Exit Print View

Oracle Secure Global Desktop Administration Guide for Version 4.6

Document Information

Preface

1.  Networking and Security

2.  User Authentication

Secure Global Desktop Authentication

User Identity

User Profile

System Authentication Mechanisms

Password Expiry

Security and Passwords

Active Directory Authentication

How Active Directory Authentication Works

User Identity and User Profile

Setting Up Active Directory Authentication

Preparing for Active Directory Authentication

Supported Versions of Active Directory

Domain Requirements

Network Requirements for Active Directory Authentication

Synchronizing System Clocks

SSL Connections to Active Directory

Configuring SGD for Kerberos Authentication

Kerberos Realms and KDCs

Active Directory Password Expiry

Network Protocols

KDC Timeout

How to Enable Active Directory Authentication

Anonymous User Authentication

How Anonymous User Authentication Works

User Identity and User Profile

Application Sessions and Password Cache Entries

How to Enable Anonymous User Authentication

LDAP Authentication

How LDAP Authentication Works

User Identity and User Profile

Setting Up LDAP Authentication

Preparing for LDAP Authentication

Supported LDAP Directories

Network Requirements for LDAP Authentication

LDAP Bind DN and Password Change

Authentication to Novell eDirectory

How to Enable LDAP Authentication

SecurID Authentication

How SecurID Authentication Works

User Identity and User Profile

Setting Up SecurID Authentication

Configuring SGD Servers as Agent Hosts

How to Configure an SGD Server as an Agent Host

How to Enable SecurID Authentication

Third-Party Authentication

How Third-Party Authentication Works

Search Local Repository

User Identity and User Profile

Search LDAP Repository

User Identity and User Profile

Use Default Third-Party Identity

User Identity and User Profile

Setting Up Third-Party Authentication

How to Enable Third-Party Authentication

SGD Administrators and Third-Party Authentication

Trusted Users and Third-Party Authentication

Information for Application Developers

How to Create a New Trusted User

UNIX System Authentication

How UNIX System Authentication Works

Search Unix User ID in Local Repository

User Identity and User Profile

Search Unix Group ID in Local Repository

User Identity and User Profile

Use Default User Profile

User Identity and User Profile

UNIX System Authentication and PAM

How to Enable UNIX System Authentication

Windows Domain Authentication

How Windows Domain Authentication Works

User Identity and User Profile

How to Enable Windows Domain Authentication

Passwords, Domains, and Domain Controllers

How to Specify a Domain Controller on a Different Subnet

Tuning Directory Services for Authentication

Filtering LDAP or Active Directory Logins

User Login Filter

Group Login Filter

How to Configure a User Login Filter

How to Configure the Group Login Filter

LDAP Discovery Timeout

Using Service Objects

How to Create an Active Directory Service Object

How to Create an LDAP Service Object

Password Expiry

LDAP Password Update Mode

Sites

Whitelists

Blacklists

Search Only the Global Catalog

Suffix Mappings

Domain Lists

Lookup Cache Timeout

LDAP Operation Timeout

Active Directory Authentication and LDAP Discovery

Troubleshooting Secure Global Desktop Authentication

Setting Log Filters for Authentication Problems

Denying Users Access to SGD After Failed Login Attempts

How to Enable the Login Failure Handler

How to Change the Number of Login Attempts

Users Cannot Log In to Any SGD Server

Using Shared Accounts for Guest Users

How to Share a User Profile Between Users

Solaris OS Users Cannot Log in When Security is Enabled

An Ambiguous User Name Dialog Is Displayed When a User Tries to Log in

3.  Publishing Applications to Users

4.  Configuring Applications

5.  Client Device Support

6.  SGD Client and Webtop

7.  SGD Servers, Arrays, and Load Balancing

A.  Global Settings and Caches

B.  Secure Global Desktop Server Settings

C.  User Profiles, Applications, and Application Servers

D.  Commands

E.  Login Scripts

F.  Third-Party Legal Notices

Glossary

Index

Secure Global Desktop Authentication

SGD is designed to integrate with your existing authentication infrastructure and has the following two methods for authenticating users:

The following are main results of a successful authentication:

Sometimes the user identity and the user profile are the same.

In the SGD Administration Console, you can monitor user sessions and application sessions using either the user identity or the user profile.

