Preparing the Server to Use for User Authentication

When using Windows authentication or LDAP authentication as the user authentication method for the first time, check that your server environment meets the requirements for user authentication, and configure the required settings.

To use Windows authentication

Prepare the server as follows:

Check the requirements of Windows authentication.
Install the Web server (IIS) and the "Active Directory Certificate Service" in the server.
Create a server certificate.
You do not need to create a server certificate to transmit user information that is not encrypted.

To use LDAP authentication

Check the requirements of LDAP authentication, and configure the settings according to the server environment as necessary.

Requirements of Server Authentication Used for User Authentication

Windows authentication
Items	Explanation
Usable OS	Windows Server 2008/2008 R2/2012/2012 R2/2016/2019 To use Kerberos authentication under Windows Server 2008, install Service Pack 2 or later.
Authentication method	Supports the following authentication methods: NTLM authentication (NTLMv1/NTLMv2) Kerberos authentication To specify Kerberos authentication, the server authenticating users must support Kerberos authentication. If the server does not support it, NTLM authentication is automatically selected.
Requirements for authentication	Set up a domain controller in the domain you specify. To obtain user information when Active Directory is running, use LDAP. It is recommended that communication be encrypted between the machine and the LDAP server by using SSL/TLS. The server must support the TLS1.0/1.1/1.2 or SSL 3.0 encryption method. Register the server certificate of the domain controller in advance. Creating a Server Certificate TLS1.0/SSL 3.0 is disabled in the factory default setting. To use TLS1.0/SSL 3.0, specify TLS1.0/SSL 3.0 to Enable on Web Image Monitor. Data transmission between the machine and the KDC (Key Distribution Center) server must be encrypted if Kerberos authentication is enabled. Encrypting Network Communication

Note

The server can authenticate users managed in other domains, but cannot obtain information such as an e-mail address.
When Kerberos authentication is enabled, the e-mail address cannot be obtained if SSL/TLS is specified.
Even if you edit an authenticated user's information, such as an e-mail address, in the machine's address book, it may be overwritten by the information from the server when authentication is performed.
If you created a new user in the domain controller and selected "User must change password at next logon" at password configuration, first log on the computer and change the password.
If the "Guest" account on the Windows server is enabled, users not registered in the domain controller can be authenticated. When this account is enabled, users are registered in the address book and can use the functions available under [*Default Group].

LDAP authentication
Items	Explanations
Usable version	LDAP Version 2.0/3.0
Authentication method	Kerberos authentication Digest authentication Cleartext authentication When you select Cleartext authentication, LDAP simplified authentication is enabled. Simplified authentication can be performed with a user attribute (such as cn or uid) instead of the DN.
Requirements for authentication	To use SSL/TLS, the server must support the TLS1.0/1.1/1.2 or SSL 3.0 encryption method. TLS1.0/SSL 3.0 is disabled in the factory default setting. To use TLS1.0/SSL 3.0, specify TLS1.0/SSL 3.0 to Enable on Web Image Monitor. To use Kerberos Authentication, register the realm to distinguish the network area. Settings screen type: Standard Registering the Realm Settings screen type: Classic Programming the Realm Data transmission between the machine and the KDC (Key Distribution Center) server must be encrypted if Kerberos authentication is enabled. Encrypting Network Communication When you use LDAP, only version 3.0 can use Digest authentication.

Notes when the LDAP server is configured using Active Directory

When Kerberos authentication is enabled together with SSL/TLS, the e-mail address cannot be obtained.
Anonymous authentication might be available. To improve security, set anonymous authentication to Disable.

Note

Even if you edit an authenticated user's information, such as an e-mail address, in the machine's address book, it may be overwritten by the information from the server when authentication is performed.
Under LDAP authentication, you cannot specify access limits for groups registered in the server.
When using the machine for the first time, the user can use "Available Functions" specified in [User Authentication Management].
To specify "Available Functions" for each user, register the user together with "Available Functions" in the address book, or specify Available Functions in the user registered automatically in the address book.

Installing the Web Server (IIS) and the "Active Directory Certificate Service"

Install the required service in the Windows server to obtain user information registered in Active Directory automatically.

Windows Server 2012/2012 R2/2016/2019

On the [Start] menu, click [Server Manager].

On the [Manage] menu, click [Add Roles and Features].

Click [Next].

Select [Role-based or feature-based installation], and then click [Next].

Select a server.

Select the [Active Directory Certificate Service] and [Web Server (IIS)] check boxes, and then click [Next].

If a confirmation message appears, click [Add Features].

Check the features to install, and then click [Next].

Read the content information, then click [Next].

Make sure that [Certification Authority] is selected in the Role Services area in Active Directory Certificate Services, and then click [Next].

Read the content information, then click [Next].

When using Windows Server 2016, proceed to Step 12 after reading the content information.

Check the role services to install under Web server (IIS), and then click [Next].

Click [Install].

After completing the installation, click the notification icon of the server manager, and then click [Configure Active Directory Certificate Service on the destination server].

Click [Next].

Check [Certification Authority] in the role service, and then click [Next].

Select [Enterprise CA], and then click [Next].

Select [Root CA], and then click [Next].

Select [Create a new private key], and then click [Next].

Select a cryptographic provider, key length, and hash algorithm to create a new private key, and then click [Next].

In "Common name for this CA:" enter the Certificate Authority name, and then click [Next].

Select the validity period, and then click [Next].

Leave "Certificate database location:" and "Certificate database log location:" without change, and then click [Next].

Click [Configure].

When the message "Configuration succeeded" appears, click [Close].

Windows Server 2008 R2

On the "Start" menu, point to "Administrative Tools", and then start the server manager.

Click [Roles] in the left column, click [Add Roles] from the "Action" menu.

Click [Next].

Select the "Web Server (IIS)" and "Active Directory Certificate Services" check boxes, and then click [Next].

If a confirmation message appears, click [Add Features].

Read the content information, and then click [Next].

Check "Certification Authority", and then click [Next].

Select "Enterprise", and then click [Next].

Select "Root CA", and then click [Next].

Select "Create a new private key", and then click [Next].

Select a cryptographic service provider, key length, and hash algorithm to create a new private key, and then click [Next].

In "Common name for this CA:", enter the Certificate Authority name, and then click [Next].

Select the validity period, and then click [Next].

Leave "Certificate database location:" and "Certificate database log location:" without changing, and then click [Next].

Read the notes, and then click [Next].

Select the role services to install, and then click [Next].

Click [Install].

Installation of added features starts.

Creating a Server Certificate

To encrypt user information, create a server certificate in the Windows server. Windows Server 2016 is used as an example.

On the [Start] menu, click [All Applications], and then click [Internet Information Service (IIS) Manager] of [Administrative Tools].

In the left column, click [Server Name], and then double-click [Server Certificate].

In the right column, click [Create Certificate Request...].

Enter all the information, and click [Next].

In "Cryptographic service provider:", select a provider, and then click [Next].

Click [...], and then specify a file name for the certificate request.

Specify a location in which to store the file, and then click [Open].

Click [Finish].