server name, and then double-click [Server Certificates].

  3. In the right column, click [Create Certificate Request...].

  4. Enter all the information, and then click [Next].

  5. In "Cryptographic service provider:", select a provider, and then click [Next].

  6. Click [...], and then specify a file name for the certificate request.

  7. Specify a location in which to store the file, and then click [Open].

  8. Click [Finish].
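
The same certificate request can be produced without the IIS Manager wizard, which is convenient when several domain controllers must present LDAPS certificates to the machine. The following PowerShell script is an added example, not part of this guide; it writes a certreq.exe request file with a 2048-bit RSA key, SHA-256, the Server Authentication usage, and a Subject Alternative Name matching the server address the machine will connect to. $Fqdn and the file paths are constructed placeholders.

```powershell
# Added example (not from the guide): generate the server certificate request with certreq.exe.
# $Fqdn must be the name the machine uses to reach the LDAP server; paths are constructed placeholders.
param(
    [string]$Fqdn    = 'dc01.example.test',
    [string]$InfPath = "$env:TEMP\server-cert.inf",
    [string]$ReqPath = "$env:TEMP\server-cert.req"
)

# The INF mirrors the wizard choices: machine key store, non-exportable key, SChannel provider,
# digital signature + key encipherment, and a DNS SAN so name matching does not rely on the CN alone.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@

Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Create the request; the private key is generated in the local machine store and never leaves it.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
"Request written to $ReqPath. Submit it to the enterprise CA, then install the issued certificate with: certreq -accept <issued.cer>"
```

Run the script in an elevated session on the server that will answer LDAPS requests; the issued certificate binds to the key created in the machine store, so the request and the acceptance step must run on the same host.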