Active Directory Authentication
About Active Directory Integration
Cerberus FTP Server Professional and Enterprise editions are able to authenticate users on an NT domain (or the local NT account database), even if the computer Cerberus FTP Server is installed on is not the domain controller. The domain may be a pre-Windows 2000 domain (NT4), a domain configured to use Active Directory, or the local system account database (use "." as the domain for authenticating against local machine accounts). However, the machine Cerberus FTP Server is running on must be a member of the domain you wish to authenticate users against.
Configuring Cerberus to use Active Directory authentication simply requires enabling Active Directory authentication and telling the server the name of the domain to authenticate against. The rest of the configuration is automatic. Users are able to FTP into the server using the same username and password they use to log into their workstations on the domain. For the purpose of access to files and folders, the FTP user has the same access as the Active Directory user with the same name. All operations on the server by the user are carried out while impersonating the Active Directory user.
Important Security Consideration: There is an exception to impersonation for Active Directory authentication when using SFTP with Public Key only SSH authentication. The Active Directory user can still be authenticated with Public Key only authentication, but the Active Directory user cannot be impersonated. Only the Password or Public Key and Password SSH authentication methods support AD user impersonation.
To allow Active Directory authentication, you will need to check the Enable Windows Authentication for this Domain checkbox under the User Manager's AD Users tab. Once checked, Cerberus will attempt to authenticate users from the domain listed in the Domain edit box.
Active Directory accounts are always configured for simple directory mode (See Adding users for more information about simple mode) if any mode other than "Cerberus Group" is selected for the Default Virtual Directory Mapping mode.
The Default Virtual Directory Mapping modes work as follows:
| Mode | Behaviour |
| --- | --- |
| Global Home | Every NT account will use the directory specified under the "Global Home" edit box as the FTP root, the user's home directory, or a subdirectory off of a common root directory that is the same as the user's name. |
| Global Home\%username% | Every NT account will use a subdirectory off of the "Global Home" directory that is the same as the account's name. |
| User Home Directory | Every NT account will use that account's home directory as the FTP root. |
| Cerberus Group | The specified Cerberus Group will be used to determine what directories and what settings to apply to the Active Directory user when they log in, including any security requirements associated with the group. |
Active Directory FTP Security Group
Optionally, you can also configure a Security Group for FTP users. This will cause Cerberus FTP Server to check that the Active Directory user is a member of the listed Active Directory Global security group before allowing login. If selected, only members of the security group will be allowed to login.
Authenticating Against more than one Active Directory Domain
Cerberus FTP Server can be configured to authenticate against multiple domains. Select the AD Users page of the User Manager and select the icon in the top right corner. This will add a new domain tab to the AD Users page. This new domain tab can be configured the same way as the default Active Directory domain tab.
Understanding Windows Authentication
Active Directory user authentication is intended for experienced system administrators that understand the NT security model. Novice users, or users wishing to avoid the details of Windows security, should leave Windows Authentication disabled and stick with native Cerberus FTP Server users.
Note: The Cerberus FTP Server account database is always checked for a user before the NT account database is checked. If there is a user with the same name in both databases, the Cerberus FTP Server user will be the only one authenticated against. To ensure that the NT user is checked, delete the Cerberus user.
The "Guest" Account
In NT, the Guest account lets people log on to an NT computer when they don't have a personal account defined on the computer, in the computer's domain, or in any of the domains that the computer's domain trusts. Like the Administrator account, the Guest account is a built-in account with a fixed SID; although you can rename the account, it can't, by default, be deleted. Unlike the Administrator account, the Guest account doesn't require a password for logon, which is why it's disabled by default. A Guest account re-enabled by mistake would pose a significant security hole.
To help guard against this potential security hole, an administrator cannot enable Cerberus FTP Server's Windows authentication integration if the Guest account is enabled.
Active Directory User to Cerberus Group Mapping
By default, all AD users are assigned the same virtual directories and permissions. These defaults are configured on the Domain tab of the AD Users page. However, if you wish to customize the directory and permission mappings for individual AD users then you can do so through the AD Directory Mapping tab. You can select individual AD accounts and map them to Cerberus group accounts. This mapping will override the default Cerberus Group and directory mapping specified for all AD users on the AD Users page.
Creating an AD User to Cerberus Group Mapping
Mappings between an AD User and a Cerberus Group can be achieved by first selecting an AD domain. Then, select an AD user from the AD Users list box (or simply type the name of the AD user in the edit box) and then select a Cerberus Group. Select the Assign button and a mapping entry will be placed in the mapping list box to indicate the AD user will now have the same constraints and virtual directory mappings as the selected Cerberus Group.
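The order of checks this page documents (native Cerberus database first, then the optional FTP Security Group, then a per-user mapping from the AD Directory Mapping tab, then the Default Virtual Directory Mapping mode) as an added Python model; it is not Cerberus FTP Server code, and the DomainTab class, resolve_login function and the sample accounts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DomainTab:
    """Settings from one Domain tab of the AD Users page (a model written for this example)."""
    mode: str                                  # Default Virtual Directory Mapping mode
    global_home: str = r"C:\ftproot"           # "Global Home" edit box
    default_group: Optional[str] = None        # used when mode == "Cerberus Group"
    security_group: Optional[str] = None       # optional FTP Security Group
    user_group_map: dict = field(default_factory=dict)  # AD Directory Mapping tab overrides

def resolve_login(username, cerberus_users, ad_users, ad_groups, tab):
    """Model the documented order of checks and return (outcome, detail)."""
    # The native Cerberus database is always checked first; a Cerberus user with the
    # same name shadows the AD account, so the AD credentials are never consulted.
    if username in cerberus_users:
        return ("cerberus", cerberus_users[username])
    if username not in ad_users:
        return ("denied", "unknown account")
    # Optional Security Group: only members of that AD Global group may log in.
    if tab.security_group and username not in ad_groups.get(tab.security_group, set()):
        return ("denied", "not a member of " + tab.security_group)
    # A per-user mapping on the AD Directory Mapping tab overrides the domain defaults.
    if username in tab.user_group_map:
        return ("ad", ("group", tab.user_group_map[username]))
    if tab.mode == "Cerberus Group":
        return ("ad", ("group", tab.default_group))
    if tab.mode == "Global Home":
        return ("ad", ("root", tab.global_home))
    if tab.mode == r"Global Home\%username%":
        return ("ad", ("root", tab.global_home.rstrip("\\") + "\\" + username))
    if tab.mode == "User Home Directory":
        return ("ad", ("root", ad_users[username]))   # the AD account's own home directory
    raise ValueError("unknown mapping mode: " + tab.mode)

# Constructed sample data (not from any real directory or server).
CERBERUS_USERS = {"alice": "native Cerberus account"}
AD_USERS = {"alice": r"\\files\home\alice", "bob": r"\\files\home\bob", "carol": r"\\files\home\carol"}
AD_GROUPS = {"FTP-Users": {"alice", "bob"}}
TAB = DomainTab(mode=r"Global Home\%username%", security_group="FTP-Users",
                user_group_map={"bob": "Uploaders"})

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, resolve_login(name, CERBERUS_USERS, AD_USERS, AD_GROUPS, TAB))
```

In the sample, alice's domain account is never consulted because a native Cerberus user of the same name exists; auditing the native user list for names that collide with domain accounts is the practical check this implies.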
Removing an AD mapping
To remove a mapping, simply select the mapped entry and press the Remove button.