8.2 Login changes

(imported topic written by cstoneba)

Can someone explain from a security perspective, how console authentication differs in 8.2 vs <8.2? Not just that it uses ldap, but what security advantages ldap has over the previous pvk process or vice versa, if the LDAP queries to the domain are SSL, are the old pvk files obsolete, etc? Thanks

(imported comment written by BenKus)

Yes… I think we have a blog or wiki post coming out soon on this. Here are the basics:

8.1 and earlier:

  • Each console user had a signing key/password AND a database user/pw.
  • When sending an action/Fixlet, the console would sign the action locally (using the keys) and give it to the server.

8.2 and later – To facilitate central user management and integration with directory services, we had to centralize some of the user authentication in our system… so:

  • Each console user now has a user/pw to authenticate to the server (only one user/pw)
  • Consoles connect to the server using HTTPS on port 52313 (no more direct database connection).
  • Server will now sign actions on behalf of the user with a central signing key.

This central propagation mechanism also allows us to move some of the work to send out actions to the server rather than the console, which is why you might notice dramatically faster propagation in 8.2.

Hope that helps…

Ben

(imported comment written by p_wudthi)

Hi Ben,

The contents in the wiki need to be updated with these ports TCP/52310 and TCP/52313.

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Network%20Traffic%20Guide

I cannot find this information in either the Admin_guide or the User_Guide; please add this information to the documents as well.

Regards,

Wp.

(imported comment written by BenKus)

Wiki page updated. Thanks for the note… We will continue to find and update references to this change…

Ben

(imported comment written by DJPerez)

Ben,

What is the mechanism to back up user keys now? In the event of a server crash, how do we restore access to our users after a database has been restored? Also, do the keys get replicated to the DSA server?

(imported comment written by cstoneba)

Thanks, Ben.

(imported comment written by SystemAdmin)

I’m having issues logging into the console after upgrading to 8.2 and this new login method. I have a “BigFix Administrator” I’m trying to log in as, and when I give it the credentials and the path to the private key location I get an error stating "The server failed to verify your login: The private key does not match the existing certificate. (error HTTP 400 in method /data/upgrade-login)"

It’s the correct key and correct password. Any ideas??

(imported comment written by SystemAdmin)

Do these changes also mean no more AD authentication?? Previously we were able to log in with AD credentials. Now it seems only the private key password is used. Is this correct?

(imported comment written by BenKus)

Hi j2johnson,

You won’t be able to use NT Authentication for the login box anymore (since you aren’t connecting to the database anymore and thus there isn’t a concept of NT vs. SQL Server authentication anymore)… BUT… you CAN tie your console users to AD accounts. You will still need to type in your password when you login, but it is your AD password and there is no more private key file that you need to muck with…

Basically, what we did is to architect a standard and reasonable AD-user scheme rather than our previous sorta-hacky scheme…

Ben

(imported comment written by SystemAdmin)

Ben, any idea on the error mentioned previously? I need to log in as my bfadmin account (non-AD) but cannot because of the error.

Hi,

I am facing a BigFix issue, can you help me with this…