For HCP to support AD, you need to configure HCP to identify the domain in the AD forest to be used for HCP user authentication and provide credentials for an existing AD account in that domain. This AD user account is used to configure HCP in the AD domain.
All AD domain controllers configured for the domain used for HCP user authentication must be able to communicate with HCP over the [hcp_system] network. Therefore, each AD domain controller must have at least one IPv4 or IPv6 address that is routable from the [hcp_system] network.
You also need to specify or accept the defaults for the existing organizational unit (OU) in which computer accounts will be created for the HCP nodes, along with the name of a computer account that HCP will use when querying AD for groups and other information. That computer account will be in the same AD groups as the user account you specify.
You can choose to enable secure communication between HCP and AD for the configuration of the computer account that HCP will use for querying AD. In this case, HCP needs a copy of the SSL certificate that allows clients to connect securely to the LDAP server used by AD. You need to export this certificate from AD as a base-64-encoded X509 certificate and then upload it to HCP on the Active Directory page.
For secure communication with AD when configuring computer accounts for HCP nodes, you can configure HCP to use NTLM or NTLMv2. The Use NTLMv2 authentication option appears only if you have selected Enable Authenticated CIFS Support. If you want HCP to use NTLM instead, deselect Use NTLMv2 authentication. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.
Additional considerations
• If you have more than one HCP system for which you are enabling support for AD, one or more of those systems may need to be reconfigured to prevent conflicts. Before enabling support for AD for any of the HCP systems, contact your authorized HCP service provider. Your provider can determine whether any reconfiguration is required and then make the necessary changes.
• For authenticated AD users to use a tenant- or namespace-level interface, such as the Tenant Management Console and the namespace access protocols, the tenant must also be configured to support AD authentication.
• If you disable support for AD after it has been enabled, tenants that support only AD authentication will not be able to access the Tenant Management Console. Therefore, before disabling AD support, you should ensure that all tenants support local authentication. Additionally, you should notify all tenant administrators that they need to create at least one locally authenticated user account with the security role.
• For HCP to use AD for user authentication:
  o HCP must be able to contact at least one DNS server that can resolve the AD domain name.
  o The AD time must be within five minutes of the HCP system time. A good practice is to configure HCP and AD to use the same time server.
  o All the domains in the AD forest that HCP uses for user authentication must be at the 2008 functional level or higher.
• To ensure that AD users have continuous access to HCP, the AD infrastructure should have a robust and fault-tolerant configuration.
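The following pre-flight script is an added example, not part of the HCP documentation or product, that checks the AD-side prerequisites listed above (DNS resolution, 2008 functional level, time skew) and exports the certificate presented by a domain controller on the LDAPS port as a base-64-encoded X.509 file. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module; $Domain and $Dc are placeholders for your own domain and domain controller.

```powershell
# Assumptions: domain-joined Windows host, RSAT ActiveDirectory module,
# $Domain / $Dc are placeholders (not values from the HCP documentation).
Import-Module ActiveDirectory
$Domain = 'corp.example.com'
$Dc     = "dc01.$Domain"

# 1. DNS: the AD domain name must be resolvable. This confirms the records
#    exist; repeat the query against the DNS server HCP itself is configured to use.
Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Out-Null
$srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop
'LDAP SRV targets: ' + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')

# 2. Functional level: every domain in the forest must be at least 2008.
#    ADDomainMode is an enum whose numeric value rises with each release.
$minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
foreach ($d in (Get-ADForest).Domains) {
    $mode = (Get-ADDomain -Identity $d).DomainMode
    $ok   = [int]$mode -ge [int]$minimum
    '{0,-30} {1,-22} {2}' -f $d, $mode, $(if ($ok) { 'OK' } else { 'BELOW 2008' })
}

# 3. Time: AD and HCP must agree within five minutes. This shows this host's
#    offset from the DC; check the HCP system time against the same DC.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly

# 4. LDAPS certificate: connect to port 636 (AuthenticateAsClient throws if
#    the chain is not trusted by this host), then write the certificate the DC
#    presents as base-64 X.509 (PEM), the format the Active Directory page expects.
$tcp = New-Object System.Net.Sockets.TcpClient($Dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($Dc)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()
"LDAPS certificate: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
$b64 = ([Convert]::ToBase64String($cert.Export('Cert')) -replace '(.{64})', "`$1`n").TrimEnd("`n")
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path ".\$Dc-ldaps.cer" -Encoding ascii
```

If the domain controller's certificate was issued by an internal CA, the certificate HCP needs may be that issuer's certificate rather than the server certificate; the Issuer value printed in step 4 identifies it.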
© 2015, 2020 Hitachi Vantara LLC. All rights reserved.