-
- Enthusiast
- Posts: 44
- Liked: never
- Joined: Mar 05, 2009 9:33 am
- Full Name: Falko Dohse
- Location: Hamburg
- Contact:
Windows authentication for Enterprise Manager
Is it possible to use Windows passthrough authentication for the Enterprise Manager to eliminate the need to enter credentials?
-
- Chief Product Officer
- Posts: 31816
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Windows authentication for Enterprise Manager
Falko, impersonation (which is what you are talking about) only works within the same server. However, we are also using the entered credentials to determine whether the user is allowed to manage the jobs on a specific server, but impersonation does not work remotely. Such a check is performed each time you try to Start/Stop/Retry the job in the web UI.
It is still possible to make the latter work, but only by leveraging "delegation". This would require some changes to default IIS security settings, as well as updating some security-sensitive attributes on computer accounts in AD (TrustedForDelegation). This is not the kind of change we can make silently in setup, and instead we would have to require all users to do this. This would in turn complicate the setup, and far fewer people would be able to make everything work and see the web UI, while our main task has been making everything as simple as possible.
Based on all of these factors, we have decided to go with the current implementation. We can still implement support for delegation down the road, and provide some guide you could use to enable the required settings manually, if your security guys are OK with this, of course (if you even have those).
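For anyone reviewing such a change, an added example (not part of the post above and not Veeam code): TrustedForDelegation corresponds to bit 0x80000 of a computer account's userAccountControl, so an export of computer accounts can be checked for it. The account names, SPNs and values below are constructed sample data.

```python
# Classify Kerberos delegation settings from exported AD computer-account attributes.
# userAccountControl bit values are the documented Active Directory flags.
UF_SERVER_TRUST_ACCOUNT = 0x2000                # account belongs to a domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation (TrustedForDelegation)
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# Constructed sample records, shaped like LDAP query results (values arrive as strings).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": "532480"},
    {"sAMAccountName": "EMWEB01$", "userAccountControl": "528384"},
    {"sAMAccountName": "APP02$", "userAccountControl": "4096",
     "msDS-AllowedToDelegateTo": ["HOST/bkp01.example.test"]},
    {"sAMAccountName": "APP03$", "userAccountControl": "16781312",
     "msDS-AllowedToDelegateTo": ["HTTP/bkp01.example.test"]},
    {"sAMAccountName": "WS17$", "userAccountControl": "4096"},
]


def classify(record):
    """Return the delegation type configured on one computer account."""
    uac = int(record["userAccountControl"])
    targets = record.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        # Domain controllers carry this flag by default; report them separately.
        if uac & UF_SERVER_TRUST_ACCOUNT:
            return "unconstrained (domain controller)"
        return "unconstrained"
    if targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained, protocol transition"
        return "constrained"
    return "none"


def needs_review(records):
    """Names of non-DC accounts that are trusted for unconstrained delegation."""
    return [r["sAMAccountName"] for r in records if classify(r) == "unconstrained"]


if __name__ == "__main__":
    for rec in SAMPLE:
        print(f'{rec["sAMAccountName"]:10} {classify(rec)}')
    print("Review:", ", ".join(needs_review(SAMPLE)))
```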
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Jan 13, 2015 12:04 pm
- Full Name: Morten Dall
- Contact:
Re: Windows authentication for Enterprise Manager
I am in a situation where I need to change the Enterprise Manager IIS Authentication method, to do AD lookup without being on the domain (e.g. Digest Authentication).
Does anyone have guidance, please?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Windows authentication for Enterprise Manager
For Windows authentication to work, Enterprise Manager should reside in the same domain as the account (or at least in a trusted domain).