ad nds smb user authentication


Upload: gustavo-siqueira

Post on 03-Mar-2015


Page 1 of 25

AD_NDS_SMB userauthentication set-up_ver_1_10.doc

Setting-up Guide for bizhub C250/C351/C450/420/500/600/750

User Authentication in combination with

Active Directory environment
NDS environment
SMB/NTLM environment


Contents

Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Active Directory
    Preparation
    Check TCP/IP settings
    Configure User authentication (Active Directory)

Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Novell NDS
    Configure User authentication (NDS)

Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up SMB/NTLM User authentication
    Configure User authentication (SMB/NTLM)

Appendix
    Where to find required Information
    Things which make your life easier
    Updates in this Document release


Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Active Directory

This chapter describes the set-up procedure for the User Authentication function in combination with an MS Windows server supporting Active Directory. It is mandatory that the C450 is connected to a TCP/IP network and that the correct TCP/IP settings are applied to it.

Preparation

Before setting up user authentication, please collect the following information. If you have difficulty finding the required information, please refer to the appendix “Where to find required Information”:

MFP’s Administrator password

MFP’s IP address

Subnet Mask

Default gateway (optional)

Priority DNS Server address

Substitute 1 DNS Server address (optional)

Substitute 2 DNS Server address (optional)

MFP’s DNS Host Name

MFP’s DNS Domain Name

Default Domain Name

Valid user account and Password for function check

Check TCP/IP settings

a) Press the Utility key on the Operation panel


b) Select “Administrator Setting”

c) Enter the Administrator Password and touch the “OK”-button.

d) Select “Network Setting”


e) Select “TCP/IP Settings”

f) Ensure that the right TCP/IP configuration is applied and select the Forward button (FWD.)

g) Ensure that at least the Priority DNS Server IP address is set. If no DNS server address is set, “User Authentication” and “LDAP search with GSS-SPNEGO authentication” will not work. Select the Forward button (FWD.)


h) Enter the DNS Default Domain Name and select the Forward button (FWD.).

i) Enter the DNS Host Name and press “OK”

Configure User authentication (Active Directory)

a) Enter the Administrator Mode and select “User Authentication / Account Track”


b) Select “General Settings”

c) Select User Authentication “ON (External Server)”

d) Choose “Active Directory”


e) Select the field (button) “01” and touch “Registration” in order to register the name of the domain against which user authentication shall take place (up to 20 different domain names can be registered).

f) Enter the Domain Name and press “OK”

g) Leave the registration screen by touching “OK”


h) Leave the External Server Authentication screen by touching “OK”

i) Leave the general settings screen by touching “OK”

j) In order to activate “User Authentication”, this message has to be confirmed by touching the [Yes] button. Please be aware that this will clear all previously programmed accounting and authentication data.


k) Try to log in with a valid user account name and password. If you face any difficulties logging in, please re-check all settings and refer to the appendix – known issues.


Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Novell NDS

This chapter describes the set-up procedure for the User Authentication function in combination with a Novell Netware Server Ver. 5 and later.

Preparation

Before setting up user authentication, please collect the following information. If you have difficulty finding the required information, please refer to the appendix “Where to find required Information”:

MFP’s Administrator password

Default NDS Tree Name

Default NDS Context Name

Valid user account name and Password for function check (admin credential will not work, due to Netware security setting)

Configure User authentication (NDS)

a) Press the “Utility” key on the Operation panel


b) Select “Administrator Setting”

c) Enter the Administrator Password and touch the “OK”-button.

d) Select “User Authentication / Account Track”


e) Select “General Settings”

f) Select User Authentication “ON (External Server)”

g) Choose “NDS”


h) Select “Default NDS Tree Name”

i) Input the default NDS tree name and touch the “OK” button

j) Select “Default NDS context name”


k) Input the default NDS context name and touch the “OK” button

l) Leave the administrator mode and switch the main device off and on

m) Try to log in with a valid user account and password. If you face any difficulties logging in, please re-check all settings and refer to the appendix – known issues.


Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up SMB/NTLM User authentication

This chapter describes the set-up procedure for the User Authentication function in combination with a Windows PC or a computer running the Samba service.

Preparation

Before setting up user authentication, please collect the following information. If you have difficulty finding the required information, please refer to the appendix “Where to find required Information”:

MFP’s Administrator password

Default Domain Name

Valid user account and Password for function check (admin credential will not work, due to Netware security setting)

Configure User authentication (SMB/NTLM)

b) Please ensure a basic TCP/IP configuration of the MFP. IP address and subnet mask must be programmed. All other TCP/IP settings are optional.

c) Press the Utility key on the Operation panel


e) Select “Administrator Setting”

f) Enter the Administrator Password and touch the “OK”-button.

g) Select “User Authentication / Account Track”


h) Select “General Settings”

i) Select User Authentication “ON (External Server)”

j) Choose [NTLM v1] for user authentication against a Samba server, or [NTLM v2] for user authentication against a Windows Server.


k) Select “Default Domain Name”

l) Input the default Domain Name by using capital characters and touch the “OK” button

m) Leave the administrator mode and switch the main device off and on


n) Try to log in with a valid user account and password. If you face any difficulties logging in, please re-check all settings and refer to the appendix – known issues.


Appendix

Where to find required Information

Active directory

MFP’s Administrator password: Try the standard Password or ask the Administrator.

MFP’s IP address: Check TCP/IP settings of MFP or ask the Network Administrator.

Subnet Mask: Check TCP/IP settings of MFP or ask the Network Administrator.

Default gateway (optional): Check TCP/IP settings of MFP, check the TCP/IP setting of a nearby workstation by using “ipconfig /all” or ask the Network Administrator.

Priority DNS Server address: Check TCP/IP settings of MFP, check the TCP/IP setting of a nearby workstation by using “ipconfig /all” or ask the Network Administrator.

Substitute 1 DNS Server address (optional): Check TCP/IP settings of MFP, check the TCP/IP setting of a nearby workstation by using “ipconfig /all” or ask the Network Administrator.

Substitute 2 DNS Server address (optional): Check TCP/IP settings of MFP, check the TCP/IP setting of a nearby workstation by using “ipconfig /all” or ask the Network Administrator.

MFP’s DNS Host Name: Check TCP/IP settings of MFP, use “tracert ip_address_of_the_MFP” and check the output information or ask the Network Administrator.

MFP’s DNS Domain Name: Check TCP/IP settings of MFP, use “tracert ip_address_of_the_MFP” and check the output information or ask the Network Administrator.

Default Domain Name: Check TCP/IP settings of MFP, check the TCP/IP setting of a nearby workstation by using “ipconfig /all” or ask the Network Administrator.

Valid user account and Password for function check: Ask the Network Administrator.

NDS

MFP’s Administrator password: Try the standard Password or ask the Administrator.

Default Domain Name: Ask the network administrator.

Valid user account and Password for function check (admin credential will not work, due to Netware security setting): Ask the network administrator.

SMB/NTLM

MFP’s Administrator password: Try the standard Password or ask the Administrator.

Default Domain Name: Ask the network administrator.

Valid user account and Password for function check (admin credential will not work, due to Netware security setting): Ask the network administrator.


Things which make your life easier

User Authentication - Active Directory

• The following network protocols are used during user authentication – Active Directory. Please ensure that communication on the listed protocols/ports is not blocked by any firewall. If one or more of the listed protocols/ports are blocked, user authentication will fail. In the case of Windows 2003 Server, the Windows Firewall, which is enabled by default, blocks all of the listed protocols/ports by default. To allow the required communication, exceptions have to be configured.

Protocol                                        Port
DNS (Domain Name Server)                        53 / UDP
Kerberos                                        88 / UDP, 88 / TCP
NTP (Network Time Protocol)                     123 / UDP
LDAP (Lightweight Directory Access Protocol)    389 / TCP

• During Active Directory user authentication, our devices try to synchronize the time settings by connecting to the NTP service running on the domain controller. Please be aware that the NTP setting in Administrator mode does not have any influence on the user authentication process. During user authentication, the NTP service is required from the domain controller that is used for the user authentication process. If the connection cannot be established, authentication will fail. Please ensure that the W32TIME service, which provides the NTP service, is running. Whether the W32TIME service is running can easily be checked from the Windows command line with the command “sc query w32time”.


• During User Authentication the Kerberos protocol is involved. Usually Kerberos communication takes place over UDP port 88. In rare cases, if the Kerberos network packet becomes too big, the transport protocol changes from UDP to TCP. Our general firmware does not support Kerberos over the TCP transport protocol. The size of a Kerberos packet is influenced by the user account's group memberships. If the user account belongs to more than 25~30 groups, this issue may occur. For bizhub C250/C252/C300/C351/C352/C450 a special firmware providing Kerberos over TCP support is available. For other models, please ask your technical support department. To identify this issue, please make a network trace and check the Kerberos packets for the error message [KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG].
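The trace check described in the Kerberos item above can be automated. The following is an added example, not part of the original guide: it decodes the payload of a UDP port 88 reply and reports whether it is a KRB-ERROR carrying error code 52 (KRB_ERR_RESPONSE_TOO_BIG in RFC 4120). The sample message and the realm EXAMPLE.LOCAL are constructed for illustration.

```python
KRB_ERR_RESPONSE_TOO_BIG = 52  # error code defined in RFC 4120

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(payload):
    """error-code of a KRB-ERROR in a UDP/88 payload, or None otherwise."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x7E:  # [APPLICATION 30] marks a KRB-ERROR message
            return None
        tag, fields, _ = read_tlv(body, 0)  # inner SEQUENCE
        pos = 0
        while tag == 0x30 and pos < len(fields):
            field_tag, value, pos = read_tlv(fields, pos)
            if field_tag == 0xA6:  # context tag [6] = error-code
                _, number, _ = read_tlv(value, 0)  # wrapped INTEGER
                return int.from_bytes(number, "big", signed=True)
    except (IndexError, ValueError):
        pass  # malformed or truncated capture data
    return None

def needs_kerberos_tcp(payload):
    """True when the KDC told the client to retry over TCP."""
    return krb_error_code(payload) == KRB_ERR_RESPONSE_TOO_BIG

def _tlv(tag, value):  # builds the constructed sample (short lengths only)
    return bytes([tag, len(value)]) + value

# Constructed KRB-ERROR (not captured traffic); EXAMPLE.LOCAL is made up.
SAMPLE_KRB_ERROR = _tlv(0x7E, _tlv(0x30, b"".join([
    _tlv(0xA0, _tlv(0x02, b"\x05")),             # pvno = 5
    _tlv(0xA1, _tlv(0x02, b"\x1e")),             # msg-type = 30 (KRB-ERROR)
    _tlv(0xA4, _tlv(0x18, b"20060101000000Z")),  # stime
    _tlv(0xA5, _tlv(0x02, b"\x00")),             # susec
    _tlv(0xA6, _tlv(0x02, b"\x34")),             # error-code = 52
    _tlv(0xA9, _tlv(0x1B, b"EXAMPLE.LOCAL")),    # realm
    _tlv(0xAA, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(
        0xA1, _tlv(0x30, _tlv(0x1B, b"krbtgt") + _tlv(0x1B, b"EXAMPLE.LOCAL"))))),
])))

if __name__ == "__main__":
    print("retry over TCP required:", needs_kerberos_tcp(SAMPLE_KRB_ERROR))
```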

User Authentication - NDS

• Due to the security settings of the Novell Netware server, the Admin credential cannot be used for user authentication.

User Authentication - SMB

• The following network protocols are used during user authentication – SMB (NTLM). Please ensure that communication on the listed protocols/ports is not blocked by any firewall. If one or more of the listed protocols/ports are blocked, user authentication will fail. In the case of Windows 2003 Server, the Windows Firewall, which is enabled by default, blocks all of the listed protocols/ports by default. To allow the required communication, exceptions have to be configured.

Protocol                          Port
NBSS (NETBIOS Session Service)    139 / UDP

• Before Phase 3.0 firmware for bizhub C250/C252/C300/C351/C352/C450 and Phase 2.0 firmware for bizhub 420/500/600/750, SMB signing is not supported. This means that the default security settings of a Windows 2003 Domain Server will not allow our MFPs to carry out user authentication via SMB (NTLM) with earlier firmware versions. If you face any difficulties with SMB (NTLM) authentication, please ensure that the applicable system is running the latest firmware.

• For bizhub 250/350 there will be no support for “SMB signing”. To get user authentication via SMB (NTLM) working, the following "Default Domain Controller Security Settings" must be changed:

From: "Microsoft network server: Digitally sign communications (always)" enabled
To: "Microsoft network server: Digitally sign communications (always)" disabled

• At least SMB Scanning or SMB printing must be enabled to use SMB user Authentication.


Updates in this Document release

• LCD screen pictures are updated to Color Phase 3.0 / Bizhub 420/500/600/750 Phase 2.0 firmware LCD screen pictures

• NTP (Net time protocol) setup instruction has been removed. Time synchronisation is done automatically without further setting up. Please refer to KNOWN ISSUE - User Authentication - Active Directory

• Samba server support mentioned in SMB/NTLM User Authentication section

• KNOWN ISSUES has been updated