Active Directory (AD) authentication can be used on MassTransit HP and MassTransit SFTP servers. You can use this kind of authentication for the following contacts:
To enable and configure directory services, follow these steps:
Open the MassTransitEngine.cfg file located in the MassTransit installation directory. By default, this folder is placed on the system drive in:
for MassTransit 7.6 and later:
on 64-bit machines:
C:\Program Files (x86)\Acronis\MassTransit Server
for MassTransit 7.1 to 7.6:
on 32-bit machines:
C:\Program Files\Group Logic\MassTransit Server
on 64-bit machines:
C:\Program Files (x86)\Group Logic\MassTransit Server
for MassTransit 7.0.x:
on 32-bit machines:
C:\Program Files\Group Logic\MassTransit Server 7
on 64-bit machines:
C:\Program Files (x86)\Group Logic\MassTransit Server 7
Note: All lines beginning with "%%" in the MassTransitEngine.cfg file are considered commented and therefore ignored. Please ensure that all settings you change are uncommented (if you see "%%" characters at the beginning of any of the settings you modify, delete them).
To enable directory services in general, find the Directory Services Settings section and set the DIRECTORY_SERVICES_ENABLED setting to TRUE, as shown below: DIRECTORY_SERVICES_ENABLED=TRUE
Under the same section, enter the name of the domain you want MassTransit to use in the PRIMARY_DOMAIN= setting. This is the domain that MassTransit appends to its LDAP queries. Use the fully qualified domain name, e.g., mydomain.com.
Set the address of the LDAP server in the LDAP_SERVER_ADDRESS= setting.
Note: For secure connections, you must specify the DNS (domain name system) name of the LDAP server exactly as it appears in the server's certificate, not its IP address; otherwise the certificate check fails.
Set the port number used for communication with the LDAP server in the LDAP_SERVER_PORT= setting. The default port for non-secure connections is 389. For secure connections (LDAPS), the default port is 636.
Specify whether the connection to the LDAP server is secured by configuring the LDAP_USE_SECURE_CONNECTION = setting:
for a non-secure connection, configure the setting as shown below: LDAP_USE_SECURE_CONNECTION = false
for a secure connection: LDAP_USE_SECURE_CONNECTION = true
Configure the distinguished name (DN) and password of the account MassTransit uses to bind to the LDAP directory:
To set the bind DN, list its components from the lowest directory level to the highest: first the account's own CN, then the container it lives in (for example CN=Users), then any levels above that. Separate the components with commas (,). The domain itself is not included; it is supplied by PRIMARY_DOMAIN (or by LDAP_BIND_DOMAIN, below). LDAP_BIND_DN=CN=USERNAME,CN=Users
Specify the password of the account that was set above: LDAP_BIND_PASSWORD=PASSWORD
Note: The LDAP_BIND_DN and LDAP_BIND_PASSWORD settings may be left blank to indicate that MassTransit will bind to the LDAP server as the Active Directory user the service runs as. In this case, the machine must be joined to the domain and the MassTransit service must run as the AD user that MassTransit will use to bind to the LDAP server. To configure the MassTransit service, open the Services console, highlight the service named "MassTransit", right-click and select Properties. Then go to the Log On tab, select the "This account" option, enter the account name and password, and select OK.
If the bind user (stated under the LDAP_BIND_DN= setting) is not in the primary domain (configured under the PRIMARY_DOMAIN= setting), uncomment this line and specify the bind user's domain: LDAP_BIND_DOMAIN=bind.domain.com
When you create new contacts that authenticate via Active Directory, MassTransit searches the LDAP tree for their accounts. You specify where in the tree MassTransit searches with the LDAP_SEARCH_BASE=CN= setting. To specify multiple locations, separate them with a semicolon (;) (e.g. CN=Users;OU=Staff). If LDAP_SEARCH_BASE is left blank, searches begin at the root of the tree. A search base is not required, but it narrows the search and may improve performance for large trees. LDAP_SEARCH_BASE=CN=Users
To control the scope of the LDAP searches, configure the LDAP_SEARCH_SCOPE= setting with one of the following values (these are the standard LDAP search scopes):
LDAP_SEARCH_SCOPE=BASE – MassTransit searches only the entry named by the LDAP_SEARCH_BASE= setting itself;
LDAP_SEARCH_SCOPE=ONELEVEL – MassTransit searches the immediate children of the entry named by the LDAP_SEARCH_BASE= setting, but not the entry itself and not deeper levels;
LDAP_SEARCH_SCOPE=SUBTREE – MassTransit searches the entry named by the LDAP_SEARCH_BASE= setting and all levels under it.
If you want to make Active Directory the default authentication method for Web Client and Client contacts, set the USE_DIRECTORY_AUTHENTICATION_BY_DEFAULT= setting to TRUE. Otherwise, the default method is MassTransit authentication. USE_DIRECTORY_AUTHENTICATION_BY_DEFAULT=TRUE
Once you have completed the above steps, you will need to restart the MassTransit Engine for the changes to take effect.
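The following script is an added example, not part of the MassTransit documentation or product. It reads the Directory Services Settings the steps above describe, expands relative LDAP_SEARCH_BASE entries into full DNs, and flags the mistakes that bite in practice (a secure connection pointed at an IP address, a port that does not match the connection type, a password without a bind DN). It assumes the file is KEY=VALUE per line with "%%" comments, as the note above states, and that a search base written without DC= components is relative to PRIMARY_DOMAIN; the sample configuration is constructed for the example.

```python
"""Parse the Directory Services Settings of MassTransitEngine.cfg and flag weak values.

Added example, not MassTransit's own code. Assumptions: settings are KEY=VALUE
lines, '%%' starts a comment, and a search base written without DC= components
is relative to PRIMARY_DOMAIN, which is appended as DC= labels.
"""
import ipaddress
import re

# Constructed sample: the settings from the procedure above, with one weak
# choice (an IP address for a secure connection) to show what the checks catch.
SAMPLE_CFG = """\
%% Directory Services Settings
DIRECTORY_SERVICES_ENABLED=TRUE
PRIMARY_DOMAIN=mydomain.com
LDAP_SERVER_ADDRESS=192.0.2.10
LDAP_SERVER_PORT=636
LDAP_USE_SECURE_CONNECTION = true
LDAP_BIND_DN=CN=mtsvc,CN=Users
LDAP_BIND_PASSWORD=PASSWORD
%% LDAP_BIND_DOMAIN=bind.domain.com
LDAP_SEARCH_BASE=CN=Users;OU=Staff
LDAP_SEARCH_SCOPE=SUBTREE
USE_DIRECTORY_AUTHENTICATION_BY_DEFAULT=TRUE
"""


def parse_cfg(text):
    """Return {KEY: value}; lines starting with '%%' are comments and ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%%") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def domain_to_dc(domain):
    """'mydomain.com' -> 'DC=mydomain,DC=com'."""
    return ",".join(f"DC={label}" for label in domain.split(".") if label)


def full_search_bases(settings):
    """Expand LDAP_SEARCH_BASE (';'-separated, relative to PRIMARY_DOMAIN) to full DNs.

    An empty setting means the search starts at the domain root. A base that
    already carries DC= components is taken as a full DN and left alone.
    """
    dc = domain_to_dc(settings.get("PRIMARY_DOMAIN", ""))
    raw = settings.get("LDAP_SEARCH_BASE", "")
    bases = [b.strip() for b in raw.split(";") if b.strip()]
    if not bases:
        return [dc]
    return [b if re.search(r"(?i)(^|,)\s*DC=", b) else f"{b},{dc}" for b in bases]


def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint(settings):
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    if settings.get("DIRECTORY_SERVICES_ENABLED", "").upper() != "TRUE":
        findings.append("DIRECTORY_SERVICES_ENABLED is not TRUE; AD authentication is off")
    secure = settings.get("LDAP_USE_SECURE_CONNECTION", "").lower() == "true"
    addr = settings.get("LDAP_SERVER_ADDRESS", "")
    port = settings.get("LDAP_SERVER_PORT", "")
    if not secure:
        findings.append("LDAP_USE_SECURE_CONNECTION is false; bind credentials cross the network in clear text")
    elif is_ip_address(addr):
        findings.append("secure connection with an IP address in LDAP_SERVER_ADDRESS; use the DNS name from the server certificate")
    if (secure and port == "389") or (not secure and port == "636"):
        findings.append(f"LDAP_SERVER_PORT={port} does not match LDAP_USE_SECURE_CONNECTION (389 plain, 636 LDAPS)")
    bind_dn = settings.get("LDAP_BIND_DN", "")
    bind_pw = settings.get("LDAP_BIND_PASSWORD", "")
    if bind_pw and not bind_dn:
        findings.append("LDAP_BIND_PASSWORD is set without LDAP_BIND_DN")
    if not bind_dn and not bind_pw:
        findings.append("blank bind: the MassTransit service must run as a domain user on a domain-joined host")
    if settings.get("LDAP_SEARCH_SCOPE", "").upper() not in {"BASE", "ONELEVEL", "SUBTREE"}:
        findings.append("LDAP_SEARCH_SCOPE must be BASE, ONELEVEL or SUBTREE")
    return findings


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for base in full_search_bases(cfg):
        print("search base:", base)
    for finding in lint(cfg):
        print("finding:", finding)
```

Run it against a copy of your own MassTransitEngine.cfg by replacing SAMPLE_CFG with the file's contents; the commented-out LDAP_BIND_DOMAIN line in the sample is ignored exactly as the engine ignores it, which is a quick way to confirm you uncommented the settings you meant to.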
Configuring MassTransit to Authenticate Against LDAP Organizational Units
The directory services settings in the MassTransitEngine.cfg configuration file search the Active Directory "Users" container by default (the LDAP_SEARCH_BASE step of the Configuring Active Directory Authentication section); they may be modified to search Organizational Units (OUs) instead.
This is convenient for administrators who wish to create a dedicated "MassTransit Users" organizational unit without touching the standard "Users" container.
The following is a procedure to make the necessary modifications:
Open the MassTransitEngine.cfg file located in the MassTransit installation directory (the default locations for each MassTransit version, and the note on "%%" comment lines, are listed in the Configuring Active Directory Authentication section above).
Locate the configuration option: LDAP_SEARCH_BASE=CN=
Adjust the LDAP_SEARCH_BASE setting to reflect your custom Organizational Unit, written as a full distinguished name. For example: LDAP_SEARCH_BASE=OU=Your_Organizational_Unit,DC=Your_Domain,DC=COM
Note: This example reflects an Organizational Unit that resides directly under the root of the LDAP directory. If the Organizational Unit resides elsewhere, the OU= portion must reflect the exact location of the OU within the tree, leaf first.
The search base may be any part of the directory tree. When the base is written relative to the primary domain, omit the DC= components; the domain is supplied by the PRIMARY_DOMAIN setting. Write the path leaf first. For example, the Development container inside the MassTransit OU: LDAP_SEARCH_BASE=CN=Development,OU=MassTransit
Creating a Contact with Active Directory Authentication
To create a contact with Active Directory Authentication in the MassTransit Administrator, follow these steps:
In the MassTransit Administrator, open the Contacts window by clicking on the Contacts button from the Navigation Bar or by selecting Contacts in the Window main menu.
Click on the Add Contact... button.
In the Contact Information window that appears, select the Web Client option from the Entry Is... drop-down menu in the General tab.
In the Authentication section of the General tab, select the Active Directory option.
In the Account field, enter the user login name in either of the following formats: username@domain.com or DOMAIN\username.
Click on the Search button. Once the user is found in the directory, a green light appears, meaning the account was found within the LDAP search base and scope configured in the Configuring Active Directory Authentication section. If the light does not turn green, check that the account lies under one of the LDAP_SEARCH_BASE locations and within the LDAP_SEARCH_SCOPE you set.
Once a contact configured to use Active Directory authentication has been found, the corresponding contact information from Active Directory populates the Contact Information fields on the General tab. All of the information populated from Active Directory is read-only and cannot be modified in the MassTransit Administrator.
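The Search button takes whatever was typed into the Account field and looks it up in the directory. As an added example (not MassTransit's own lookup code), the snippet below normalizes the two accepted login formats and builds the LDAP search filter with RFC 4515 escaping, so that characters with filter meaning typed into the field cannot change the query's structure. It assumes the lookup is by the standard AD attributes sAMAccountName (for DOMAIN\username) and userPrincipalName (for username@domain.com); the page does not say which attributes MassTransit itself queries.

```python
"""Normalize the Account field value and build an escaped LDAP search filter.

Added example, not MassTransit's own lookup code. Assumption: the user object
is matched on sAMAccountName (DOMAIN\\username or a bare name) or on
userPrincipalName (username@domain.com), the standard AD attributes.
"""


def split_account(account):
    """Return (domain, username) for 'DOMAIN\\user' or 'user@domain.com'.

    A bare name yields (None, name).
    """
    account = account.strip()
    if "\\" in account:
        domain, user = account.split("\\", 1)
        return domain, user
    if "@" in account:
        user, domain = account.rsplit("@", 1)
        return domain, user
    return None, account


# RFC 4515 escapes for the characters that carry meaning inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a value before placing it inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_filter(account):
    """Filter for the user object behind the Account field.

    The UPN form matches userPrincipalName; DOMAIN\\user and a bare name
    match sAMAccountName. Both values are escaped, so an input such as
    '*)(objectClass=*' stays a literal string rather than widening the search.
    """
    domain, user = split_account(account)
    if domain and "." in domain:
        upn = f"{user}@{domain}"
        return f"(&(objectClass=user)(userPrincipalName={ldap_escape(upn)}))"
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(user)}))"


if __name__ == "__main__":
    for entered in ("MYDOMAIN\\jdoe", "jdoe@mydomain.com", "*)(objectClass=*"):
        print(entered, "->", account_filter(entered))
```

The domain portion of a DOMAIN\username entry is not used in the filter here; it is the NetBIOS name of the domain, which in a single-domain setup is already fixed by PRIMARY_DOMAIN, whereas the UPN suffix is part of the attribute value and so is kept.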