Configuring domain authentication automatically
This section describes how to simplify configuration using these operations:
• Easy Config—Configures the server-side SteelHead in Active Directory integrated mode for Windows 2003 or Windows 2008 to enable secure protocol optimization for CIFS SMB1, SMB2/3, and encrypted MAPI for all clients and servers.
• Auto Config—Configures these accounts and privileges:
– Configure Delegation Account—Configures the deployed delegation account with AD delegation privileges.
– Configure Replication Account—Configures the deployed replication account with AD replication privileges.
– Add Delegation Servers—Configures a list of the Exchange and CIFS servers that have permission to delegate AD access privileges.
– Remove Delegation Servers—Removes Exchange and CIFS servers from the list of delegation server accounts with permission to delegate AD access privileges.
Easy domain authentication configuration
Domain authentication automatic configuration simplifies the server-side SteelHead configuration for enabling latency optimizations in a secure environment. Using this widget automates the majority of the required configuration tasks, avoiding the need to perform step-by-step operations in different configuration tools and using the command line on the Windows AD platforms.
Use this widget to configure the server-side SteelHead in integrated Active Directory mode for Windows 2003 or 2008 and later, and enable secure protocol optimization for CIFS SMB1, SMB2, and SMB3 for all clients and servers. To enable secure protocol optimization for MAPI and encrypted MAPI, you need to enable MAPI protocol optimization on all clients after running the widget.
Domain Authentication Automatic Configuration performs these tasks:
• Tests the DNS configuration.
• Joins the server-side SteelHead to the domain.
• Enables secure protocol optimization, such as SMB signing.
• Configures a deployed replication user in Active Directory, with the necessary privileges.
If any of the tasks fail during the configuration, the system automatically rolls back to the previous configuration.
You do not necessarily need to use the replication user or delegate user facility to optimize secure Windows traffic if you deploy the server-side SteelHead so that it joins a domain in the Active Directory environment. To integrate the server-side SteelHead into Active Directory, you must configure the role when you join the SteelHead to the Windows domain.
When you integrate the server-side SteelHead in this way, it does not provide any Windows domain controller functionality to any other machines in the domain and does not advertise itself as a domain controller or register any SRV records (service records). In addition, the SteelHead does not perform any replication nor hold any Active Directory objects. The server-side SteelHead has just enough privileges so that it can have a legitimate conversation with the domain controller and then use transparent mode for NTLM authentication.
Configuring domain authentication using Easy Config
1. On the server-side SteelHead, choose Networking > Networking: Host Settings.
2. Under Primary DNS server, specify the DNS server IP address to use as the DNS server for the domain.
3. Under DNS domain list, add the primary DNS server name to the list.
4. Click Apply to apply your settings to the running configuration.
5. Choose Optimization > Active Directory: Auto Config.
6. Under Easy Config, select Configure Domain Auth.
7. On the server-side SteelHead, these configuration options are available:
Admin User
Specifies the name of the domain administrator. RiOS deletes domain administrator credentials after the join.
Password
Specifies the password for the domain administrator account. This control is case sensitive.
Domain/Realm
Specifies the fully qualified domain name of the Active Directory domain in which to make the SteelHead a member. Typically, this is your company domain name. RiOS supports Windows 2000 or later domains.
Domain Controller
Specifies the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Short Domain Name
Specifies the short (NETBIOS) domain name.
You can identify the short domain name by pressing Ctrl+Alt+Delete on any member server. You must explicitly specify the short domain name if it doesn’t match the leftmost portion of the fully qualified domain name.
Enable Encrypted MAPI
Enables encrypted MAPI optimization on the server-side SteelHead. After running this widget, you must also choose Optimization > Protocols: MAPI on the client-side SteelHead and select Enable MAPI Exchange Optimization and Enable Encrypted Optimization.
Enable SMB Signing
Enables optimization on SMB-signed connections on the server-side and client-side SteelHeads.
Enable SMB2 Signing
Enables optimization on SMB2-signed connections on the server-side and client-side SteelHeads.
Enable SMB3 Signing
Enables optimization on SMB3-signed connections on the server-side and client-side SteelHeads.
Join Account Type
Specifies which account type the server-side SteelHead uses to join the domain controller.
You can optimize the traffic to and from hosted Exchange Servers. You must configure the server-side SteelHead in integrated Active Directory mode for Windows 2003 or Windows 2008 and higher domains. This mode allows the SteelHead to use authentication within the Active Directory on the Exchange Servers that provide Microsoft Exchange online services. The domain that the server-side SteelHead joins must be either the same as the client user or any domain that trusts the domain of the client user.
When you configure the server-side SteelHead in integrated Active Directory mode, the server-side SteelHead doesn’t provide any Windows domain controller functionality to any other machines in the domain and doesn’t advertise itself as a domain controller. In addition, the SteelHead doesn’t perform any replication nor hold any AD objects. When integrated with the Active Directory, the server-side SteelHead has just enough privileges so that it can have a legitimate conversation with the domain controller and then use transparent mode for NTLM authentication.
Select one of these options from the drop-down list:
Active Directory integrated (Windows 2003)
Configures the server-side SteelHead in Active Directory integrated mode. If the account for the server-side SteelHead was not already present, it’s created in the Domain Controllers organizational unit (OU). If the account existed previously as a domain computer, its location doesn’t change. You can move the account to a different OU later.
You must have Administrator privileges to join the domain.
This option doesn’t support cross-domain authentication where the user is from a domain trusted by the domain to which the server-side SteelHead is joined.
Active Directory integrated (Windows 2008 and later)
Configures the server-side SteelHead in integrated Active Directory mode for Windows 2008 DCs and higher and supports authentication across domains. This is the default setting.
You must explicitly specify the Windows 2008 DCs as a comma-separated list in the Domain Controller field. The list should contain either the name or IP address of the Windows 2008 DCs.
You must have Administrator privileges to join the domain. Additionally, if the user account is in a domain that is different from the domain to which the join is being performed, specify the user account in the format domain\username. Do not specify the user account in the format username@realmname. In this case, domain is the short domain name of the domain to which the user belongs.
Even though the SteelHead is integrated with Active Directory, it doesn’t provide any Windows domain controller functionality to any other machines in the domain.
Configure Domain Auth
Configures domain authentication.
After you click Configure Domain Auth, the status indicates whether the domain authentication was successful. If the authentication succeeds, secure protocol optimization for CIFS (SMB1), SMB2, and SMB3 is enabled for all clients and servers. Encrypted MAPI is enabled for all servers. To enable encrypted MAPI for all clients, you must enable encrypted optimization on the client-side appliance.
Configuring domain authentication for delegation
Although a user with generic domain administrator privileges meets the requirements for replication, granting such broad privileges to the appliance has security implications, so the delegation and replication modes below use accounts with narrower rights.
• Delegation—Using delegation mode to optimize SMB-signed or encrypted MAPI traffic requires additional configuration (beyond joining the server-side SteelHead to a domain) because delegation mode uses the Active Directory constrained delegation feature. You must configure both the server-side SteelHead and the Windows domain that it joins.
Constrained delegation is an Active Directory feature that enables configured services to obtain security related information for a user. Configuring constrained delegation requires the creation of a special delegate user account in the Windows domain. The account allows the delegate user the privilege of obtaining security information for use with specific applications (like CIFS and MAPI), and then configuring the delegate user credentials on the server-side SteelHead.
• Replication—You can assign a restricted set of privileges to a user, known as a replication user. You can configure the replication user on a per-forest basis so that the user assigned to it can retrieve machine credentials from any domain controller in any trusted domain within the forest. Remember that a forest can comprise multiple domains with trusts between them.
Automatic configuration simplifies setting up your SteelHead for delegation or replication. Use these widgets to:
• configure delegation or replication accounts.
• add or remove delegation servers.
Configuring the delegation account with AD delegation privileges
The configure delegation account widget configures a user with trusted delegation rights for a domain under Optimization > Active Directory: Auto Config. Under Auto Config, select Configure Delegation Account. On the server-side SteelHead, these configuration options are available:
Admin User
Specifies the delegate username. The maximum length is 20 characters. The username can’t contain any of these characters:
/ \ [ ] : ; | = , + * ? < > @ "
The system translates the username into uppercase to match the registered server realm information.
You can only add one delegate user per domain. A delegate user is required in each of the domains where a server is going to be optimized.
Password
Specifies the user account password.
Delegation Domain/Realm
Specifies the delegation domain in which you want to make the delegate user a trusted member from the drop-down list.
Domain Controller
Specifies the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Configure Delegation Account
Configures the account.
After you click Configure Delegation Account, the status indicates whether the configuration was successful. For details, see Status and logging.
Configuring the replication account
The configure replication account widget adds a user with trusted replication rights to a domain under Optimization > Active Directory: Auto Config.
Under Auto Config, select Configure Replication Account. On the server-side SteelHead, complete the configuration with these options:
Admin User
Specifies the replication username. The maximum length is 20 characters. The username can’t contain any of these characters:
/ \ [ ] : ; | = , + * ? < > @ "
The system translates the username into uppercase to match the registered server realm information.
You can only add one replication user per domain. A replication user is required in each of the domains where a server is going to be optimized.
Password
Specifies the user account password.
Replication Domain/Realm
Specifies the replication domain in which you want to make the replication user a trusted member from the drop-down list. You must preconfigure the replication domain; if no replication domain exists, the list displays None.
Domain Controller
Specifies the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Configure Replication Account
Configures the account.
After you click Configure Replication Account, the status indicates whether the replication account configuration was successful.
Adding the delegation servers
The add delegation servers widget adds delegation servers for either the CIFS or Exchange MDB service under Optimization > Active Directory: Auto Config. Under Auto Config, select Add Delegation Servers. On the server-side SteelHead, complete the configuration with these options:
Admin User
Specifies the delegate username. The maximum length is 20 characters. The username can’t contain any of these characters:
/ \ [ ] : ; | = , + * ? < > @ "
The system translates the username into uppercase to match the registered server realm information.
You can only add one delegate user per domain. A delegate user is required in each of the domains where a server is going to be optimized.
Password
Specifies the user account password.
Delegation Domain/Realm
Specifies the delegation domain in which you want to make the delegate user a trusted member from the drop-down list.
Domain Controller
Specifies the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Service
Specifies a service type for delegation: CIFS or Exchange MDB service.
Server List
Specifies the CIFS or MAPI servers as the local hostname, separated by commas.
After you add the delegation servers, the status indicates whether the configuration was successful.
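The widget grants the delegate user constrained delegation only to the CIFS or Exchange MDB service on the servers you listed. The following PowerShell check, an added example that is not Riverbed code, reads the delegate account's msDS-AllowedToDelegateTo attribute and flags any entry that is not a cifs or exchangeMDB service on one of the servers you entered, and warns if unconstrained delegation is set. It assumes the RSAT ActiveDirectory module; the account name, domain and server list are placeholders for the values you gave the widget.

```powershell
# Added audit example (not Riverbed code): confirm what "Add Delegation Servers" left
# on the delegate account. Run from a domain-joined admin workstation with RSAT.
Import-Module ActiveDirectory

$DelegateUser    = 'steelhead-delegate'   # placeholder: Admin User given to the widget
$Domain          = 'corp.example.com'     # placeholder: Delegation Domain/Realm
$ExpectedServers = @('FS01', 'EXCH01')    # placeholder: the Server List you entered

$acct = Get-ADUser -Identity $DelegateUser -Server $Domain `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

# A delegate user needs only constrained delegation; unconstrained delegation is wider.
if ($acct.TrustedForDelegation) {
    Write-Warning "$DelegateUser is trusted for UNCONSTRAINED delegation; remove this."
}
"Protocol transition (TrustedToAuthForDelegation): $($acct.TrustedToAuthForDelegation)"

# Each entry is an SPN of the form <service>/<host>[:<port>]. Only the two service
# classes the widget handles, on the servers you listed, should be present.
$AllowedServices = @('cifs', 'exchangeMDB')
$entries = @($acct.'msDS-AllowedToDelegateTo')
$present = @()
foreach ($spn in $entries) {
    $service, $target = $spn -split '/', 2
    $hostName = ($target -split '[:.]')[0]      # strip port and DNS suffix
    $present += $hostName
    $ok = ($AllowedServices -contains $service) -and ($ExpectedServers -contains $hostName)
    $flag = if ($ok) { 'ok' } else { 'REVIEW' }
    '{0,-7} {1,-12} {2}' -f $flag, $service, $target
}

# Servers from your list that have no SPN entry were not added by the widget.
$ExpectedServers | Where-Object { $present -notcontains $_ } |
    ForEach-Object { Write-Warning "No delegation entry found for $_" }
```

Any line flagged REVIEW means the account can delegate to a service or host outside the set this widget is meant to configure; the widget's Remove Delegation Servers operation covers entries for its own two services, while other entries need to be corrected in Active Directory directly.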
Removing the delegation servers
The remove delegation servers widget removes delegation servers for either the CIFS or Exchange MDB service under Optimization > Active Directory: Auto Config. Under Auto Config, select Remove Delegation Servers. On the server-side SteelHead, complete the configuration with these options:
Admin User
Specifies the domain administrator name assigned to the delegation server. The maximum length is 20 characters. The administrator name can’t contain any of these characters:
/ \ [ ] : ; | = , + * ? < > @ "
The system translates the administrator name into uppercase to match the registered server realm information.
Password
Specifies the user account password.
Delegation Domain/Realm
Specifies the delegation domain in which the delegate user is a trusted member.
Domain Controller
Specifies the hosts that provide user login service in the domain, separated by commas. (Typically, with Windows 2000 Active Directory Service domains, given a domain name, the system automatically retrieves the DC name.)
Service
Specifies the delegation service type: CIFS or Exchange MDB service.
Server List
Specifies the CIFS or MAPI servers as the local hostname, separated by commas.
After you remove delegation servers, the status indicates whether the servers were removed.
Status and logging
After you run a widget, the status indicates one of these states:
• Not Started—The operation has never executed on this SteelHead.
• Success—The last time the operation executed, it completed successfully with no errors.
• Failed—The last time the operation executed, the results were unsuccessful. The operation was not carried out because it ran into an error condition.
• In Progress—The operation is actively running. In this state, the browser constantly polls the back end to see if the operation has completed. Once the operation completes, the browser stops polling.
Last Run displays the amount of time elapsed since the last execution and then the time and date the operation completed. The time is meaningful only if the status is success or failed.
Logging Data displays log output for the operation. You might want to view the log if the status indicates an operation failure. Two log files follow an operation:
• The summary log contains the highlights of the full log.
• The full log contains a detailed record of the operation.
You can control the logging data display using the tabs.
Select Hide Log to remove the logs from the display.
Select the Summary and Full Log tabs to view the logging data. The system displays a line count for the number of lines in the logging data. The system omits the tab if the log file is empty.
• For the summary and full log tabs, an abbreviated form of the time stamp appears in the left margin of each line. Mouse over a time stamp and view the entire time stamp in a tooltip.
Not all log lines have time stamps, because some of the logging data is generated by third-party (non-Riverbed) applications.
• The log highlights line errors in red and warnings in yellow.