RSA Authentication Manager Implementation Guide


RSA Ready Implementation Guide for ManageEngine ADSelfService Plus 5.3
RSA Partner Engineering
Last Modified: October 26th, 2016

ManageEngine ADSelfService Plus 5.3

Solution Summary

ManageEngine [1] ADSelfService Plus (ADSSP) is a secure, web-based self-service password management solution. The product allows end users to reset their Microsoft Windows Active Directory (AD) domain passwords, unlock their accounts and update their personal information without any help desk intervention.

ADSelfService Plus supports Active Directory and LDAP password authentication out-of-the-box. Its integration with RSA Authentication Manager introduces an extra level of security by enabling RSA SecurID two-factor authentication.

ADSSP communicates with RSA Authentication Manager using the RSA Authentication Agent API. During the authentication process, ADSSP prompts the user for a username and an Active Directory or LDAP domain password. After validating the user's password, ADSSP prompts the user for an RSA SecurID passcode and submits it to RSA Authentication Manager for validation.

Important: Each ADSelfService Plus user's Active Directory/LDAP domain username must match his or her RSA Authentication Manager username.

Supported Features (ManageEngine ADSelfService Plus 5.3)

RSA SecurID Authentication via Native RSA SecurID UDP Protocol: Yes
RSA SecurID Authentication via Native RSA SecurID TCP Protocol: No
RSA SecurID Authentication via RADIUS Protocol: No
RSA SecurID Authentication via IPv6: No
On-Demand Authentication via Native SecurID UDP Protocol: Yes
Risk-Based Authentication: No
RSA Authentication Manager Replica Support: Yes
RSA SecurID Software Token Automation: No
RSA SecurID SD800 Token Automation: No
RSA SecurID Protection of Administrative Interface: Yes

[1] ManageEngine is a division of Zoho Corp.

RSA Authentication Manager Configuration

Authentication Agent Configuration

RSA Authentication Agents are custom or ready-made software applications that securely pass user authentication requests to and from RSA Authentication Manager. RSA provides the RSA Authentication Agent API for building custom agents, as well as a variety of out-of-the-box agents for protecting access to various operating systems and web resources.

All agents must be registered with RSA Authentication Manager in order for the server to locate them and establish secure communication channels with them. Use the RSA Security Console to register an agent for your ADSSP server.

You need the following information to register the agent:
- the ADSSP server's hostname
- IP addresses for all of the ADSSP server's network interfaces

When you register the authentication agent, set its agent type to Standard Agent.

Note: The ADSSP server's hostname must resolve to a valid IP address on your local network.

Consult the RSA Authentication Manager Administrator Guide for more information about configuring authentication agents.

Partner Product Configuration

Before You Begin

This section provides instructions for enabling RSA SecurID two-factor authentication for ManageEngine ADSelfService Plus users. You should have working knowledge of ADSSP and RSA Authentication Manager, as well as access to the appropriate end-user and administrative documentation. Ensure that both products are running properly prior to configuring the integration.

Important: Each ADSelfService Plus user's Active Directory/LDAP domain username must match his or her RSA Authentication Manager username.

This document is not intended to suggest optimal installations or configurations.
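Before registering the agent it is worth confirming, on the ADSSP server itself, that the hostname really does resolve to one of the server's own addresses and that every interface address is known, since a mismatch between the agent record and what Authentication Manager sees on the wire is the usual cause of failed first authentications. The PowerShell below is an added example for that preflight; it is not from the guide or from ManageEngine. The function name is ours, it relies only on .NET classes (no extra modules), and it collects IPv4 only because the integration does not support IPv6.

```powershell
# Added example (not part of the RSA/ManageEngine guide): collect what the Security
# Console asks for when registering the ADSSP server as a Standard Agent (hostname
# plus every interface address) and check that the hostname resolves to this host.
function Get-AdsspAgentRegistrationInfo {
    param(
        # Name to register; defaults to this machine's FQDN as reported by DNS.
        [string]$HostName = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
    )

    # IPv4 addresses on every interface that is up, excluding loopback and APIPA.
    $localIps = foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $addr = $ua.Address
            if ($addr.AddressFamily -eq 'InterNetwork' -and
                -not [System.Net.IPAddress]::IsLoopback($addr) -and
                $addr.IPAddressToString -notlike '169.254.*') {
                $addr.IPAddressToString
            }
        }
    }
    $localIps = @($localIps | Where-Object { $_ })

    # Forward lookup of the hostname, i.e. what Authentication Manager will see.
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        $resolved = $null
    }
    $resolved = @($resolved | Where-Object { $_ })

    [pscustomobject]@{
        HostName                  = $HostName
        LocalIPv4                 = $localIps
        ResolvedIPv4              = $resolved
        HostNameResolvesToLocalIp = (@($resolved | Where-Object { $localIps -contains $_ }).Count -gt 0)
        LocalIpsNotInDns          = @($localIps | Where-Object { $resolved -notcontains $_ })
    }
}

$info = Get-AdsspAgentRegistrationInfo
$info | Format-List
if (-not $info.HostNameResolvesToLocalIp) {
    Write-Warning "'$($info.HostName)' does not resolve to an address on this host; fix DNS before registering the agent."
}
if ($info.LocalIpsNotInDns.Count -gt 0) {
    Write-Warning "Enter these interface addresses in the agent record by hand: $($info.LocalIpsNotInDns -join ', ')"
}
```

Register the agent with the HostName value and every address in LocalIPv4. Addresses listed under LocalIpsNotInDns are bound to the server but not returned by DNS for its name, so the Security Console will not discover them automatically and they must be typed into the agent record.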

Configure ADSelfService Plus for RSA SecurID Authentication

1. Download a copy of your RSA Authentication Manager server's sdconf.rec file and copy it to your ADSelfService Plus installation folder's bin directory. This directory is C:\ManageEngine\ADSelfService Plus\bin by default.
2. Log in to ADSSP as administrator and click the Admin tab.
3. Expand the Customize dropdown menu on the left side of the page and select Logon Settings.
4. Click the Two Factor Authentication tab.
5. Check the Enable Two Factor Authentication checkbox.
6. Select the RSA SecurID radio button and click the Save button.

RSA SecurID Login Screens

Screenshot: Domain User Password Login Prompt
Screenshot: Standard SecurID Login Prompt
Screenshot: New PIN Mode Prompt
Screenshot: System-Generated PIN Prompt
Screenshot: Next Tokencode Prompt

Certification Checklist for RSA Authentication Manager

Date Tested: October 20th, 2016

Certification Environment
Product Name                      Version Information   Operating System
RSA Authentication Manager        8.2                   Virtual Appliance
ManageEngine ADSelfService Plus   5.3 (build 5319)      Windows 7

RSA SecurID Authentication, Mandatory Functionality (protocol tested: Native UDP)

New PIN Mode
  Force Authentication After New PIN
  System Generated PIN
  User Defined (4-8 Alphanumeric)
  User Defined (5-7 Numeric)
  Deny 4 and 8 Digit PIN
  Deny Alphanumeric PIN
  Deny PIN Reuse
Passcode
  16 Digit Passcode
  4 Digit Fixed Passcode
Next Tokencode Mode
  Next Tokencode Mode
On-Demand Authentication
  On-Demand Authentication
  On-Demand New PIN
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)
  No RSA Authentication Manager

Result legend: Pass, Fail, N/A = Non-Available Function. Per-row result marks are not reproduced here.

Appendix

RSA SecurID Authentication Files

UDP Agent Files
  sdconf.rec: <ADSSP ROOT>/bin [2], where ADSSP ROOT is the ManageEngine ADSelfService Plus installation folder.
  sdopts.rec: <ADSSP ROOT>/bin
  Node secret: <ADSSP ROOT>/bin
  sdstatus.12 / jastatus.12: <ADSSP ROOT>/bin

Partner Integration Details
  RSA SecurID UDP API: 8.1.3
  RSA SecurID TCP API: N/A
  RSA Authentication Agent Type: Standard Agent
  RSA SecurID User Specification: Designated Users
  Display RSA Server Info: No
  Perform Test Authentication: No
  Agent Tracing: No

RSA Configuration Files

Node Secret: To clear the node secret on the ADSelfService Plus server, navigate to the <ADSSP ROOT>/bin directory and delete the securid file.

sdconf.rec: To update sdconf.rec on the ADSelfService Plus server, navigate to the <ADSSP ROOT>/bin directory and replace the old sdconf.rec file with the new copy.

[2] This directory is C:\ManageEngine\ADSelfService Plus\bin by default.
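Both maintenance tasks above are file operations in the bin directory, and both touch material an attacker would like: sdconf.rec decides which Authentication Manager the agent talks to, and the node secret is what proves to Authentication Manager that a request comes from this agent. The PowerShell below is an added example, not part of the guide or of ADSelfService Plus. The function names are ours, the install path is the guide's default, and the file names are the ones the appendix lists; it keeps a timestamped backup before replacing sdconf.rec, records the hash of the deployed copy, clears the node secret, and lists who can read those files so the ACL can be tightened.

```powershell
# Added example (not from the guide or from ADSelfService Plus): helpers for the
# sdconf.rec update and node-secret reset described in the appendix.
$AdsspRoot = 'C:\ManageEngine\ADSelfService Plus'   # default install folder per the guide
$AdsspBin  = Join-Path $AdsspRoot 'bin'

function Update-AdsspSdconf {
    # Replace <ADSSP ROOT>\bin\sdconf.rec with a copy freshly downloaded from the
    # Security Console, keeping a timestamped backup of the previous file.
    param(
        [Parameter(Mandatory = $true)][string]$NewSdconfPath,
        [string]$BinDir = $AdsspBin
    )
    if (-not (Test-Path -LiteralPath $NewSdconfPath)) {
        throw "New sdconf.rec not found: $NewSdconfPath"
    }
    $target = Join-Path $BinDir 'sdconf.rec'
    if (Test-Path -LiteralPath $target) {
        $backup = "$target.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
        Copy-Item -LiteralPath $target -Destination $backup
        Write-Host "Backed up previous sdconf.rec to $backup"
    }
    Copy-Item -LiteralPath $NewSdconfPath -Destination $target -Force
    # SHA-256 of the deployed file (Get-FileHash needs PowerShell 4 or later);
    # compare it with the hash of the download to be sure the right file landed.
    (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
}

function Clear-AdsspNodeSecret {
    # Delete the agent-side node secret. A new one is established on the next
    # successful authentication, but only after the secret has also been cleared
    # for this agent's record in the Security Console.
    param([string]$BinDir = $AdsspBin)
    $secret = Join-Path $BinDir 'securid'
    if (Test-Path -LiteralPath $secret) {
        Remove-Item -LiteralPath $secret -Force
        Write-Host "Deleted node secret: $secret"
        return $true
    }
    Write-Host "No node secret present at $secret"
    return $false
}

function Show-AdsspRsaFileAcl {
    # List the access entries on the RSA agent files so that read access can be
    # restricted to the account ADSSP runs as and to local administrators.
    param([string]$BinDir = $AdsspBin)
    foreach ($name in 'sdconf.rec', 'sdopts.rec', 'securid') {
        $path = Join-Path $BinDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Write-Host "== $path"
        (Get-Acl -LiteralPath $path).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType |
            Format-Table -AutoSize
    }
}

# Typical sequence after re-downloading the agent configuration from the Security Console:
# Update-AdsspSdconf -NewSdconfPath "$env:USERPROFILE\Downloads\sdconf.rec"
# Clear-AdsspNodeSecret
# Show-AdsspRsaFileAcl
```

Clearing the node secret only on the agent leaves Authentication Manager expecting the old one and every authentication will fail until the two sides agree again, so clear it for the agent record in the Security Console as well and then perform one successful authentication to establish the new secret. The ACL listing is the check to run afterwards: a node secret readable by ordinary users of the server can be copied and used to impersonate the agent.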
