Setting up Active Directory Authentication
The following steps detail the procedure for enabling Active Directory Authentication to verify credentials against Active Directory.
Active Directory Configuration Domain Overview Page
- In AD Users > Domain Overview, enter the complete domain name of your domain controller in the Domain field. Optionally, add a label in the Label field if you will have multiple domains specified and want an easy way to tell them apart. Cerberus will bind to the first domain controller to respond. The Controller field only shows which domain controller Cerberus has bound to and is not editable. Cerberus will re-bind any time you restart the Cerberus service.
- Optionally, you can also configure a Security Group for AD users. This will cause Cerberus FTP Server to check that the Active Directory user attempting to authenticate is a member of the listed Active Directory Global security group before allowing login. If selected, only members of the security group will be allowed to log in.
Define which Default Directory Mapping Mode you wish to use. For more information on what each mode does, including the use of the Cerberus Default Group, please refer to these articles:
- Default Virtual Directory Mapping Modes for Active Directory and LDAP
- Active Directory Configuration Scenarios
Binding Options Page for Active Directory Configurations
By default, when an AD user authenticates, or when you are searching for AD users and AD groups when setting up mappings, Cerberus makes queries and binds to objects in the domain using the credentials for the account running the Cerberus FTP Server Windows Service. Often the account running Cerberus does not have adequate permissions to search and bind to objects in the domain. If that is the case, you can provide alternative credentials and options here to customize which account Cerberus uses when binding to objects in the domain.
Scenarios where this is needed include pulling accounts from multiple domains that do not have a trust between them, or a security-constrained environment where you do not want the Cerberus service to run under an admin account that has broad access. Specifying an Active Directory admin account here limits the amount of access Cerberus has to just what it needs for Active Directory and nothing else. Use the sAMAccountName as the username in the bind options.
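Before entering alternate credentials on the Binding Options page, it helps to confirm from an admin workstation that the account can search the domain, that it is not a member of broadly privileged groups, and that the Security Group set on the Domain Overview page resolves and contains a user you expect to log in. The script below is an added example, not Cerberus code; the function name and the sample values in the usage comment are assumptions, and it relies on the RSAT ActiveDirectory PowerShell module.

```powershell
# Added example (not part of Cerberus FTP Server). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CerberusBindAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]       $Domain,         # value entered in the Domain field
        [Parameter(Mandatory)] [pscredential] $BindCredential, # account planned for Binding Options
        [Parameter(Mandatory)] [string]       $SecurityGroup,  # group set on the Domain Overview page
        [Parameter(Mandatory)] [string]       $TestUser        # sAMAccountName of a user who should log in
    )
    # Run every query as the bind account so the results reflect its real permissions.
    $ad = @{ Server = $Domain; Credential = $BindCredential; ErrorAction = 'Stop' }

    # GetNetworkCredential() strips a DOMAIN\ prefix, leaving the sAMAccountName.
    $bindSam  = $BindCredential.GetNetworkCredential().UserName
    $bindUser = Get-ADUser -Identity $bindSam @ad   # fails here if the account cannot bind or search

    # Direct memberships only; nested privilege needs a separate review.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $broad = @(Get-ADPrincipalGroupMembership -Identity $bindUser @ad |
        Where-Object { $privileged -contains $_.Name } |
        Select-Object -ExpandProperty Name)

    # Resolve the login-gating group and look for the test user, following nested groups.
    $group    = Get-ADGroup -Identity $SecurityGroup @ad
    $members  = @(Get-ADGroupMember -Identity $group -Recursive @ad)
    $isMember = $members.SamAccountName -contains $TestUser

    [pscustomobject]@{
        BindAccount      = $bindUser.SamAccountName
        PrivilegedGroups = $broad                # an empty list is the least-privilege result
        GroupScope       = $group.GroupScope     # the page describes a Global security group
        GroupCategory    = $group.GroupCategory  # expected: Security
        TestUserInGroup  = $isMember
    }
}

# Usage with constructed sample values:
# Test-CerberusBindAccount -Domain 'corp.example.com' -BindCredential (Get-Credential) `
#     -SecurityGroup 'FTP-Users' -TestUser 'jdoe'
```

The membership lookup follows nested groups, which the page does not say Cerberus does, so treat a match that exists only through nesting as something to confirm with a real login.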
User MFA Settings
This page allows an admin to select an Active Directory user from the selection box below to view and disable 2FA on their account. This is used when an Active Directory user gets a new phone or authenticator app and needs to set up 2FA again.
User & Group Custom Mappings
By default, all AD users are assigned the same virtual directories and permissions. These defaults are configured on the Domain Overview tab of the AD Users page. To customize the directory and permission mappings for individual AD users, use this tab. You can map individual AD accounts to Cerberus group accounts, or map AD group accounts to Cerberus group accounts. Configuring an AD user-to-group mapping will override the Default Cerberus Group and Directory Mapping for the mapped AD user. For more details, please see Active Directory Mappings.