PGP Administrator Password Complexity Enforcement via AD Admins (Directory Authentication) for PGP Encryption Server
Article ID: 171746

Products

Encryption Management Server, Gateway Email Encryption, PGP Command Line, PGP Encryption Suite, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

PGP Encryption Server 11 includes an Active Directory integration feature, so it is no longer necessary to manage a separate password to log in to the PGP Encryption Server.

This feature is called PGP Active Directory Authentication; it uses the administrator's domain credentials to log in. This article describes how it works in PGP Encryption Server 11 and above.

For more information on how to enable Directory Synchronization for the entire PGP Encryption Server, see the following article:

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)

Resolution

With PGP Encryption Server, there are now two types of authentication for administrator accounts on the PGP Encryption Server:

Method 1 (Recommended): The first type of authentication for Administrators is the "Directory" method, or LDAP Directory.
This option is convenient because PGP admins never have to remember a separate password: it is the same password as their AD account, and the domain's password policy applies.

Method 2: The second type has been used in all previous versions and is called "Passphrase" authentication.
This method is a little more difficult to use because the password is specific to the PGP Encryption Server, which has different password requirements than AD.

Definitions: Some of these steps will show the new Web Console for the PGP Encryption Server.  We refer to the new console as "smc".  The old console is called the "omc". 
All functionality will eventually reside in the new smc, but that will be done in phases. 
For PGP 11.0.0, some new reporting aspects and dashboards are available, but most functionality will still exist in the omc.  

Authentication Method 1 (AD Password Authentication)

This method imports a PGP Administrator using their account found in Active Directory. It is the recommended method because the administrator's password is governed by the domain's password complexity requirements.
The PGP Encryption Server no longer needs to rotate the PGP Administrator's passphrase, so your domain credentials will always allow you access to the PGP Server as long as your account has been added.

Prerequisites: Before you use the new functionality to add admins from AD to the list, be aware of a known limitation: the list shows at most 1000 Active Directory objects.
To work around this, create a security group for each of your PGP Administrator roles, add the users to their respective groups, and then add those security groups with this new functionality. When you create these groups, precede each group name with "00" so that it appears at the top of the list of AD objects.

We recommend creating a security group for each of the Administrator "Roles" that you would like to have.  For example, not everyone should be a Full Admin.  Some should be read only.  For more information about PGP Administrator roles, see the following article:

153670 - PGP Encryption Server Administrator Roles

Given the above roles, here are the names we recommend configuring in Active Directory:

00-Read-Only Administrator
00-WDRT-only Administrator
00-Service Control Only
00-Basic Administrator
00-Full Administrator

Steps to configure:

Step 1: Log in to the "omc" (old console), then click System, Administrators to see the new functionality:

Notice "Active Directory Authentication..." on the bottom:

Step 2: Click the button to see the "Active Directory Authentication" for Administrators pop up:

Step 3: The configuration screen will appear. Enter the FQDN of your Active Directory server and port 636 for LDAPS.
WARNING: Do not configure port 389/LDAP. It is not a secure protocol, and information sent over it (including the Bind DN credentials) is sent in the clear.
Use only port 636/LDAPS to ensure communications are secured over TLS:

As you can see in the above example, the FQDN "ad.example.com" was used with port 636.

The Protocol used is "LDAPS". Do not use LDAP for this configuration.

Step 4: Once you have all of the information entered above, click "Test Connection".

Step 5: Once the test is successful, you can move on to entering the credentials for the "Bind DN" user.
The Bind DN is the user account that makes the connection to your LDAP directory for the domain.
Enter it using the "domain\username" syntax. For more information on how to use this syntax, see the following article:

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)
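As a pre-flight check for the settings in Steps 3 to 5, here is an added Python example (not part of this article or of the PGP Encryption Server) that flags the configurations the article warns against (LDAP on 389, an IP address instead of an FQDN, a Bind DN not in domain\username form) and optionally verifies the AD server's LDAPS certificate the way a strict client would. The host name, bind account and function names are assumptions.

```python
"""Pre-flight checks for the Active Directory Authentication settings (added example)."""
import ipaddress
import re
import socket
import ssl

LDAPS_PORT = 636           # the port the article requires
CLEARTEXT_LDAP_PORT = 389  # the port the article warns against


def validate_ad_auth_config(host: str, port: int, protocol: str, bind_dn: str) -> list:
    """Return the problems found; an empty list means the settings follow the article."""
    problems = []
    if protocol.lower() != "ldaps" or port == CLEARTEXT_LDAP_PORT:
        problems.append("use LDAPS on port 636; LDAP on 389 sends the bind credentials in the clear")
    elif port != LDAPS_PORT:
        problems.append("unexpected LDAPS port %d; the article uses 636" % port)
    # LDAPS validates the server certificate against the name you connect to,
    # so the host must be the AD server's FQDN, never an IP address.
    try:
        ipaddress.ip_address(host)
        problems.append("host must be the FQDN of the AD server, not an IP address")
    except ValueError:
        if "." not in host:
            problems.append("host should be a fully qualified name such as ad.example.com")
    # The Bind DN field expects the article's domain\username syntax.
    if not re.fullmatch(r"[A-Za-z0-9.-]+\\[^\\/\s]+", bind_dn):
        problems.append("bind DN must use the domain\\username syntax")
    return problems


def check_ldaps_endpoint(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> str:
    """Open a TLS connection to the AD server and verify its certificate chain and
    hostname against the system trust store, as a strict LDAPS client would.
    Returns the certificate's subject CN; raises ssl.SSLError or OSError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(pair[0] for pair in cert["subject"])
            return subject.get("commonName", "")


if __name__ == "__main__":
    # Constructed sample values matching the article's example (ad.example.com, port 636).
    for problem in validate_ad_auth_config("ad.example.com", 636, "LDAPS", "example\\svc-pgp"):
        print("config problem:", problem)
    try:
        print("server CN:", check_ldaps_endpoint("ad.example.com"))
    except (ssl.SSLError, OSError) as exc:
        print("LDAPS check failed:", exc)
```

If the AD server's certificate is issued by an internal CA, that CA must be in the trust store of the machine running the check, just as it must be trusted by the PGP Encryption Server.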

Step 6: Once you have the Active Directory Authentication configured, the message you saw earlier will no longer appear:

Step 7: Next, click on "Add Administrator(s)", and click on "Import AD Administrator(s)".

Step 8: The following screen will appear.   Click the "Directory" drop down:

Select "LDAP Server Admins":

Step 9: You will now see your domain's LDAP Directory. In this example, "example" is the domain name:

Step 10: In this example, we've configured a security group called "PGP Administrators".
Any time a user needs to be added as an administrator, this is where they will be located (in the "Users" container):

Step 11: Once we've found the Security Group in question, we can then drill down and select the user we want to have added (admin-user2):

Step 12: You will now see the administrator is added, and we now need to select their Administration role:

TIP: For a full explanation of the roles, look at the main administrators in the UI, or the following KB:

153670 - PGP Encryption Server Administrator Roles

Step 13: For this example, we will provide, "Basic Administrator" access:

Once this is configured, click Import.

Step 14: Now we have the administrator added:


You can see the proper role has been assigned:

Notice the Authentication type is "Directory":

You can change the administrator to a regular "Passphrase" user, but it is best to leave the type at Directory so that your domain's password policies also apply to this administrator.

Step 15: Now that this administrator has been added, it is not possible to disable the "Active Directory Authentication" service as this would prevent all administrative login:

Step 16: Now that the user is added, you can log in with this account using the domain syntax, as you can see in both the omc and smc login portals:

Step 17: In the smc console, you can see the user logged in is a "Directory" administrator denoted by the domain name "example" in front of their username:

Step 18: Even though we added "admin-user1" and "admin-user2" to the "PGP Administrators" group, you will need to add them individually, because we did not select "Group" to do an entire group.

Step 19: Now that we understand how to add individual users, you can decide if adding an entire Security Group is appropriate.

The main thing to be concerned with here is when you do this, all administrators will be granted access immediately, and all the users will have the same role you assigned.

It may not be appropriate to do this if you need to add only a few administrators, so be cautious when adding an entire Group.

Step 20: For this example, we added a few more administrators to the list:

Now when we go to add the entire group, you will select "Group" instead of "Users":

Step 21: Now drill down to the security group, and you can check the Group.  Notice it's not possible to leave off any users:

Step 22: In this example, we are going to provide only "Read Only" access to the administrators, operating off of the principle of least privilege:

You can assign the needed roles after the fact if needed.

Authentication Method 2 (PGP Admin Account)

The second method has been used in all previous versions and is called "Passphrase" authentication. This is where you set a specific password on the PGP Encryption Server.
PGP Encryption Server 10.5.1 MP2 and above have password complexity enabled by default, so any password entered here must adhere to those requirements.

For more information on Administrator password complexity, see the following article:
227982 - PGP Encryption Server Passphrase Security Requirements for Administrators

Note: PGP Encryption Server (Symantec Encryption Management Server) administrator accounts do not have password complexity requirements by default in releases prior to 10.5.  Versions 3.4.2 and older are now end of life, so to take advantage of full support and features, update to the latest versions today!  PGP Encryption Server version 11 is highly recommended due to the added functionality of Active Directory for Administrators!

___________________________________________________________________________________________________

If you would like the ability to search for administrators instead of browsing to them as shown above, reach out to Symantec Encryption Support and reference feature request IMSFR-1000.

If you would like to be able to configure a Login Banner, with a customized window for the PGP Encryption Server, please reach out to Symantec Encryption Support and reference feature request IMSFR-19.
___________________________________________________________________________________________________

Additional Information

171746 - PGP Administrator Password Complexity Enforcement via AD Admins (Directory Authentication) for PGP Encryption Server

153670 - PGP Encryption Server Administrator Roles (Symantec Encryption Management Server)

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)

180156 - Obtain the Base DN or Bind DN Attributes for LDAP Directory Synchronization for PGP Encryption Server

153668 - Enroll PGP Encryption Desktop clients using Directory Authentication with PGP Encryption Server (Symantec Encryption Management Server)

153425 - Troubleshooting: PGP Encryption Desktop Client Enrollment (Symantec Encryption Desktop)

171744 - PGP Administrator Password Complexity Enforcement via Passphrase Authentication (Manual Password Assignment)

216163 - Reset Password for Administrators on Symantec Encryption Management Server (PGP Server)

197991 - PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS (Symantec Encryption Management Server)
