Note:

XenServer uses Likewise (Likewise uses Kerberos) to authenticate the AD user in the AD server, and to encrypt communications with the AD server.

How does XenServer manage the machine account password for AD integration?

As with Windows client machines, Likewise automatically renews the machine account password once every 30 days, or at the interval specified by the machine account password renewal policy on the AD server. For more information, refer to http://support.microsoft.com/kb/154501.

Enabling external authentication on a pool

External authentication using Active Directory can be configured using either XenCenter or the CLI. From the CLI, use the command below.

xe pool-enable-external-auth auth-type=AD \
    service-name=<full-qualified-domain> \
    config:user=<username> \
    config:pass=<password>

The user specified needs to have Add/remove computer objects or workstations privileges, which is the default for domain administrators.

Note:

If you are not using DHCP on the network used by Active Directory and your XenServer hosts, you can use the following approaches to set up your DNS:

1. Set up your domain DNS suffix search order for resolving non-FQDNs:

xe pif-param-set uuid=<pif-uuid_in_the_dns_subnetwork> \
    "other-config:domain=suffix1.com suffix2.com suffix3.com"

2. Configure the DNS server to use on your XenServer hosts:

xe pif-reconfigure-ip mode=static dns=<dnshost>

3. Manually set the primary management interface to use a PIF that is on the same network as your DNS server:

xe host-management-reconfigure pif-uuid=<pif_in_the_dns_subnetwork>

Note:

External authentication is a per-host property. However, Citrix advises that you enable and disable it on a per-pool basis. In that case XenServer deals with any failures that occur when enabling authentication on a particular host and performs any roll-back of changes that may be required, ensuring that a consistent configuration is used across the pool. Use the host-param-list command to inspect the properties of a host and determine the status of external authentication by checking the values of the relevant fields.
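A way to confirm the pool-wide consistency described above from a shell, as an added example that is not part of the Citrix manual: it parses the per-host external-auth fields (as printed by host-param-list or, as assumed here, by xe host-list with a params= selection) and flags any host whose settings differ from the expected domain. The two xe outputs embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Citrix manual: check that every host in the pool
# reports the same Active Directory settings (the note above wants a consistent
# pool-wide configuration). Input is the output of the assumed command
#   xe host-list params=uuid,name-label,external-auth-type,external-auth-service-name
# The samples below are constructed to mimic that output format.
SAMPLE_OK='uuid ( RO)                    : 11111111-0000-4000-8000-000000000001
             name-label ( RW): xenhost-01
     external-auth-type ( RO): AD
external-auth-service-name ( RO): corp.example.com'
# Same pool, plus a host whose external auth was never enabled (empty fields).
SAMPLE_BAD="$SAMPLE_OK


uuid ( RO)                    : 22222222-0000-4000-8000-000000000002
             name-label ( RW): xenhost-02
     external-auth-type ( RO):
external-auth-service-name ( RO):"

# audit_auth <xe output> <expected domain>
# Prints one line per host; returns 0 only when every host uses auth-type AD
# with the expected service-name, i.e. the pool is consistently joined.
audit_auth() {
    printf '%s\n' "$1" | awk -v want="$2" '
    function flush() {
        if (uuid != "") {
            ok = (type == "AD" && svc == want)
            if (!ok) bad++
            printf "%s %-12s type=%-4s service=%s %s\n", uuid, name, type, svc, (ok ? "ok" : "MISCONFIGURED")
        }
        uuid = ""; name = ""; type = ""; svc = ""
    }
    /^uuid \(/ { flush() }          # a new host record starts at its uuid line
    {
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); sub(/ *\(.*$/, "", key); gsub(/^ +/, "", key)
        val = substr($0, i + 1); gsub(/^ +| +$/, "", val)
        if (key == "uuid") uuid = val
        else if (key == "name-label") name = val
        else if (key == "external-auth-type") type = val
        else if (key == "external-auth-service-name") svc = val
    }
    END { flush(); exit (bad > 0) }'
}

audit_auth "$SAMPLE_OK" corp.example.com
audit_auth "$SAMPLE_BAD" corp.example.com || echo "pool is NOT consistently joined to corp.example.com"
```

On a real pool, replace the sample with the live xe output; a non-zero return identifies a host that needs the pool-level enable repeated or its roll-back inspected.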

Disabling external authentication

Use XenCenter to disable Active Directory authentication, or the following xe command:

xe pool-disable-external-auth

User Authentication

To allow a user access to your XenServer host, you must add a subject for that user or a group that they are in. (Transitive group memberships are also checked in the normal way, for example: adding a subject for group A, where group A contains group B and user 1 is a member of group B would permit access to user 1.) If

Citrix Systems 6 manual User Authentication, Enabling external authentication on a pool, Disabling external authentication