These settings apply to the entire Active Directory server
and all its users.
Procedure
- Select .
- Click the Active Directory tab.
- Click Edit under Active Directory Global Group Mapping.
- In the dialog, select a group mapping method and options for the SMS to use.
  Setting
    Description

  Authentication Mode
    Select one: Allow only users defined in the SMS to log in or Allow AD users to log in with or without an SMS account. If you choose to allow access for non-local users, you must also specify how the New Resource Group will be determined for those users. By default, users are allowed to choose a New Resource Group.

  Authorization Mode
    If you configured Authentication Mode to allow only users defined in the SMS to log in, then you can select either of two options: Use SMS local group mappings or Use active directory group mappings. Otherwise, Authorization Mode uses active directory group mappings.

  New resource group mapping mechanism
    Specify how the New Resource Group is set for Active Directory (AD) authenticated users:
    - Allow user to choose – users specify an SMS group as their New Resource Group
    - Use Active Directory Primary Group – automatically sets the AD primary group as the New Resource Group; users are unable to set the group manually. Typically, the default primary AD group is Domain Users.
    - Use Active Directory ... attribute – specify an AD attribute for the SMS to use in mapping a New Resource Group for all AD-authenticated SMS users.

  Mapping Failure Action
    Select an action to take when an Active Directory group cannot be mapped:
    - Reject Authentication
    - Accept Authentication with local SMS group mappings – available only if Authentication Mode is configured to allow only users defined in the SMS to log in.
    - Accept Authentication – Select an SMS user group to which the user is assigned for authorized access.

  Mapped Group
    Select a mapped group.

- Click OK.
An X509 certificate is required for validating authentication responses over an SSL connection. The certificate is generated on the Active Directory server, and must be imported to the SMS. The SMS server accepts DER (binary) or PEM (Base64) encoded X509 certificates.
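A pre-import check for the exported file, added here as an example (not part of the SMS product or its documentation): it tells PEM from DER input and confirms the payload is a single DER-encoded ASN.1 SEQUENCE, which catches a private key, a CSR or a truncated export before it is uploaded. It does not parse or validate the X.509 fields; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_envelope_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE with a definite length."""
    if len(der) < 2 or der[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify_certificate(data: bytes):
    """Return (encoding, der_bytes); raise ValueError if the file is unusable."""
    block = PEM_BLOCK.search(data)
    if block:
        label = block.group(1).decode()
        if label != "CERTIFICATE":
            raise ValueError(f"PEM block is '{label}', not a certificate")
        try:
            der = base64.b64decode(b"".join(block.group(2).split()), validate=True)
        except ValueError as exc:           # binascii.Error is a ValueError
            raise ValueError("PEM body is not valid Base64") from exc
        encoding = "PEM"
    else:
        der, encoding = data, "DER"
    if not der_envelope_ok(der):
        raise ValueError("payload is not a single DER-encoded ASN.1 SEQUENCE")
    return encoding, der

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a CERTIFICATE PEM block (64-character Base64 lines)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"

# Constructed stand-in: a 5-byte SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(classify_certificate(SAMPLE_PEM)[0], classify_certificate(SAMPLE_DER)[0])
```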