Active Directory authentication setting

Setting flow

When you use Active Directory of Windows Server for user management, you can restrict users of this machine by authentication using Active Directory.

Employing the user authentication enables security- and cost-conscious advanced operations such as restricting users from accessing this machine, restricting users from using the functions by user, and managing the usage status of this machine.

When employing the Active Directory authentication, follow the below procedure to configure the settings.

1. Configuring network settings of this machine (Here)

2. Specifying the date and time of this machine (Here)

3. Configuring basic settings for Active Directory authentication (Here)

4. Configuring settings to suit your environment

   • Using the single sign-on (Here)

   • Reinforcing authentication processing when using Active Directory (Here)

Configuring basic settings for the Active Directory authentication

Register your authentication server on this machine. In addition, change the authentication method of this machine so that authentication is performed using the registered authentication server.

1. Select [User Auth/Account Track] - [External Server Settings] - [External Server Settings] - [Edit] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine).

2. Click [Edit] of [1st Server], and configure the following settings.

   Setting	Description
   [External Server Name]	Enter the name of the authentication server (using up to 32 characters).
   [External Server Type]	Select [Active Directory].
   [Active Directory]	Register server information when Active Directory is used as the authentication server. [Default Domain Name]: Enter the default domain name of your authentication server (using up to 64 characters). [Timeout]: Change the timeout interval for communication with Active Directory, if required (default: [60] sec.).

3. Click [Edit] of [2nd Server] as needed, and configure the following settings.

   Setting	Description
   [2nd Server Setting]	When using the secondary server, set this option to ON (default: OFF).
   [Round Robin function]	When using the round-robin function, set this option to ON (default: OFF). If you select round-robin function, you can alternately connect the primary and secondary servers to distribute the server load.
   [Reconnection Settings]	Configure a setting to connect to the secondary server when the machine cannot be connected to the primary server (default: [Set Reconnect Interval]). When the round-robin function is enabled, this setting can also be used to connect to the primary server when the machine cannot be connected to the secondary server. [Reconnect for every login]: Connects to the primary server each time authentication is carried out on this machine. If the primary server is shutting down, this machine is connected to the secondary server. [Set Reconnect Interval]: Connects to the secondary server when the primary server is shutting down at the time the machine is being authenticated. After this, this machine is connected to the secondary server when machine authentication is occurring until the time specified in [Reconnection Time] lapses. After the time specified in [Reconnection Time] has lapsed, this machine is reconnected to the primary server when machine authentication is occurring.
   [External Server Type]	Select the type of the authentication server and set required information. For details, refer to the registration contents of the primary server.

4. Select [User Auth/Account Track] - [Authentication Type] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and configure the following settings.

   Setting	Description
   [User Authentication]	When performing authentication using an external authentication server, select [ON (External Server)] or [ON (MFP + External Server)]. If you want to configure setting so that you can log in to this machine using its authentication function in consideration of an occurrence of some sort of problem on the external authentication server, select [ON (MFP + External Server)].
   [Default Authentication Method]	If [User Authentication] is set to [ON (MFP + External Server)], select the preferential authentication method (default: [ON (External Server)]).
   [Ticket Hold Time Setting (Active Directory)]	Change the retention time for a Kerberos authentication ticket if Active Directory is used as an authentication server (default: [5] min.).
   [When Number of Jobs Reach Maximum]	Sets the maximum number of sheets that each user can print. Here, select an operation if the number of sheets exceeds the maximum number of sheets that can be printed (default: [Skip Job]). [Skip Job]: Stops the job currently running, and starts printing the next job. [Stop Job]: Stops all jobs. [Delete Job]: Deletes the active job.
   [External Authentication server setting]	Set server authentication operations. [Temporarily Save Authentication Information]: To temporarily save authentication information in the main unit against a case where an external authentication server shuts down, set this option to ON (default: OFF). [Reconnection Settings]: Specify the timing to reconnect to the authentication server (default: [Set Reconnect Interval]). [Reconnect for every login]: Connects to the authentication server at the time authentication is carried out on this machine. If the authentication server is in the shutdown state at the time authentication is carried out on this machine, first confirm that the authentication server is down, and use the temporarily saved authentication information to log in to this machine. [Set Reconnect Interval]: Connect to the authentication server at the time specified in [Reconnection Time], and check the status of the authentication server. If the authentication server is in the shutdown state, use the authentication information temporarily saved in the main unit to log in. [Expiration Date Settings]: When specifying the validity period to the temporarily saved authentication information, set this option to ON (default: OFF). Also, enter the expiration date. [Overwrite User Info]: When the external server authentication is used, authenticated user information is also managed on this machine. If the number of users who have executed the external server authentication reaches the maximum number of users this machine can manage, authentication of any new users will not be permitted. Select whether to allow the user to overwrite registered user information for that case (default: [Restrict]). If you select [Allow], the oldest authenticated user information is erased and the new user is registered.

Using the single sign-on

When user authentication by Active Directory is enabled, single sign-on can be set on this machine.

1. Select [Network] - [Single Sign-On Setting] - [Domain Login Setting] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and configure the following settings.

   Setting	Description
   [Permission Setting]	When using Single Sign-On, set this option to ON (default: OFF).
   [Host Name]	Enter the host name of this machine (using up to 253 characters). Enter the host name you specified in [TCP/IP Setting1] - [DNS Host].
   [Domain Name]	Enter the domain name of Active Directory (using up to 64 characters).
   [Account Name]	Enter the administrator's account name of the Active Directory domain (using up to 64 characters).
   [Password]	Enter the administrator's password of the Active Directory domain (using up to 64 characters).
   [Timeout]	Change the time-out time of domain joining processing if necessary (default: [30] sec.).

2. After entering required information in step 1, click [OK].

   The domain joining processing is executed.

3. Select [Network] - [Single Sign-On Setting] - [Auto Log Out Time] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and configure the following settings.

   Setting	Description
   [Auto Log Out Time]	When the user uses services of this machine in the Active Directory domain, change the time to hold the user's authentication information on this machine (default: [1 hour]). Since the user can reuse authentication information while it is held on this machine, they can use the services of this machine without performing authentication again.

Reinforcing authentication processing when using Active Directory

Specify whether to verify authentication information (ticket) obtained from Active Directory on this machine when logging in to this machine while Active Directory is used as the authentication server.

1. Select [User Auth/Account Track] - [Self-Verification Setting in AD Authentication] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and configure the following settings.

   Setting	Description
   [Self-Verification Setting in AD Authentication]	When verifying authentication information (ticket) obtained from Active Directory on this machine, set this option to ON (default: OFF).
   [Host Name]	Enter the host name of this machine (using up to 253 characters).
   [Domain Name]	Enter the domain name of Active Directory (using up to 64 characters).
   [Account Name]	Enter the administrator's account name of the Active Directory domain (using up to 64 characters).
   [Password]	Enter the administrator's password of the Active Directory domain (using up to 64 characters).
   [Timeout]	Change the time-out time of domain joining processing if necessary (default: [30] sec.).

2. Click [OK].

   The domain joining processing is executed.