
LDAP connection requirements

Description:

For remote client authentication via LDAP (single sign-on) to succeed, all three of the following must hold:

  • ExacqVision Server has an Enterprise license and is connected to an AD/LDAP server.
  • ExacqVision Client can reach the ExacqVision Server on port 22609, and can reach the LDAP server on port 636 (LDAP with SSL) or 389 (LDAP without SSL).
  • The Active Directory server can reach both the ExacqVision Server and the ExacqVision Client workstation.

Kerberos ticket exchange requires all three parties (client workstation, ExacqVision Server and domain controller) to resolve and connect to each other, so verify these requirements before connecting ExacqVision Client to the server with the SSO method.


ExacqVision Server and Client support LDAP authentication with Azure Active Directory

Azure Active Directory supports an LDAP interface when properly configured, and therefore LDAP can be used to authenticate ExacqVision Server and Client users against the Azure AD instance.

Background Information: Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), Video Management Software (VMS – ExacqVision), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (Azure AD, now Microsoft Entra ID) does not speak LDAP itself; it supports this pattern through Azure AD Domain Services (Azure AD DS), a managed domain that provides LDAP, Kerberos and NTLM for workloads that still depend on them, so organizations adopting a cloud-first strategy can move their on-premises LDAP resources to the cloud. ExacqVision has supported LDAP authentication since early versions and can now use it against Azure AD DS as well. Note that Azure AD DS serves plain LDAP on TCP 389 only inside its own virtual network; from anywhere else it offers only secure LDAP on TCP 636, which must be enabled with a certificate and allowed through the managed domain's network security group for the ExacqVision Server's address, so plan on the Use SSL setting with port 636.

Once the on-premises network hosting ExacqVision Server has been configured to communicate with the Azure AD instance (no port restrictions or other environmental factors blocking traffic), ExacqVision Server and Client support LDAP authentication against Azure Active Directory in the releases dated December 15th, 2022 and later.

Products 

  • ExacqVision Server Software version 22.12.5.0 and up
  • ExacqVision Client version 22.12.2.0 and up

Minimum Requirements for ExacqVision Server and Client software: 

  • Server and Client versions must be 22.12 or later
  • Your ExacqVision Server must have an Enterprise license to interact with Azure AD.
  • Your network configuration must be properly configured to communicate with your Azure AD instance
  • To configure Azure Active Directory integration on an ExacqVision Server, you must have Azure Active Directory credentials (supplied by your IT department or network administrator) that can read the following directory attributes and object classes: objectClass (specifically “group” and “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName

Configuration steps for ExacqVision Server and Client software: 

  • Configure the network to communicate with the Azure Active Directory instance without restriction.
  • Verify that you have the credentials listed above (supplied by your IT department or network administrator), then log in to the Client with administrative privileges.
  • Navigate to Enterprise > ActiveDirectory/LDAP. Enable Directory Service, then enter the Azure AD instance address in the Server Address field together with the port number, the Use SSL setting, the Base DN and the bind account information in the corresponding fields, all as supplied by your IT department or network administrator. NOTE: enabling “Permission to Create SPN” is recommended when using Azure Active Directory LDAP authentication.
  • Apply the Changes.

Expected Results 

When executed properly, the above steps sync ExacqVision Server with the Azure AD instance and allow LDAP authentication in ExacqVision Client and Server.

For more information on how to configure ExacqVision for use with LDAP authentication please see the ExacqVision Client User Manual.


Enterprise Manager supports LDAP authentication with Azure Active Directory 

Azure Active Directory supports an LDAP interface when properly configured, and therefore LDAP can be used to authenticate ExacqVision Enterprise Manager users against the Azure AD instance.


As described for ExacqVision Server and Client above, Azure Active Directory (Azure AD, now Microsoft Entra ID) supports this pattern through Azure AD Domain Services (Azure AD DS), a managed domain that exposes LDAP, Kerberos and NTLM, which lets organizations adopting a cloud-first strategy move their on-premises LDAP resources to the cloud. ExacqVision Enterprise Manager can now use its LDAP authentication against Azure AD DS in the same way, with the same secure LDAP (TCP 636) requirement.

Once the on-premises network hosting Enterprise Manager has been configured to communicate with the Azure AD instance (no port restrictions or other environmental factors blocking traffic), ExacqVision Enterprise Manager supports LDAP authentication against Azure Active Directory in the releases dated December 15th, 2022 and later.

Products 

  • ExacqVision Enterprise Manager version 22.12.0.0 and up

Minimum Requirements for ExacqVision Enterprise Manager Software: 

  • Enterprise Manager version must be 22.12.0.0 or later
  • Your network configuration must be properly configured to communicate with your Azure AD instance
  • You must have Azure Active Directory credentials (supplied by your IT department or network administrator) that can read the following directory attributes and object classes: objectClass (specifically “group” and “user”), userPrincipalName, sAMAccountName, inetOrgPerson, krbPrincipalName

Configuration Steps for Enterprise Manager: 

  • Configure the network to communicate with the Azure Active Directory instance without restriction.
  • Verify that you have the credentials listed above (supplied by your IT department or network administrator), then log in to the Enterprise Manager user interface with administrative privileges.
  • Navigate to the Domain settings page.
  • Under “Add Domain”, enter the address of the Azure Active Directory instance in the “Hostname or IP” field, then enter the bind credentials together with the port number, security protocol, Search Criteria and Attribute names in their corresponding fields, all as supplied by your IT department or network administrator.
  • Apply the changes.

Expected Results 

When executed properly, the above steps sync Enterprise Manager with the Azure AD instance and allow LDAP authentication in ExacqVision Enterprise Manager.

For more information on how to configure ExacqVision Enterprise Manager for use with LDAP authentication please see the ExacqVision Enterprise Manager user manual.


exacqVision Enterprise Manager Domain User Search Fails Even After Authenticating With AD

Searches in Enterprise Manager (EM) fail even though authentication to Active Directory succeeds: when adding a new user, the search does not filter by the user's name, or it reports ‘no results found’.

Apache Solr, which EM uses for its search index, reports corruption in the indexed files. The fix is to clear the indexed data and let EM rebuild it, as follows.

Linux Steps…
1. Reboot the EM server.
2. Open a terminal and stop the four EM services (press <ENTER> after each line):

sudo service enterprise-datarolloff stop
sudo service enterprise-importer stop
sudo service enterprise-webservice stop
sudo service enterprise-sendemail stop

3. Stop Solr as well:

cd /usr/local/exacq/esm/apache_solr/apache-solr/bin
sudo ./solr stop -p 8983

If that does not stop it, use:

sudo ./solr stop -all

4. Move the index data aside. Note that this runs from the collection1 directory, not from inside data; EM recreates the data directory when it next starts:

cd /usr/local/exacq/esm/apache_solr/apache-solr/server/solr/collection1
sudo mv data data2

5. Start the EM services:

sudo service enterprise-datarolloff start
sudo service enterprise-importer start
sudo service enterprise-webservice start
sudo service enterprise-sendemail start

6. Start Solr:

cd /usr/local/exacq/esm/apache_solr/apache-solr/bin
sudo ./solr start -force

(-force lets Solr start as root, which it otherwise refuses to do; it is not a forced restart.)

7. In EM, open Domain and click Refresh Domain to resync the domain, then go to Users, click Add New User and verify that a search by name returns results. Once search works, the data2 directory can be deleted.

OR

Windows Steps…

  1. Open Windows Services (services.msc).
  2. Stop all four EM services, SolrApache and SolrJetty.
  3. Browse to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache-solr\server\solr\collection1
  4. Rename the Data folder to Data2.
  5. Restart all four EM services, SolrApache and SolrJetty.
  6. Go back into EM, navigate to Domain and click Refresh Domain, which resyncs the domain.
  7. Go to Users, click Add New User and try a search.
  8. Verify that you can search by name. Once search works, the Data2 folder can be deleted.


Server & Client and Active Directory

exacqVision-Server_Client-Active-Directory.pdf

Automatic creation of Service Principal Name (SPN)

Starting with exacqVision 7.2, the server can automatically create its own service principal name (SPN). A valid SPN is required for single sign-on. To enable this feature:

  1. Check the box next to “Permission to create SPN” on the LDAP/Active Directory settings page.
  2. Verify with your domain admin that the bind account has permission to create service principal names, that is, to write the servicePrincipalName attribute of the account the SPN is registered on. If not, the domain admin can grant it with the following command:


Automatic-creation-of-Service-Principal-Name-SPN.pdf

Active Directory & LDAP Best Practices

1. Introduction
   a. Benefits of Integration
   b. exacqVision Server must have Enterprise license
   c. Use groups on domain

2. exacqVision to AD/LDAP Data Flow

3. Configuration

4. Troubleshooting

1. Introduction

For an organization using Active Directory (AD) for user management of information technology services, integrating exacqVision into the AD infrastructure can greatly simplify continuing maintenance of user access to your video management system (VMS). On each exacqVision Server, you can assign VMS permissions to one or more AD groups. Then, as you add user accounts to those groups through standard IT user management practices, those users will automatically have access to log in to the exacqVision Servers with appropriate permissions. User management directly through exacqVision becomes a one-time configuration requiring that you join the server to the domain and assign permissions and privileges to groups, and all additional user management occurs through AD.

To provide the ongoing benefits of group-based permissions with exacqVision Server, the server must do more than simply authenticate the login credentials of a user requesting access: it must be able to browse AD groups to present them as configuration options and to determine whether a user requesting access is a member of any configured group.

Minimum Requirements

  • Your exacqVision Server must have an Enterprise license to interact with AD
  • The domain controller must be running on Windows Server 2003 or later.
  • To configure AD on an exacqVision Server, you must have Active Directory credentials that can read at least the following AD attributes and object classes:
    * objectClass (specifically “group” & “user”)
    * userPrincipalName
    * sAMAccountName
    * inetOrgPerson
    * krbPrincipalName


2. exacqVision to AD/LDAP Data Flow



  1. The exacqVision Client computer is joined to the domain. Optionally, the exacqVision Server can be joined to the domain as well.
  2. The Kerberos ticket (the operating system domain login credential) is passed from the client workstation's operating system to exacqVision Client.
  3. exacqVision Client initiates communication with the exacqVision Server and passes the Kerberos ticket.
  4. The exacqVision Server validates the ticket and extracts the user information.
  5. The exacqVision Server queries LDAP for the group and/or user associations of the authenticated user.
  6. The exacqVision Server grants the rights and privileges configured for that user and for the groups the user belongs to.


3. Configuration

  1. Log in to your domain controller and expand the tree.


  2. Create a new group nested under your intended Base DN, with a name that indicates the privileges it will carry.


  3. Give that Group a Name. This example creates an exacqVision Admin Group.


  4. Add domain users to the new group.


  5. Create additional groups. This example will create a Live and Search Only group.


  6. Add domain users to the group.


  7. Now you have multiple groups to query in the exacqVision Client. This allows you to assign permissions to users based on their Directory Group.



    NOTE: Check with the system administrator for the correct LDAP Base DN for your situation. User and Group OUs/containers must be below (nested under) the Base DN, not equal to or above it. If they are not, the bind will succeed but users will not be able to log in.

    Good / Better / Bad: (the screenshots of Base DN placements are not reproduced here)

  8. Log in to the client workstation with an exacqVision user account.


  9. Open the exacqVision Client and select the System tab on the Config (Setup) page. Enter the Base DN and Binding DN for the directory.
    NOTE: Make sure the Base DN is at least one level above the Group container you will be querying.



    The status should now be Connected.
  10. To map each group created on the domain to an exacqVision user, select Users from the configuration tree and click Query LDAP. This will allow us to assign exacqVision permissions to all domain users in each group.

     
  11. Select the group returned by the query and assign permissions to that group. This example gives full admin rights to the exacqVision Admins group.


  12. Click Apply. The group and all its domain users now have permissions, and the type is specified as LDAP.


  13. On the Users page, click Query LDAP and search for the next group that was created.


  14. Add permissions for this specific group. This example selects the Live + Search permission for the Live and Search Only group.


  15. Now both groups are mapped on the exacqVision Server with the appropriate permission levels.


  16. On the Add System page, select Use Single Sign-On so that exacqVision Client will pass the client computer’s login credentials to the server for validation when it starts.


  17. Because you are logged in to the Client workstation with an exacqVision Admin user account, the system will automatically log in to the server with these credentials.


  18. Now log out of the Client workstation admin account and log in as a Live and Search Only user. Notice that this account has none of the server configuration options that were available when logged in through the Admin group account.


4. Troubleshooting


LDAP Not Connecting

On the Domain Controller (and any firewall in the path), add and confirm rules allowing TCP port 389 (standard clear-text LDAP) and TCP port 636 (LDAP over SSL). UDP 389 is used only for CLDAP domain-controller discovery; LDAP binds and searches are TCP.


Re-imaging or Replacing System (Including Virtual Machines)

  1. Use a different hostname and IP (recommended).
  2. If using the same hostname and IP, make sure all instances and references of this hostname, IP, and SPN have been removed from the DC.
  3. Import the exacqVision configuration file to restore settings and preferences.


Client-Side Kerberos Errors

Either the binding DN account does not have permission to set the SPN, or you did not run the setspn command manually on all DCs, or the SPN has not yet replicated to all DCs. If you entered the SPN manually, check each DC by opening a command prompt on it and typing setspn -l hostname, where hostname is the hostname of the exacqVision server. If the machine is joined to the domain, use setspn -l fqdn. If the machine is not joined to the domain, use setspn -l serial, where serial is the exacqVision serial number (or mac_address for a third-party server).


The output should list the SPN under that account's registered service principal names (the sample output is not reproduced here).
Name Resolution Issues

You should be able to ping and resolve the exacqVision server from the client computer. If connecting using a hostname, DNS must be resolvable. In Command Prompt on the client computer, type ping exacqhostname.domain.xxx.


If it is still not resolving:

  1. Check DNS PTR records. Make sure the hostname and IP address are correct.
  2. Delete and add back the DNS record for the exacqVision server, if needed.
  3. Verify that you can resolve any FQDNs.
  4. Try logging in using your UPN name instead of Single Sign-On (Windows clients only). UPN=user@domain.xxx. If successful with the UPN name, restart the client computer and try Single Sign-On again.
  5. Verify that ports are open for 636 (secure LDAP) or 389 (LDAP).
  6. In Linux, check whether kinit returns an error stating it cannot find or connect to the KDC server. Ping your KDC server’s FQDN (usually your DC). If you cannot ping the KDC, this is a DNS issue. You can resolve by making sure you have set a valid internal DNS server via exacqVision Client, or by adding your KDC server to your HOSTS file.
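The following script, an added example rather than exacqVision's own tooling, runs the checks above from the client workstation: TCP reachability of the exacqVision Server on 22609 and of the domain controller on the LDAP port (the same ports listed in the LDAP connection requirements article at the top of this page), plus the forward and reverse DNS consistency that the PTR step asks for. The Kerberos KDC probe on TCP 88 is this example's addition, and the host names in it are placeholders for your own server and DC.

```python
import socket

# Added example, not exacqVision code: the reachability and name-resolution
# checks from the requirements list and the troubleshooting section, run from
# the client workstation. 22609 is the exacqVision Server port named on the
# page and 636/389 the LDAP ports; probing the DC on TCP 88 (Kerberos KDC) is
# this example's addition. Host names in __main__ are placeholders.


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """One TCP connect; a firewall that silently drops shows up as a timeout (False)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def forward_lookup(name: str) -> list:
    """Addresses the name resolves to ([] when DNS fails)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def reverse_lookup(ip: str):
    """PTR name for an address, or None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def ptr_problems(fqdn: str, forward_ips: list, ptr_names: dict) -> list:
    """Pure check behind the 'check DNS PTR records' step: every address the FQDN
    resolves to must reverse to that same FQDN. Linux Kerberos clients with rdns
    enabled build the server's SPN from the PTR name, so a stale PTR breaks SSO."""
    if not forward_ips:
        return [f"{fqdn}: does not resolve"]
    problems = []
    for ip in forward_ips:
        name = ptr_names.get(ip)
        if name is None:
            problems.append(f"{ip}: no PTR record")
        elif name.lower().rstrip(".") != fqdn.lower().rstrip("."):
            problems.append(f"{ip}: PTR is {name}, expected {fqdn}")
    return problems


def sso_preflight(server_fqdn: str, dc_fqdn: str, use_ssl: bool = True) -> dict:
    """Run every check and return {description: result}; all True / [] means go."""
    ldap_port = 636 if use_ssl else 389
    results = {
        f"tcp {server_fqdn}:22609 (exacqVision Server)": tcp_reachable(server_fqdn, 22609),
        f"tcp {dc_fqdn}:{ldap_port} (LDAP)": tcp_reachable(dc_fqdn, ldap_port),
        f"tcp {dc_fqdn}:88 (Kerberos KDC)": tcp_reachable(dc_fqdn, 88),
    }
    for fqdn in (server_fqdn, dc_fqdn):
        ips = forward_lookup(fqdn)
        results[f"dns {fqdn}"] = ptr_problems(fqdn, ips, {ip: reverse_lookup(ip) for ip in ips})
    return results


if __name__ == "__main__":
    # Placeholder names; substitute your exacqVision server and domain controller.
    for check, result in sso_preflight("exacq1.exacqts.local", "dc1.exacqts.local").items():
        print(f"{check}: {'OK' if result in (True, []) else result}")
```

Run it from the client; every tcp line should read OK and every dns line should be empty. A timeout rather than an immediate refusal on 22609 or 636 usually means a firewall in the path, which is the "LDAP Not Connecting" case above.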

Server-Side Kerberos Errors

  1. The exacqVision server log could contain the following error:

    StreamPI Error SSPIerror:SEC_E_TIME_SKEW

    This means the clocks on the client and server computers do not match. Kerberos tolerates at most five minutes of skew, so the exacqVision server time can be no more than five minutes off the DC's time; have the server take its time from the DC or from the same NTP source.
  2. Make sure the User and Group OU/Container are nested under the Base DN (see the discussion earlier in this document).
  3. Can you ping all your DC FQDNs and resolve them from both the client and the server?
  4. You may have entered the Service Principal Name (SPN) incorrectly. Verify the SPN from a command prompt on the DC with setspn -l hostname (the hostname of the exacqVision server). If the machine is joined to the domain, use setspn -l fqdn. If it is not, use setspn -l serial, where serial is the exacqVision serial number (or mac_address for a third-party server).
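A small check for the Base DN rule (the NOTE under configuration step 7 and item 2 above) and for mistyped Bind DNs, added here as an example; it is not part of exacqVision. It parses DNs per RFC 4514 with backslash escapes, compares them case-insensitively as Active Directory does, and accepts an entry only when it sits strictly below the Base DN, which is exactly the "equal to or above" failure the NOTE warns about. The sample DNs are constructed from the names used on this page (exacqts.local, OU=SecurityGroups, exacqSVC); the unescaped-'=' heuristic for a dropped comma is this example's own.

```python
import re

# Added example, not exacqVision code: a minimal RFC 4514 DN parser used to
# enforce the Base DN rule (user and group containers must sit strictly below
# the Base DN) and to catch a mistyped Bind DN before the server logs
# "Bind DN was not found". Sample DNs are constructed from names on this page.


def _split_unescaped(s: str, sep: str) -> list:
    """Split on sep while keeping backslash-escaped characters (\\, \\+ ...) inside a value."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(attribute, value), ...] leaf first, lower-cased because AD compares
    DNs case-insensitively. Raises ValueError on malformed input."""
    rdns = []
    for rdn in _split_unescaped(dn.strip(), ","):
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no '=' (missing comma or attribute name?)")
        attr, value = (p.strip() for p in rdn.split("=", 1))
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+", attr) or not value:
            raise ValueError(f"bad attribute or empty value in RDN {rdn!r}")
        # Heuristic (this example's own): AD does not emit an unescaped '=' inside
        # a value, so one almost always means a comma was dropped between two RDNs.
        if re.search(r"(?<!\\)=", value):
            raise ValueError(f"unescaped '=' inside value of RDN {rdn!r} (missing comma?)")
        rdns.append((attr.lower(), value.lower()))
    return rdns


def is_nested_under(base_dn: str, entry_dn: str) -> bool:
    """True only when entry_dn is strictly below base_dn; equal or above fails."""
    base, entry = parse_dn(base_dn), parse_dn(entry_dn)
    return len(entry) > len(base) and entry[len(entry) - len(base):] == base


def check_base_dn(base_dn: str, entry_dns: list) -> list:
    """Problem strings for user/group/bind DNs that break the rule or are malformed ([] = OK)."""
    try:
        parse_dn(base_dn)
    except ValueError as e:
        return [f"Base DN {base_dn!r}: {e}"]
    problems = []
    for dn in entry_dns:
        try:
            if not is_nested_under(base_dn, dn):
                problems.append(f"{dn!r} is not nested under Base DN {base_dn!r}")
        except ValueError as e:
            problems.append(f"{dn!r}: {e}")
    return problems


if __name__ == "__main__":
    base = "OU=Indiana,OU=US,DC=exacqts,DC=local"
    for problem in check_base_dn(base, [
        "CN=exacqVision Admins,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local",
        "CN=Live and Search Only,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local",
        "CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local",
        "CN=exacqSVC OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local",  # dropped comma
        "OU=Indiana,OU=US,DC=exacqts,DC=local",  # equal to the Base DN: bind works, logins fail
    ]):
        print(problem)
```

The first three sample DNs pass; the last two are reported, one as a syntax error and one as "not nested", which are the two situations this page's troubleshooting sections describe. Multi-valued RDNs joined with '+' are rare in AD and are treated as a single value here.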


Active-Directory-LDAP-Best-Practices.pdf

Configuring SSL on an exacqVision Server for Active Directory/LDAP (Linux)

exacqVision 7.2 and higher:

Check the box labeled “Use SSL” on the “ActiveDirectory/LDAP” configuration page, then press “Apply”.


exacqVision prior to 7.2:

This article contains procedures for configuring SSL on exacqVision servers so that you can make Active Directory operations more secure.

There are many ways to generate, install, and manage certificates in order to use SSL, but this document explains one simple option: exporting the trusted root certificate that already exists in your Active Directory domain and installing it on each exacqVision server.

Export Trusted Root Certificate for Your Domain

  1. Log in to any Windows workstation that has already been added to your domain. The login account must have at least local admin permissions.
  2. Start the Microsoft Management Console (mmc.exe).
  3. If you haven’t already, add the Certificates snap-in:

    a) On the File menu, click Add/Remove Snap-In.
    b) Select Certificates and click Add.
    c) When prompted, select the option to manage certificates for your user account (instead of the service or computer account).
    d) Click Finish.
    e) Click OK to complete this step.
  4. Expand Certificates – Current User in the left pane.
  5. Expand Trusted Root Certification Authorities.
  6. Select the Certificates folder to display your workstation’s currently installed CA certificates. The Issued To field should contain something similar to mydomain-ROOT-CA, where mydomain is your domain name.
  7. Select that Issued To entry, right-click All Tasks, and select Export.
  8. In the Certificate Export Wizard, select the format choice of Base-64 encoded binary X.509 (.CER). Save it to a local .cer file that you can relocate later. You will then install this same certificate file on every exacqVision Server for which you intend to use SSL.


Certificate Database Location on exacqVision Server

Whenever exacqVision Server attempts to connect to an Active Directory server, it creates the following files in the installation directory, if necessary:

cert8.db
key3.db
secmod.db

Import Trusted Root Certificate into Each exacqVision Server

  1. On the exacqVision server, copy your trusted root certificate to the server’s installation directory at /usr/local/exacq/server.
  2. If you have not already verified your exacqVision Server’s LDAP configuration with SSL disabled, do this now. This creates the certificate database files if they do not exist already.
  3. Open a Terminal window and capture the domain controller’s certificate:

    openssl s_client -connect FQDN:636 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ad.pem && sudo mv ad.pem /usr/local/exacq/server
    where FQDN is the fully qualified domain name of your Domain Controller. (The original procedure passed -ssl3; current OpenSSL builds no longer support SSLv3 and domain controllers reject it, so the flag is omitted and a TLS version is negotiated instead. The </dev/null redirection closes s_client’s input, so there is no need to press Enter to finish.)
  4. Before trusting ad.pem, confirm that it chains to the root certificate you exported in the previous section, for example with openssl verify using that root as the CA file. A certificate that does not verify means you captured the wrong host or an interception proxy, and must not be imported.
  5. Change to the exacqVision server’s directory with

    cd /usr/local/exacq/server
  6. Run the following two commands (this is the NSS certutil from libnss3-tools, not the Windows certutil):

    sudo certutil -d . -A -t "C,C,C" -i MY_CERT_FILE -n adca

    where MY_CERT_FILE represents your trusted root certificate file; and

    sudo certutil -d . -A -t "u,u,u" -i ad.pem -n ad
  7. In a Terminal window, restart your exacqVision server with the following command:

    sudo service edvrserver restart
  8. On your exacqVision server, run exacqVision Client and open the Active Directory/LDAP tab. Select the SSL checkbox (the port should automatically change to 636), and then click Apply. Your exacqVision Server should then reconnect to your Active Directory domain controller.


Configuring-SSL-on-an-exacqVision-Server-for-Active-Directory-LDAP-Linux.pdf

LDAP Server Signing Requirements

If your domain environment has the GPO “Domain controller: LDAP server signing requirements” set to Require signing, the domain controller rejects unsigned simple binds on port 389, so you must connect to Active Directory or LDAP using SSL (port 636).

In Windows, follow the steps in Article 2160.

A similar Linux procedure is pending and will be posted here when available.


Troubleshooting Active Directory Error Messages

Error: “Client Side Kerberos Authentication Failed”

Cause: The setspn command was not run on all Active Directory servers, or there is a duplicate SPN (the same SPN registered on more than one account).

Solution: On the DC, run the setspn command as directed in the appropriate ExacqVision Active Directory setup guide, or run setspn -X to check for duplicates. If a duplicate is found, remove the SPN from all but one of the accounts. SPNs are compared case-insensitively, so two entries that differ only in case still count as a duplicate.
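To show what the duplicate check looks for, here is an added example (not exacqVision or Microsoft code) that parses the output of setspn -L for several accounts and reports any SPN registered on more than one of them, the condition setspn -X flags, along with SPNs that are missing for the server altogether. The listings are constructed, and the HOST/ service class in them is assumed for illustration; use whatever setspn -l shows for your own server account.

```python
import re
from collections import defaultdict

# Added example, not exacqVision or Microsoft code. `setspn -L <account>` on a
# DC lists the SPNs registered on one account; this parses a batch of such
# listings and reports SPNs registered on more than one account (what the page
# says to find with `setspn -X`). SAMPLE_LISTINGS is constructed, and the
# HOST/ service class in it is an assumption for illustration.

SAMPLE_LISTINGS = """\
Registered ServicePrincipalNames for CN=EXACQ1,CN=Computers,DC=exacqts,DC=local:
        HOST/exacq1.exacqts.local
        HOST/EXACQ1
Registered ServicePrincipalNames for CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local:
        HOST/exacq1
Registered ServicePrincipalNames for CN=EXACQ2,CN=Computers,DC=exacqts,DC=local:
        HOST/exacq2.exacqts.local
        HOST/EXACQ2
"""


def parse_setspn_listings(text: str) -> dict:
    """Map account DN -> [SPN, ...] from one or more concatenated `setspn -L` outputs."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):\s*$", line)
        if m:
            current = m.group(1)
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts


def find_duplicate_spns(accounts: dict) -> dict:
    """SPN (lower-cased) -> accounts holding it, for SPNs on more than one account.
    SPNs compare case-insensitively, so HOST/EXACQ1 and HOST/exacq1 collide."""
    owners = defaultdict(list)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return {spn: accs for spn, accs in owners.items() if len(accs) > 1}


def spn_holders(accounts: dict, spn: str) -> list:
    """Accounts on which a given SPN is registered (case-insensitive match)."""
    wanted = spn.lower()
    return [a for a, spns in accounts.items() if wanted in (s.lower() for s in spns)]


def spn_report(text: str, hostname: str, fqdn: str) -> list:
    """Lines a practitioner would act on: SPNs missing for the server, then duplicates."""
    accounts = parse_setspn_listings(text)
    lines = []
    for spn in (f"HOST/{hostname}", f"HOST/{fqdn}"):   # both forms the page says to check
        if not spn_holders(accounts, spn):
            lines.append(f"{spn}: not registered on any account")
    for spn, accs in find_duplicate_spns(accounts).items():
        lines.append(f"{spn}: registered on {len(accs)} accounts, remove it from all but one: "
                     + ", ".join(accs))
    return lines


if __name__ == "__main__":
    for line in spn_report(SAMPLE_LISTINGS, "exacq1", "exacq1.exacqts.local"):
        print(line)
```

On the sample data the report flags HOST/exacq1, which is registered on both the computer account (as HOST/EXACQ1) and the service account: a Kerberos client asking for a ticket to that service cannot tell which account's key to use, which is the client-side failure described above.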


Error: “User not authenticated in LDAP”

Cause: Windows 2000 or earlier Active Directory Domain Functional Level.

Solution: Upgrade the Functional Level of your Domain to Windows 2003 or higher.
See How to raise Active Directory domain and forest functional levels for details.

Alternate Solution:

  • If you are using ExacqVision 4.8 or newer, you can edit the StreamPI.xml file. Change the value of EnableActiveDirectoryUserDisabling from 1 to 0.
  • If you are using an ExacqVision version earlier than 4.8, contact support@exacq.com to obtain an updated DLL.

Error: The connection to the server always shows “Disconnected” in the ExacqVision Client.

Cause: The Binding DN is incorrect.

Solution: Complete the following procedure:

  1. Download Softerra LDAP Browser. (Be sure to click the tab for Browser, NOT Administrator.)
  2. Install and Run LDAP Browser.
  3. Click File and then New Profile.
  4. Enter a name for your new profile and click Next.
  5. Enter the hostname of your AD server in the Host field (or click the Lookup Servers button if you don’t know the host).
  6. Click Next.
  7. Select Currently Logged On User.
  8. Click Finish.
  9. Highlight the new profile you just created in the left panel.
  10. In the Find What box at the top of the right panel, enter the username used to connect to Active Directory in the ExacqVision software.
  11. Press Enter.
  12. After the search completes, find the correct user account.
  13. Right-click the user account and select Properties.
  14. Copy the string in the top portion of the Properties Panel (it should start with CN=).
  15. Paste this string into the Binding DN section of your ExacqVision Client and click Apply.
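If LDAP Browser is not available, the underlying question (does this Bind DN and password bind against this server, on this port, with or without SSL?) can be answered with the following script. It is an added example, not exacqVision code: it encodes an LDAPv3 simple bind directly in BER, so it needs only the Python standard library, and it decodes the AcceptSecurityContext sub-status that Active Directory appends to a failed bind (data 52e for a wrong password, 525 for an unknown DN, and so on), which tells you whether the DN or the password is the problem. The same check covers the Server Address, port, Use SSL and bind-account fields of the Azure AD configuration steps earlier on the page. The host, DN and password in the live-call comment are placeholders; the sample reply is constructed.

```python
import re
import socket
import ssl

# Added example, not exacqVision code: an LDAPv3 simple bind hand-encoded in
# BER (RFC 4511), so the Bind DN / password / port / SSL combination can be
# tested with nothing but the standard library. Host, DN and password in the
# live call are placeholders; SAMPLE_REPLY is a constructed DC response.


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV with definite length (payloads up to 65535 bytes)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def ber_int(value: int) -> bytes:
    """INTEGER; the sizing keeps values with the high bit set positive (e.g. 128 -> 00 80)."""
    return ber(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    body = ber_int(3) + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))   # 0x60 = [APPLICATION 0]


def bind_response(msg_id: int, result_code: int, matched_dn: str = "", diagnostic: str = "") -> bytes:
    """BindResponse ([APPLICATION 1]) encoder, used only to build the constructed sample reply."""
    body = ber(0x0A, bytes([result_code])) + ber(0x04, matched_dn.encode()) + ber(0x04, diagnostic.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x61, body))


def _tlv(data: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(msg, 0)
    tag, resp, _ = _tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, rc, pos = _tlv(resp, 0)
    _, matched, pos = _tlv(resp, pos)
    _, diag, _ = _tlv(resp, pos)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode(errors="replace"), "diagnostic": diag.decode(errors="replace")}


# Active Directory appends "data <code>" to the diagnostic message of a failed
# simple bind; these are its AcceptSecurityContext sub-status codes.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials (wrong password or bind DN)",
    "530": "not permitted to log on at this time", "531": "not permitted to log on from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}


def explain_bind(result: dict) -> str:
    if result["result_code"] == 0:
        return "bind succeeded"
    m = re.search(r"\bdata ([0-9a-f]{3})\b", result["diagnostic"])
    sub = AD_BIND_SUBCODES.get(m.group(1), "unknown AD sub-status") if m else "no AD sub-status"
    return f"bind failed: resultCode={result['result_code']} ({sub})"


def ldap_simple_bind(host: str, port: int, bind_dn: str, password: str,
                     use_ssl: bool = True, cafile: str = None, timeout: float = 5.0) -> dict:
    """Connect, send one simple bind, return the parsed response. With use_ssl the DC's
    certificate is verified against cafile (e.g. the exported domain root CA)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_ssl:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(sock.recv(4096))
    finally:
        sock.close()


# Constructed sample: what a DC returns for a wrong password on a valid bind DN.
SAMPLE_REPLY = bind_response(
    1, 49, "", "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v4563")

if __name__ == "__main__":
    print(explain_bind(parse_bind_response(SAMPLE_REPLY)))
    # Live check against your own DC (placeholder values):
    # print(explain_bind(ldap_simple_bind("dc1.exacqts.local", 636,
    #       "CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local",
    #       "password", cafile="/usr/local/exacq/server/MY_CERT_FILE")))
```

A simple bind sends the password in the clear, so use the SSL path (port 636, with the exported root as cafile so the DC's certificate is actually verified) anywhere outside a lab; a domain controller with LDAP server signing required rejects the plain-389 variant in any case.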

Error: “Connected, SPN not found”

While there are other possible causes, it is common for a Binding DN, which is a long string, to be mistyped. For instance, the following Distinguished Name works, but must be typed exactly:

CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local

Any incorrect spacing or punctuation prevents the SPN from being set, and the server log shows:

StreamPI Warning LDAP: Bind DN was not found. Unable to create SPN.

You can also enter the account’s user principal name (UPN) instead of the DN. For this account it is:

exacqSVC@exacqts.local
