Active Directory Authentication
About Active Directory Integration
Cerberus FTP Server Professional and Enterprise editions are able to authenticate users on a Windows domain (or the local NT account database), even if the computer Cerberus FTP Server is installed on is not the domain controller. The domain may be an Active Directory domain, or the local system account database (use “.” as the domain for authenticating against local machine accounts). However, the machine Cerberus FTP Server is running on must be a member of the domain you wish to authenticate users against, or be a member of a domain trusted by the domain you wish to authenticate against.
Configuring Cerberus to use Active Directory authentication simply requires enabling Active Directory authentication and telling the server the name of the domain to authenticate against. The rest of the configuration is automatic. Users are able to FTP into the server using the same username and password they use to log into their workstations on the domain. For the purpose of access to files and folders, the FTP user has the same access as the Active Directory user with the same name. All operations on the server by the user are carried out while impersonating the Active Directory user.
Important Security Consideration: There is an exception to impersonation for Active Directory authentication when using SFTP and Public Key only SSH authentication. The Active Directory user can still be authenticated with Public Key only authentication, but the Active Directory user cannot be impersonated. Only Password or Public Key and Password SSH authentication methods support AD user impersonation.
To allow Active Directory authentication, you will need to check the Enable Windows Authentication for this Domain checkbox under the User Manager’s AD Users tab. Once checked, Cerberus will attempt to authenticate users from the domain listed in the Domain edit box.
Default Virtual Directory Mapping for AD Users
Active Directory accounts are always configured for simple directory mode (see Adding Users for more information about simple mode) unless Use Default Group Directories is selected as the Default Virtual Directory Mapping mode.
The Default Virtual Directory Mapping modes work as follows:
Global Home: Every AD account will use the directory specified under the “Global Home” edit box as the FTP root. This is the simplest option, and every AD user is assigned this one directory as their root folder. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box. NTFS permissions for the AD user still apply.
Global Home\%USER%: Every AD account will use a subdirectory of the “Global Home” directory named after the account. This directory will be created automatically when the user logs in, if it doesn’t already exist. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box. NTFS permissions for the AD user still apply.
AD User Home Directory: Every AD account will use that account’s home directory as the FTP root. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box. NTFS permissions for the AD user still apply.
AD User Attribute: Every AD account will use the AD directory attribute defined here to determine which virtual directories to add to the account. When an AD user logs into Cerberus, the server looks up this attribute on the Active Directory account to determine which virtual directories to add to the user account. The attribute can have multiple values, and each value is added as a separate virtual directory.
By default, a value is a valid Windows directory path: the last directory of the path is used as the virtual directory name, and the user is given full permissions to the directory path.
A value can also be split into three components, separated by the pipe character or an asterisk, to specify the full directory path, the virtual directory name, and the permission set for the virtual directory.
For example, the value for the attribute could be:
The first part is the directory path, the second is the virtual directory name, and the third is a bit mask indicating the permissions the user has for that virtual directory.
The directory permissions field for a virtual directory is a simple bit mask. Permissions have the following values:
Add the values together to achieve the desired permissions; e.g., Download, Upload, Rename, and Delete permissions would be (1 + 2 + 4 + 8) = 15. Granting all permissions would be 2047.
Use Default Group Directories: The specified Cerberus Group will be used to determine which directories and settings to apply to the AD user at login, including any security requirements associated with the group. The AD user inherits all virtual directories and settings from the default Cerberus group.
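The following is an added example, not Cerberus FTP Server's own code, that parses AD User Attribute values in the path|name|mask (or path*name*mask) form described above and applies the stated defaults. It assumes the bit assignment Download=1, Upload=2, Rename=4, Delete=8 from the worked sum on this page; the remaining bits that make up 2047 are not named here, so only the overall range is checked.

```python
import re

# Permission bits named on this page, in the order of its worked sum (1 + 2 + 4 + 8 = 15).
# Assumption: Download=1, Upload=2, Rename=4, Delete=8. The bits that complete 2047 (all
# permissions) are not named on the page, so only the overall range is validated.
PERMISSION_BITS = {"download": 1, "upload": 2, "rename": 4, "delete": 8}
ALL_PERMISSIONS = 2047
# '|' and '*' are not legal characters in a Windows path, so splitting on them is safe.
SEPARATORS = re.compile(r"[|*]")


def permission_mask(*names):
    """Combine named permissions into the bit mask stored in the attribute value."""
    mask = 0
    for name in names:
        mask |= PERMISSION_BITS[name.lower()]
    return mask


def parse_virtual_directory(value):
    """Parse one attribute value into (directory path, virtual directory name, permission mask).

    A bare path uses its last directory as the virtual name and grants all permissions.
    A path|name|mask (or path*name*mask) value overrides the name and/or the mask;
    an empty middle or last component falls back to the default for that component.
    """
    parts = [p.strip() for p in SEPARATORS.split(value, maxsplit=2)]
    path = parts[0]
    if not path:
        raise ValueError("directory path is required")
    name = parts[1] if len(parts) > 1 else ""
    if not name:
        # Default: last directory of the path (works for drive and UNC paths, trailing slashes ignored)
        segments = [s for s in re.split(r"[\\/]", path) if s]
        name = segments[-1] if segments else path
    mask = ALL_PERMISSIONS
    if len(parts) > 2 and parts[2]:
        mask = int(parts[2])  # a fourth component ends up here and is rejected by int()
        if not 0 <= mask <= ALL_PERMISSIONS:
            raise ValueError(f"permission mask {mask} is outside 0..{ALL_PERMISSIONS}")
    return path, name, mask


def parse_attribute_values(values):
    """A multi-valued attribute yields one virtual directory per value."""
    return [parse_virtual_directory(v) for v in values]


if __name__ == "__main__":
    # Constructed sample values as they might be stored on an AD account
    sample = [r"C:\Shares\Finance", r"D:\Exports\Q3|Reports|15", r"\\fileserver\drop*Inbox*2"]
    for entry in parse_attribute_values(sample):
        print(entry)
```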
Active Directory FTP Security Group
Optionally, you can also configure a Security Group for FTP users. This will cause Cerberus FTP Server to check that the Active Directory user is a member of the listed Active Directory Global security group before allowing login. If selected, only members of the security group will be allowed to log in.
Authenticating Against more than one Active Directory Domain
Cerberus FTP Server can authenticate users in multiple Active Directory domains as long as the other domains are in a trust relationship with the domain the Cerberus machine is a member of. Always specify the domain the Cerberus machine is a part of in the domain edit box. As long as a trust relationship exists between your domain and the domains you wish to authenticate against, you will be able to authenticate users in those AD domains.
You can also add additional Active Directory configurations (for example, to select a different default Cerberus group and mapping mode for a set of users in a different security group) using the Add Domain button. To add a new domain configuration, select the AD Users page of the User Manager and select the icon in the top right corner. This will add a new domain tab to the AD User page. This new domain tab can be configured the same way as the default Active Directory domain tab.
Understanding Windows Authentication
Active Directory user authentication is intended for experienced system administrators that understand the NT security model. Novice users, or users wishing to avoid the details of Windows security, should leave Windows Authentication disabled and stick with native Cerberus FTP Server users.
The “Guest” Account
In Windows, the Guest account lets people log on to a computer when they don’t have a personal account defined on the computer, in the computer’s domain, or in any of the domains that the computer’s domain trusts. Like the Administrator account, the Guest account is a built-in account with a fixed SID; although you can rename the account, by default it can’t be deleted. Unlike the Administrator account, the Guest account doesn’t require a password for logon, which is why it’s disabled by default. A Guest account re-enabled by mistake would pose a significant security hole.
To help guard against this potential security hole, an administrator cannot enable Cerberus FTP Server’s Windows authentication integration if the Guest account is enabled.
Active Directory User to Cerberus Group Mapping
By default, all AD users are assigned the same virtual directories and permissions. These defaults are configured on the Domain tab of the AD Users page. However, if you wish to customize the directory and permission mappings for individual AD users then you can do so using the Customize button. You can select individual AD accounts and map them to Cerberus group accounts, or, you can map AD group accounts to Cerberus group accounts. Configuring an AD user to group mapping will override the default Cerberus Group and directory mapping specified for all AD users.
Creating an AD User to Cerberus Group Mapping
Mappings between an AD User and a Cerberus Group can be achieved by first selecting an AD domain. Then, select an AD user from the AD Users list box (or simply type the name of the AD user in the edit box) and then select a Cerberus Group. Select the Assign button and a mapping entry will be placed in the mapping list box to indicate the AD user will now have the same constraints and virtual directory mappings as the selected Cerberus Group.
Creating an AD Group to Cerberus Group Mapping
Mapping each individual AD user to a Cerberus group can be a time-consuming task if you have many users, especially when those users naturally fall into just a few groups.
To make maintaining large numbers of users easier, you can use the new AD group to Cerberus group mapping capability. On the AD User Customization page, you can map AD groups to Cerberus groups.
When an AD user logs into Cerberus, the server will check the direct AD group memberships for that AD user and see if there are any AD group to Cerberus group mappings. If a mapping is found, the virtual directories for that Cerberus group will be added to the virtual root for the AD user. Only the virtual directories from the Cerberus groups are added to the AD user. No other constraints are transferred.
Note: The Default Group and Default Virtual Directory mappings are still applied to the user when AD group to Cerberus group mappings are present, unlike AD user to Cerberus group mappings.
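The following is an added example, not part of Cerberus FTP Server, that models the precedence rules above: an AD user to Cerberus group mapping replaces the defaults, while AD group to Cerberus group mappings only add virtual directories on top of the defaults and transfer no other constraints. The group names, directories and constraint labels are constructed sample data, and the page does not say whether AD group mappings also apply to a user-mapped account, so that case is treated as an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CerberusGroup:
    """Constructed stand-in for a Cerberus group: its virtual directories plus other settings."""
    name: str
    virtual_dirs: frozenset
    constraints: frozenset = frozenset()  # constructed labels such as "require_tls"


def resolve_ad_user(user, direct_ad_groups, default_group, user_mappings, group_mappings):
    """Compute what an AD user receives at login under the precedence rules described above.

    1. An AD user -> Cerberus group mapping replaces the default group and directory
       mapping entirely: the user gets that group's virtual directories and constraints.
       (Assumption: the page does not say whether AD group mappings also apply to such a
       user, so this model treats the user mapping as final.)
    2. Otherwise the defaults apply, and each AD group -> Cerberus group mapping that
       matches one of the user's DIRECT AD groups adds only that group's virtual
       directories. Nested memberships are not consulted and no constraints transfer.
    """
    if user in user_mappings:
        g = user_mappings[user]
        return {"source": g.name, "virtual_dirs": set(g.virtual_dirs),
                "constraints": set(g.constraints)}
    dirs = set(default_group.virtual_dirs)
    for ad_group in direct_ad_groups:
        mapped = group_mappings.get(ad_group)
        if mapped is not None:
            dirs |= mapped.virtual_dirs
    return {"source": default_group.name, "virtual_dirs": dirs,
            "constraints": set(default_group.constraints)}


# Constructed sample configuration (not real groups or mappings)
DEFAULT_GROUP = CerberusGroup("AD-Default", frozenset({"/home"}), frozenset({"require_tls"}))
FINANCE_GROUP = CerberusGroup("Finance", frozenset({"/finance"}), frozenset({"ip_allowlist"}))
AUDIT_GROUP = CerberusGroup("Auditors", frozenset({"/audit"}), frozenset({"read_only"}))
USER_MAPPINGS = {"CORP\\jdoe": AUDIT_GROUP}
GROUP_MAPPINGS = {"CORP\\Finance-Staff": FINANCE_GROUP}

if __name__ == "__main__":
    # asmith: defaults plus the Finance directories; the Finance constraints do not transfer
    print(resolve_ad_user("CORP\\asmith", ["CORP\\Finance-Staff", "CORP\\Domain Users"],
                          DEFAULT_GROUP, USER_MAPPINGS, GROUP_MAPPINGS))
    # jdoe: the user mapping replaces the defaults entirely
    print(resolve_ad_user("CORP\\jdoe", ["CORP\\Domain Users"],
                          DEFAULT_GROUP, USER_MAPPINGS, GROUP_MAPPINGS))
```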
Removing an AD mapping
To remove a mapping, simply select the mapped entry and press the Remove button.