Preparing the Server to Use for User Authentication

When using Windows authentication or LDAP authentication as the user authentication method for the first time, check that your server environment meets the requirements for user authentication, and configure the required settings.

To use Windows authentication

Prepare the server as follows:

  1. Check the requirements of Windows authentication.

  2. Install the Web server (IIS) and the Active Directory Certificate Service in the server.

  3. Create a server certificate.
    You do not need to create a server certificate to transmit user information that is not encrypted.

To use LDAP authentication

Check the requirements of LDAP authentication, and configure the settings according to the server environment as necessary.

Requirements of Server Authentication Used for User Authentication

Windows authentication

Items

Explanation

Usable OS

Windows Server 2012/2012 R2/2016/2019/2022

Authentication method

Supports the following authentication methods:

  • NTLM authentication (NTLMv1/NTLMv2)

  • Kerberos authentication

Requirements for authentication

  • Set up a domain controller in the domain you specify.

  • To obtain user information when Active Directory is running, use LDAP. It is recommended that communication be encrypted between the machine and the LDAP server by using SSL/TLS. The server must support the TLS 1.0/1.1/1.2/1.3 or SSL 3.0 encryption method. Register the server certificate of the domain controller in advance.
    Creating a Server Certificate

  • TLS 1.0, TLS 1.1, and SSL 3.0 are disabled by default. To use TLS 1.0/1.1 or SSL 3.0, enable it on Web Image Monitor.

  • Data transmission between the machine and the KDC (Key Distribution Center) server must be encrypted if Kerberos authentication is enabled.
    Encrypting Network Communication

Note

  • The server can authenticate users managed in other domains, but cannot obtain information such as an e-mail address.

  • When Kerberos authentication is enabled together with SSL/TLS, the e-mail address cannot be obtained.

  • Even if you edit an authenticated user's information, such as an e-mail address, in the machine's Address Book, it may be overwritten by the information from the server when authentication is performed.

  • If you created a new user in the domain controller and selected "User must change password at next logon" at password configuration, first log on the computer and change the password.

  • If the Guest account on the Windows server is enabled, users not registered in the domain controller can be authenticated. When this account is enabled, users are registered in the Address Book and can use the functions available under [* Default Group].

LDAP authentication

Items

Explanations

Usable version

LDAP Version 2.0/3.0

Authentication method

Supports the following authentication methods:

  • Kerberos authentication

  • Digest authentication

  • Cleartext authentication

When you select Cleartext authentication, LDAP simplified authentication is enabled. Simplified authentication can be performed with a user attribute (such as cn or uid) instead of the DN.

Requirements for authentication

  • To use SSL/TLS, the server must support the TLS 1.0/1.1/1.2/1.3 or SSL 3.0 encryption method.

  • TLS 1.0, TLS 1.1, and SSL 3.0 are disabled by default. To use TLS 1.0/1.1 or SSL 3.0, enable it on Web Image Monitor.

  • To use Kerberos authentication, register the realm to distinguish the network area.

    Registering the Realm

  • Data transmission between the machine and the KDC (Key Distribution Center) server must be encrypted if Kerberos authentication is enabled.
    Encrypting Network Communication

  • When you use LDAP, only version 3.0 can use Digest authentication.
Notes when the LDAP server is configured using Active Directory

  • When Kerberos authentication is enabled together with SSL/TLS, the e-mail address cannot be obtained.

  • Anonymous authentication might be available. To improve security, set anonymous authentication to Disable.

Note

  • Even if you edit an authenticated user's information, such as an e-mail address, in the machine's Address Book, it may be overwritten by the information from the server when authentication is performed.

  • Under LDAP authentication, you cannot specify access limits for groups registered in the server.

  • Do not use double-byte Japanese, Traditional Chinese, Simplified Chinese, or Hangul characters when entering the login user name or password. If you use double-byte characters, you cannot authenticate using Web Image Monitor.

  • When using the machine for the first time, the user can use Available Functions specified in [User Authentication Management].

  • To specify Available Functions for each user, register the user together with Available Functions in the Address Book, or specify Available Functions in the user registered automatically in the address book.

Section Top

Installing the Web Server (IIS) and the "Active Directory Certificate Service"

Install the required service in the Windows server to obtain user information registered in Active Directory automatically.

  1. On the [Start] menu, click [Server Manager].

  2. On the [Manage] menu, click [Add Roles and Features].

  3. Click [Next].

  4. Select [Role-based or feature-based installation], and then click [Next].

  5. Select a server, and then click [Next].

  6. Select the [Active Directory Certificate Service] and [Web Server (IIS)] check boxes, and then click [Next].
    If a confirmation message appears, click [Add Features].

  7. Check the features to install, and then click [Next].

  8. Read the content information, then click [Next].

  9. Make sure that [Certification Authority] is selected in the Role Services area in Active Directory Certificate Services, and then click [Next].

  10. Read the content information, then click [Next].
    When using Windows Server 2016, proceed to Step 12 after reading the content information.

  11. Check the role services to install under Web server (IIS), and then click [Next].

  12. Click [Install].

  13. When using Windows Server 2019 or Windows Server 2022, click [Close].

  14. After completing the installation, click the notification icon of the server manager, and then click [Configure Active Directory Certificate Service on the destination server].

  15. Click [Next].

  16. Check [Certification Authority] in the role service, and then click [Next].

  17. Select [Enterprise CA], and then click [Next].

  18. Select [Root CA], and then click [Next].

  19. Select [Create a new private key], and then click [Next].

  20. Select a cryptographic provider, key length, and hash algorithm to create a new private key, and then click [Next].

  21. In [Common name for this CA:], enter the Certificate Authority name, and then click [Next].

  22. Select the validity period, and then click [Next].

  23. Leave [Certificate database location:] and [Certificate database log location:] without change, and then click [Next].

  24. Click [Configure].

  25. When the message "Configuration succeeded" appears, click [Close].

Section Top

Creating a Server Certificate

To encrypt user information, create a server certificate in the Windows server. Windows Server 2016 is used as an example.

  1. On the [Start] menu, point to [All Applications], and then click [Internet Information Service (IIS) Manager] of [Administrative Tools].

  2. In the left column, click [Server Name], and then double-click [Server Certificate].

  3. In the right column, click [Create Certificate Request...].

  4. Enter all the information, and click [Next].

  5. In [Cryptographic service provider:], select a provider, and then click [Next].

  6. Click [...], and then specify a file name for the certificate request.

  7. Specify a location in which to store the file, and then click [Open].

  8. Click [Finish].

Section Top

x

QR Code