Setting external authentication options
Use the EA (External Authentication) tab to specify the parameters necessary for BMC Remedy AR System to authenticate users with external systems.
To set external authentication parameters in the BMC Remedy AR System Administration Console
- In a browser, open the BMC Remedy AR System Administration Console, and click System > General > Server Information.
The AR System Administration: Server Information form appears.
- Click the EA tab.
AR System Administration: Server Information form — EA tab
Edit the options, as needed:
EA tab fields
Area: External Authentication Server
RPC Program Number
Enables an external authentication (AREA) server. The RPC program number for the plug-in service is 390695. Entering no value or 0 disables authentication using an AREA service, and the BMC Remedy AR System server accesses the operating system for authentication purposes.
You must have an AREA server built and prepared before you set the RPC Socket number here.
For more information about how to set up an external authentication server, see Configuring the AR System server for external authentication (AREA). For information about configuring an AREA LDAP plug-in, see Using the AREA LDAP plug-in.
Area: External Authentication Server Timeout (seconds)
RPC
Sets the time limit (in seconds) within which the plug-in server must respond to the BMC Remedy AR System server when making external authentication (AREA) calls before an error is returned. If this is set to 0, BMC Remedy AR System server uses the default of 40 seconds.
Need To Sync
Sets the interval for periodically invoking the AREA server's AREANeedToSyncCallback() call. If this option is set to 0, BMC Remedy AR System server does not invoke the call to the external authentication server. The default is 3600 seconds. For more information about the external authentication server, see Configuring a server to use plug-ins, and AR System external authentication.
Authenticate Unregistered Users
Defines how BMC Remedy AR System validates a user who has no record in the User form. When a user logs in to BMC Remedy AR System, the server tries to validate the user against registered users (users who are listed in the User form). If a match is found, that user definition and the permissions specified in the matching User record are used. If no match is found, BMC Remedy AR System continues trying to validate the user or stops the validation process depending on whether this option is selected. If the check box is
- Selected, and External Authentication is not configured — (Default on UNIX servers) On a UNIX server, BMC Remedy AR System searches the /etc/passwd file or NIS password map for a match. If a match is found, the user is considered a valid user (not a guest) of the system. The UNIX group specification from the file or NIS is retrieved, and the user is considered a member of the BMC Remedy AR System group whose Group ID matches the UNIX group. On a Windows server, BMC Remedy AR System authenticates to the default domain. The optional authentication string that the user enters when logging in is used as the Windows domain name for authentication purposes. On Windows servers, the user is considered a member of the group whose Group ID is 0.
- Selected, and External Authentication is configured — BMC Remedy AR System sends a request to the external authentication server to authenticate the user. If a match is found, the user is considered a valid user (not a guest user) of the system. See Configuring a server to use plug-ins. The authentication string entered by the user when logging in is passed to the external authenticator for its use.
- Cleared — (Default on Windows servers) BMC Remedy AR System stops the validation process and manages the user as a guest user if Allow Guest Users is enabled.
For information about configuring external authentication, see To set server ports and queues.
Cross Ref Blank Password
Defines how BMC Remedy AR System authenticates a user whose User form record has no password. When a user logs in, BMC Remedy AR System searches its own database for that user. If the user has a password, the system uses it. If the Password field is empty and this option is
- Selected — BMC Remedy AR System tries to validate the password against one of the following items:
- An external authenticator if one is configured
- The password in the Windows server domain
- The UNIX server's /etc/passwd file
- Cleared — (Default) BMC Remedy AR System concludes that an empty password field means that the user has no password.
In the Login window, users see an Authentication field. If your AR System server is running on Windows, the contents of this field are used as a domain name when the server authenticates the user with the operating system. If the server is instead configured to use an external authenticator, the contents of this field are passed to the authenticator. See Setting up an authentication alias.
If you enable the Cross-Reference Blank Password option, make sure that it does not conflict with the User Password Management feature. If you enforce a password policy, BMC Remedy AR System periodically forces users to set a password that cannot be blank. If a user's password is authenticated outside of BMC Remedy AR System and that user sets a non-blank password, BMC Remedy AR System then performs the authentication itself. This is not an issue if a password policy is not enforced. If a policy is enforced, you must disable the policy for users whose passwords should be blank.
For information about enforcing password policies, see Enforcing a password policy introduction. To disable the policy for users whose passwords should be blank, see Disabling password management for individual users.
Authentication Chaining Mode
Specifies the order in which BMC Remedy AR System tries to authenticate users when they log on:
Default — Disables authentication chaining.
ARS - AREA — 1) the User form; 2) the AREA plug-in.
AREA - ARS — 1) the AREA plug-in; 2) the User form.
ARS - OS - AREA — 1) the User form; 2) Windows or UNIX authentication; 3) the AREA plug-in.
ARS - AREA - OS — 1) the User form; 2) the AREA plug-in; 3) Windows or UNIX authentication.
Area: Group Mapping
LDAP Area name
The name of the LDAP group to map to the BMC Remedy AR System group in the same row of the Group Mapping table.
AR Group Name
The name of the BMC Remedy AR System group to map to the LDAP group in the same row of the Group Mapping table.
Ignore Excess Groups
Enables BMC Remedy AR System to authenticate a user when any single LDAP group to which the user belongs matches a BMC Remedy AR System group.
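The Authenticate Unregistered Users, Cross Ref Blank Password and Authentication Chaining Mode rules above combine into a small decision table that is useful when reviewing a server's login surface. The following Python model is an added example, not BMC code; the settings dictionary, the function names and the "Password Policy Enforced" key are hypothetical, and the interaction between chaining and the two check boxes is not modelled because the page does not describe it.

```python
# Added example: simplified model of the EA tab rules described on this page.
# Field names follow the page; the dict layout, function names and the
# "Password Policy Enforced" key are hypothetical.
CHAIN_ORDER = {
    "Default": [],  # authentication chaining disabled
    "ARS - AREA": ["User form", "AREA plug-in"],
    "AREA - ARS": ["AREA plug-in", "User form"],
    "ARS - OS - AREA": ["User form", "OS", "AREA plug-in"],
    "ARS - AREA - OS": ["User form", "AREA plug-in", "OS"],
}

def area_enabled(s):
    # No value or 0 in RPC Program Number disables the AREA service.
    return bool(s.get("RPC Program Number"))

def validator(user, s):
    """Who validates a login when chaining mode is Default.
    user: 'password' (User form record with a password), 'blank'
    (record with an empty Password field) or 'unregistered'."""
    external = "AREA plug-in" if area_enabled(s) else "OS"
    if user == "password":
        return "User form"
    if user == "blank":
        return external if s.get("Cross Ref Blank Password") else "User form (no password)"
    if s.get("Authenticate Unregistered Users"):
        return external
    # Assumed: with guest access disabled the login is simply not validated.
    return "guest" if s.get("Allow Guest Users") else "not validated"

def review(s):
    """Return review notes for one server's settings."""
    notes = []
    if s.get("Authenticate Unregistered Users") and not area_enabled(s):
        notes.append("OS accounts can log in without a User form record")
    if not s.get("Cross Ref Blank Password"):
        notes.append("empty Password field means the user has no password")
    elif s.get("Password Policy Enforced"):
        notes.append("password policy conflicts with externally authenticated blank-password users")
    if s.get("Authentication Chaining Mode", "Default") != "Default":
        order = CHAIN_ORDER[s["Authentication Chaining Mode"]]
        notes.append("chaining order: " + " > ".join(order))
    return notes

# Constructed sample: UNIX defaults from the page, no AREA server configured.
UNIX_DEFAULT = {"RPC Program Number": 0, "Authenticate Unregistered Users": True,
                "Cross Ref Blank Password": False, "Allow Guest Users": False}
```

Calling review(UNIX_DEFAULT) returns the two notes that apply to an out-of-the-box UNIX server: operating system accounts are accepted as AR System users, and any User form record with an empty Password field is treated as having no password.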