PGP Administrator Password Complexity Enforcement via Directory Authentication for PGP Encryption Server

Article ID: 171746

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

PGP Encryption Server 11 includes a feature for Active Directory integration, so it is no longer necessary to manage a separate password to log in to the PGP Encryption Server.

This feature is called PGP Active Directory Authentication, and it uses the administrator's domain credentials to log in. This article discusses how this works in PGP Encryption Server 11 and above.

For more information on how to enable Directory Synchronization for the entire PGP Encryption Server, see the following article:

180239 - HOW TO: Enable Directory Synchronization - Symantec Encryption Management Server

Resolution

With PGP Encryption Server, there are now two types of authentication for administrator accounts on the PGP Encryption Server.

Authentication Method 1: The first, "Passphrase" authentication, has been used in all previous versions. This is where you set a password specific to the PGP Encryption Server.
PGP Encryption Server 10.5.1 MP2 and above have password complexity enabled by default, so any password entered here must adhere to those requirements.

For more information on Administrator password complexity, see the following article:
227982 - PGP Encryption Server Passphrase Security Requirements for Administrators

Authentication Method 2: The second type of authentication for Administrators is the "Directory" (LDAP Directory) method, in which a PGP Administrator is imported using their Active Directory account. This is the recommended method, as it adheres to the domain's password complexity requirements.
The PGP Administrator's passphrase no longer needs to be rotated by the PGP Encryption Server, so your domain credentials will always allow you access to the PGP Server as long as your account has been added.

Definitions: Some of these steps will show the new Web Console for the PGP Encryption Server. We refer to the new console as "smc". The old console is called the "omc".
All functionality will eventually reside in the new smc, but that will be done in phases.
For PGP 11.0.0, some new reporting aspects and dashboards are available, but most functionality will still exist in the omc.

Steps to configure:

Step 1: Log in to the "omc" (old console), then click System, Administrators to see the new functionality:

Notice "Active Directory Authentication..." on the bottom:

Step 2: Click the button to see the "Active Directory Authentication" for Administrators pop up:

Step 3: The configuration screen will appear. Enter the FQDN of your Active Directory server and port 636 for LDAPS.
WARNING: Do not configure port 389/LDAP, as it is not a secure protocol; information sent over it is transmitted in the clear.
It is important to use only port 636/LDAPS to ensure communications are secured over TLS:

As you can see in the above example, the FQDN "ad.example.com" and port 636 were used.

The Protocol used is "LDAPS". Do not use LDAP for this configuration.

Step 4: Once you have all of the information entered above, click "Test Connection".

Step 5: Once successful, you can move on to entering the credentials for the "Bind DN" user.
The Bind DN is the user account that makes the connection to your domain's LDAP directory.
Enter it using the syntax "domain\username". For more information on how to use this syntax, see the following article:

180239 - HOW TO: Enable Directory Synchronization - PGP Encryption Server
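Before clicking "Test Connection" in Step 4, the following shell script (an added example, not part of this article or of the product) lets you check the same settings from an admin workstation with OpenSSL and the OpenLDAP client tools: it refuses anything other than LDAPS on 636, checks the domain\username Bind DN syntax, verifies the server certificate, and performs a bind that reads only the root DSE. The host ad.example.com and the Bind DN are constructed from the example values in this article.

```shell
#!/bin/sh
# Pre-flight check for the "Active Directory Authentication" settings (Step 3-5).
# Added example; not Symantec/Broadcom tooling. Host and Bind DN are constructed.

# Refuse any configuration that is not LDAPS on 636: over 389/LDAP the Bind DN
# credentials and directory data would travel in the clear.
check_ldap_config() {
  proto=$1; port=$2
  case "$proto" in
    LDAPS|ldaps) ;;
    *) echo "refused: protocol must be LDAPS, got '$proto'" >&2; return 1 ;;
  esac
  [ "$port" = "636" ] || { echo "refused: port must be 636, got '$port'" >&2; return 1; }
  return 0
}

# The Bind DN is entered as domain\username. Returns 0 only when the value has
# exactly one backslash with a non-empty domain and username on either side.
check_bind_dn() {
  bind=$1; bs='\'
  domain=${bind%%"$bs"*}
  user=${bind#*"$bs"}
  rest=${user#*"$bs"}
  [ "$bind" != "$domain" ] && [ -n "$domain" ] && [ -n "$user" ] && [ "$user" = "$rest" ]
}

# Live check, run only when a host and Bind DN are passed on the command line.
probe_ldaps() {
  host=$1; bind=$2
  check_ldap_config LDAPS 636 || return 1
  check_bind_dn "$bind" || { echo "refused: Bind DN must be domain\\username" >&2; return 1; }
  # The certificate must verify against the local trust store; fail closed otherwise.
  openssl s_client -connect "$host:636" -servername "$host" -verify_return_error \
    </dev/null >/dev/null 2>&1 || { echo "TLS verification failed for $host:636" >&2; return 1; }
  # Authenticated simple bind over LDAPS reading only the root DSE (prompts for the password).
  ldapsearch -H "ldaps://$host:636" -x -D "$bind" -W -s base -b "" namingContexts
}

# Usage: sh ldaps-preflight.sh ad.example.com 'example\admin-user2'
if [ $# -ge 2 ]; then
  probe_ldaps "$1" "$2"
fi
```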

Step 6: Once you have the Active Directory Authentication configured, the message you saw earlier will no longer appear:

Step 7: Next, click on "Add Administrator(s)", and click on "Import AD Administrator(s)".

Step 8: The following screen will appear. Click the "Directory" drop-down:

Select "LDAP Server Admins":

Step 9: You will now see your domain's LDAP Directory. In this example, "example" is the domain name:

Step 10: In this example, we've configured a security group called "PGP Administrators".
Any time a user needs to be added as an administrator, this is where they will be located (in the "Users" container):

Step 11: Once we've found the Security Group in question, we can then drill down and select the user we want to have added (admin-user2):

Step 12: You will now see the administrator is added, and we now need to select their Administration role:

TIP: For a full explanation of the roles, look at the main administrators in the UI, or the following KB:

153670 - PGP Encryption Server Administrator Roles

Step 13: For this example, we will provide, "Basic Administrator" access:

Once this is configured, click Import.

Step 14: Now we have the administrator added:


You can see the proper role has been assigned:

Notice the Authentication type is "Directory":

You can change the administrator to a regular "Passphrase" user, but it's best to leave it at Directory so your domain's password policies also apply to this administrator.

Step 15: Now that this administrator has been added, it is not possible to disable the "Active Directory Authentication" service as this would prevent all administrative login:

Step 16: Now that the user is added, you can log in with this account using domain syntax, as shown in both the omc and smc login portals:

Step 17: In the smc console, you can see the user logged in is a "Directory" administrator denoted by the domain name "example" in front of their username:

Step 18: Even though we added "admin-user1" and "admin-user2" to the "PGP Administrators" group, you will need to add them individually, because we did not select "Group" to import the entire group.

Step 19: Now that we understand how to add individual users, you can decide if adding an entire Security Group is appropriate.

The main thing to be aware of is that when you do this, all administrators in the group are granted access immediately, and all of them receive the same role you assigned.

It may not be appropriate to do this if you need to add only a few administrators, so be cautious when adding an entire Group.

Step 20: For this example, we added a few more administrators to the list:

Now, to add the entire group, select "Group" instead of "Users":

Step 21: Drill down to the security group and check the Group. Notice it's not possible to leave out any users:

Step 22: In this example, we are going to provide only "Read Only" access to the administrators, operating off of the principle of least privilege:

You can assign additional roles afterwards if needed.

Note: PGP Encryption Server (Symantec Encryption Management Server) administrator accounts do not have password complexity requirements by default in releases prior to 10.5.  Versions 3.4.2 and older are now end of life, so to take advantage of full support and features, update to the latest versions today!  PGP Encryption Server version 11 is highly recommended due to the added functionality of Active Directory for Administrators!

___________________________________________________________________________________________________
If you would like to be able to configure a Login Banner, with a customized window for the PGP Encryption Server, please reach out to Symantec Encryption Support.
IMSFR-19
___________________________________________________________________________________________________

Additional Information