Changing Windows Authentication Options
You cannot change the authentication method after you have created a Site; however, if you need to change the authentication options, you can do so on the General tab of the Site. After you change the options, you must manually refresh the administration interface. Any users logged on to the Site will be disconnected if you change the AD configuration and click OK, because the Site will stop and then restart. If you remove a logged-on user account from AD, the account is not removed from the interface until after they log off and you refresh the interface.
Regardless of the logon name chosen, EFT will accept the provided logon name type, whether UPN, NT4 account name, common name, or display name, and if a match exists, the user will be authenticated and the chosen logon name type will be displayed in the administration interface.
Logon name type |
Allowed login form |
---|---|
NT4 Account Name (NT4) |
NT4/UPN |
Display Name (DN) |
DN/NT4/UPN |
User Principal Name (UPN) |
UPN/NT4 |
Common Name (CN) |
CN/NT4/UPN |
To edit the AD authentication options for a Site
-
In the administration interface, connect to EFT and click the Server tab.
-
On the Server tab, click the AD Site you want to configure.
-
In the right pane, click the General tab.
-
Next to the User auth manager box, click Configure. The Windows Authentication Options dialog box appears.
-
To specify that the user list is to be updated automatically, select the Refresh user list automatically every check box, then specify how often you want EFT to check the authentication database for new users. Clear the check box if you do not want the Site's user list to refresh automatically
-
When you created the Site, you specified either Active Directory or Local System Accounts. If you need to change this, click the appropriate option to match the authentication method used on EFT's domain. Authentication is done with the LogonUser() function. The operating system determines which method to use for authentication, such as Kerberos, NTLM2, etc.
-
Active Directory - EFT queries the domain controller for a list of users and groups.
-
NTLM Authentication- EFT queries the local system to get the list of users and groups.
-
-
In the Domain area, do one of the following:
-
Click Default if you want to use the authentication database from the computer's current domain.
-
Click Specify, then in the box, provide the domain name that contains the authentication database.
-
-
In the Group area, do one of the following:
-
To allow access to every user in the domain's database, click Everyone.
-
To allow access to only a specific AD Group, click Specify, then in the box, type the AD Group name for users that will have access to the Server.
-
-
In the Use this user attribute as the logon name box, click the list to specify the attribute to use (only available when AD authentication is selected):
-
NT 4 Account Name - Domain name (for example, "globalscape\bsmith" or "bsmith")
-
Display Name - (DN) When a new user is created in Active Directory, the Full name field is always generated in FirstName LastName format (but can be changed manually). This field sets the Display Name field upon account creation.
-
User Principal Name - (UPN) Login name in email format. For example, your_user_name@mycompany.com
-
Common Name - (CN) Dynamic name. Usually the same as Display Name. However if Display Name is blank, then it will be NT4 account name.
-
-
In the When creating home folders for newly added users area, specify whether you want the Site to Create a virtual folder pointing to the user's home folder as defined by AD or Create a physical folder under the site root folder using the user's login name.
(These options are not available if the Automatically create home folder for new users check box is cleared on the Security tab of the Site. This setting affects all users on this Site, including existing user accounts.) -
The Use [account] rather than [domain].[account] for folder naming format check box is selected by default when you are using the NT4 Account Name as a logon attribute and if Create a physical folder under the site root folder is selected. Without the check box selected, the user's folder in the VFS is named with the domain and the user account (domain.username). Selecting the check box removes the domain from the folder name. Refer to Removing Domain from the User Folder Name for more information.
-
To verify your settings, click Test. The Authentication Manager Test Results dialog box appears and EFT attempts to connect to the domain controller to get the user list. If it is successful, the list of registered users appears in the tree under the Settings Template. To close the dialog box, click Close or press ESC.
-
Click OK to save the settings. Any users who were logged in to the Site will be disconnected, because the Site will stop and then restart.
-
Click Apply to save the changes on EFT.