
Employing the Active Directory authentication

Overview

If you use Active Directory on Windows Server for user management, you can restrict who can use this machine by authenticating users against Active Directory.

Employing user authentication enables security- and cost-conscious operation, such as restricting who can access this machine, restricting which functions each user can use, and tracking how the machine is used.

To employ Active Directory authentication, configure the settings in the following order.

  1. Configure the network settings, such as the IP address of this machine

    • For details on configuring the setting, refer to Here.

  2. Set the date and time for the machine

    • The date and time of this machine must match those of Active Directory; Kerberos authentication fails when the clocks are out of step. For details on how to set the date and time of this machine, refer to Here.

  3. Configure basic settings for the Active Directory authentication

    • For details on configuring the setting, refer to Here.

  4. Set the following options according to your environment

    • Send original data scanned by this machine easily to the login user's own address by E-mail (Scan to Me): refer to Here.

    • Notify the login user's own address of the URL of the original data scanned by this machine by E-mail (Scan to URL): refer to Here.

    • Send original data scanned by this machine easily to the login user's Home directory (Scan to Home): refer to Here.

    • Use the single sign-on: refer to Here.

    • Construct a single sign-on environment for the SMB transmission: refer to Here.

    • Reinforce authentication processing when using Active Directory: refer to Here.

    • Securely execute a print job using the Web service in Windows 8.1/10: refer to Here.

    • Restrict available functions by user: refer to Here.

    • Restrict the access to destinations by user: refer to Here.

    • Change function keys displayed in the Touch Panel by user: refer to Here.

    • Specify the operations of the ID & Print function: refer to Here.

    • Specify the operations of this machine when you log out: refer to Here.

    • Restrict print jobs without authentication information: refer to Here.

    • Print data from the printer driver without using the password: refer to Here.

Configuring basic settings for the Active Directory authentication

Register your authentication server on this machine, then change the authentication method of this machine so that authentication is performed against the registered server.

  1. In the administrator mode, select [User Auth/Account Track] - [External Server Settings] - [External Server Settings] - [Edit].

  2. Click [Edit] in [1st Server], then configure the following settings.

    Settings

    Description

    [External Server Name]

    Enter the name of your Active Directory (using up to 32 characters).

    Assign an easy-to-understand name to the Active Directory to be registered.

    [External Server Type]

    Select [Active Directory].

    [Default Domain Name]

    Enter the default domain name of your Active Directory (using up to 64 characters).

    [Timeout]

    If necessary, change the timeout that limits how long the machine waits for a response from Active Directory.

    [60] sec. is specified by default.

  3. Click [Edit] in [2nd Server] as needed, then configure the following settings.

    Settings

    Description

    [2nd Server Setting]

    Select whether to use the secondary server.

    If you register two servers, the machine can switch to the other server for authentication when one server is down.

    [OFF] is specified by default.

    [Round Robin function]

    Select whether to alternately connect to the primary and secondary servers.

    If you select [Enable], the machine connects alternately to the primary and secondary servers to distribute the server load.

    [Disable] is specified by default.

    [Reconnection Settings]

    Configure how the machine connects to the secondary server when it cannot connect to the primary server. When the round-robin function is enabled, this setting also applies to connecting to the primary server when the machine cannot connect to the secondary server.

    • [Reconnect for every login]: The machine tries the primary server each time authentication is carried out. If the primary server is down, the machine connects to the secondary server.

    • [Set Reconnect Interval]: If the primary server is down when authentication is carried out, the machine connects to the secondary server. Subsequent authentications go to the secondary server until the time specified in [Reconnection Time] has elapsed; after that, the machine tries the primary server again at the next authentication.

    [Set Reconnect Interval] is specified by default.

    [External Server Type]

    Select the type of the authentication server and set required information.

    For details on settings, refer to step 2.

  4. In the administrator mode, select [User Auth/Account Track] - [General Settings], then configure the following settings.

    Settings

    Description

    [User Authentication]

    When performing authentication using an external authentication server, select [ON (External Server)] or [ON (MFP + External Server)].

    To allow users to log in with the machine's own authentication function if a problem occurs on the external authentication server, select [ON (MFP + External Server)].

    [Overwrite User Info]

    When external server authentication is used, the authenticated user information is also managed on this machine. Once the number of users who have authenticated against the external server reaches the maximum number of users this machine can manage, no new user can authenticate. Select whether the machine may overwrite registered user information in that case.

    If you select [Allow], the oldest authenticated user information is erased and the new user is registered.

    [Restrict] is specified by default.

    [Default Authentication Method]

    If you have selected [ON (MFP + External Server)] at [User Authentication], select the authentication method you use normally.

    [ON (External Server)] is specified by default.

    [Ticket Hold Time Setting (Active Directory)]

    If necessary, change the time for which the Kerberos authentication ticket is held on this machine.

    [5] min. is specified by default.

    [When Number of Jobs Reach Maximum]

    Each user can be assigned a maximum number of sheets that they are allowed to print. Here, select the operation to perform when a job would exceed that maximum.

    • [Skip Job]: Stops the job currently running and starts printing the next job.

    • [Stop Job]: Stops all jobs.

    • [Delete Job]: Deletes the active job.

    [Skip Job] is specified by default.

    [Temporarily Save Authentication Information]

    Select [Enable] to temporarily save authentication information in the main unit so that users can still log in if the external authentication server is down.

    [Disable] is specified by default.

    [Reconnection Settings]

    If necessary, change when the machine reconnects to the authentication server.

    • [Reconnect for every login]: The machine contacts the authentication server each time authentication is carried out. If the authentication server is down at that time, the machine first confirms that the server is unreachable, then uses the temporarily saved authentication information to log the user in.

    • [Set Reconnect Interval]: The machine contacts the authentication server at the interval specified in [Reconnection Time] to check its status. If the authentication server is down, the machine uses the authentication information temporarily saved in the main unit to log the user in.

    [Set Reconnect Interval] is specified by default.

    [Expiration Date Settings]

    Select [Enable] to set an expiration date on the temporarily saved authentication information. If [Enable] is selected, enter the expiration date.

    [Disable] is specified by default.

  • To check the status of the connection of the primary authentication server and the secondary authentication server, select [User Auth/Account Track] - [Authentication Server Connection status] - [External Server Authentication] in the administrator mode. If [Connection Enabled] is displayed, you can connect to both the primary and secondary authentication servers.

Sending to Your Computer (Scan to Home)

Scan to Home is a function that easily sends the original data scanned on this machine to a shared folder on a server or on your computer.

To use the Scan to Home function, the following settings are required.

  • Register the user's Home directory in Active Directory as part of the user's account information (if the server is specified by host name, enter the host name in uppercase letters).

  • Enable the Scan to Home function of this machine.

In the administrator mode, select [User Auth/Account Track] - [Scan to Home Settings], and then set [Scan to Home Settings] to [Enable] (Default: [Disable]).

  • For details on how to use the Scan to Home function, refer to Here.
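The following is an added example, not part of this manual, for checking the Active Directory side of the Scan to Home prerequisites from an administrator workstation with the ActiveDirectory RSAT module installed. The user names in the final call are placeholders; the checks follow the requirements stated above (a Home directory registered on the user, server host name in uppercase letters) and also report an empty mail attribute because Scan to Me and Scan to URL send to the login user's own address.

```powershell
# Added example (not the manufacturer's code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-ScanToHomePrerequisite {
    param([Parameter(Mandatory)][string[]]$Identity)

    foreach ($id in $Identity) {
        $user   = Get-ADUser -Identity $id -Properties homeDirectory, mail
        $home   = $user.homeDirectory
        $issues = @()

        if ([string]::IsNullOrWhiteSpace($home)) {
            $issues += 'homeDirectory attribute is not set'
        }
        elseif ($home -match '^\\\\([^\\]+)\\.+') {
            # The manual requires the host name to be entered in uppercase letters.
            $server = $Matches[1]
            if ($server -cne $server.ToUpperInvariant()) {
                $issues += "server name '$server' is not uppercase"
            }
        }
        else {
            $issues += "homeDirectory '$home' is not a UNC path (\\SERVER\share\...)"
        }

        if ([string]::IsNullOrWhiteSpace($user.mail)) {
            $issues += 'mail attribute is empty (needed for Scan to Me / Scan to URL)'
        }

        [pscustomobject]@{
            User          = $user.SamAccountName
            HomeDirectory = $home
            Ready         = ($issues.Count -eq 0)
            Issues        = ($issues -join '; ')
        }
    }
}

# Placeholder account names; replace with the users who will use Scan to Home.
Test-ScanToHomePrerequisite -Identity 'jdoe', 'asmith' | Format-Table -AutoSize
```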

Using the single sign-on

This machine supports the single sign-on of Active Directory.

If this machine joins the Active Directory domain, a user authenticated by Active Directory can use the functions of this machine transparently. For example, once you have logged in to your computer, you can print from this machine without entering authentication information in the printer driver.

  1. In the administrator mode, select [Network] - [Single Sign-On Setting] - [Domain Login Setting], then register the domain this machine joins.

    Settings

    Description

    [Permission Setting]

    Select [ON] to use the single sign-on function.

    [OFF] is specified by default.

    [Host Name]

    Enter the host name of this machine (using up to 253 characters; the only symbols allowed are - and .).

    To set the host name, select [Network] - [TCP/IP Setting] - [TCP/IP Setting] - [DNS Host Name] in the administrator mode.

    [Domain Name]

    Enter the domain name of Active Directory (using up to 64 characters).

    [Account Name]

    Enter the name of an account that has the privilege to join this machine to the Active Directory domain (using up to 64 characters).

    [Password]

    Enter the password of the account you entered in [Account Name] (using up to 64 characters, excluding the double quotation mark ").

    [Timeout]

    If necessary, change the timeout for the domain join process.

    [30] sec. is specified by default.

  2. After entering required information in Step 1, click [OK].

    The domain join process runs.

  3. In the administrator mode, select [Network] - [Single Sign-On Setting] - [Auto Log Out Time], then change the time to hold authentication information on this machine.

    • While the authentication information is held on this machine, the user can reuse it and use the services of this machine without authenticating again.

    • [1 hour] is specified by default.

  • In the administrator mode, select [Network] - [Single Sign-On Setting] - [Applications and Settings] to view the list of this machine's services that participate in the Active Directory domain.
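The following is an added example, not part of this manual, for confirming from the Active Directory side that the domain join in step 2 succeeded and that the machine can be found under the [Host Name] and [Domain Name] entered in step 1. It runs on a domain-joined administrator workstation with the ActiveDirectory RSAT and DnsClient modules; the host and domain names in the final call are placeholders.

```powershell
# Added example (not the manufacturer's code). Requires ActiveDirectory (RSAT) and DnsClient.
Import-Module ActiveDirectory

function Test-MfpDomainJoin {
    param(
        [Parameter(Mandatory)][string]$HostName,   # [Host Name] entered on the machine
        [Parameter(Mandatory)][string]$DomainName  # [Domain Name] entered on the machine
    )
    $expectedFqdn = "$HostName.$DomainName"

    # The computer object the join should have created (or reused).
    $computer = Get-ADComputer -Filter "Name -eq '$HostName'" `
        -Properties DNSHostName, Enabled, whenCreated, servicePrincipalName
    if (-not $computer) {
        return [pscustomobject]@{
            HostName = $HostName; Joined = $false; Note = 'no computer object found in AD'
        }
    }

    # Kerberos single sign-on needs the machine's name to resolve in DNS.
    $dns = Resolve-DnsName -Name $expectedFqdn -Type A -ErrorAction SilentlyContinue
    $addresses = @($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    [pscustomobject]@{
        HostName     = $HostName
        Joined       = $true
        Enabled      = $computer.Enabled
        DnsHostName  = $computer.DNSHostName
        FqdnMatches  = ($computer.DNSHostName -ieq $expectedFqdn)
        Created      = $computer.whenCreated
        Spns         = ($computer.servicePrincipalName -join ', ')
        ResolvesTo   = ($addresses -join ', ')
        Note         = if ($addresses.Count -eq 0) { 'no A record for the FQDN' } else { '' }
    }
}

# Placeholder names; use the values entered in [Domain Login Setting].
Test-MfpDomainJoin -HostName 'MFP-LOBBY-01' -DomainName 'corp.example.com' | Format-List
```

A disabled computer object, an FQDN that does not match, or a missing A record each explain a single sign-on that silently falls back to manual login.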

Reinforcing authentication processing when using Active Directory

When this machine has joined the Active Directory domain, it can verify the authentication information (ticket) obtained from Active Directory itself. This allows the machine to take part in a secured site through Active Directory.

  1. In the administrator mode, select [User Auth/Account Track] - [Self-Verification Setting in AD Authentication] to configure the following settings.

    Settings

    Description

    [Self-Verification Setting in AD Authentication]

    Select [ON] to reinforce authentication processing when using Active Directory.

    [OFF] is specified by default.

    [Domain Setting]

    Specify the Active Directory domain this machine joins.

    [Host Name]

    Enter the host name of this machine (using up to 253 characters; the only symbols allowed are - and .).

    To set the host name, select [Network] - [TCP/IP Setting] - [TCP/IP Setting] - [DNS Host Name] in the administrator mode.

    [Domain Name]

    Enter the domain name of Active Directory (using up to 64 characters).

    [Account Name]

    Enter the name of an account that has the privilege to join this machine to the Active Directory domain (using up to 64 characters).

    [Password]

    Enter the password of the account you entered in [Account Name] (using up to 64 characters, excluding the double quotation mark ").

    [Timeout]

    If necessary, change the timeout for the domain join process.

    [30] sec. is specified by default.

  2. Click [OK].

    The domain join process runs.

  • If you change [Host Name] or [Domain Name] and click [OK] while Active Directory's single sign-on is enabled on this machine, [Network] - [Single Sign-On Setting] - [Domain Login Setting] - [Permission Setting] in the administrator mode is changed to [OFF].