Authentication for KeyControl User Accounts

KeyControl-Managed Account Authentication

KeyControl-managed accounts are administered in the KeyControl Vault Management webGUI and can be authenticated in one of the following ways:

  • Locally, with a password stored in KeyControl. KeyControl Security Admins can configure the password requirements and expiration options, as well as the maximum number of login attempts that are allowed before the KeyControl account is disabled and an expiration date after which the account will be automatically disabled.
  • Externally, through an LDAP/Active Directory authentication server. Security Admins cannot change the password requirements or expiration options, but they can set the maximum number of login attempts that are allowed before the KeyControl-managed account is disabled, and they can set an expiration date on the account itself so that it cannot be used after a certain date.

    For LDAP and Active Directory servers, Security Admins can specify one and only one domain for all user account authentication. You can, however, configure multiple domain controllers to provide failover in case one controller becomes unreachable.

  • Through an OpenID Connect provider. If a provider is configured, the KeyControl login dialog contains not only the Sign In button but also a configurable button that starts the authentication process with the provider. After the user has been authenticated by the OpenID Connect provider, the same username is used to obtain the user's KeyControl permissions from LDAP.

Active Directory-Managed Account Authentication

KeyControl requires customers to provide a service account in Active Directory settings. The service account is used for retrieving the list of AD objects to help Security Administrators configure members in KeyControl Groups. The service account configured in Active Directory settings requires the following read permissions in AD:

  • User object: attributes distinguishedName, cn, sAMAccountName, userPrincipalName, mail
  • Group object: attributes objectGUID, distinguishedName, cn, sAMAccountName
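The following PowerShell script is an added example, not part of the KeyControl documentation: run from a domain-joined host with the RSAT ActiveDirectory module, it binds as the service account and reports which of the attributes listed above are actually returned for a sample user and group. The domain controller, service account, and object names (dc01.example.com, EXAMPLE\svc-keycontrol, jdoe, KeyControl-Admins) are placeholders.

```powershell
# Added example (not from the KeyControl documentation): confirm, as the
# service account configured in KeyControl's Active Directory settings, that
# the attributes KeyControl reads on user and group objects are returned.
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$Server = 'dc01.example.com'                        # assumption: a DC in the one AD domain used by KeyControl
$Cred   = Get-Credential 'EXAMPLE\svc-keycontrol'   # assumption: the KeyControl service account

# Attributes the documentation lists as required read permissions
$UserAttrs  = 'distinguishedName','cn','sAMAccountName','userPrincipalName','mail'
$GroupAttrs = 'objectGUID','distinguishedName','cn','sAMAccountName'

function Test-ReadableAttributes {
    param(
        [Parameter(Mandatory)] $Object,
        [Parameter(Mandatory)] [string[]] $Attributes
    )
    # AD silently omits an attribute the bound account is not allowed to read,
    # so it shows up as $null. 'mail' is also $null when it is simply unset on
    # the object, so that case is flagged for manual verification rather than
    # reported as a permissions problem.
    foreach ($a in $Attributes) {
        $present = $null -ne $Object.$a
        $state = if ($present) { 'OK' }
                 elseif ($a -eq 'mail') { 'EMPTY (unset or unreadable; verify)' }
                 else { 'MISSING (check read permission)' }
        '{0,-20} {1}' -f $a, $state
    }
}

# Sample objects; both must live in the same AD domain KeyControl is configured for.
$user  = Get-ADUser  -Identity 'jdoe' -Server $Server -Credential $Cred -Properties $UserAttrs
$group = Get-ADGroup -Identity 'KeyControl-Admins' -Server $Server -Credential $Cred -Properties $GroupAttrs

'User object:'
Test-ReadableAttributes -Object $user  -Attributes $UserAttrs
'Group object:'
Test-ReadableAttributes -Object $group -Attributes $GroupAttrs
```

Any attribute reported as MISSING means the service account lacks read permission on it and KeyControl group membership lookups for those objects will be incomplete.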

All Active Directory (AD)-managed accounts must belong to AD Security groups that are defined in the same AD domain. While you can specify multiple domain controllers to provide failover, all of the Security groups you want to use must be part of the same domain.

Note: An AD-managed user account cannot log into KeyControl for the first time if the KeyControl cluster is degraded. AD accounts that have already successfully logged in at least once will continue to work, but, in a degraded state, KeyControl cannot process a new AD user login.

If you plan to use a mix of KeyControl-managed user accounts that are authenticated through LDAP along with AD Security groups, you must use the same AD domain for both the KeyControl-managed accounts and the AD Security groups.