Active Directory Authentication with DASH SCCM Plug-in
Document version 1.1, Feb 12, 2013
White Paper

Descriptor: This whitepaper describes how to configure Active Directory authentication that can be adopted for performing Desktop and mobile Architecture for System Hardware (DASH) operations on a DASH-capable system from Microsoft System Center Configuration Manager 2007 using the DASH Plug-in.

Copyright © 2012 Advanced Micro Devices, Inc.

Table of Contents
Introduction (p. 3)
Audience (p. 3)
Prior knowledge (p. 3)
Pre-requisites (p. 3)
Overview (p. 3)
Create SPN account in Active Directory (p. 4)
Register SPN for HTTP service on DASH system (p. 4)
Create group in Active Directory and obtain SID (p. 5)
Create a security group (p. 5)
Obtain the security object ID for the LibrarySystems group (p. 6)
Use DASHConfig to set SPN account and SID in DASH system (p. 7)
Update the DASHConfig provisioning XML file for distribution (p. 7)
Run DASHConfig utility on DASH system (p. 7)
Add user to the created group (p. 7)
Configure DASH Plug-in (p. 8)
Frequently Asked Questions (p. 8)
User messages (p. 8)
Glossary (p. 9)
Conclusion (p. 9)
Appendices (p. 9)
Appendix A: Case Study (p. 9)
Appendix B: XML file example (p. 11)
More Information (p. 12)
DASH Plug-in user manual and help file (p. 12)

Introduction

Microsoft® System Center Configuration Manager 2007 R2 (SCCM) is the solution for comprehensively assessing, deploying, and updating servers, clients, and devices across physical, virtual, distributed, and mobile environments. Optimized for Windows desktop and Windows server platforms, it is widely considered the best choice for centralizing management from the data center to the desktop.

The DASH Plug-in extends SCCM to support out-of-band management tasks using DASH. The DASH Plug-in installs simply over SCCM and enables SCCM to perform out-of-band operations such as power, boot options, redirection, etc. on a DASH-capable system.

Active Directory authentication offers users a faster, more secure, and more scalable authentication mechanism. By using the Kerberos authentication protocol, Secure Global Desktop (SGD) can authenticate any user securely against any domain in a forest. The DASH Plug-in supports both Digest and Active Directory authentication. This document covers how to use Active Directory authentication with the DASH SCCM Plug-in.

Audience

This document is intended for IT administrators interested in using Active Directory authentication for DASH 1.0 and 1.1 capabilities such as discovery, remote power control, boot control, media redirection, text console (serial) redirection, etc. It provides a technical overview of how to use Active Directory authentication with the DASH SCCM Plug-in.

Prior Knowledge

The administrator using this guide should have prior knowledge of the following technologies:
- System Center Configuration Manager 2007
- Working knowledge of Active Directory settings in Windows Server 2003/2008
- DASH Plug-in for SCCM
- DASHConfig tool

Pre-requisites

It is assumed that the following network system, including authorization to access administrative consoles, is set up and ready to use:
- Administrative access to a Domain Controller
- A system with Microsoft SCCM 2007 running on it
- DASH Plug-in for SCCM

Overview

For an IT administrator to manage DASH systems effectively, a proper authorization setting needs to be implemented both in the Active Directory domain and in the DASH targets. The administrator needs to set the service principal name (SPN) in Active Directory so that only authorized users can communicate with the assigned DASH targets. The next sections offer a brief description of how to create the SPN account, the group, and the users.

Create SPN account in Active Directory

Input the name of an account in the Full name and User logon name edit fields. Record this account name for use in a later procedure. Choose a password for this account and record it. Follow your company's security policy while selecting and modifying the security settings for user credentials and passwords.

NOTE: For higher security, this user can have restricted access, such as no desktop logon access.

Figure 1: Create User (New Object - User dialog, "Create in: sccm9.amd.com/Users"; fields: First name, Initials, Last name, Full name, User logon name @sccm9.amd.com, User logon name (pre-Windows 2000))

Register SPN for HTTP service on DASH system

Under the Properties for the user created in Figure 1, select the Attribute Editor tab. Under the servicePrincipalName attribute item, add two values for each DASH system which is expected to use AD authentication (see Figure 2).

The first value is in the form HTTP/<MachineName>. Example: HTTP/TGTONE
The second value is in the form HTTP/<FQDN>. Example: HTTP/tgtone.sccmtest.bigcorp.com

NOTE: For a large group of DASH systems it is faster to use the SETSPN utility inside a script or batch file. When using the SETSPN utility, use the following two command line invocations:

setspn -A HTTP/<MACHINENAME> <spnacctname>
setspn -A HTTP/<FQDN> <spnacctname>

In our example, <MACHINENAME> is TGTONE, <FQDN> is tgtone.sccmtest.bigcorp.com, and <spnacctname> is spnacctname.

Figure 2: Set SPN (Multi-valued String Editor for the servicePrincipalName attribute of the SPN account DASHTargetsSPN; values shown: HTTP/tgtone-pc.sccmtest.bigcorp.com and HTTP/TGTONE-PC)

Create group in Active Directory and obtain SID

Create a security group

Enter a custom-defined group name under the Group name edit control (Figure 3).

Figure 3: Create group (New Object - Group dialog, "Create in: sccm9.amd.com/Users"; fields: Group name, Group name (pre-Windows 2000))

Obtain the security object ID for the LibrarySystems group

Under the Properties menu for the group created in Figure 3, select the Attribute Editor tab. Scroll down the Attributes list box until you find the objectSid attribute item (Figure 4).

NOTE: Record the security ID string in the value field for the objectSid attribute. Depending on screen size you may need to scroll to obtain the whole string. In this example the security ID used was S-1-5-21-372084433-2080421639-3642503678-1111.

Figure 4: Obtaining SID value (LibrarySystems Properties, Attribute Editor tab, objectSid row)

Use DASHConfig to set SPN account and SID in DASH system

Update the DASHConfig provisioning XML file for distribution

Obtain the DASHConfigExample.xml file from the DASHConfig package (it can also be found in Appendix B at the end of this paper) and open it in the text editor of your choice. Modify the following XML nodes with information from the previous procedures:

ACTIVEDIRECTORY_SPNACCOUNT: the SPN account created in the procedure shown in Figure 1.
SPNACCOUNT_PASSWORD: the password selected for the created user.
OBJECTSID (under ACTIVEDIRECTORY_GROUP): the SID of the AD group created in the procedure shown in Figure 3.

Save the changed file. In this example it was saved as DASHConfigExample.xml.

Run DASHConfig utility on DASH system

The DASHConfig utility can be run on DASH systems manually, or it can be sent as a package from SCCM. Both methods are described in this paper.

Add user to the created group

Under the Properties of the user created, open the Member Of tab and add the created group to it, as shown in Figure 5.

Figure 5: Adding user to the created group (Administrator Properties, Member Of tab, Select Groups dialog)

Configure DASH Plug-in

a. Open DASH Management Properties in the DASH Plug-in.
b. Go to the Authentication tab.
c. Check "Enable Active Directory Authentication" to enable Active Directory.
d. Enter the DASH systems user created earlier (Figure 1) as the domain user and specify the correct password for that account.
e. Check "Use Active Directory as default Authentication" to select Active Directory as the default.
f. Click OK when done.

Figure 6: Authentication tab (DASH Management Properties; Enable Active Directory Authentication; Domain User Account Username sccm9\john_h; Domain User Password; Use Active Directory as default Authentication; Enable User Permission Checking)

Frequently Asked Questions

User Messages

Q: What is an SPN in Active Directory?
A: A service principal name, or SPN, is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication.

Q: What is the Object SID value and why is it required?
A: A security identifier, commonly abbreviated SID, is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life, and all properties of the principal, including its name, are associated with the SID.

Glossary

The following terms are used to describe the components of Active Directory authentication and DASHConfig.

DASH: Desktop and mobile Architecture for System Hardware, the new DMTF commercial client management standard produced by the DMTF DMWG. Specifies the transport, management protocol (WS-Man), and DMTF CIM profiles used to manage desktop and mobile PCs.
DASH-capable systems: A DASH-capable system is a computer system that conforms to the DMTF DASH standard; machines with DASH-enabled NICs.
Out of band: Management tasks that are performed independent of the power or OS state on the managed client or system.
SCCM: Microsoft System Center Configuration Manager 2007.
MMC: Microsoft Management Console.
AD: Active Directory.
DASHConfig: DASHConfig is a provisioning tool developed by AMD to configure DASH targets.

Conclusion

Active Directory authentication with the DASHConfig utility provides greater security to administrators performing DASH operations.

Appendices

Appendix A: Case study

Educational Institute Scenario: In an educational institute there are three different departments: Library, Arts, and Science. They are in different geographical locations. Each of the three departments has about 500 DASH-compatible machines. The IT administrator defines three groups: LibrarySystems, ScienceSystems, and ArtsSystems. All users allowed to manage Library department systems are added to the DASHLib group. A new member, john_h, is hired to manage the DASHLib systems.

Problem: The new hire should have the ability to manage all 500 systems. Adding the new hire's login credentials to all the machines is cumbersome and time consuming because the systems are located in geographically diverse locations.

Solution Description: The IT administrator adds john_h to the LibrarySystems group. john_h logs in with his credentials and can manage the DASH systems for all 500 machines under the Library department, and he does not need to provision each system separately. This also allows user role-based access (RBA), in which the Library administrator may not have permission to perform DASH remote execution operations on systems located in the Science department.

Steps:
1. Create an SPN with a unique username/password that has very limited privileges on the Active Directory domain.
2. Register the SPN for the HTTP service on all DASH systems under the Library group. Administrators can use batch scripting to register all 500 systems.
3. Obtain the object SID value for the LibrarySystems group and assign the SID value on DASH targets using DASHConfig.
4. Add john_h to the LibrarySystems group.

Appendix B: XML file example

<?xml version="1.0" encoding="utf-8"?>
<DASHPROVISIONSETTINGS>
  <MANAGEMENTTARGET>
    <GLOBAL>
      <ENABLEDASHTARGET>true</ENABLEDASHTARGET>
      <HTTPS>
        <ENABLESUPPORT>true</ENABLESUPPORT>
        <TCPIPPORT>664</TCPIPPORT>
        <HTTPREALM>Broadcom Management Service</HTTPREALM>
        <HTTPSTARGETTOCONSOLE>
          <CERTIFICATEPATH>DASHAD.cer</CERTIFICATEPATH>
        </HTTPSTARGETTOCONSOLE>
        <HTTPSCONSOLETOTARGET>
          <CERTIFICATEPATH>DASHAD.cer</CERTIFICATEPATH>
        </HTTPSCONSOLETOTARGET>
      </HTTPS>
      <HTTP>
        <ENABLESUPPORT>true</ENABLESUPPORT>
        <LIMITTODISCOVERY>true</LIMITTODISCOVERY>
        <TCPIPPORT>623</TCPIPPORT>
        <HTTPREALM>Broadcom Management Service</HTTPREALM>
      </HTTP>
    </GLOBAL>
    <USERS>
      <USER>
        <USERID>Administrator</USERID>
        <PASSWORD>adminpassword</PASSWORD>
        <ORGANIZATION>IT</ORGANIZATION>
        <ENABLE>true</ENABLE>
        <ROLES>
          <ROLE>Administrator Role</ROLE>
        </ROLES>
      </USER>
      <USER>
        <USERID>Auditor</USERID>
        <PASSWORD>readpassword</PASSWORD>
        <ORGANIZATION>IT</ORGANIZATION>
        <ENABLE>true</ENABLE>
        <ROLES>
          <ROLE>Auditor Role</ROLE>
          <ROLE>Read Only Role</ROLE>
        </ROLES>
      </USER>
    </USERS>
    <ACTIVEDIRECTORY>
      <ENABLESUPPORT>true</ENABLESUPPORT>
      <ACTIVEDIRECTORY_SPNACCOUNT>DASHSpnUser</ACTIVEDIRECTORY_SPNACCOUNT>
      <SPNACCOUNT_PASSWORD>spnpassword</SPNACCOUNT_PASSWORD>
      <ACTIVEDIRECTORY_GROUPS>
        <ACTIVEDIRECTORY_GROUP>
          <GROUPNAME>DASH Admins</GROUPNAME>
          <OBJECTSID>S-1-5-21-000000169-0004209000-0005141000-1155</OBJECTSID>
          <ROLES>
            <ROLE>Administrator Role</ROLE>
          </ROLES>
        </ACTIVEDIRECTORY_GROUP>
        <ACTIVEDIRECTORY_GROUP>
          <GROUPNAME>DASH Auditors</GROUPNAME>
          <OBJECTSID>S-1-5-21-000000169-0004209000-0005141000-1156</OBJECTSID>
          <ROLES>
            <ROLE>Auditor Role</ROLE>
            <ROLE>Read Only Role</ROLE>
          </ROLES>
        </ACTIVEDIRECTORY_GROUP>
      </ACTIVEDIRECTORY_GROUPS>
    </ACTIVEDIRECTORY>
  </MANAGEMENTTARGET>
</DASHPROVISIONSETTINGS>

Figure 7: XML file example
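The "Register SPN for HTTP service on DASH system" section and step 2 of the Appendix A case study both say that, for hundreds of DASH targets, the two setspn invocations belong in a script. The script below is an added example written for this page, not AMD's or the DASH Plug-in's own tooling. The account name DASHTargetsSPN, the DNS suffix, and the three machine names are constructed placeholders; in practice the list would be read from a file or an SCCM collection export. It differs from the paper's commands in one deliberate way: it uses setspn -S, which refuses to add an SPN that already exists on another account, because a duplicate HTTP/<name> SPN silently breaks Kerberos authentication for every account that carries it.

```powershell
# Added example (not from the AMD whitepaper): bulk-register both HTTP SPN forms
# (HTTP/<MACHINENAME> and HTTP/<FQDN>) on the SPN account for every DASH target.
# Assumptions: $SpnAccount, $DnsSuffix and $Targets are placeholders; setspn.exe
# is on the PATH (it ships with RSAT / Windows Server).
$SpnAccount = 'DASHTargetsSPN'                  # account created in "Create SPN account"
$DnsSuffix  = 'sccmtest.bigcorp.com'            # DNS domain of the DASH targets
$Targets    = @('TGTONE', 'TGTTWO', 'TGTTHREE') # constructed sample list of DASH systems

# SPNs already on the account: makes re-runs idempotent and shows what is registered.
$existing = setspn -L $SpnAccount 2>&1 | ForEach-Object { $_.ToString().Trim() }

foreach ($name in $Targets) {
    $fqdn = "$name.$DnsSuffix".ToLower()
    foreach ($spn in @("HTTP/$($name.ToUpper())", "HTTP/$fqdn")) {
        if ($existing -contains $spn) {           # -contains is case-insensitive
            Write-Host "already registered: $spn"
            continue
        }
        # -S (instead of the paper's -A) checks the whole forest for a duplicate
        # before adding; a duplicate SPN breaks Kerberos for both principals.
        $out = & setspn -S $spn $SpnAccount 2>&1
        if ($LASTEXITCODE -ne 0 -or ($out -match 'Duplicate SPN found')) {
            Write-Warning "not registered: $spn - $($out -join ' ') (query owner with: setspn -Q $spn)"
        } else {
            Write-Host "registered: $spn -> $SpnAccount"
        }
    }
}
```

Run it once from an account that may write the servicePrincipalName attribute of the SPN user; re-running it is safe because already-present values are skipped. The warning branch is the one to watch during a 500-machine rollout: a machine whose short name or FQDN is already claimed by another account is exactly the case that produces hard-to-diagnose authentication failures later.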
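The "Update the DASHConfig provisioning XML file" section has the administrator copy the objectSid string out of the Attribute Editor (Figure 4) into the OBJECTSID node of the file shown in Appendix B, and warns that the value is easy to truncate when it does not fit on screen. The script below, an added example that is not part of the paper or of DASHConfig, reads the SID from Active Directory instead and writes it into every ACTIVEDIRECTORY_GROUP node, refusing any value that is not a complete domain SID. The file path, the ActiveDirectory PowerShell module (RSAT), and the mapping from the XML GROUPNAME values to AD group names are assumptions; the second group name is constructed.

```powershell
# Added example (not AMD's DASHConfig tooling): fill OBJECTSID in the DASHConfig
# provisioning XML from AD rather than by hand. Assumes the RSAT ActiveDirectory
# module; the path and the group mapping below are placeholders.
Import-Module ActiveDirectory

$XmlPath  = 'C:\DASHConfig\DASHConfigExample.xml'   # placeholder path
$GroupMap = @{                                       # XML GROUPNAME -> AD group sAMAccountName
    'DASH Admins'   = 'LibrarySystems'               # group from the paper's example
    'DASH Auditors' = 'LibraryAuditors'              # constructed second group
}

[xml]$doc = Get-Content -Path $XmlPath -Raw
$groups = $doc.SelectNodes('//ACTIVEDIRECTORY_GROUP')
if ($groups.Count -eq 0) { throw "no ACTIVEDIRECTORY_GROUP nodes found in $XmlPath" }

foreach ($g in $groups) {
    $xmlName = $g.GROUPNAME
    if (-not $GroupMap.ContainsKey($xmlName)) {
        Write-Warning "no AD group mapped for '$xmlName'; leaving its OBJECTSID untouched"
        continue
    }
    # Get-ADGroup exposes the objectSid as a SecurityIdentifier; .Value is the S-1-5-... string
    $adGroup = Get-ADGroup -Identity $GroupMap[$xmlName] -ErrorAction Stop
    $sid = $adGroup.SID.Value

    # A domain group SID is S-1-5-21-<three sub-authorities>-<RID>. A value cut short
    # by the Attribute Editor scroll problem the paper mentions fails this check.
    if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        throw "unexpected SID '$sid' for group $($adGroup.Name)"
    }
    $g.OBJECTSID = $sid                              # sets the element's inner text
    Write-Host ("{0,-14} -> {1}  ({2})" -f $xmlName, $sid, $adGroup.DistinguishedName)
}

$doc.Save($XmlPath)
```

Two points worth keeping in mind when distributing the resulting file, both visible in the Appendix B example: SPNACCOUNT_PASSWORD and the USER passwords are stored in clear text, so the file should carry a restrictive ACL and be removed from the targets and from the SCCM package source once provisioning is done; and because the DASH target trusts the group SID rather than the group name, renaming a group in AD changes nothing on the targets, while deleting and recreating a group with the same name gives it a new RID and silently invalidates every target provisioned with the old value.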
More Information

DASH forum: http://www.amd.com/DASH
How to configure a Domain Controller in Windows Server: http://technet.microsoft.com/en-us/library/cc779648(v=ws.10).aspx
How to extend the Active Directory schema for Configuration Manager: http://technet.microsoft.com/en-us/library/bb633121.aspx
MYITForum: http://www.myitforum.com

DASH Plug-in user manual and help file

The help file that gets installed with the DASH Plug-in provides detailed information on support for role-based authorization in the DASH Plug-in. The default location for the help file is C:\Program Files (x86)\SCCM DASH Plug-in\SCCMDASHPlug-in.chm. This information can also be found in the user manual document in the installer package.

Trademark Attribution

AMD, the AMD Arrow logo, and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. Other names used in this presentation are for identification purposes only and may be trademarks of their respective owners.

© 2013 Advanced Micro Devices, Inc. All rights reserved.