Active Directory Authentication


About Active Directory Integration

Cerberus FTP Server Professional is able to authenticate users on an NT domain (or the local NT account database), even if the computer Cerberus FTP Server is installed on is not the domain controller. The domain may be a pre-Windows 2000 domain (NT4), a domain configured to use Active Directory, or the local system account database (use "." as the domain for authenticating against local accounts). However, the machine Cerberus FTP Server is running on must be a member of the domain you wish to authenticate users against.

Configuring Cerberus to use Active Directory authentication simply requires enabling Active Directory authentication and telling the server the name of the domain to authenticate against. The rest of the configuration is automatic. Users are able to FTP into the server using the same username and password they use to log into their workstations on the domain. For the purpose of access to files and folders, the FTP user has the same access as the Active Directory user with the same name. All operations on the server by the user are carried out while impersonating the Active Directory user.

To allow Active Directory authentication, you will need to check the Use Windows Authentication checkbox under the NT User Manager's AD Users tab. Once checked, Cerberus will attempt to authenticate users from the domain listed in the Domain edit box.

 

Figure: Active Directory Authentication page

NT accounts are always configured for simple directory mode (see Adding users for more information about simple mode) if any mode other than "Cerberus Group" is selected for the NT User Directory Mapping mode.

The NT User Directory Mapping modes work as follows:

  • Global Home: Every NT account will use the directory specified under the "Global Home" edit box as the FTP root, the user's home directory, or a subdirectory off of a common root directory that is the same as the user's name.
  • Global Home\%username%: Every NT account will use a subdirectory off of the "Global Home" directory that is the same as the account's name.
  • User Home Directory: Every NT account will use that account's home directory as the FTP root.
  • Cerberus Group: The specified Cerberus Group will be used to determine what directories and what settings to apply to the Active Directory user when they log in, including any security requirements associated with the group.

Active Directory FTP Security Group

Optionally, you can also configure a Security Group for FTP users. This will cause Cerberus FTP Server to check that the Active Directory user is a member of the listed Active Directory Global security group before allowing login. If selected, only members of the security group will be allowed to log in.

Understanding Windows Authentication

NT user authentication is intended for experienced system administrators who understand the NT security model. Novice users, or users wishing to avoid the details of Windows security, should leave Windows Authentication disabled and stick with native Cerberus FTP Server users.

Note: The Cerberus FTP Server account database is always checked for a user before the NT account database is checked. If there is a user with the same name in both databases, the Cerberus FTP Server user will be the only one authenticated against. To ensure that the NT user is checked, delete the Cerberus user.

The "Guest" Account

In NT, the Guest account lets people log on to an NT computer when they don't have a personal account defined on the computer, in the computer's domain, or in any of the domains that the computer's domain trusts. Like the Administrator account, the Guest account is a built-in account with a fixed SID; although you can rename the account, it can't--by default--be deleted. Unlike the Administrator account, the Guest account doesn't require a password for logon, which is why it's disabled by default. A Guest account reenabled by mistake would pose a significant security hole.

To help guard against this potential security hole, an administrator cannot enable Cerberus FTP Server's Windows authentication integration if the Guest account is enabled.
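
A pre-check for the Guest restriction described above, as an added PowerShell example that is not part of the Cerberus documentation. It finds the account by its fixed RID (501) rather than by name, since the account can be renamed; the function names are hypothetical, and the domain check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not Cerberus code): report whether the built-in Guest account
# is enabled, locating it by its well-known RID so a renamed Guest is still found.

function Test-GuestRid {
    param([Parameter(Mandatory)][string]$Sid)
    # The built-in Guest account is always <machine-or-domain SID>-501.
    return $Sid -match '^S-1-5-21-\d+-\d+-\d+-501$'
}

function Get-GuestAccountState {
    $results = @()

    # Local account database (what "." as the domain authenticates against).
    foreach ($u in (Get-LocalUser | Where-Object { Test-GuestRid $_.SID.Value })) {
        $results += [pscustomobject]@{
            Scope   = 'Local'
            Name    = $u.Name
            SID     = $u.SID.Value
            Enabled = $u.Enabled
        }
    }

    # Domain account database, only when the ActiveDirectory module is available.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $domainSid = (Get-ADDomain).DomainSID.Value
        $g = Get-ADUser -Identity "$domainSid-501" -Properties Enabled
        $results += [pscustomobject]@{
            Scope   = 'Domain'
            Name    = $g.SamAccountName
            SID     = $g.SID.Value
            Enabled = $g.Enabled
        }
    }
    return $results
}

$state = Get-GuestAccountState
$state | Format-Table -AutoSize

if ($state | Where-Object Enabled) {
    Write-Warning 'Guest is enabled: disable it before turning on Windows authentication.'
}
```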

©2010 Cerberus, LLC