Using Alternate Credentials
|
|
About Active Directory Credentials
Note: The term 'credentials' used in this section refers to a username/password combination as defined by Active Directory, and generally used to 'logon' into Windows.
Active Directory does not provide any way for an application to authenticate to Active Directory at a domain or organizational unit level. The Microsoft recommended approach is to either run an application with an alternate set of credentials using the Windows 'RunAs' feature, or create multiple logon sessions, each with its own set of logon credentials. Neither solution is convenient at times. Since Hyena's console has always allowed management of any number of domains, there are instances where its either impractical or difficult to use all of Hyena's functionality with a single set of credentials.
Active Directory lacks a domain-level 'logon' capability other than logging in as a particular user or running an entire application under a particular security context ('Run As'). Instead, Active Directory allows an application to provide a username and password each time any directory object is accessed. By default, Hyena allows Windows to use the current username and password for any directory operation. Using an alternate set of credentials allows Hyena to specify a different username and password depending upon the object being managed.
Entering New Credentials
To enter an alternate set of credentials, right click on any Active Directory domain, and select 'Authentication Credentials...' The resulting dialog will prompt for a username and password combination. Its generally best to enter the username using the familiar 'domain name\username' format.
After clicking OK, Hyena internally stores the domain name and associated username/password combination. Since Active Directory does not support any "logon" capability, nothing more happens at this point. Hyena does NOT store the username/password combination to any file, registry, or other permanent storage location.
Using New Credentials
Once an alternate set of credentials have been entered for a domain, any access to any Active Directory object in that domain will use the alternate credential set. You may notice a delay when accessing Active Directory when using a new set of credentials for the first time; this is normal.
Changing Credentials
To change the username and/or password for a domain, simply repeat the process and enter your new set of credentials.
Removing Credentials
To remove a set of credentials for a domain, enter an empty username. Hyena will remove the credential entry in its internal table and Windows will default to the standard method of determining security access (ie current logon account or 'RunAs' account).
Limitations
1. Hyena uses the Active Directory path of an object to determine if its in the domain for which any alternate credentials have been provided. Because of this, only DNS styled paths can be used for the domain. Use Object Manager (File->Manage Object View) if you get an error message about the domain format needing to be in DNS format. A DNS formatted domain will have the format of:
LDAP://subdomain.domain.com (as an example)
2. Hyena currently cannot use alternate credentials in combination with an ADSI Server (manually entered for the domain in Object Manager) that uses an IP address for the server address.
3. Many operations that Hyena performs don't actually use Active Directory at all, or use a combination of Active Directory and non-Active Directory functionality. This is because the majority of Windows operations don't actually depend on Active Directory, such as service management, file and directory listings, disk space, registry access, event administration, etc. Hyena must reference a computer when using these Microsoft functions. If the account that Hyena is running under lacks the proper security credentials, the remote operation will fail. For Active Directory operations that rely on direct access to a server, Hyena will automatically establish a remote connection using the same alternate credentials established in the Authentication Credentials... function. This remote connection uses the same method (using the IPC$ remote share) as used by Hyena's Logon As... function.
For performance reasons, Hyena will not close these connections once established. They can be closed manually, however, by using the Disconnect All option on the IPC$ Connections object on the local workstation. Hyena will also now automatically disconnect all IPC$ connections when it terminates. While any Active Directory function that requires direct server access will automatically have an IPC$ connection established with alternate credentials, this does not apply to non-Active Directory functions. To perform a non-AD function on a remote computer, the Logon As... function must be used, which is available on any computer's context menu. An example will help clarify this functional difference:
Suppose you have a domain named 'untrusted.com' that is in Hyena's console. You use the Authentication Credentials function to supply an administrator's username and password. You expand the domain, then expand the Containers/OUs object under the domain. This operation will use the alternate credentials to access Active Directory to get a list of containers. Then, you expand an AD container named 'Computers' to get the list of computers for the domain. Again, this operation will use the alternate credentials supplied previously. Finally, you select a computer, right click, and select the View Shares... option. This last operation will probably fail, as the server function to list shares is not an Active Directory operation. To attempt this operation, you must first use the Logon As... function on the selected computer.