Configuring the AR System server for external authentication
After you install an AREA plug-in, you can set up the AR System server to use external authentication. Users can be authenticated externally in the following ways:
- To the operating system (UNIX only) — The AR System server authenticates to the operating system. The authentication string has no effect when authenticating to a UNIX operating system.
- To the server domain (Windows) — The AR System server authenticates to the Windows server domain. If a value is entered in the Authentication String field, that value is used as the domain name to which the AR System server authenticates.
- To the AREA service — If you have configured external authentication to an AREA service, the user name, password, and authentication values entered are provided to the AREA service.
Before configuring external authentication for an AREA service, you must configure your server to use plug-ins (see Configuring a server to use plug-ins). You must also start the plug-in server (see AR System server components and external utilities).
After the service is started, set up the server for external authentication as described in the following procedure.
To configure the AR System server for external authentication
- In a browser, open the AR System Administration Console, and click System > General > Server Information.
- In the AR System Administration: Server Information form, click the EA tab.
- To enable authentication using an AREA service, set the External Authentication Server RPC Program Number to 390695.
Entering 390695 enables authentication using an AREA service. Entering no value or 0 disables authentication using an AREA service.
If you enter 0, the AR System server makes no attempt to communicate with the AREA server.
- Set the RPC and SYNC time-outs for External Authentication.
External Authentication Timeout (seconds) is the amount of time within which the AREA server must respond to a call from the Plug-in server before an error is returned. The options are:
- RPC — Used when making calls to the AREA server. If set to 0, the AR System server does not invoke the call to the external authentication server. The default is 40 seconds.
- Need To Sync — The interval for periodically invoking the AREA server's AREANeedToSyncCallback() call. If set to 0, the AR System server does not invoke the call to the external authentication server. The default is 300 seconds.
- Select one or both of the following settings:
- Authenticate Unregistered Users — Specifies that all users in the User form can log on and be authenticated internally; users not in the form are authenticated externally. If this option is cleared, AR System stops the validation process and manages the user as a guest user.
- Cross Ref Blank Password — Specifies that all users in the User form can log on and be authenticated externally if the Password field in the form is left blank for that user. If Cross Ref Blank Password is cleared, a blank Password field in the User form is treated as no password for that user, and that user is allowed to log on.
- Optionally, specify an authentication chaining mode.
Authentication chaining modes
- Specify Group Mapping options:
- Ignore Excess Groups — Specifies that authentication requires that, for a given user, at least one LDAP group must match a BMC Remedy AR System group. Non-matching groups are ignored. If this option is cleared, authentication occurs only when each LDAP group matches a BMC Remedy AR System group.
- Group Mapping — Specifies mappings between LDAP groups and BMC Remedy AR System groups. This eliminates the need for one-to-one matches between LDAP and BMC Remedy AR System groups. If you do not map groups, each LDAP group must have an exact BMC Remedy AR System group match.
- Save your settings.
The settings you specify persist across server restarts.
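The following Python model is an added example, not BMC code. It restates the Authenticate Unregistered Users, Cross Ref Blank Password, Group Mapping and Ignore Excess Groups rules from the procedure above so that their effect on sample accounts can be checked before the settings are saved. It assumes the AREA service is enabled; all function names, field names, users and groups are hypothetical and constructed for illustration.

```python
# Added illustration: models the EA tab settings described above.
# Function and field names are hypothetical; all sample data is constructed.

def login_path(in_user_form, password_blank, auth_unregistered, cross_ref_blank):
    """Return the path a login takes under the two check-box settings."""
    if not in_user_form:
        # Authenticate Unregistered Users decides external vs. guest.
        return "external" if auth_unregistered else "guest"
    if password_blank:
        # Cross Ref Blank Password decides external vs. logon with no password.
        return "external" if cross_ref_blank else "no-password"
    return "internal"

def group_check(ldap_groups, ar_groups, mapping, ignore_excess):
    """Apply Group Mapping, then the Ignore Excess Groups rule.
    Returns (accepted, matched AR System groups)."""
    # An LDAP group without a mapping needs an exact AR System group match.
    mapped = [mapping.get(g, g) for g in ldap_groups]
    matched = [g for g in mapped if g in ar_groups]
    if ignore_excess:
        return len(matched) >= 1, matched
    # Assumption: a user with no LDAP groups at all is rejected.
    return bool(mapped) and len(matched) == len(mapped), matched

def passwordless_accounts(user_form, cross_ref_blank):
    """User form entries that can log on without a password under this setting."""
    return [u["login"] for u in user_form
            if login_path(True, u["password"] == "", False, cross_ref_blank)
            == "no-password"]

# Constructed sample data
USER_FORM = [{"login": "alice", "password": "hash1"},
             {"login": "svc_batch", "password": ""}]
AR_GROUPS = {"Administrator", "Helpdesk"}
MAPPING = {"cn=it-admins": "Administrator"}
LDAP_GROUPS = ["cn=it-admins", "cn=all-staff"]

if __name__ == "__main__":
    for cross_ref in (True, False):
        print("Cross Ref Blank Password =", cross_ref,
              "-> passwordless:", passwordless_accounts(USER_FORM, cross_ref))
    for ignore in (True, False):
        print("Ignore Excess Groups =", ignore,
              "->", group_check(LDAP_GROUPS, AR_GROUPS, MAPPING, ignore))
```

With Cross Ref Blank Password cleared, every User form entry that has a blank Password field is listed as able to log on without a password, so review those entries before saving the settings.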