6 Steps to Setup External Authentication for Remote Desktop Users

If you are a small company, the reason for using external authentication may not be apparent immediately, but if you are a big company, then you probably know that introducing a new system can be quite challenging and may bring a lot of work related to user management. First, you need to create users and set their passwords, and then consistently keep all of that in sync with existing systems afterwards. The more users there are, the more complicated things get. However, you can skip all that if the new system supports external authentication, or in other words, has the ability to connect to your central directory, e.g. LDAP, and access your user information stored externally. ISL Online’s remote desktop, live chat and web conferencing system is in the latter group and thus supports authentication through central directories (Server License only).

Before we continue to set up external authentication, it might be wise to start with this checklist:

  • authentication server address (make sure you are allowed to access it from the machine where the ISL Online’s server application named ISL Conference Proxy is running!)
  • appropriate username/password for performing a query (if needed, depends on your security settings)
  • at least one test user, but it is much better to have two – one that should be allowed to log in and use ISL Online and one that should not (a positive and a negative test case)
  • special access conditions (if needed, e.g. if you only wish to allow login to ISL Conference Proxy to users who are members of a certain group)

If all conditions from the checklist are met, we can easily continue to the main question of how to set up external authentication for ISL Online remote desktop, live chat and web conferencing users (Server License only).

6 steps to set up external authentication

There are many external authentication mechanisms, but the most common ones, which are also the ones supported by ISL Online Server License, are OpenLDAP, Microsoft Active Directory, Novell eDirectory and RADIUS. The setup procedure basically involves the following six steps:

1. Log in to your ISL Conference Proxy administration (http://localhost:7615/conf).
2. Go to User management, click on the Domains tab.
3. Select the desired domain that will use external authentication (e.g. ldapusers).
4. Click on the Security tab.
5. Uncheck the External authenticator option and paste an appropriate modified line (with “;” as the delimiter – e.g. .NET LDAP direct bind approach example with modified HOST address(es) and MAPUSER).
6. Click on Save.

If you are like me, you must be wondering which modified line is appropriate and how to compose it. As this is a rather complex topic, I advise you to check this manual topic for more information and a few examples.

Here are also a few notes and hints to help you form the final string:

  • Direct bind approach is usually used for simple situations, but if you want to set certain conditions, go for the search approach.
  • If you require a special username and a password to connect (i.e. anonymous bind not allowed or it does not have enough privileges), then specify this username and password using BINDDN and BINDPASSWORD.
  • If you wish to specify group membership, it can be done like this:
    (&(uid=@USERNAME@)(groupMembership=cn=somegroup,ou=Groups,dc=Company))

In some cases you may wish to search for certain attributes and use them to decide whether to allow or deny the login. In general, you simply copy the desired custom search string from LDAP Admin or some similar tool and put the @USERNAME@ into the correct location. Here is an example of an external authenticator string ready to be pasted into ISL Conference Proxy settings:

authenticator\WinLdap.exe;HOST;1.2.3.4;BINDDN;abc\islsearch;BINDPASSWORD;topsecret;SEARCHBASE;dc=main,dc=company,dc=com;SEARCHFILTER;(&(uid=@USERNAME@)(memberOf=CN=AllowISL,OU=groups,DC=main,DC=company,DC=com));

A short explanation is necessary: this external authenticator string binds to the server at 1.2.3.4 with the user abc\islsearch and the password topsecret, then performs a search in dc=main,dc=company,dc=com with the specified SEARCHFILTER (i.e. it searches for the user with uid=@USERNAME@ whose memberOf attribute is set to a certain value). The username and the password are filled in by ISL Conference Proxy with the appropriate values from the product login.
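As an added illustration (not code from ISL Online and not part of the original post), the following Python splits an external authenticator string of the kind shown above into its ";"-delimited command and KEY;value pairs, checks the checklist items from the start of the article, and previews the search filter with @USERNAME@ filled in. The preview escapes the substituted login name according to RFC 4515, so that filter metacharacters in a username cannot change the meaning of the filter; how ISL Conference Proxy itself performs the substitution is not described on this page, so treat the helper as a validation aid for your own string. The sample string is the article's own example with its placeholder values.

```python
# Constructed sample: the example string from the article (example values, not a real server).
SAMPLE = ("authenticator\\WinLdap.exe;HOST;1.2.3.4;BINDDN;abc\\islsearch;"
          "BINDPASSWORD;topsecret;SEARCHBASE;dc=main,dc=company,dc=com;"
          "SEARCHFILTER;(&(uid=@USERNAME@)"
          "(memberOf=CN=AllowISL,OU=groups,DC=main,DC=company,DC=com));")

# RFC 4515 escape table for values substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it inside a filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_authenticator(line: str) -> dict:
    """Split 'command;KEY;value;KEY;value;...' into {'command': ..., 'KEY': value}.

    A trailing ';' is tolerated; an odd number of KEY/value tokens is an error.
    """
    parts = line.rstrip(";").split(";")
    if len(parts) < 3 or (len(parts) - 1) % 2:
        raise ValueError("expected a command followed by KEY;value pairs")
    config = {"command": parts[0]}
    for key, value in zip(parts[1::2], parts[2::2]):
        config[key] = value
    return config


def check_config(config: dict) -> list:
    """Return findings based on the article's checklist (empty list means OK)."""
    findings = []
    for key in ("HOST", "SEARCHBASE", "SEARCHFILTER"):
        if not config.get(key):
            findings.append(f"missing {key}")
    # A bind user without a password (or vice versa) is almost certainly a typo.
    if ("BINDDN" in config) != ("BINDPASSWORD" in config):
        findings.append("BINDDN and BINDPASSWORD must be given together")
    if "SEARCHFILTER" in config and "@USERNAME@" not in config["SEARCHFILTER"]:
        findings.append("SEARCHFILTER has no @USERNAME@ placeholder")
    return findings


def build_filter(config: dict, username: str) -> str:
    """Preview the filter the search approach would run for one login name."""
    return config["SEARCHFILTER"].replace("@USERNAME@", escape_filter_value(username))
```

Running the preview with a login name such as "*)(uid=*" shows the metacharacters escaped rather than left as filter syntax, which is the behaviour you want to confirm for whatever component performs the substitution in your deployment.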

Please note that it is also possible to have different external authenticators set for different ISL Conference Proxy domains, which can prove handy if your user tree is more like a forest with each tree representing a country, city, (sub)organization etc.

Useful hint: Even if you have “just” one tree, it might be useful to create a user or two in some other ISL Conference Proxy domain that does not use an external authenticator. This can act as a backup solution for cases when there is a temporary issue with the central directory.

How external authentication works
When the setup is finished, there are basically three steps ISL Online users should follow in order to log in:

  1. Log into ISL Conference Proxy with a username and a password within a domain that has an external authenticator enabled.
  2. ISL Conference Proxy executes the provided external authenticator command for that domain and fills in the username and the password.
  3. If the external authenticator command returns OK, login is allowed. Otherwise, login is denied.

That’s it! You are done! In case your central directory is not supported out of the box by ISL Conference Proxy or if you encounter any problems, please contact us and we will gladly provide the help needed.
