Summary
@ptitude Analyst v9 MR3 introduces a new feature that allows for the verification of Analyst users using their Active Directory password rather than the internally stored Analyst password.
This KBA describes the feature and addresses some of the more commonly asked questions regarding this feature.
What is it?
EUA utilizes password verification using the external Active Directory password as an alternative to the current method of verifying against the password stored in the Analyst database.
Can an Analyst Administrator require a user to log in using their Active Directory password?
Yes.
Analyst v9 MR3 adds a new control on the Customize \ Administrator dialogue’s User tab called Require external authorization. This attribute is set on a user-by-user basis, so some Analyst accounts can still use the old (internal) authentication method while others can be set to require authentication via Active Directory.
NOTE: The Customize \ Administrator dialogue is only available to Admin level security and higher.
Are there any restrictions on what the Analyst Username needs to be?
Yes.
The Analyst username must match exactly the SAMAccountName in Active Directory for the Analyst to authenticate using the Active Directory password.
Can I use the user’s Email address in Active Directory as an Analyst Username?
No.
With release v9 MR3, only the SAMAccountName can be used as an Analyst username.
Can Analyst login be automatically programmed with a set Domain Name?
Yes.
If Analyst is configured with a “-ADDomain:DOMAIN_NAME” (or /ADDomain:DOMAIN_NAME) command line parameter, then the login dialogue displays the DOMAIN_NAME specified.
In addition, using this command line parameter sets the Verify using Active Directory password control to be checked and disables the ability to edit both the Checkbox state and the Domain Name control.
I currently use the -U:<Analyst_Username>,<Analyst_Password> command line parameter. Can I continue to use this?
It depends.
The -u:Username,password command line parameter is still valid in v9 MR3, but the password component of the command line parameter should only be used when not using Active Directory. When Active Directory is in use (either through -ADDomain or by checking the option that requires the user to use AD), only use the -u:Username and remove the “,password” option.
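An added example (not part of the original KBA or the vendor's code): a small Python audit that scans Analyst launch command lines for a password left in -u:Username,password while Active Directory verification is in use, and redacts the password in what it reports. The function names, the analyst.exe placeholder and the external_auth_users list are assumptions made for illustration.

```python
import re

# -u:Username[,password]; the page writes the switch as both -U: and -u:.
USER_RE = re.compile(r'(?<![^\s"])-u:([^,\s"]+)(?:,([^\s"]+))?', re.IGNORECASE)
# -ADDomain:NAME or /ADDomain:NAME; case-insensitive matching is an assumption.
DOMAIN_RE = re.compile(r'(?<![^\s"])[-/]ADDomain:([^\s"]+)', re.IGNORECASE)


def _redact(match):
    """Keep the switch and username, replace any password component."""
    kept = match.group(0)[:3] + match.group(1)
    return kept + (",<redacted>" if match.group(2) else "")


def audit_command_line(cmdline, external_auth_users=frozenset()):
    """Classify one launch command line; return (finding, redacted_cmdline).

    external_auth_users: usernames known to have 'Require external
    authorization' set (supplied by the auditor; it is not visible in
    the command line itself).
    """
    user = USER_RE.search(cmdline)
    redacted = USER_RE.sub(_redact, cmdline)
    if user is None or user.group(2) is None:
        return "ok", redacted
    known = {name.lower() for name in external_auth_users}
    uses_ad = bool(DOMAIN_RE.search(cmdline)) or user.group(1).lower() in known
    # With AD in use, the page says to keep -u:Username and drop ",password".
    return ("password-with-ad" if uses_ad else "internal-password"), redacted


# Constructed sample launch strings; analyst.exe is a placeholder name.
SAMPLES = [
    "analyst.exe -U:jsmith,Winter2024 -ADDomain:CORP",
    "analyst.exe -u:jsmith /ADDomain:CORP",
    "analyst.exe -u:localop,Pump123",
]

if __name__ == "__main__":
    for line in SAMPLES:
        finding, safe = audit_command_line(line)
        print(f"{finding:18} {safe}")
```

Passwords containing spaces or double quotes are not handled by this sketch; feed it the Target strings of shortcuts or scheduled-task actions that start Analyst.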
Is there any special configuration needed for Analyst to activate this feature?
No special configuration is required from the Analyst side.
Certain security configurations of Active Directory might require that a secure connection to the corporate LDAP (Lightweight Directory Access Protocol) be established (i.e. a VAN connection) before Analyst’s calls to the LDAP can go through. Please verify with corporate IT if problems are encountered using this feature.
Does this mean that Analyst now supports ‘strong password’ and password expiration dates?
Yes.
By using Active Directory password authentication, all standard password security methods are now available for Analyst.
What if a user forgets his Active Directory password?
If a user forgets his Active Directory password, that user should contact his corporate IT department to reset the password.
What does the Analyst login process look like now?
The Analyst login dialogue has two new controls – “Verify using Active Directory password” and “Domain name”. If the “Verify using Active Directory password” control is checked, then the Domain name specified is used to determine if:
- the username exists in the Active Directory’s Security Account Manager (a valid sAMAccountName exists in the LDAP) and
- the password entered in the dialogue matches the password in the Active Directory.
Note: If the Analyst user has the Require external authorization flag set, the Verify using Active Directory password option is set automatically when the OK button is pressed.
Do I have to type in the Domain Name every time I log in?
No.
Like the last Username used to log into the application, the state of the AD password check and the last domain used to log into the application are stored in a configuration file and are used to default the controls in the log in dialog the next time the user logs on.
Does the ‘Reset Password’ function work for users set to ‘Require External Password’?
No.
Configuring a user to require external password authentication disables the ability to reset that user’s password. Password maintenance becomes the responsibility of the Active Directory administrator.
What status messages are shown in the dialogue’s status window, and what do they mean?
The following status descriptions are displayed:
Existing messages:
Status text | Meaning
All licenses are in use. Please try again later. | All concurrent licenses are currently in use.
Application user is in use. Please try again later. | Another instance of Analyst (or Thin Client Transfer) is running under the user name.
Connecting to database. Please wait... | If using Internal authorization, this message appears during authentication.
Database account is in use | The database account name used to connect to the database is currently being used by another Analyst instance.
Database installation error prevented login. | Error connecting to the database during username verification.
Incompatible database version. Use SkfAnConfigTool.exe to update database | Update the database to match the current Analyst version.
Invalid application password | When using internal authorization, the password entered does not match the password in the Analyst database.
Invalid application user name | The username entered does not match a valid Analyst username.
Password verification failed. Please try again. | If the internal password is new/has been reset, the second password entered does not match the first.
Please enter your login information | General pre-authorization check message.
Please verify the application password | The internal password has either not been set previously or has been reset. Please verify the password entered by typing it in again.
Unable to connect to database XXXX | Error connecting to the database.
New messages (when using external authorization):
Status text | Meaning
Failed to connect to Active Directory in Domain. | Initial attempts to connect to the Active Directory domain failed. Please check the Windows Event Log (under SKF_Applications) for further information.
Password entered does not match domain password. | The password entered does not match the password of the SAMAccountName.
This user requires the domain name to be specified. | The Domain name cannot be blank.
Username not active in domain. | No SAMAccountName could be found matching the entered Username.
Verifying password against Active Directory. | This message appears during authentication.
Contacting SKF Technical Support Group
For further assistance please open a support case using the Technical Support group's self-help portal at www.skf.com/cm/tsg. Once your support case is submitted, a technician will contact you to begin working on your issue. For urgent issues we are available at these times by phone:
- Monday through Friday, 5:00 a.m. to 4 p.m. Pacific Time - Phone: +1 800 523 7514 within the US or +1 858 496 3627 outside the US.
- Monday through Friday, 8:00 a.m. to 4:00 p.m. Central European Time - Phone: +46 31 337 65 00.
- Monday through Friday, 7:30 a.m. to 4:30 p.m. India Standard Time - Phone: +60 16 699 9506.