Authentication for KeyControl User Accounts
KeyControl-Managed Account Authentication
KeyControl-managed accounts can be authenticated in the following ways:
- Locally, with a password stored in KeyControl. KeyControl Security Admins can configure the password requirements and expiration options, as well as the maximum number of login attempts that are allowed before the KeyControl account is disabled and an expiration date after which the account will be automatically disabled.
- Externally, through a RADIUS or LDAP/Active Directory authentication server. Security Admins cannot change the password requirements or expiration options, but they can set the maximum number of login attempts that are allowed before the KeyControl-managed account is disabled and they can set an expiration date on the account itself so that it cannot be used after a certain date.

  For LDAP and Active Directory servers, Security Admins can specify one and only one domain for all user account authentication. You can, however, configure multiple domain controllers to provide failover in case one controller becomes unreachable.

  For RADIUS, Security Admins can specify the default RADIUS server information, but that information can be overridden for a specific user account.
Active Directory-Managed Account Authentication
All Active Directory (AD)-managed accounts must belong to AD Security groups that are defined in the same AD domain. While you can specify multiple domain controllers to provide failover, all of the Security groups you want to use must be part of the same domain.
Note: An AD-managed user account cannot log into KeyControl for the first time if the KeyControl cluster is degraded. AD accounts that have already successfully logged in at least once will continue to work, but, in a degraded state, KeyControl cannot process a new AD user login.
If you plan to use a mix of KeyControl-managed user accounts that are authenticated through LDAP along with AD Security groups, you must use the same AD domain for both the KeyControl-managed accounts and the AD Security groups.
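As an added illustration of the account rules described on this page (example code, not KeyControl's own implementation), the following Python models lockout after the configured number of failed logins, an account expiration date, the one-domain rule for AD Security groups, and failover across several domain controllers. The `bind` callback, the `Account` fields and the group DN format are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

# Hypothetical directory bind: (controller, user, password) -> True/False;
# raises OSError when the controller is unreachable.
BindFn = Callable[[str, str, str], bool]

@dataclass
class Account:
    name: str
    max_login_attempts: int             # failures allowed before the account is disabled
    expires_on: Optional[date] = None   # account cannot be used after this date
    failed_attempts: int = 0
    disabled: bool = False

def group_domain(dn: str) -> str:
    """Derive the DNS domain from a group DN, e.g. CN=KC-Admins,OU=Groups,DC=corp,DC=example."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.lower().startswith("dc=")).lower()

def check_single_domain(ldap_domain: str, group_dns: List[str]) -> List[str]:
    """Return the AD Security groups outside the configured LDAP domain (empty list = valid)."""
    return [dn for dn in group_dns if group_domain(dn) != ldap_domain.lower()]

def authenticate(acct: Account, password: str, controllers: List[str],
                 bind: BindFn, today: date) -> bool:
    """Apply lockout and expiration policy, then try each domain controller in order (failover)."""
    if acct.disabled or (acct.expires_on is not None and today > acct.expires_on):
        acct.disabled = True            # expired accounts are disabled automatically
        return False
    for dc in controllers:
        try:
            ok = bind(dc, acct.name, password)
        except OSError:
            continue                    # controller unreachable: fail over to the next one
        if ok:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= acct.max_login_attempts:
            acct.disabled = True        # locked out after the configured number of failures
        return False
    return False                        # no controller reachable: login cannot be processed
```

A real deployment would persist `failed_attempts` and `disabled` server-side; the in-memory dataclass here only shows the decision logic.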