Before users can access intranet resources, Mobile Enterprise Gateway (MEG) requires
them to authenticate against corporate directory services. MEG integrates
with both Active Directory and LDAP servers for this type of user
authentication.
About this task
For integration with Active Directory for user authentication,
you must configure the gateway as a service account that is a domain
user for a particular domain. By default, the gateway authenticates
only users that belong to a particular domain within the forest. If
you want to run multiple Active Directory environments that use multiple
domains in a forest or multiple forests, use the Mobile Enterprise Gateway (MEG) implementation
for Active Directory for user authentication to enable trust for multi-forest/multi-domain
environments.
For example, your Active Directory
environment contains 2 forests and 3 domains that trust each other.
When
you enable user authentication for Active Directory, the default implementation
only authenticates users within the context of the service account
domain. To extend the authentication scope to all forests and domains,
you must manually modify a registry key to support multi-forest/multi-domain
authentication for the gateway.
Procedure
- Open the Registry Editor (regedit.exe)
on the Cloud Extender® server.
- From HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fiberlink\V360,
create a value in the V360 key: "ADD_REG_POLICY_GROUP"="UA_PLC".
Note: If the ADD_REG_POLICY_GROUP value
exists, you must append UA_PLC to the list separated
by a semicolon (;).
- Create a key under the V360 key named UA_PLC.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fiberlink\V360\UA_PLC
- Create two new string values under UA_PLC:
"FQDNMapFilePath"="C:\%ProgramData%\MaaS360\Cloud Extender\AR\Data\FQDNMap.txt"
"SearchAllForests"="Y"
- Create a mapping of all your trusted domains in a new text
file called FQDNMap.txt by using any plain text
editor.
This mapping file is a text file that contains
one entry per line of text for each domain in the environment. Each
line has the short domain name to the left of the = (equals) sign
and the FQDN to the right of the = (equals) sign: shortDomainName=FQDN.
Add a second entry of the form FQDN=FQDN for each domain as well (make
sure to map both combinations).
For example:
domainA = domainA.rootDomain1.mycorp.com
domainB = domainB.rootDomain1.mycorp.com
domainC = domainC.rootDomain2.mycorp.com
domainA.rootDomain1.mycorp.com = domainA.rootDomain1.mycorp.com
domainB.rootDomain1.mycorp.com = domainB.rootDomain1.mycorp.com
domainC.rootDomain2.mycorp.com = domainC.rootDomain2.mycorp.com
Each
line in the file must end with either a <CRLF> (DOS
line ending convention) or a <LF> (UNIX line ending convention).
- Save the file as FQDNMap.txt.
- Copy the FQDN Map File FQDNMap.txt to
the folder C:\ProgramData\MaaS360\Cloud Extender\AR\Data\.
- Restart the Cloud
Extender service.
Note: If you are running a gateway
cluster in High Availability (HA) mode, follow these steps on all
gateways that implement the User Authentication service.
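The registry and mapping-file steps above, automated in one script. This is an added example, not part of the MaaS360 documentation or the product: run it in an elevated PowerShell session on the Cloud Extender server. The three domain names are constructed sample values, the file is written straight into the Data folder instead of being created elsewhere and copied, and the service name is not given on this page, so it is left as a labelled placeholder.

```powershell
# Added example (not part of the MaaS360 documentation): applies the
# multi-forest/multi-domain registry settings and generates FQDNMap.txt.
$ErrorActionPreference = 'Stop'

$v360    = 'HKLM:\SOFTWARE\Wow6432Node\Fiberlink\V360'
$uaPlc   = Join-Path $v360 'UA_PLC'
$dataDir = 'C:\ProgramData\MaaS360\Cloud Extender\AR\Data'
$mapFile = Join-Path $dataDir 'FQDNMap.txt'

# Short name -> FQDN for every trusted domain (constructed sample values;
# replace with the domains of your own forests).
$domains = @{
    'domainA' = 'domainA.rootDomain1.mycorp.com'
    'domainB' = 'domainB.rootDomain1.mycorp.com'
    'domainC' = 'domainC.rootDomain2.mycorp.com'
}

# Step 2: add UA_PLC to ADD_REG_POLICY_GROUP. If the value already exists,
# append to the semicolon-separated list instead of overwriting it.
$existing = (Get-ItemProperty -Path $v360 -Name 'ADD_REG_POLICY_GROUP' `
                -ErrorAction SilentlyContinue).ADD_REG_POLICY_GROUP
if ([string]::IsNullOrWhiteSpace($existing)) {
    $groups = @('UA_PLC')
} else {
    $groups = @($existing -split ';' | Where-Object { $_ -ne '' })
    if ($groups -notcontains 'UA_PLC') { $groups += 'UA_PLC' }
}
Set-ItemProperty -Path $v360 -Name 'ADD_REG_POLICY_GROUP' -Value ($groups -join ';') -Type String

# Step 3: create the UA_PLC key if it is missing.
if (-not (Test-Path $uaPlc)) { New-Item -Path $uaPlc | Out-Null }

# Step 4: the two string values, with the path exactly as the documentation gives it.
Set-ItemProperty -Path $uaPlc -Name 'FQDNMapFilePath' `
    -Value 'C:\%ProgramData%\MaaS360\Cloud Extender\AR\Data\FQDNMap.txt' -Type String
Set-ItemProperty -Path $uaPlc -Name 'SearchAllForests' -Value 'Y' -Type String

# Steps 5-7: one shortDomainName=FQDN line and one FQDN=FQDN line per domain,
# every line terminated with <CRLF>, written into the Data folder.
$lines = foreach ($short in ($domains.Keys | Sort-Object)) {
    $fqdn = $domains[$short]
    "$short = $fqdn"
    "$fqdn = $fqdn"
}
$content = ($lines -join "`r`n") + "`r`n"
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
Set-Content -Path $mapFile -Value $content -Encoding Ascii -NoNewline

# Read the file back and confirm both combinations exist for every domain
# before restarting anything (a missing FQDN=FQDN entry is the usual mistake).
function Test-FqdnMap {
    param([string]$Path, [hashtable]$Expected)
    $map = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.+?)\s*$') { $map[$Matches[1]] = $Matches[2] }
    }
    foreach ($short in $Expected.Keys) {
        $fqdn = $Expected[$short]
        if ($map[$short] -ne $fqdn -or $map[$fqdn] -ne $fqdn) { return $false }
    }
    return $true
}
if (-not (Test-FqdnMap -Path $mapFile -Expected $domains)) {
    throw "FQDNMap.txt is incomplete: every domain needs short=FQDN and FQDN=FQDN entries."
}

# Step 8: restart the Cloud Extender service. The service name is not given in
# the documentation, so this is a placeholder; take the real name from Get-Service.
$serviceName = '<Cloud Extender service name>'
if ($serviceName -notlike '<*') {
    Restart-Service -Name $serviceName
} else {
    Write-Warning 'Set $serviceName to the Cloud Extender service and restart it.'
}
```

In an HA cluster, run the same script on every gateway that implements the User Authentication service, as the note above requires; the script is idempotent, so running it twice on one host does not duplicate the UA_PLC entry in ADD_REG_POLICY_GROUP.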