Lexmark MX931 Security White Paper - Page 30


Benefits
The benefits of using Active Directory are:
• Simplify network setup and PKI enrollment
• Automatically create and configure LDAP+GSSAPI and Kerberos authentication building blocks
• Enhance fault tolerance with automatic detection of multiple domain controllers
• Get certificate chains from the domain controller by automatic download
• Support single sign-on sharing of authentication credentials

Details
With Active Directory, the joining process is greatly simplified. To join, you access the device web page through HTTPS and enter a few required settings (domain name, administrator user name and password), and the setup is complete. The required LDAP+GSSAPI and Kerberos configuration is built automatically from data supplied by the Active Directory domain controller. The enhanced Active Directory support sets up the device using computer credentials, which makes for a more secure connection because the IT administrator does not need to issue or manage device service accounts.

Because the Kerberos file is generated internally from additional information discovered about the Active Directory environment, it matches the environment more closely and is more reliable. Additional key distribution centers (KDCs) in the environment are included in the file and can be used if required. This also lets devices choose the best of the domain controllers detected in the environment.

The device automatically downloads the domain controller CA certificate chains and, if certificate monitoring is enabled, keeps them current by periodically verifying that the certificate chain is up to date.

Active Directory participation permits single sign-on. If the user is already logged in to the Active Directory environment, device web page access can use Integrated Windows Authentication to authenticate the user automatically and securely, for example by using card reader authentication for device web page access.

With the latest firmware updates the process is further simplified: you can select automatic setup of additional security services from the Active Directory joining screen.
• If LDAP address book is selected, the LDAP server address book is configured with Active Directory server data.
• If Standard Admin Groups and Security Templates is selected, a security template called admin is selected with all permissions and a security template called Active Directory is generated automatically, ready to use. You need only select Access Controls and apply the desired access restrictions for the Active Directory user.
• If CA Certificate Monitoring is selected, the CA certificates obtained from the domain controller are monitored for updates.

Some other devices also participate in Active Directory environments, but they use device credentials, not computer credentials. Those devices connect to the Active Directory server specified but do not search for the optimum server. A Kerberos file is created (not retrieved from the domain controller), and LDAP+GSSAPI authentication is defined automatically. The domain controller CA certificate chain is not downloaded automatically.
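As an added example (not from the white paper and not Lexmark's firmware code), the following Python builds the kind of multi-KDC krb5.conf realm stanza the text describes, so that a failing domain controller can be skipped. The domain name and SRV records are constructed, and within a priority tier KDCs are ordered by weight deterministically rather than chosen at random.

```python
"""Render a krb5.conf realm stanza from the domain controllers discovered for an
Active Directory domain, listing every discovered KDC for fault tolerance."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV answer (e.g. for _kerberos._tcp.dc._msdcs.<domain>)."""
    priority: int
    weight: int
    port: int
    target: str


def order_kdcs(records):
    """Lowest priority first; within a priority, higher weight first.
    Hostname is the final tiebreaker so the output is reproducible."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def render_krb5_conf(domain, records):
    """Build a complete krb5.conf with one 'kdc =' line per discovered controller."""
    realm = domain.upper()
    kdcs = order_kdcs(records)
    if not kdcs:
        # Never write a realm with no KDCs: the device would silently lose authentication.
        raise ValueError("no domain controllers discovered; refusing to write an empty realm")
    lines = ["[libdefaults]", f"    default_realm = {realm}", "    dns_lookup_kdc = true",
             "", "[realms]", f"    {realm} = {{"]
    for r in kdcs:
        lines.append(f"        kdc = {r.target.rstrip('.')}:{r.port}")
    lines.append(f"        admin_server = {kdcs[0].target.rstrip('.')}")
    lines.append("    }")
    lines += ["", "[domain_realm]", f"    .{domain} = {realm}", f"    {domain} = {realm}"]
    return "\n".join(lines) + "\n"


def count_kdcs(conf_text):
    """Count 'kdc =' entries; a value of 1 means no failover controller is configured."""
    return sum(1 for line in conf_text.splitlines() if line.strip().startswith("kdc ="))


# Constructed sample data standing in for a real SRV lookup (hypothetical domain).
SAMPLE_DOMAIN = "example.corp"
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=88, target="dc1.example.corp."),
    SrvRecord(priority=0, weight=50, port=88, target="dc2.example.corp."),
    SrvRecord(priority=10, weight=100, port=88, target="dc-branch.example.corp."),
]

if __name__ == "__main__":
    print(render_krb5_conf(SAMPLE_DOMAIN, SAMPLE_SRV))
```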
Secure Access
30