How do I set up an external authentication source using Active Directory (NETIQKB27866)

  • 7727866
  • 02-Feb-2007
  • 29-Sep-2010


Netiq Secure Configuration Manager 5.8.1

NetIQ Secure Configuration Manager 5.8

NetIQ Secure Configuration Manager 5.7

NetIQ Secure Configuration Manager 5.6


How do I set up an external authentication source using Active Directory so that users can log on using their AD credentials?
How do I set up an Active Directory external authentication source?
How can a user use Active Directory credentials to log on to NetIQ Secure Configuration Manager?
How can a user log on to SCM with their Active Directory credentials?
Can a user use their Active Directory credentials to log on to Secure Configuration Manager?
Can a user log on to SCM with their Active Directory credentials?


To set up Active Directory (AD) as an external authentication source in the console, complete the following steps:

  1. In the tree pane, expand Console Permissions.
  2. Select Authentication Sources.
  3. In the bottom right pane, click New.
  4. Under Source Identification, type the source name in the Source Name field. For example, Active Directory.
  5. Type the fully qualified URL of the appropriate LDAP server in the LDAP Server URL field. The default LDAP port number is 389. For example, ldap://ldapservername:389.
  6. Type the distinguished name of the container holding the external Active Directory users in the User Base DN field. For example, for the OU Texas in the domain, specify OU=Texas,DC=Netiq,DC=com. Or if you need to specify a container you would do so in the following format CN=Users, DC=DomainComponent1, DC=DomainComponent2.
  7. Type the logon name that the LDAP server uses to uniquely identify the user account in the Username Attribute field.  To map to the logon ID, use the attribute SAMAccountName.
  8. For the Binding Credentials, type the full distinguished name of the user account that Vulnerability Manager should use to bind to the server.  For example, if using administrator, specify cn=administrator,cn=users,dc=Netiq,dc=com.
  9. Type the password used to log on to the LDAP server in the Password and Confirm Password fields.
  10. Click Verify to verify the information is correct.  A message will appear stating "The authorization source has been verified."
  11. Click OK.

Complete the following steps to create the console user account within the console and associate that user with the AD authentication source:

  1. In the tree pane, expand Console Permissions.
  2. Select Console Users.
  3. In the bottom right pane, click New.
  4. In the Username field, type the logon ID of the AD user account located in the User Base DN specified above. Ensuring that the case of the userid matches the User Base DN exactly. 
  5. Type the Full Name, Description, Phone,and  Email if desired.  It is not necessary to enter the Password, as the user will supply the AD password at logon.
  6. Click Use External Authentication.
  7. Select ActiveDirectory from the dropdown list.
  8. On the Member Of tab, select the desired roles for the user account.
  9. Click Create.

The user can now log on to Secure Configuration Manager using their AD credentials.


Secure Configuration Manager is setup to use accounts created and stored within the SCM database by default.  To enable this feature it must be configured to match your environment.

Additional Information

Formerly known as NETIQKB27866

  1. Ensure that the Binding account from step 8 is a member of the container that is specified in step 6 or the authentication will not be successful.
  2. Step 7 indicates you should use the attribute SAMAccountName and this is the exact term that needs to be typed.  Unless there is another attribute that is being used for login and in that case the name of that specific attribute should be entered here not a username. 
  3. When creating an account within SCM as noted in the second set of instructions ensure that the account matches the AD Account exactly.  For example if your AD user account name is BSmith then the SCM account should be BSmith not bsmith.  The user account name is case sensitive within SCM and will not authenticate successfully if the account does not match exactly.
  4. This article gives instructions for a standard method of AD Authentication using LDAP.  If you are using Secure LDAP then this will not apply a seperate set of instructions are required to make the authentication work. See NetIQKB704833 for LDAPS instructions.