Nutanix supports user authentication. To configure authentication types and directories and enable client authentication, or to enable client authentication only, do the following:
Caution: The web console (and nCLI) does not allow the use of the insecure SSLv2 and SSLv3 protocols. To eliminate the possibility of an SSL fallback and denied access to the web console, disable (uncheck) SSLv2 and SSLv3 in any browser used for access; TLS must remain enabled (checked).
1. In the gear icon pull-down list of the main menu (see Main Menu Options), select Authentication. The Authentication Configuration window appears.
   Figure: Authentication Window
   Note: The following steps combine three distinct procedures: enabling authentication (step 2), configuring one or more directories for LDAP/S authentication (steps 3-5), and enabling client authentication (step 6). Perform the steps for the procedures you need; for example, perform step 6 only if you intend to enforce client authentication.
2. To enable server authentication, click the Authentication Types tab and then check the box for Local, Directory Service, or both. After selecting the authentication types, click the Save button. The Local setting uses the local authentication provided by Nutanix (see User Management). This method is used when a user enters just a login name without specifying a domain (for example, user1 instead of email@example.com). The Directory Service setting validates user@domain entries against the directory specified in the Directory List tab, so you must configure an authentication directory if you select Directory Service.
Figure: Authentication Window: Authentication Types
Note: The Nutanix admin user can log on to the management interfaces, including the web console, even if the Local authentication type is disabled.
3. To add an authentication directory, click the Directory List tab and then the New Directory button. A set of fields is displayed. Do the following in the indicated fields:
   - Name: Enter a directory name. This is a name you choose to identify this entry; it need not be the name of an actual directory.
   - Domain: Enter the domain name in DNS format, for example, nutanix.com.
   - Directory URL: Enter the URL of the directory. The URL format for an LDAP entry (the only type supported currently) is ldap://host:ldap_port_num, where host is either the IP address or the fully qualified domain name. The default LDAP port number is 389. Nutanix also supports LDAPS (port 636) and LDAP/S Global Catalog (ports 3268 and 3269). The following configurations are appropriate for each port option:
     Note: LDAPS support does not require custom certificates or certificate trust import.
     - Port 389 (LDAP). Use this port number (in the URL form described above) when the configuration is single domain, single forest, and not using SSL.
     - Port 636 (LDAPS). Use this port number (in the URL form described above) when the configuration is single domain, single forest, and using SSL. This requires that all Active Directory Domain Controllers have properly installed SSL certificates.
     - Port 3268 (LDAP – GC). Use this port number when the configuration is multiple domain, single forest, and not using SSL.
     - Port 3269 (LDAPS – GC). Use this port number when the configuration is multiple domain, single forest, and using SSL.
     Note: When constructing your LDAP/S URL to use a Global Catalog server, ensure that the Domain Controller IP address or name being used is a global catalog server within the domain being configured. If not, queries over 3268/3269 may fail.
   - Directory Type: Select Active Directory from the pull-down list. Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is the only option currently available.
     Note: Users with the "User must change password at next logon" attribute enabled cannot authenticate to the web console (or nCLI). Ensure that such users first log in to a domain workstation and change their password before accessing the web console. Also, if SSL is enabled on the Active Directory server, make sure that Nutanix has access to that port (open in the firewall).
   - Connection Type: Select LDAP from the pull-down list. Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services. It is the only option currently available.
   - When all the fields are correct, click the Save button (lower right). This saves the configuration and redisplays the Authentication Configuration dialog box. The configured directory now appears in the Directory List tab.
   - Repeat this step for each authentication directory you want to add.
   All users in an authenticated directory are granted full administrator permissions by default. You can refine the granted permissions by specifying roles for the users in that directory (see Assigning Role Permissions).
   Figure: Authentication Window: Directory List
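As an added pre-check for the Directory URL field (example code written for this page, not a Nutanix tool), the following Python classifies a candidate URL by its port according to the four port options above and reports the mismatches an administrator would otherwise only discover as a failed directory login. It assumes URLs follow the ldap://host:port form shown above (an ldaps:// scheme is accepted but flagged when paired with a plaintext port), and that whether the forest has multiple domains is known from the directory layout; the host names in the demo are constructed.

```python
from urllib.parse import urlsplit

# Port meanings as given in the Directory URL guidance above:
# port -> (label, uses SSL, is a Global Catalog port)
PORT_MODES = {
    389:  ("LDAP",       False, False),
    636:  ("LDAPS",      True,  False),
    3268: ("LDAP - GC",  False, True),
    3269: ("LDAPS - GC", True,  True),
}


def recommend_port(multi_domain, use_ssl):
    """Port to configure for a forest layout (single or multiple domains) and an SSL choice."""
    for port, (_, ssl, gc) in PORT_MODES.items():
        if ssl == use_ssl and gc == multi_domain:
            return port
    raise ValueError("no port matches")  # not reachable: the table covers all four cases


def classify_directory_url(url, multi_domain=False):
    """Return (mode, notes) for a Directory URL such as ldap://dc1.nutanix.com:389.

    mode is the PORT_MODES label, or None when the URL cannot be used at all.
    notes lists problems to fix, plus reminders (prefixed "reminder:") to verify
    before saving the entry.
    """
    notes = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return None, [f"unsupported scheme {parts.scheme!r}: use the ldap://host:port form"]
    host = parts.hostname
    if not host:
        return None, ["missing host: give the IP address or fully qualified domain name"]
    try:
        port = parts.port
    except ValueError:
        return None, ["port is not a number"]
    if port is None:
        port = 389  # the default LDAP port stated above
        notes.append("no port given; the default LDAP port 389 is assumed, state it explicitly")
    if port not in PORT_MODES:
        return None, notes + [f"port {port} is not one of 389, 636, 3268, 3269"]
    label, ssl, gc = PORT_MODES[port]
    if parts.scheme == "ldaps" and not ssl:
        notes.append(f"ldaps:// scheme with plaintext port {port}; "
                     f"use port {recommend_port(gc, True)} for SSL")
    if multi_domain and not gc:
        notes.append(f"port {port} serves a single domain; a multi-domain forest needs "
                     f"Global Catalog port {recommend_port(True, ssl)}")
    if gc:
        notes.append(f"reminder: {host} must be a global catalog server for the configured "
                     f"domain, or queries over port {port} may fail")
    if ssl:
        notes.append("reminder: every domain controller needs a properly installed SSL "
                     "certificate, and the port must be open from the cluster to the DC")
    return label, notes


def is_usable(url, multi_domain=False):
    """True when the URL parses and every note is only a reminder, not a problem."""
    mode, notes = classify_directory_url(url, multi_domain)
    return mode is not None and all(n.startswith("reminder:") for n in notes)


if __name__ == "__main__":
    # Constructed sample entries, one per port option plus two common mistakes.
    for url, multi in [("ldap://dc1.nutanix.com:389", False),
                       ("ldap://dc1.nutanix.com:636", False),
                       ("ldap://gc1.nutanix.com:3268", True),
                       ("ldap://gc1.nutanix.com:3269", True),
                       ("ldap://dc1.nutanix.com:389", True),
                       ("ldaps://dc1.nutanix.com:389", False)]:
        mode, notes = classify_directory_url(url, multi)
        print(f"{url:32} multi_domain={multi!s:5} -> {mode}")
        for note in notes:
            print(f"    {note}")
```

The check is intentionally offline: it tells you which of the four modes a URL selects and whether the choice contradicts the forest layout or the SSL requirement, but only a query against the domain controller can confirm that the host really answers on the Global Catalog ports.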
4. To edit a directory entry, click the Directory List tab and then click the pencil icon for that entry. After clicking the pencil icon, the Directory List fields reappear (see step 3). Enter the new information in the appropriate fields and then click the Save button.
5. To delete a directory entry, click the Directory List tab and then click the X icon for that entry. After clicking the X icon, a window prompt appears asking you to confirm the deletion; click the OK button. The entry is removed from the list.
6. To enable client authentication, do the following:
   - Click the Client tab.
   - Select the Configure Client Chain Certificate check box.
   Figure: Authentication Window: Client Tab (1)
   - Click the Choose File button, browse to and select the client chain certificate to upload, and then click the Open button to upload it.
     Note: Uploaded certificate files must be PEM encoded. The web console restarts after the upload step.
   Figure: Authentication Window: Client Tab (2)
   - To enable client authentication, click Enable Client Authentication.
   - To modify client authentication, do one of the following:
     Note: The web console restarts when you change these settings.
     - Click Enable Client Authentication again to disable client authentication.
     - Click Remove to delete the current certificate. (This also disables client authentication.)
   Figure: Authentication Window: Client Tab (3)
   Client authentication requires that the Nutanix cluster receive a valid certificate from the user. Normally, a one-way authentication process occurs in which the server provides a certificate so that the user can verify the authenticity of the server (see Installing an SSL Certificate). When client authentication is enabled, this becomes a two-way authentication in which the server also verifies the authenticity of the user. A user must present a valid certificate when accessing the console, either by installing the certificate on his or her local machine or by providing it through a smart card reader.
   Note: The CA must be the same for both the client chain certificate and the certificate on the local machine or smart card.
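The upload step requires a PEM-encoded chain, and a malformed file only shows up as a failed upload after the console restart. The following Python, added here as an example and not part of Nutanix's software, checks a candidate file offline before the upload: it accepts a PEM file with one or more CERTIFICATE blocks or a single DER certificate (converted with the standard library's ssl.DER_cert_to_PEM_cert), and rejects private-key blocks, garbage and truncated data by comparing the outer ASN.1 SEQUENCE length with the file size. The sample inputs are constructed stand-ins, not real certificates.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(der):
    """Total length the outermost ASN.1 SEQUENCE claims for itself, or None.

    A certificate is one DER SEQUENCE, so a claimed length that differs from
    the data size means the data is truncated, padded or not DER at all. This
    is a quick structural check, not a full X.509 parse.
    """
    if len(der) < 2 or der[0] != 0x30:        # 0x30 is the SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_chain_to_pem(data):
    """Return the certificates in data as a list of PEM strings.

    Accepts a PEM file holding one or more CERTIFICATE blocks, or a single DER
    certificate, which is converted with ssl.DER_cert_to_PEM_cert. Raises
    ValueError for anything else, including key blocks and truncated data.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        certs = []
        for kind, body in PEM_BLOCK.findall(data.decode("ascii")):
            if kind != "CERTIFICATE":
                raise ValueError(f"PEM block of type {kind!r} does not belong in a "
                                 "certificate chain upload")
            der = base64.b64decode("".join(body.split()), validate=True)
            if der_outer_length(der) != len(der):
                raise ValueError("PEM body does not decode to a complete DER certificate")
            certs.append(ssl.DER_cert_to_PEM_cert(der))
        if not certs:
            raise ValueError("no CERTIFICATE blocks found")
        return certs
    if der_outer_length(data) == len(data):
        return [ssl.DER_cert_to_PEM_cert(data)]
    raise ValueError("input is neither PEM nor a complete DER certificate "
                     "(convert DER with: openssl x509 -inform der -in cert.cer -out cert.pem)")


def describe_upload(data):
    """One-line verdict for a candidate upload."""
    try:
        certs = normalize_chain_to_pem(data)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: PEM chain with {len(certs)} certificate(s)"


# Constructed stand-ins (a 5-byte SEQUENCE holding INTEGER 5), not real certificates.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM_CHAIN = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode() * 2
SAMPLE_KEY_FILE = b"-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
SAMPLE_TRUNCATED = SAMPLE_DER[:-1]

if __name__ == "__main__":
    for name, blob in [("DER", SAMPLE_DER), ("PEM chain", SAMPLE_PEM_CHAIN),
                       ("key file", SAMPLE_KEY_FILE), ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:10} -> {describe_upload(blob)}")
```

This verifies only the encoding the console expects; whether the chain is complete and signed by the same CA as the certificates on users' machines or smart cards is a separate check with an X.509 tool such as openssl verify.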
7. To specify a service account that the web console uses to log in to Active Directory and authenticate Common Access Card (CAC) users, select the Configure Service Account check box, and then do the following in the indicated fields:
   Figure: Common Access Card Authentication
   - Directory: Select the authentication directory that contains the CAC users that you want to authenticate. This list includes the directories that are configured on the Directory List tab.
   - Service Username: Enter the user name, in the user@domain format (for example, firstname.lastname@example.org), that the web console uses to log in to Active Directory.
   - Service Password: Enter the password for the service user name.
   - Click Enable CAC Authentication.
     Note: The web console restarts after you change this setting.
   If you map a Prism role to a CAC user rather than to an Active Directory group or organizational unit to which the user belongs, specify the EDIPI (User Principal Name, or UPN) of that user in the role mapping. A user who presents a CAC with a valid certificate is mapped to a role and taken directly to the web console home page; the web console login page is not displayed.
8. Click the Close button to close the Authentication Configuration dialog box.