Engine Editor > Advanced Settings > Authentication

Use this branch to configure advanced settings for user authentication.

Option Definition
Default User Domain The default LDAP domain from which the Security Engine looks up users.
Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the Application Access Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix When selected, the Security Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain.
Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Allow Username Lookup Using Long UserID Attribute When selected, the Security Engine uses the Long UserID to find or match the user in the Active Directory or LDAP Server.
Note: If Short UserID is configured, the engine first attempts to find the user using Short UserID from the domain found by domain part of the login name.
Client Certificate Identity Field for TLS The attribute that is used to look up the user entry from the user domain when using TLS. The Security Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or the LDAP Server Properties dialog box.
Root Password Login Select one of the following options:
  • Login Allowed via SSH and Console: The root password login to an engine is allowed via SSH and console.
    Note: By default, this option is selected if the engine is upgraded.
  • Login Allowed via Console Only: The root password login to an engine by using SSH is not allowed. But root password login by using console is allowed.
    Note: By default, this option is selected when we create a new engine.
  • Root Account Disabled (Super User Privileges through sudo): The root password login to an engine is disabled.
Authentication Method Select an authentication method element from the available options:
  • Local Password: Allows authentication using the local password.
  • [Select…]: Select this option to view the available radius authentication method elements.
    Note: The authentication method options are displayed as per the radius authentication server elements that are configured. For more details on how to create a radius authentication server element, refer to the Define Authentication Method elements for external servers topic.
SSH Passwordless Login Select one of the following options:
  • Allow: The SSH password less login is allowed.
  • Deny: The SSH password less login is denied.
Note: This applies only to administrators replicated on the engine. For more details on administrator account replication, refer to the Add administrator accounts topic.