timmay
Level 7

MSAPI vs LDAP for Authentication against AD

Hi,

I'm setting up NCM for the first time. Is there a Pros \ Cons list or Best Practices doc that helps me understand why I should use MSAPI or LDAP for authenticating NCM users? The Admin Guide briefly mentions MSAPI and LDAP but not in any detail.

Optimally I want to have an AD group that has some users and I only want members of that group to be able to log in to the NCM web console.

Thanks for any tips.

Tim

0 Kudos
7 Replies
dave3
Level 10

Re: MSAPI vs LDAP for Authentication against AD

I haven't tried using MSAPI but I use LDAP, and one of the limitations is that you can only bind to one AD server. There is a workaround: by binding to a load balancer in front of an AD server you gain redundancy. As far as NCM is concerned there is a lot of control over which groups have access to which features. I use role-based security and my network admin group is allowed full access to read configs, modify templates, and do operations on devices, while my helpdesk group is only allowed minimal functionality.

0 Kudos
timmay
Level 7

Re: MSAPI vs LDAP for Authentication against AD

Hi Dave,

I see the 1 LDAP server limitation.  That alone is a big deal. 

I'd rather not guess which one to use, so if there is any documentation on why to use MSAPI or LDAP it would be helpful. I've Google-searched MSAPI and the results are scarce.

Any help or guidance would be great.   Thanks!

Tim

0 Kudos
dave3
Level 10

Re: MSAPI vs LDAP for Authentication against AD

In looking at the settings with LDAP it appears you have more control over the mechanism used to connect to the authentication source. With LDAP you can use an SSL binding and pull groups from a specific cn. I used LDAP because I wanted to use an SSL binding to the AD servers.
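
A pre-flight check for the LDAP setup discussed in this thread (an SSL bind, then membership in one AD group), as an added example that is not part of the original posts and is not SolarWinds code. The server name, base DN, group DN and test user are placeholders, and the bind account is assumed to be entered as a UPN.

```powershell
# Added example. Every value in this first block is a placeholder (assumption).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server   = 'dc01.example.com'    # DC or load balancer; must match a name in its certificate
$BaseDn   = 'DC=example,DC=com'
$GroupDn  = 'CN=NCM-Users,OU=Groups,DC=example,DC=com'
$TestUser = 'jdoe'                # sAMAccountName to test

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515: escape \ * ( ) and NUL so the value is matched literally in a filter
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

# Enter the bind account as a UPN (for example svc-ncm@example.com).
$cred = Get-Credential -Message 'Account used for the LDAP bind'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS before any credential is sent
# Simple bind: the password is protected only by the TLS session above.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()

try {
    $conn.Bind()   # throws if the certificate is not trusted or the credentials are wrong
    # 1.2.840.113556.1.4.1941 is the AD matching rule that also follows nested groups.
    $filter = '(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))' -f `
        (ConvertTo-LdapFilterValue $TestUser), (ConvertTo-LdapFilterValue $GroupDn)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest `
        -ArgumentList $BaseDn, $filter, $scope, 'distinguishedName'
    $res = $conn.SendRequest($req)
    if ($res.Entries.Count -eq 1) { "ALLOW: $TestUser is a member of $GroupDn" }
    else { "DENY: $TestUser is not a member of $GroupDn" }
}
finally { $conn.Dispose() }
```

A bind failure here points at the certificate chain or the bind account rather than at NCM, so it is worth running against the load balancer name as well as a single DC.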

timmay
Level 7

Re: MSAPI vs LDAP for Authentication against AD

Hi Dave,

I see that but I still don't understand what MSAPI is. Do you feel that MSAPI is insecure?

I opened a support ticket with SW and if I receive any good info I'll post it to this thread.

Thanks


Tim

0 Kudos
dave3
Level 10

Re: MSAPI vs LDAP for Authentication against AD

OK, check out these links. If you use MSAPI then the webserver or polling server needs to be a member of the domain your AD users are in. If you use LDAP then it doesn't need to be in the domain.

Enable users to authenticate through LDAP

Enable Windows Authentication with Active Directory

dave3
Level 10

Re: MSAPI vs LDAP for Authentication against AD

The webserver uses IIS as the webserver for the Orion web pages. IIS uses MSAPI to talk to AD to authenticate users, meaning your users will need to be in the same AD structure that your web server is in. If you have users from other domains then the domains would need a trust relationship with the domain of your Orion web server in order to authenticate them. If you use LDAP then you can link to the users in the other domain without having to set up a trust.

mat12
Level 11

Re: MSAPI vs LDAP for Authentication against AD

Hi timmay

Any updates with your support ticket?

"see that but I still don't understand what MSAPI is. Do you feel that MSAPI insecure?" - this is the same question I have.

Thanks!

0 Kudos