
Domain Policy

On the Domain Policy page you can define how Tectia Server handles the user name when a client user logs in without a prefix, that is, without the domain or machine name in front of the backslash that indicates whether the account is a local or a domain user account. This setting defines where the server looks for the user account and how it fills in the missing prefix.

On this page you can also define domain user accounts for domain access with one-way trust.


Figure 4.7. Tectia Server Configuration - Domain Policy page


Domain Locations

Tectia Server automatically lists all domains the local machine is part of, and places them in the Locations not checked field.

Move the relevant domains to the Locations checked field and arrange them in order of preference. When a user logs in without a prefix, the user name is searched for in the listed locations from top down. The first match wins and the remaining locations are not consulted. If none of the listed locations holds a matching account, authentication fails. Because the first match wins, the order of the list decides which account is authenticated when the same user name exists in more than one of the listed locations.

Option Default domain means that a user without a specified prefix is treated as a domain user, and the default domain name of the local machine is added as the prefix (username becomes default_domain_name\username).

Option Local machine means that a user without a specified prefix is treated as a local user, and the local machine name is added as the prefix (username becomes local_machine_name\username).

You can move unwanted domains to the Locations not checked list. These domains are not checked when searching for the user account.

If nothing is defined in the Locations checked list, Tectia Server first checks whether the user name is valid in the default domain. If no match is found, the user is treated as a local user with the local machine name as the prefix. Note the difference from a non-empty list: with locations listed, a name that matches nowhere fails outright; with an empty list, it falls through to the local machine and only fails there if no such local account exists.
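The lookup order described above, modelled in Python as an added example. This is not Tectia Server code: the account stores are constructed sample data standing in for the real domain and local account lookups, and the domain, machine and user names are assumptions. It shows the three behaviours the page describes (ordered list with first match winning, failure when nothing matches, and the default-domain-then-local fallback of an empty list), plus a `matches` check that lists every location holding a given user name so you can spot names whose resolution depends purely on list order.

```python
"""Model of the Domain Policy user-name resolution (added example, not Tectia code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Labels of the two special entries on the Domain Policy page.
DEFAULT_DOMAIN = "Default domain"
LOCAL_MACHINE = "Local machine"


@dataclass
class DomainPolicy:
    default_domain: str            # default domain of the local machine
    local_machine: str             # local machine name
    locations_checked: List[str]   # "Locations checked", in order of preference
    accounts: Dict[str, Set[str]]  # constructed stand-in for account lookups: REALM -> user names

    def _realm(self, location: str) -> str:
        """Map a list entry to the name that becomes the prefix."""
        if location == DEFAULT_DOMAIN:
            return self.default_domain
        if location == LOCAL_MACHINE:
            return self.local_machine
        return location

    def _exists(self, realm: str, user: str) -> bool:
        """Case-insensitive account lookup (Windows account names are not case-sensitive)."""
        names = {n.lower() for n in self.accounts.get(realm.upper(), set())}
        return user.lower() in names

    def resolve(self, login_name: str) -> Optional[str]:
        """Return the 'prefix\\user' the server will go on to authenticate,
        or None when the policy finds no account (the logon fails here)."""
        if "\\" in login_name:
            # A prefix was given: the policy does not apply, the name is used as typed.
            return login_name
        if self.locations_checked:
            for location in self.locations_checked:
                realm = self._realm(location)
                if self._exists(realm, login_name):
                    return f"{realm}\\{login_name}"   # first match wins, rest discarded
            return None                               # nothing matched: authentication fails
        # Empty list: try the default domain, otherwise treat the name as a local
        # account. No existence check on the local side; a missing local account
        # only fails later, during authentication against the local machine.
        if self._exists(self.default_domain, login_name):
            return f"{self.default_domain}\\{login_name}"
        return f"{self.local_machine}\\{login_name}"

    def matches(self, login_name: str) -> List[str]:
        """Every realm whose account store holds the name. More than one entry
        means the ordering of Locations checked decides which account logs in."""
        return [realm for realm in self.accounts if self._exists(realm, login_name)]


# Constructed sample data: a default domain, a trusted domain and the local machine.
ACCOUNTS = {
    "CORP": {"alice", "svc-backup"},
    "LAB": {"bob", "svc-backup"},
    "WS01": {"Administrator", "bob"},
}

# Assumed configuration: default domain CORP, local machine WS01.
ORDERED = DomainPolicy("CORP", "WS01", [DEFAULT_DOMAIN, "LAB", LOCAL_MACHINE], ACCOUNTS)
EMPTY = DomainPolicy("CORP", "WS01", [], ACCOUNTS)

if __name__ == "__main__":
    for name in ("alice", "bob", "svc-backup", "carol", "WS01\\bob"):
        print(f"{name:12} ordered={str(ORDERED.resolve(name)):18} "
              f"empty-list={str(EMPTY.resolve(name)):18} held-by={ORDERED.matches(name)}")
```

Running it shows why the order matters: `bob` exists both in LAB and on the local machine, so the ordered policy logs in `LAB\bob` while the empty-list policy logs in `WS01\bob`; `svc-backup` exists in two domains and resolves to whichever is listed first. Run `matches` for the service and admin names you care about before settling the list order.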

Domain Access with One-Way Trust

In Windows domains, you can configure Tectia Server for domain access with one-way trust. A one-way trust is a single, non-transitive trust relationship between two domains. In a one-way trust configuration between Tectia Server and a domain controller, the domain controller does not trust the Tectia Server process and therefore refuses to give it any information about the user who is trying to log on. Because Tectia Server then does not know enough about the user, it refuses the logon. To work around this, you configure a domain user account in the domain that the domain controller does trust; Tectia Server uses that account to obtain the user information from the domain controller.

Note that you can only define one domain user account per domain.

To add a new domain user account for domain access with one-way trust:

  1. Click Add. The Domain user information dialog box opens.
  2. Enter the Domain, Username and Password for the account. The password is stored in the password cache (see Password Cache). Because the credentials are kept on the server, use a dedicated account with no more rights in the domain than it needs to read user account information, and rotate its password like any other stored service credential. Click OK.

Figure 4.8. Adding a new domain\user account.


To edit an account, select the account from the Domain\user accounts list and click Edit.

To remove an account, select the account from the Domain\user accounts list and click Delete.