Using External Authentication on Windows
The External Authentication feature enables operators to log in to ConsoleWorks using usernames and passwords already validated on your authentication server.
- Review the External Authentication Basics article to get an understanding of the External Authentication feature.
- For detailed step-by-step instructions on configuring External Authentication in ConsoleWorks, see the ConsoleWorks Online Help (search for auth).
For ConsoleWorks invocations running on a Windows® platform, the External Authentication feature uses the Windows external authentication library, with usernames and passwords verified on a Windows domain, e.g., Active Directory. Running External Authentication on Windows requires that the CONWRKS-FE-EXTAUTH and the CONWRKS-FE-EAWINDOWS licenses be loaded into ConsoleWorks.
The following section describes the parameters you supply to ConsoleWorks to enable it to use the Windows external authentication library when validating an External Authentication record.
- Parameter 1 – The list of domains. If no domains are specified, the domain the computer belongs to is used by default. If the computer does not belong to a domain, then the local accounts on the computer are used.
- Parameter 2 – The prefix for the names of the AD groups that contain the users you want authenticated. If you enter a prefix, you should use a CW_ prefix for groups on the domain to avoid a namespace conflict with the ConsoleWorks Profiles. You can use this prefix to further restrict access to a sub-group, identified by this prefix, of the group you name for the Required Profile parameter.
- Parameter 6 – Specifies verbose mode. To run the Windows external authentication library in verbose mode, enter 1. Verbose mode sends a large amount of logging data to stdout and returns it in the message buffer passed back to ConsoleWorks. This data appears in your ConsoleWorks.log file.
- Required Profile – Enter the name of the group to which the user must belong to be granted access to ConsoleWorks. If Parameter 2 was passed in, the prefix is added to the Required Profile. For example, if Parameter 2 = CW_ and Required Profile = CONWRKS, then the Windows group CW_CONWRKS must be found and the user must be a part of it to be granted access to ConsoleWorks.
- Template User – Specifies the User configuration automatically used for a new User upon first login.
Usage Example
Let’s take a company that has Active Directory (AD) set up as their domain authentication service, has a set of users, and wants to set up ConsoleWorks to use AD as the external authentication and authorization source.
In AD, they create a group named CW_ACCESS. Membership in this group is what gives users access to ConsoleWorks. Next, they set up AD groups for each of their AD Profiles, adding the CW_ prefix (e.g., CW_CONSOLE_MANAGER, CW_DEFAULT, CW_OPERATOR, CW_ADMIN, etc.). The company ensures that the AD group names are spelled in all UPPERCASE letters and that they match the ConsoleWorks Profile names exactly (minus the prefix), because a mismatch blocks the access their users should have. Next, as a test, they take a couple of users and add them to the CW_ACCESS group and two of the AD profile groups, so they can check that it works the way they expect.
Now, working in ConsoleWorks, they open the External Authentication page, enable the External Authentication feature, and choose the assume external authentication for existing accounts option. Then, because they need to create the External Authentication record, they click the Add button.
In the resulting dialog, they give the record a friendly name, such as AD_AUTH, select the Enabled check box, choose the Windows library, and fill in the parameters:
- For Parameter 1, they enter the domain they want to authenticate user records against.
- For Parameter 2, they enter a prefix of CW_, so as to avoid naming conflicts.
- For Required Profile, they enter ACCESS, because that's the group they specified a user must be in to gain access to ConsoleWorks.
Next, they select a User account to act as the template User configuration, and click the Next button.
On the dialog that appears, they enter a Username and Password to test the authentication. Being a conservative company, they use the Prev and Next buttons to move back and forth within the External Authentication feature and test a few more user validations. When satisfied that they have configured the required records correctly, they save the records by clicking Next until they get to the Save button. Any change to the External Authentication (EA) record must be saved the same way.
Now, they log out of ConsoleWorks and back in using their domain account, one of the ones they added to the groups in AD. Once back in ConsoleWorks, they check that they have the Profiles they expect and the access they need.
Satisfied with this test, they now start adding to the CW_ACCESS group all domain users needing ConsoleWorks access. These users are also added to each profile group that they need.
- When a user needs to be denied access to ConsoleWorks, the domain admin simply removes the user from the CW_ACCESS group and future logins to ConsoleWorks are denied.
- New users can be added in AD and assigned the groups appropriate for their required ConsoleWorks access. These users can now log in to ConsoleWorks by using their domain accounts.
- When users change roles and need to access more or fewer AD profiles, the domain admin adds or removes the users from their profile groups as needed.
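The group naming rules and the CW_ACCESS gate described above can be checked from the domain side. The following PowerShell audit is an added example, not part of the ConsoleWorks documentation or product; it uses the standard ActiveDirectory module, and the Profile list is an assumption taken from the names in the usage example that you replace with your own.

```powershell
# Added example, not vendor code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Prefix          = 'CW_'      # Parameter 2 from the usage example
$RequiredProfile = 'ACCESS'   # Required Profile from the usage example
# Assumption: replace with the Profile names defined in your ConsoleWorks instance.
$Profiles        = @('CONSOLE_MANAGER', 'DEFAULT', 'OPERATOR', 'ADMIN')

$accessGroup = "$Prefix$RequiredProfile"
$groups      = @(Get-ADGroup -Filter "Name -like '$Prefix*'")
$findings    = @()

foreach ($g in $groups) {
    # Group names must be spelled in all UPPERCASE letters.
    if ($g.Name -cne $g.Name.ToUpperInvariant()) {
        $findings += "Not uppercase: $($g.Name)"
    }
    # Apart from the access group, each prefixed group must match a Profile name exactly.
    $suffix = $g.Name.Substring($Prefix.Length)
    if ($g.Name -cne $accessGroup -and $Profiles -cnotcontains $suffix) {
        $findings += "No matching Profile: $($g.Name)"
    }
}

# Expected groups that do not exist (case-sensitive comparison).
foreach ($name in @($RequiredProfile) + $Profiles) {
    if ($groups.Name -cnotcontains "$Prefix$name") {
        $findings += "Missing group: $Prefix$name"
    }
}

# Users left in a profile group after removal from the access group.
# Direct members only; the page does not say whether nested membership counts.
if ($groups.Name -ccontains $accessGroup) {
    $allowed = @(Get-ADGroupMember -Identity $accessGroup).SamAccountName
    foreach ($g in ($groups | Where-Object { $_.Name -cne $accessGroup })) {
        $members = Get-ADGroupMember -Identity $g | Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if ($allowed -notcontains $m.SamAccountName) {
                $findings += "$($m.SamAccountName) is in $($g.Name) but not in $accessGroup"
            }
        }
    }
}

$findings
```

An empty result means every prefixed group is uppercase and maps to a listed Profile, and no user holds a profile group without also being in CW_ACCESS.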