15.3  Local user database: external authentication and import of accounts

Users in the local database can be authenticated either at the Active Directory domain or at the Windows NT domain (see chapter 15.2  Local user accounts, step one). To enable these authentication methods, the corresponding domains must be set in the Local User Database section on the Authentication Options tab.

Figure 15.9. Setting domains for authentication of local accounts


Active Directory

Use the Enable Active Directory authentication option to enable or disable authentication of users in the local database at the selected Active Directory domain.

The following conditions must be met to enable smooth functionality of user authentication through Active Directory:

  1. The WinRoute host must be a member of this domain.

  2. The Active Directory domain controller (server) must be set as the primary DNS server.

Note: Users can also be authenticated in any domain that is set as trusted for the particular domain.
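
The two conditions above can be checked on the WinRoute host before the option is enabled. The following script is an added example, not part of the WinRoute documentation; it assumes Windows PowerShell, and the domain name example.local is a placeholder to be replaced with the real domain.

```powershell
# Added example: verifies the two prerequisites for Active Directory
# authentication on the WinRoute host. 'example.local' is a placeholder.
param([string]$ExpectedDomain = 'example.local')

Add-Type -AssemblyName System.DirectoryServices
$result = @{ DomainMember = $false; PrimaryDnsIsDc = $false }

# Condition 1: the host must be a member of the domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain -and $cs.Domain -ieq $ExpectedDomain) {
    $result.DomainMember = $true
} else {
    Write-Warning "Host is not a member of $ExpectedDomain (current: $($cs.Domain))"
}

# Collect the IP addresses of the domain controllers of the host's own domain.
$dcAddresses = @()
if ($result.DomainMember) {
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dcAddresses = @($domain.DomainControllers | ForEach-Object { $_.IPAddress })
    } catch {
        Write-Warning "Could not enumerate domain controllers: $($_.Exception.Message)"
    }
}

# Condition 2: a domain controller must be the primary (first) DNS server.
# A firewall host has several adapters; each one with DNS servers is reported.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.DNSServerSearchOrder }
foreach ($a in $adapters) {
    $primary = $a.DNSServerSearchOrder[0]
    if ($dcAddresses -contains $primary) {
        $result.PrimaryDnsIsDc = $true
    } else {
        Write-Warning "$($a.Description): primary DNS $primary is not a known domain controller"
    }
}

# Both values must be True for the conditions listed above to hold.
$result
```

A warning for the Internet-facing adapter is expected when it uses the provider's DNS servers; the adapter connected to the domain network is the one to review.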

NT domain

Use the Enable NT domain authentication option to enable NTLM authentication for the domain selected.

Warning

  1. The host where WinRoute is installed must belong to this domain.

  2. Authentication through a corresponding NT domain must be allowed to enable NTLM authentication through web browsers (refer to chapter 10.1  Firewall User Authentication). For the Active Directory domain (Windows 2000/2003/2008) it is necessary to set authentication both through Active Directory and NT domain.

Automatic import of user accounts from Active Directory

If Active Directory is used, user accounts can be imported automatically. Specific WinRoute parameters (such as access rights, content rules, data transfer quotas, etc.) can be set by using the template for the local user database (see chapter 15.1  Viewing and definitions of user accounts) and/or defined individually for special accounts. A corresponding user account will be imported upon the first login of the user to WinRoute.

Note: This type of user account import is intended, above all, to keep compatibility with older versions of WinRoute. It is much easier, and recommended, to use transparent support for Active Directory (domain mapping; refer to chapter 15.4  User accounts in Active Directory — domain mapping).

User accounts will be imported from the domain specified in the Active Directory domain name entry. Click Configure automatic import to set parameters for this function.

Figure 15.10. Configuration of automatic import of user accounts from Active Directory


To import accounts, WinRoute must know the domain server of the corresponding Active Directory domain. WinRoute can either detect it automatically or always connect to a specified server. Automatic connection to the first available server increases reliability of the connection and eliminates problems when a domain controller fails. The other option (specification of a controller) is recommended for domains with one server only, where it speeds the process up.

It is also necessary to enter login data of a user with read rights for the Active Directory database (any user account belonging to the corresponding domain).

Note: It is not possible to combine the automatic import with Active Directory domain mapping (see chapter 15.4  User accounts in Active Directory — domain mapping) as the local user database would collide with the mapped domain. If possible, it is recommended to use the Active Directory mapping alternative.

Manual import of user accounts

It is also possible to import special accounts to the local database from the Windows NT domain or from Active Directory. Each import of a user account creates a local account with the identical name and the same domain authentication parameters. Specific WinRoute parameters (such as access rights, content rules, data transfer quotas, etc.) can be set by using the template for the local user database (see chapter 15.1  Viewing and definitions of user accounts) and/or defined individually for special accounts. The Windows NT / Active Directory authentication type is set for all imported accounts.

Note: This method of user account import is recommended especially when a Windows NT domain is used (domain server with the Windows NT Server operating system). If an Active Directory domain is used, it is easier and recommended to use the transparent support for Active Directory (domain mapping; see chapter 15.4  User accounts in Active Directory — domain mapping).

Click Import on the User Accounts tab to start importing user accounts. In the import dialog, select the type of the domain from which accounts will be imported and, with respect to the domain type, specify the following parameters:

  • NT domain — domain name is required for import. The WinRoute host must be a member of this domain.

    Figure 15.11. Importing accounts from the Windows NT domain


  • Active Directory — for import of accounts, Active Directory domain name, DNS name or IP address of the domain server as well as login data for user database reading (any account belonging to the domain) are required.

    Figure 15.12. Import of accounts from Active Directory


When connection with the corresponding domain server is established successfully, all accounts in the selected domain are listed. When accounts are selected and the selection is confirmed, the accounts are imported to the local user database.