You can configure Windows Active Directory to authenticate administrator and node passwords for the IBM Spectrum Protect server. In this configuration, Active Directory is used as a Lightweight Directory Access Protocol (LDAP) server.
For general instructions about configuring IBM Spectrum Protect to use an Active Directory database, see Authenticating users by using an Active Directory database.
Links for Configuring your LDAP Server
General Windows Server 2008
- Active Directory Domain Services
- Active Directory Certificate Services
General Windows Server 2003
- Designing and Deploying Directory and Security Services
- Active Directory Operations Guide
- Designing a Public Key Infrastructure
- Windows Server 2003 PKI Operations Guide
- You need a signed server authentication certificate in the certificate store for Active Directory.
- The easiest way is to set up a Microsoft Certificate Services Enterprise Root certificate authority (CA) in the domain. The Domain Controller should automatically enroll and be issued a certificate. You can check the Microsoft CA type by using the following command:
- You can also create a certificate request and have it signed by any CA. For more information, see the following articles:
- Verify that the Domain Controller "Server Authentication" certificate was issued under "Certificates (Local Computer)" -> Personal -> Certificates.
- Verify that the "Issued by"/"Issuer" and "Issued to"/"Subject" are the same and match the CA name.
- For Microsoft Certificate Services CAs, take one of the following actions:
- Export the root certificate from the "Certificates (Local Computer)" MMC snap-in (mmc.exe):
- Copy the certificate from C:\Windows\system32\certsrv\CertEnroll\*.crt. This file is in binary DER encoded X.509 format.
- Download from the Certificate Enrollment Web Services web interface http://<CA hostname>/certsrv/:
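The checks and the export above can be done from a PowerShell session on the Domain Controller. The following script is an added example (not from the IBM documentation); it assumes an elevated session on the Domain Controller and uses $ExportDir as a placeholder output path of your choice.

```powershell
# Added example (not from the IBM page): find the Server Authentication
# certificate(s) in Certificates (Local Computer) -> Personal, build the
# chain the way Schannel will, and export the root CA in DER (.cer) form.
# Assumptions: elevated PowerShell on the Domain Controller; $ExportDir is
# a placeholder path you choose.
$ExportDir     = 'C:\Temp\ldap-ca'       # placeholder, adjust as needed
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth EKU

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

$serverCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid }

if (-not $serverCerts) {
    Write-Warning 'No Server Authentication certificate in Certificates (Local Computer) -> Personal.'
    return
}

foreach ($cert in $serverCerts) {
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)"
    Write-Host "Thumb   : $($cert.Thumbprint)"

    # Build the chain; revocation checking is skipped so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning "Chain problem: $($_.Status) $($_.StatusInformation)"
        }
        continue
    }

    # The last chain element is the root; a root CA is self-signed, so its
    # Subject ("Issued to") and Issuer ("Issued by") must match.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -ne $root.Issuer) {
        Write-Warning "Top of chain is not self-signed: $($root.Subject)"
    }

    # 'Cert' exports binary DER-encoded X.509, the same format as CertEnroll\*.crt.
    $outFile = Join-Path $ExportDir ("root-" + $root.Thumbprint + ".cer")
    [System.IO.File]::WriteAllBytes($outFile, $root.Export('Cert'))
    Write-Host "Root CA exported (DER) to $outFile"
}
```

The exported .cer file is what you copy to the IBM Spectrum Protect server so it can trust the Domain Controller's certificate over LDAPS.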
Setting TLS/SSL (Schannel) cryptographic algorithms and protocols
- A User or InetOrgPerson object can be used.
- You can use the dsquery user command to get the DN for SET LDAPUSER:
dsquery user -name tsmuser
- Containers cannot be used, as they cannot contain an OU:
- Use the dsquery ou command to get a list of DNs of all the OUs that can be used as the Base DN in the LDAPURL.
- Select Create a custom task to delegate.
- Delegate “Full Control” of all the objects in the OU.
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Complexity requirements
- Storage of passwords by using reversible encryption
- Account lockout duration
- Account lockout threshold
- Reset account lockout
Troubleshooting Links and Instructions
- Setting the Schannel event logging level by using regedit. The value is a bit mask of the flags below, so use 7 for full logging or 3 for warnings and errors only:
  0x0000 Do not log
  0x0001 Log error messages
  0x0002 Log warnings
  0x0004 Log informational and success events
- Open Event Viewer.
- In the console tree, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2.
- Right-click Operational, and click Enable Log.
13 March 2020