Depending on how users are authenticated, SGD can prompt users to change their password when they try to log in with an expired password. See Password Expiry for details.

SGD authentication is global. A user can log in to any SGD server in the array with the same user name and password.

SGD Administrators can enable and disable each authentication mechanism independently, as follows:

User Identity

A user identity is the name that identify the user. Each authentication mechanism has its own set of rules for determining the user identity.

A user identity is a name assigned by SGD and is sometimes referred to as the fully qualified name. The user identity is not necessarily the name of a user profile in the local repository. For example, for LDAP authentication the identity is the distinguished name (DN) of the user in the LDAP directory.

The user identity is associated with the user’s SGD session, their application sessions, and their entries in the application server password cache.

User Profile

A user profile controls a user’s SGD-specific settings. Depending on whether or not you use an LDAP directory to assign applications to users, a user profile can also control the applications a user can access through SGD, sometimes called webtop content. Each authentication mechanism has its own set of rules for determining the user profile.

A user profile is always an object in the local repository and is sometimes referred to as an equivalent name. A user profile can be a special object called a profile object stored in the System Objects organization. For example, for LDAP authentication the default user profile is o=System Objects/cn=LDAP Profile.

System Authentication Mechanisms

The following table lists the available system authentication mechanisms and describes the basis for authentication.

Table 2-1 System Authentication Mechanisms

Mechanism
Description
Anonymous user
Enables users to log in to SGD without using a user name and password.

All anonymous users have the same webtop content.

See Anonymous User Authentication.

Authentication token
Enables users to log in to SGD if the SGD Client supplies a valid authentication token.

Users might have their own webtop content, depending on configuration.

Used when the SGD Client operates in Integrated mode, see Integrated Mode.

UNIX system – Search Unix User ID in Local Repository
Enables users to log in to SGD if they have user profiles in the local repository and UNIX or Linux system accounts on the SGD host.

Users might have their own webtop content, depending on configuration.

See UNIX System Authentication.

Windows Domain
Enables users to log in to SGD if they belong to a specified Windows domain.

Users might have their own webtop content, depending on configuration.

See Windows Domain Authentication

LDAP
Enables users to log in to SGD if they have an entry in an LDAP directory.

Users might have their own webtop content, depending on configuration.

See LDAP Authentication

Active Directory
Enables users to log in to SGD if they have an account in an Active Directory forest.

Users might have their own webtop content, depending on configuration.

See Active Directory Authentication.

UNIX system – Search Unix Group ID in Local Repository
Enables users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.

All users in the same UNIX system group have the same webtop content.

See UNIX System Authentication.

UNIX system – Use Default User Profile
Enables users to log in to SGD if they have UNIX or Linux system accounts on the SGD host.

All UNIX system users have the same webtop content.

See UNIX System Authentication.

SecurID
Enables users with RSA SecurID tokens to log in to SGD.

Users might have their own webtop content, depending on configuration.

See SecurID Authentication

When a user logs in, the enabled authentication mechanisms are tried in the order they are listed in System Authentication Mechanisms. When you configure SGD authentication, the Administration Console shows the order in which the mechanisms are tried. The first authentication mechanism that authenticates a user “wins” and no further authentication mechanisms are tried.

Password Expiry

SGD can handle the expiry of the user’s password if configured to do so.

When a user attempts to log in to SGD with an expired password, the Aged Password dialog displays. This dialog does the following:

If the new password is accepted, the user is logged in to SGD.

The following table shows which authentication mechanisms support aged passwords.

Authentication Mechanism
Aged Password Support
Active Directory
Anonymous user
Not applicable. User logs in without a user name or password.
Authentication token
Not applicable. User logs in without a user name or password.
LDAP
No. Once a user’s password has expired, they cannot log in to SGD. However, SGD can be configured to force users to change their password before it expires. See LDAP Bind DN and Password Change for details.
SecurID
Yes. If the user’s personal identification number (PIN) has expired, a new PIN dialog is displayed instead of the Aged Password dialog.
Third-party

(including web server authentication)

No. The expiry of the user’s password is handled by the third-party authentication mechanism and is nothing to do with SGD.
UNIX system
Windows domain
No.

Security and Passwords

When logging in to SGD, passwords and authentication tokens are only encrypted if there is an Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) connection.

SGD uses external mechanisms for authenticating users. The security of passwords when authenticating users is as follows: