1. Configure the DNS server to use on your XenServer hosts:
xe pif-reconfigure-ip mode=static dns=<dnshost>
2. Manually set the management interface to use a PIF that is on the same network as your DNS server:
xe host-management-reconfigure pif-uuid=<pif_in_the_dns_subnetwork>
Note:
External authentication is a per-host property. However, Citrix advises that you enable and disable this on a
per-pool basis – in this case XenServer will deal with any failures that occur when enabling authentication
on a particular host and perform any roll-back of changes that may be required, ensuring that a consistent
configuration is used across the pool. Use the host-param-list command to inspect properties of a host and
to determine the status of external authentication by checking the values of the relevant fields.

Disabling external authentication

Use XenCenter to disable Active Directory authentication, or the following xe command:
xe pool-disable-external-auth
User authentication
To allow a user access to your XenServer host, you must add a subject for that user or for a group that they are
in. (Transitive group memberships are also checked in the normal way, for example: adding a subject for
group A, where group A contains group B and user 1 is a member of group B, would permit access to user
1.) If you wish to manage user permissions in Active Directory, you could create a single group that you then
add and remove users to/from; alternatively, you can add and remove individual users from XenServer, or
a combination of users and groups, as would be appropriate for your authentication requirements. The
subject list can be managed from XenCenter or using the CLI as described below.
When authenticating a user, the credentials are first checked against the local root account, allowing you
to recover a system whose AD server has failed. If the credentials (i.e. username then password) do not
match/authenticate, then an authentication request is made to the AD server – if this is successful the user's
information will be retrieved and validated against the local subject list, otherwise access will be denied.
Validation against the subject list will succeed if the user, or a group in the transitive group membership of
the user, is in the subject list.
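The decision sequence just described, modeled in Python as an added example (not XenServer code): the AD directory, credential store, local root password and subject list are constructed in-memory stand-ins, and all names (groupA, groupB, user1, user2) are assumed.

```python
"""Model of the XenServer user-authentication decision described above.
Constructed example: small dicts stand in for Active Directory and the
pool's subject list; nothing here talks to a real AD server or xapi."""

# Constructed AD directory: each group maps to its direct members (users or groups).
AD_GROUPS = {
    "xendt\\groupA": {"xendt\\groupB"},   # group A contains group B
    "xendt\\groupB": {"xendt\\user1"},    # user 1 is a member of group B
    "xendt\\groupC": {"xendt\\user2"},    # group C is never added as a subject
}

# Constructed AD credential store (model only).
AD_CREDENTIALS = {"xendt\\user1": "Passw0rd1", "xendt\\user2": "Passw0rd2"}

# Local root password, checked first so the host stays recoverable if AD is down.
LOCAL_ROOT_PASSWORD = "root-secret"

# Subject list as it would look after `xe subject-add subject-name=xendt\groupA`.
SUBJECT_LIST = {"xendt\\groupA"}


def transitive_groups(principal, groups=AD_GROUPS):
    """Return every group containing `principal` directly or via nested groups."""
    found, frontier = set(), [principal]
    while frontier:
        p = frontier.pop()
        for g, members in groups.items():
            if p in members and g not in found:
                found.add(g)
                frontier.append(g)
    return found


def authenticate(username, password, ad_available=True):
    """Return (allowed, reason) in the order the text describes:
    local root first, then AD credential check, then subject-list validation."""
    if username == "root":
        return (password == LOCAL_ROOT_PASSWORD, "local root account")
    if not ad_available:
        return (False, "AD server unreachable and credentials are not local root")
    if AD_CREDENTIALS.get(username) != password:
        return (False, "AD authentication failed")
    # Authenticated by AD; access still requires the user or one of the
    # user's transitive groups to appear in the subject list.
    if username in SUBJECT_LIST or transitive_groups(username) & SUBJECT_LIST:
        return (True, "subject list match")
    return (False, "authenticated by AD but not in subject list")
```

user1 is admitted through group A even though only group B lists the user directly, while user2 authenticates against AD but is refused because group C is not a subject.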
Note:
When using Active Directory groups to grant access for Pool Administrator users who will require host ssh
access, the number of users in the Active Directory group must not exceed 500.

Allowing a user access to XenServer using the CLI

To add an AD subject to XenServer:
xe subject-add subject-name=<entity name>
The entity name should be the name of the user or group to which you want to grant access. You
may optionally include the domain of the entity (for example, '<xendt\user1>' as opposed to '<user1>')
although the behavior will be the same unless disambiguation is required.

Removing access for a user using the CLI

1. Identify the subject identifier for the subject whose access you wish to revoke. This would be the user or the
group containing the user (removing a group would remove access for all users in that group, provided
they are not also specified individually in the subject list). You can do this using the subject list command: