4 Replies Latest reply on Aug 22, 2011 3:50 PM by msawyer

    AD group authentication

    gibjim01

      Hi,

      I am trying to set up Active Directory authentication so my users can log in to Orion NPM with their AD accounts. However, my Orion NPM web server isn't a member of a domain. Because I wanted it to be independent from any infrastructure component, I didn't set any domain for this server.

      Is there a way to set domain authentication for NPM with a standalone server? I am using NPM V10.1.2.

      Thanks!

        • Re: AD group authentication
          Andy McBride

          Is there a reason not to add it to the domain?

            • Re: AD group authentication
              gibjim01

              Yes, there is one good reason for this. Orion needs to be independent from any infrastructure component, including the domain, the SAN and the corporate database server. If an incident happens to any of these infrastructure components, we need Orion to be fully functional so we could use it to diagnose the incident.

              For this purpose, we created a management network that is isolated from the production network. The NPM and the SQL servers are installed there. A firewall separates both networks, so if a security incident happens in the production network, the management network is protected and still available. There is no AD in the management network. For now, only local accounts are used.

                • Re: AD group authentication
                  Andy McBride

                  You can't use AD authentication services if you are not part of a domain.*

                  *Except... there is a function called LDS that would allow a workaround, but this would need to be implemented by an AD expert.

                  • Re: AD group authentication
                    msawyer

                    Keep in mind that you can set up local users in SolarWinds regardless of whether you integrate AD. If AD were not authenticating, you could still log in with a local SolarWinds account. Most polling is done with SNMP and as such is separate from AD.

                    If you have security policies that prevent joining the box to AD, which would be strange, then perhaps create a parent domain to host your management network.

                     

                    Michael Sawyer

                    Systems Engineer

                    NPM/APM/UDT/NCM/IPAM/IPSLA/NETFLOW