Active Directory Authentication

info

Active Directory authentication is available only for Dr.Web Servers that run on Windows and are members of the target domain.

Authentication via Active Directory requires that the users and user groups with access to Dr.Web Servers be configured directly in the Active Directory snap-in. Initial configuration must be done using the additional drweb-modify-ad-schema-<package_version>-<build>-<OS_version>.exe and drweb-aduac-<package_version>-<build>-<OS_version>.msi packages available in the Dr.Web Server repository under Dr.Web enterprise products.

warning

Before enabling Active Directory authentication for any account, make sure that this account is not a member of the Protected Users group. Since Dr.Web Server is a service, an attempt to authenticate an account that is added to the Protected Users group will fail. Please visit the Microsoft official website for details on the Protected Users group.

To enable Active Directory authentication

1. Select Administration in the main menu of the Control Center, then select Authentication in the control menu → Microsoft Active Directory.

2. Set the Use Microsoft Active Directory authentication flag.

3. If necessary, set the Allow only HTTPS connections flag to forbid connecting to Dr.Web Server using Active Directory authentication over an insecure HTTP connection.

4. Click Save.

5. Restart Dr.Web Server to apply changes.

When authenticating administrators from Active Directory, only the permission to use this authentication method and the secure connection option are configured in the Control Center.

The properties of Active Directory administrators are edited manually on the Active Directory server.

To edit Active Directory administrators

warning

The following operations must be performed on a computer where the Active Directory Service snap-in is available.

1. To be able to edit administrator parameters, perform the following operations:

a) To modify the Active Directory schema, run the drweb-modify-ad-schema-<package_version>-<build>-<OS_version>.exe package (included in the Dr.Web Server distribution kit).

Modifying the Active Directory schema may take some time. Depending on your domain configuration, it may take up to 5 minutes or more to synchronize and apply the modified schema.

info

If the Active Directory schema was modified earlier using the utility that comes with Dr.Web Server version 6, there is no need to perform the modification again using the utility that comes with Dr.Web Server version 13.

b) To register the Active Directory Schema snap-in, run the regsvr32 schmmgmt.dll command as an administrator, then run mmc and add the Active Directory Schema snap-in.

c) Using the Active Directory Schema snap-in, add the auxiliary DrWebEnterpriseUser class and the additional DrWebAdmin attribute to the User and (if necessary) Group classes.

info

If the schema modification and application process is not finished, the DrWebEnterpriseUser class may not be found. In this case, wait a few minutes and try adding the class again as described in step c).

d) Run the drweb-aduac-<package_version>-<build>-<OS_version>.msi file (included in the Dr.Web Enterprise Security Suite 13.0 distribution kit) as an administrator and wait for the installation to complete.

2. To edit the attributes using the graphical interface, navigate to the Active Directory Users and Computers control panel → the Users section → the Administrator Properties window for editing settings of the selected user → the Dr.Web Authentication tab.

3. The following parameter is available for editing (the attribute value can be yes, no, or not set):

User is administrator indicates that the user has full administrator privileges.

info

The operating principle and the attribute-parsing algorithm used during authentication are described in the Appendices document, section B1. Active Directory Authentication.

To continue working with the Active Directory account, log in to the Dr.Web Server Control Center using the credentials of an Active Directory user for whom the corresponding Dr.Web Authentication attribute has been set. After that, the user account will appear in the Newbies group in the Administration → Administrators section.
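The check required by the Protected Users warning, together with a read of the DrWebAdmin attribute, can be scripted before the first login. This is an added example, not part of the Dr.Web documentation or tooling; it assumes the RSAT ActiveDirectory PowerShell module is installed, that the attribute's LDAP display name is DrWebAdmin as written on this page, and it uses constructed account names.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Dr.Web code. Assumption: the attribute's LDAP display name
# is "DrWebAdmin", as it is named on this page.

function Test-DrWebAdCandidate {
    [CmdletBinding()]
    param(
        # sAMAccountNames of the accounts that will log in to the Control Center
        [Parameter(Mandatory)]
        [string[]] $SamAccountName
    )

    # Protected Users has the well-known RID 525; resolving it by SID works
    # regardless of the group's display name.
    $groupSid = '{0}-525' -f (Get-ADDomain).DomainSID.Value
    # -Recursive also returns members that arrive through nested groups.
    $protected = @(Get-ADGroupMember -Identity $groupSid -Recursive |
        ForEach-Object { $_.SID.Value })

    foreach ($name in $SamAccountName) {
        try {
            $user = Get-ADUser -Identity $name -Properties DrWebAdmin -ErrorAction Stop
        } catch {
            # Unknown account, or the schema has not been extended yet
            [pscustomobject]@{ Account = $name; InProtectedUsers = $null
                               DrWebAdmin = $null; Note = $_.Exception.Message }
            continue
        }
        $blocked = $protected -contains $user.SID.Value
        [pscustomobject]@{
            Account          = $user.SamAccountName
            InProtectedUsers = $blocked
            DrWebAdmin       = if ($null -eq $user.DrWebAdmin) { 'not set' } else { $user.DrWebAdmin }
            Note             = if ($blocked) { 'AD authentication to Dr.Web Server will fail' } else { 'OK' }
        }
    }
}

# Constructed sample account names
Test-DrWebAdCandidate -SamAccountName 'drweb.admin1', 'drweb.admin2' | Format-Table -AutoSize
```

Run it on a computer where the Active Directory tools are available; an error in the Note column for every account usually means the schema modification has not finished replicating.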