Windows Authentication Prerequisites

The Windows Authentication feature allows your users to log in to the AMS web interface using their existing Windows network user names and passwords. To enable this, you must install Authentication Manager on a local machine in your environment; it validates a user’s credentials against the local Windows subsystem using New Technology LAN Manager (NTLM).

Windows Authentication Requirements

The following are required to use Windows Authentication:

  • At least two Authentication Managers must be installed, each in a different geographic region. More Authentication Managers provide redundancy and shorter login times.
  • Any machine housing an Authentication Manager must be able to access a Domain Controller capable of authenticating a given user.
  • Sites housing Authentication Managers must have dedicated internet connections to provide redundancy in case of a site failure.
  • Support for Exchange Resource Forests varies depending on the type of trust between the Exchange and security forests:

    Type of trust   Description
    Two-way trust   No changes beyond the normal requirements for deploying authentication controllers (redundancy, distributed, etc.) should be required.
    One-way trust   Treat one-way trusts as distributed environments, and be sure to deploy a sufficient number of auth controllers for redundancy purposes.

When Support configures Windows Authentication in the data center, they set the parameters listed below. To change any of the default values, contact Support.

Cache Windows Password
    Description: The number of hours a password is stored to speed subsequent logins.
    Default Value: 48 hours

Max Password Attempts
    Description: The number of failed login attempts allowed before the user is locked out.
    Default Value: Typically set to one fewer than your organization’s network lockout policy, so that a user cannot be locked out of the network because of failed Email Continuity login attempts.

Attempt Count Reset
    Description: The number of minutes the system stores a failed attempt and counts it against the Max Password Attempts count.
    Default Value: 30 minutes

Lockout Period
    Description: The number of hours an account remains locked.
    Default Value: 72 hours

Windows Authentication Limitations

The following are known limitations for Windows Authentication:

  • Disabled Active Directory accounts cannot log in.
  • Windows NT login IDs cannot be used; there is no way to ensure that an NT ID is globally unique. The SMTP address is a unique identifier.
  • In multidomain forests, sufficient trusts must be in place between the domains so that accessible domain controllers can authenticate users.
  • By design, if an Active Directory account is locked, the user’s logon will fail for Email Continuity even if they have not exceeded the Max Password Attempts count.
  • If a user changes the Active Directory password after having logged in and cached the password in Email Continuity, the cached password remains the Email Continuity password until the Cache Windows Password time-out expires.
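To show how the four parameters above (Cache Windows Password, Max Password Attempts, Attempt Count Reset, Lockout Period) and the listed limitations interact, here is an added Python model written for this page; it is not the product's code. The DirectoryStub and its five-attempt network lockout threshold, the DirectoryAccount class, and the assumption that the disabled/locked status check runs before the cache is consulted are all assumptions, and the user names and passwords are constructed. The first scenario shows why Max Password Attempts is set one fewer than the network policy: the domain controller never sees a fifth failure. The second shows the stale-cache limitation: after an AD password change, the old password keeps working until the 48-hour cache expires.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    # Defaults from the page; 4 attempts assumes a network lockout threshold of 5.
    cache_windows_password_hours: int = 48
    max_password_attempts: int = 4
    attempt_count_reset_minutes: int = 30
    lockout_period_hours: int = 72

@dataclass
class DirectoryAccount:  # constructed stand-in for an Active Directory account
    password: str
    disabled: bool = False
    locked: bool = False
    failed_attempts: int = 0

@dataclass
class DirectoryStub:  # constructed stand-in for the domain controller
    accounts: dict
    NETWORK_LOCKOUT_THRESHOLD = 5  # assumed organisation-wide lockout policy

    def validate(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if acct.disabled or acct.locked:
            return False
        if password == acct.password:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.NETWORK_LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

@dataclass
class UserState:
    failures: list = field(default_factory=list)  # timestamps of counted failures
    locked_until: datetime = None
    cached_password: str = None
    cached_at: datetime = None

class AuthManagerModel:
    def __init__(self, policy: Policy, directory: DirectoryStub):
        self.policy, self.directory, self.users = policy, directory, {}

    def login(self, user: str, password: str, now: datetime) -> str:
        p, st = self.policy, self.users.setdefault(user, UserState())
        # Lockout Period: refuse a locked user without touching the directory.
        if st.locked_until is not None and now < st.locked_until:
            return "locked_out"
        # Attempt Count Reset: failures older than the window no longer count.
        window = timedelta(minutes=p.attempt_count_reset_minutes)
        st.failures = [t for t in st.failures if now - t < window]
        # Limitation: disabled or AD-locked accounts fail regardless of the attempt count (assumed to be checked before the cache).
        acct = self.directory.accounts.get(user)
        if acct is None or acct.disabled or acct.locked:
            return "directory_denied"
        # Cache Windows Password: an unexpired cached password is accepted even
        # if the AD password has since changed (limitation listed on the page).
        ttl = timedelta(hours=p.cache_windows_password_hours)
        if st.cached_password is not None and now - st.cached_at < ttl:
            if password == st.cached_password:
                return "ok_cached"
        else:
            st.cached_password = st.cached_at = None
        if self.directory.validate(user, password):
            st.failures.clear()
            st.cached_password, st.cached_at = password, now
            return "ok_directory"
        st.failures.append(now)
        if len(st.failures) >= p.max_password_attempts:
            st.failures.clear()
            st.locked_until = now + timedelta(hours=p.lockout_period_hours)
            return "locked_out"
        return "bad_password"

def scenario_brute_force() -> dict:
    # Five wrong passwords a minute apart, then the right one once the lockout ends.
    directory = DirectoryStub({"alice": DirectoryAccount("Correct-Horse")})
    mgr = AuthManagerModel(Policy(), directory)
    t0 = datetime(2024, 1, 1, 9, 0)
    results = [mgr.login("alice", "wrong", t0 + timedelta(minutes=i)) for i in range(5)]
    dc_failures = directory.accounts["alice"].failed_attempts  # read before the reset
    after = mgr.login("alice", "Correct-Horse", t0 + timedelta(hours=72, minutes=3))
    return {"results": results, "dc_failures": dc_failures, "after_lockout": after}

def scenario_stale_cache() -> tuple:
    # AD password changed after a cached login: the old one works until the cache expires.
    directory = DirectoryStub({"bob": DirectoryAccount("OldPass1")})
    mgr = AuthManagerModel(Policy(), directory)
    t0 = datetime(2024, 1, 1, 9, 0)
    first = mgr.login("bob", "OldPass1", t0)
    directory.accounts["bob"].password = "NewPass2"  # user changes the AD password
    within = mgr.login("bob", "OldPass1", t0 + timedelta(hours=47))
    expired = mgr.login("bob", "OldPass1", t0 + timedelta(hours=49))
    return first, within, expired
```

In the first scenario the manager locks the user on the fourth failure and answers the fifth attempt itself, so the directory stub records only four failures and stays below its own threshold; the correct password is accepted again once the 72-hour Lockout Period has elapsed. In the second, the cached old password is accepted at 47 hours and rejected at 49 hours, at which point the stale cache entry is dropped and the directory is consulted.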