


Set up Active Directory authentication in LEM

Set up Active Directory authentication to allow users to log in to LEM with their Active Directory credentials.

These steps apply to LEM version 6.3.1 and newer. To configure older versions of LEM for LDAP authentication, see Set up Active Directory authentication in LEM 6.3.0 and older.

Gather some required information

Before you begin, gather the following:

  • Either the IP address or fully-qualified domain name (FQDN) of the Active Directory server.
  • The domain credentials for an account that LEM can use to log in to Active Directory. SolarWinds recommends using a service account with a non-expiring password. This account does not need elevated privileges.

To find the directory server, open a Windows command prompt on a computer joined to the domain and type nslookup. The Default Server it reports is the DNS server that computer uses, which on a domain network is normally a domain controller. To list every domain controller that offers LDAP, query the SRV record that each domain controller registers: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>.

Create a user in Active Directory that LEM can use to log in

  1. Log in to the domain controller and open Active Directory Users and Computers.
  2. Create a user account that LEM can use to log in to Active Directory. SolarWinds recommends using a service account with a non-expiring password. This account does not need elevated privileges (such as Domain Admin privileges).

Create custom security groups in Active Directory for LEM to use

User access in LEM is based on Active Directory group membership.

  • If you have LEM version 6.3.1 Hotfix 2 or newer, you can map the LEM roles to your existing Active Directory groups for alerts, reports, and so on. Skip this section and go to the next section: Configure or View LDAP configuration settings in LEM.
  • If you have LEM version 6.3.1 or LEM version 6.3.1 Hotfix 1, complete the steps in this section to create the required custom security groups in Active Directory.

To create custom security groups:

  1. Log in to the domain controller and open Active Directory Users and Computers.
  2. Create at least one security group called ROLE_LEM_ADMINISTRATORS. Group names must match the names listed below exactly; otherwise users cannot log in to the LEM console. SolarWinds recommends creating the LEM group names in capital letters so that you can quickly identify LEM groups in Active Directory.

    You can add up to six of the following LEM custom groups:

    • ROLE_LEM_ADMINISTRATORS  (Required if you are using LEM 6.3.1 Hotfix 1 or older.)
    • ROLE_LEM_ALERTS_ONLY
    • ROLE_LEM_AUDITOR
    • ROLE_LEM_GUESTS
    • ROLE_LEM_CONTACTS
    • ROLE_LEM_REPORTS

The ROLE_LEM_CONTACTS group is only used for email notification in rules. Users added to this group do not have login rights.
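The two sections above carried out with the ActiveDirectory PowerShell module instead of the GUI, as an added example that is not SolarWinds' code or part of the original page. It also runs the SRV lookup from the "Gather some required information" section. The domain example.com, the OU paths, the service account name svc-lem-ldap and the user jdoe are hypothetical; replace them with your own. It must run on a domain controller or on a workstation with RSAT, as an account allowed to create users and groups.

```powershell
# Added example (not SolarWinds' code): provision the LEM bind account and the
# six ROLE_LEM_* security groups with the ActiveDirectory PowerShell module.
# Hypothetical values: domain example.com, OU=Service Accounts and OU=Groups
# under DC=example,DC=com, service account svc-lem-ldap, and user jdoe.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Domain     = 'example.com'
$SvcAccount = 'svc-lem-ldap'
$SvcOU      = 'OU=Service Accounts,DC=example,DC=com'
$GroupOU    = 'OU=Groups,DC=example,DC=com'

# 1. Locate the domain controllers: every DC registers this SRV record.
#    NameTarget is the FQDN to enter in LEM's "IP Address or Hostname" field.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority

# 2. Bind account: an ordinary domain user with a non-expiring password and
#    no elevated group membership. The password is prompted for, not embedded.
$Password = Read-Host -AsSecureString "Password for $SvcAccount"
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$Domain" -Path $SvcOU `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LEM LDAP bind account (read-only directory access)'

# 3. LEM role groups. On 6.3.1 / Hotfix 1 the names must be exactly these;
#    on Hotfix 2 and newer they are the defaults unless overridden under
#    Advanced Settings. Only ROLE_LEM_ADMINISTRATORS is required, and
#    ROLE_LEM_CONTACTS grants no login rights.
$Roles = [ordered]@{
    ROLE_LEM_ADMINISTRATORS = 'LEM administrator role'
    ROLE_LEM_ALERTS_ONLY    = 'LEM alerts-only role'
    ROLE_LEM_AUDITOR        = 'LEM auditor role'
    ROLE_LEM_GUESTS         = 'LEM guest role'
    ROLE_LEM_CONTACTS       = 'LEM e-mail notification contacts (no login)'
    ROLE_LEM_REPORTS        = 'LEM reports role'
}
foreach ($name in $Roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope Global -Path $GroupOU -Description $Roles[$name]
    }
}

# 4. Grant one account the LEM administrator role by adding it DIRECTLY to
#    the group. Nested membership (jdoe in a group that is in this group)
#    is not recognized by LEM.
Add-ADGroupMember -Identity 'ROLE_LEM_ADMINISTRATORS' -Members 'jdoe'
```

The Get-ADGroup filter makes the group creation idempotent, so the script can be rerun after a partial failure. Keep the bind account out of Domain Admins and similar groups: LEM only needs to bind and read group membership, and an over-privileged LDAP password stored in an appliance is a common lateral-movement target.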

Configure or View LDAP configuration settings in LEM

After LDAP authentication is configured, Active Directory users log in to LEM with their domain user name qualified by the fully-qualified domain name (FQDN), in the format user@example.com or example.com\user.

  1. Open a web browser and connect to the LEM Admin user interface using the following URL:

    https://<lem_manager_IP_address>:8443/mvc/login

    If you have not yet activated LEM, or if you reopened port 8080, use the following URL:

    http://<lem_manager_IP_address>:8080/mvc/login

    Port 8080 is plain HTTP, so the admin credentials you enter cross the network unencrypted. Use it only from a trusted management network and close the port again when you are finished.

    You can also configure the LDAP settings from the LEM virtual appliance console by entering admin at the cmc> prompt.

  2. Enter admin in the user name and password fields, and then click Login. These are the factory defaults; if the admin password has been changed, use the current password. The same credentials are used to log in to the LEM web console.

  3. Click LDAP Configuration in the Authentication menu.

  4. To create or edit the LDAP configuration, complete the form, and then click Save. Or click Cancel after you review your previously saved LDAP connection settings.

    Starting with LEM 6.3.1 Hotfix 2 you can configure LEM to use existing groups for alerts, audit, reports, and so on. Expand the "Advanced Settings" section to specify custom group names when creating or editing the LDAP configuration settings.

    LDAP Configuration Name
      A friendly name of your choosing for this LDAP configuration.

    IP Address or Hostname
      The IP address or host name of your LDAP server (normally a domain controller).

    Domain (LEM 6.3.1 Hotfix 2 and newer only)
      The fully-qualified domain name of the account store, for example example.com.

    Directory Service Server User Name
      The account LEM uses to bind to Active Directory, in the format account_name@example.com. SolarWinds recommends a dedicated service account with a non-expiring password, so that authentication does not stop working when a personal account's password expires or the account is disabled. The account does not need special privileges (such as Domain Admin); an ordinary domain user can read group membership.

    Directory Service Server Password
      The password for that account.

    Use SSL Encryption (Optional)
      Select to connect with LDAP over TLS (LDAPS). The option applies to the traffic from the LEM VM to the designated directory server (usually a domain controller). Although the field is marked optional, leave it cleared only on an isolated test network: a plain LDAP bind on port 389 carries the service account password, and each user's password at login time, across the network unencrypted.

    LDAP Port
      If left empty, LEM uses the default LDAP port (389). Otherwise enter the port your domain controller listens on. The default port for LDAPS is 636, so when Use SSL Encryption is selected make sure the port entered here is the one your domain controller accepts LDAPS on.

    Advanced Settings (LEM 6.3.1 Hotfix 2 and newer only)
      Domain Aliases (Optional)
        Any additional domain names that should be authenticated using this LDAP configuration. The role/group names configured on this page also apply to them.
      NetBIOS Names (Optional)
        Any NetBIOS domain names (the DOMAIN\user login form) that should be authenticated using this LDAP configuration. The role/group names configured on this page also apply to them.
      Admin Group (Optional)
        The Active Directory security group to use for the LEM administrator role. If empty, the default ROLE_LEM_ADMINISTRATORS group is used.
      Alerts Only Group (Optional)
        The Active Directory security group to use for the LEM alerts role. If empty, the default ROLE_LEM_ALERTS_ONLY group is used.
      Audit Group (Optional)
        The Active Directory security group to use for the LEM auditor role. If empty, the default ROLE_LEM_AUDITOR group is used.
      Guest Group (Optional)
        The Active Directory security group to use for the LEM guest role. If empty, the default ROLE_LEM_GUESTS group is used.
      Notify Only Group (Optional)
        The Active Directory security group to use for the LEM notifications role (e-mail contacts without login rights). If empty, the default ROLE_LEM_CONTACTS group is used.
      Reports Group (Optional)
        The Active Directory security group to use for the LEM reports role. If empty, the default ROLE_LEM_REPORTS group is used.

Add an Active Directory user to LEM

To grant a user access to LEM, add the user to the appropriate role (security group) in Active Directory. 

Do not rely on nested group membership. LEM checks only the groups a user is a direct member of, so a user who belongs to a group that is itself a member of ROLE_LEM_ADMINISTRATORS is not recognized. Add each user directly to the Active Directory security group that LEM expects.

  1. Open Active Directory Users and Computers.
  2. Add the user to the appropriate role (security group) in Active Directory. Users added to the ROLE_LEM_CONTACTS group do not have sufficient privileges to log in to LEM.
    • For LEM 6.3.1 Hotfix 2 and higher, add the user to an Active Directory security group that is configured for use with LEM. To see which groups are configured for LEM, open the "LDAP Configuration Management" page and expand the list under "Advanced Settings." See Configure or View LDAP configuration settings in LEM for details.
    • For LEM version 6.3.1, or LEM version 6.3.1 Hotfix 1, add the user to one of the Active Directory security groups listed under Create custom security groups in Active Directory for LEM to use. At least one user should be assigned to the ROLE_LEM_ADMINISTRATORS security group.

When configuring user accounts, make sure none of the LEM groups is set as the user's Primary group (shown on the Member Of tab in Active Directory Users and Computers). Active Directory does not list a user's primary group in the memberOf attribute, so LEM's group lookup cannot see that membership and the user cannot log in, even though the group appears to contain them. The user sees an "Invalid username and password" message instead, and a message similar to the following is logged:

[LemSpringSecurityAuthManager] {http-nio-8080-exec-1:349} Authentication failed: User is not member of any required role group!

Last modified
12:06, 24 Mar 2017
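A pre-flight check for the two failure modes described above (nested membership and a LEM group set as the primary group), plus a test of the Directory Service settings entered in the LDAP configuration form, as an added example that is not SolarWinds' code or part of the original page. Test-LemLogin reproduces the membership rule with the ActiveDirectory module; Test-LemBind reproduces what the appliance does at login time by binding as the service account over LDAPS and reading the user's memberOf with System.DirectoryServices.Protocols. The server dc01.example.com, search base DC=example,DC=com, service account svc-lem-ldap and user jdoe are hypothetical.

```powershell
# Added example (not SolarWinds' code): explain an "Invalid username and
# password" result before the user reports it. Hypothetical values: domain
# controller dc01.example.com, search base DC=example,DC=com, service
# account svc-lem-ldap, user jdoe, default ROLE_LEM_* group names.
Import-Module ActiveDirectory

function Test-LemLogin {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Groups that grant login; ROLE_LEM_CONTACTS is omitted on purpose.
        [string[]] $LemGroups = @('ROLE_LEM_ADMINISTRATORS', 'ROLE_LEM_ALERTS_ONLY',
                                  'ROLE_LEM_AUDITOR', 'ROLE_LEM_GUESTS', 'ROLE_LEM_REPORTS')
    )
    $user      = Get-ADUser $SamAccountName -Properties memberOf, primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    # The primary group is stored as a RID, not in memberOf; resolve it by SID.
    $primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

    # Direct membership only: memberOf is what an LDAP query returns and it is
    # not expanded through nested groups, which matches LEM's behaviour.
    $direct  = @($user.memberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $matched = @($direct | Where-Object { $LemGroups -contains $_ })

    # LEM groups that contain the user only through nesting: looks right in
    # the GUI, but LEM will not see it.
    $nestedOnly = @(foreach ($g in $LemGroups) {
        if ($matched -contains $g) { continue }
        $flat = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        if ($flat | Where-Object { $_.SamAccountName -eq $SamAccountName }) { $g }
    })

    $primaryIsLem = $LemGroups -contains $primary.Name
    $problem = $null
    if ($primaryIsLem) {
        $problem = "Primary group is $($primary.Name), which memberOf does not list. Set the primary group back to Domain Users and add the user as a normal member."
    } elseif ($matched.Count -eq 0 -and $nestedOnly.Count -gt 0) {
        $problem = "Only a nested member of $($nestedOnly -join ', '); add the user directly."
    } elseif ($matched.Count -eq 0) {
        $problem = 'Not a direct member of any LEM role group.'
    }

    [pscustomobject]@{
        User            = $SamAccountName
        DirectLemGroups = $matched
        NestedOnly      = $nestedOnly
        PrimaryGroup    = $primary.Name
        CanLogIn        = ($matched.Count -gt 0) -and -not $primaryIsLem
        Problem         = $problem
    }
}

function Test-LemBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $BindCredential,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $SearchBase = 'DC=example,DC=com',
        [int] $Port = 636
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    # 'Basic' is a simple bind, the reason LDAPS matters: without TLS this
    # password, and every user's at login, would cross the wire in clear.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $BindCredential.GetNetworkCredential(), 'Basic')
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Bind()   # throws if host, port, certificate or bind credentials are wrong

    $filter = "(&(objectClass=user)(userPrincipalName=$UserPrincipalName))"
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest(
                  $SearchBase, $filter, 'Subtree', @('memberOf'))
    $resp   = $conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $attr = $entry.Attributes['memberOf']
        if ($attr) { $attr.GetValues([string]) } else { '(no memberOf: primary group only)' }
    }
}

Test-LemLogin -SamAccountName 'jdoe'
Test-LemBind -Server 'dc01.example.com' `
    -BindCredential (Get-Credential 'svc-lem-ldap@example.com') `
    -UserPrincipalName 'jdoe@example.com'
```

If Test-LemBind fails at Bind() with a certificate error, the domain controller is not serving a certificate the LEM VM will trust over LDAPS; fix that on the domain controller rather than clearing Use SSL Encryption in LEM. If it binds but the search returns only the "(no memberOf ...)" line, the user's LEM group is their primary group and Test-LemLogin reports it as such.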
