Configuring Vault Authentication
By default the vault is configured for local authentication. You can change the authentication method as required. For example, you can switch to Active Directory authentication.
In the current release, you can choose between local authentication and Active Directory.
Switching away from local authentication is a one-way change. For example, once Active Directory is configured, local authentication cannot be enabled again unless the vault is rescued (see Rescue a Vault).
Important: If you have access policies in place and you intend to switch from local authentication to Active Directory, you must delete all access policies other than the default Admin policy. You must also delete all users other than the default admin user. After switching to Active Directory, you set up the required access policies and users.
To configure the vault authentication method
- Sign in to the vault.
- Select the Settings icon at the top right of the vault page.
- From the Authentication Type menu, select the authentication type.
If you select Active Directory:
- To configure Active Directory, select Configure Active Directory.
You are asked to confirm that you want to continue, because once Active Directory authentication is configured, local authentication cannot be reinstated unless the vault is rescued (see Rescue a Vault).
- Select OK. The Configure AD Authentication dialog appears.
- On the Domain tab, enter:
Domain Name: Enter the DNS domain name for the service account.
Domain Netbios Name: Enter the NetBIOS name or subdomain of the DNS domain.
Directory Service Type: Select Microsoft AD if you plan to use Microsoft AD directory services. Select OpenLDAP for all non-Microsoft AD directory services.
Select Configure Service Account and set the following:
Service Account Name: Enter the name of the service account. This is the AD account that KeyControl Vault uses when it logs in to (binds to) the AD server. Specify the account in one of the following formats:
- Distinguished Name (DN). For example, CN=Administrator,CN=users,DC=hytrust,DC=com
- User Principal Name (UPN). For example, administrator@hytrust.com
- Account username. For example, administrator
The account is often an administrative user, but read-only permissions on the AD server are sufficient; a dedicated read-only account is the least-privilege choice.
Tip: See Finding LDAP/AD Distinguished Names.
Service Account Password: Enter the password for the service account.
UID Attribute: Enter the attribute that holds the account name users sign in with; for Active Directory this is sAMAccountName (the Security Account Manager account name). This is the attribute of the user or group object that is matched during the search.
- Select Continue. The Domain Controllers tab appears.
To add a controller, select +. You can add up to two domain controllers per KeyControl Vault cluster. If you specify two domain controllers, make sure your primary controller appears first in this list. KeyControl Vault always tries to authenticate an AD user through the first domain controller listed.
To edit an existing domain controller, select that controller and select the edit button.
For each domain controller, specify the following:
Server URL: Enter the LDAP server hostname or IP address. From the menu, select LDAP:// or LDAPS://, then enter the hostname or IP address in the text field. To include a port number, enter <ip-address>:<port>.
STARTTLS: Select this if you want KeyControl Vault to upgrade the LDAP:// connection to Transport Layer Security (TLS) before authenticating to the LDAP server. Note: This option is only available if the Server URL starts with LDAP://. Without either LDAPS:// or STARTTLS, the service account password and users' passwords cross the network in cleartext during the LDAP bind.
CA Certificate: The certificate chain of all the trusted Certificate Authorities that can verify the TLS (SSL) certificate used by the domain controller. The CA certificate must be in Base64-encoded PEM format. KeyControl Vault uses it to verify the certificate presented by the LDAP server/Active Directory. If the file you upload contains only the root CA certificate, make sure that the certificate the domain controller presents includes the entire chain of intermediate CA certificates; otherwise the vault cannot verify it. If you are using LDAPS:// or selected STARTTLS for LDAP://, select Browse, then navigate to and select the CA certificate for the LDAP server.
Select Advanced Settings and configure:
User Search Context (Base DN): Enter the Distinguished Name (DN) of the node where the search for users should start. This option applies to KeyControl Vault-managed account names that are authenticated through LDAP. For performance reasons, the base DN should be as specific as possible. For example, dc=ldapserver,dc=com.
Group Search Context (Base DN): Enter the Distinguished Name (DN) of the node where the search for Security groups should start. This option applies to AD Security groups being associated with a Cloud Admin Group.
Timeout: Set the timeout in seconds before connecting to an alternate domain controller.
If multiple domain controllers are specified, this is the amount of time KeyControl Vault waits for a response before it re-sends the request to another domain controller.
This option only applies to the TCP/LDAP request. It does not apply to the DNS request before the LDAP server has been successfully contacted. If the DNS server is down, KeyControl Vault may take longer than the length of time specified here before it fails over to the next domain controller in the list or it considers the authentication request to have failed.
- Add additional Domain Controllers, as needed.
- Select Add. The Domain Controllers are added to the list.
- Select Continue. The Admin tab appears.
You can add either a User account or a Group. Only one user or group is entered at this step; additional administrators can be added later by editing the admin access policy.
Select User or Group and enter the AD details:
User
User Name (UPN): Enter the user's Active Directory User Principal Name.
Enter an email address for the user.
Group
Group Name (CN): Enter the group's Active Directory Common Name.
Distinguished Name (DN): Enter the group's Active Directory Distinguished Name.
Enter an email address for the group.
- Select Add. A dialog appears confirming whether the configuration succeeded. If there are any issues, double-check the entries and retry.
- You are logged out and must sign in with Active Directory credentials to continue setting up the vault.
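Because the switch to Active Directory cannot be undone without rescuing the vault, it is worth checking each Domain Controller entry before you select Add. The Python 3 script below is an added example written for this page; it is not part of KeyControl Vault or its documentation. It applies the dialog's own rules to the Server URL, STARTTLS and CA Certificate fields (STARTTLS only with LDAP://, a PEM CA bundle whenever TLS is used, a warning when the bundle holds a single certificate so the controller must send its intermediates), and preflight_bind connects the way the vault will (LDAPS, or LDAP upgraded with StartTLS), verifies the controller's certificate and host name against only the uploaded CA bundle, and performs an LDAP simple bind as the service account. It uses only the standard library and hand-encodes the two LDAP messages it needs; the host names, the service account DN, the PEM placeholder and the response bytes are constructed, and the function and variable names are the example's own.

```python
"""Pre-flight check for KeyControl Vault Domain Controller settings (example code, not
part of the product).  Validates the Server URL / STARTTLS / CA certificate combination
offline; preflight_bind then connects as the vault will, verifies the controller against
only the uploaded CA bundle and binds as the service account.  Host names, DNs, the PEM
placeholder and the response bytes below are constructed for illustration."""
import re
import socket
import ssl
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# Constructed placeholder standing in for one Base64 PEM certificate.
ONE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
# Constructed BindResponse (messageID 2) carrying resultCode 49 = invalidCredentials.
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c02010261070a013104000400")

def parse_server_url(url):
    """'LDAP://host[:port]' or 'LDAPS://host[:port]' -> (scheme, host, port); 389/636 default."""
    parts = urlsplit(url.lower())
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"Server URL must start with LDAP:// or LDAPS://: {url!r}")
    return parts.scheme, parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)

def validate_controller(url, starttls, ca_pem):
    """Findings for one Domain Controller entry (empty list = nothing to fix)."""
    scheme, _, _ = parse_server_url(url)
    encrypted = scheme == "ldaps" or starttls
    certs = _PEM_CERT.findall(ca_pem or "")
    checks = [
        (starttls and scheme == "ldaps", "STARTTLS only applies to LDAP://; LDAPS:// is already TLS"),
        (not encrypted, "plain LDAP://: service account and user passwords cross the network in cleartext"),
        (encrypted and not certs, "LDAPS:// or STARTTLS requires a Base64 PEM CA certificate"),
        (encrypted and len(certs) == 1, "CA bundle holds one certificate only; the controller must send its intermediates"),
    ]
    return [message for failed, message in checks if failed]

def _tlv(tag, body):
    """Encode one BER element with a definite short- or long-form length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def simple_bind_request(name, password, msg_id=2):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))

def _read_tlv(buf, pos=0):
    """Decode the BER element at buf[pos]; return (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def result_code(message):
    """resultCode (0 success, 49 invalidCredentials, ...) of a Bind/ExtendedResponse."""
    _, seq, _ = _read_tlv(message)
    _, _, pos = _read_tlv(seq)                     # messageID
    _, op, _ = _read_tlv(seq, pos)                 # 0x61 BindResponse / 0x78 ExtendedResponse
    tag, code, _ = _read_tlv(op)                   # first field: resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("not an LDAP result message")
    return code[0]

def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the (plain or TLS) socket."""
    f = sock.makefile("rb")
    head = f.read(2)
    if len(head) < 2:
        raise ConnectionError("domain controller closed the connection")
    n = head[1]
    if n & 0x80:
        ext = f.read(n & 0x7F)
        head, n = head + ext, int.from_bytes(ext, "big")
    return head + f.read(n)

def preflight_bind(url, starttls, ca_pem, service_account, password, timeout=5):
    """Connect as the vault would, verify the controller's certificate and host name against
    only the uploaded CA bundle, bind as the service account and return the LDAP resultCode.
    ssl.SSLCertVerificationError means the bundle cannot verify the chain the controller sends."""
    scheme, host, port = parse_server_url(url)
    ctx = ssl.create_default_context(cadata=ca_pem)   # trust only the uploaded CA bundle
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if scheme == "ldap" and starttls:
            sock.sendall(starttls_request(1))
            if result_code(_recv_message(sock)) != 0:
                raise RuntimeError("domain controller refused StartTLS")
        if scheme == "ldaps" or starttls:
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(simple_bind_request(service_account, password, 2))
        return result_code(_recv_message(sock))
    finally:
        sock.close()
```

A resultCode of 0 from preflight_bind("LDAPS://dc1.example.com", False, open("ca.pem").read(), "CN=svc-keycontrol,CN=Users,DC=example,DC=com", password) (constructed names) means the controller's chain verified against the bundle and the service account credentials work; 49 (invalidCredentials) points at the account name or password; an ssl.SSLCertVerificationError raised before the bind points at the CA bundle, or at a controller that does not present its intermediate certificates. Run the check from the network segment the vault sits in so that DNS resolution and firewall rules match what the vault will see.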