User Authentication

MOVEit Transfer provides the ability to authenticate users to external LDAP and/or RADIUS servers. Microsoft Active Directory (AD) operates as an LDAP server, so MOVEit Transfer can authenticate to it natively. Both of these can be secured at the transport level (we encourage the use of LDAP over SSL) and related credentials are stored encrypted on MOVEit Transfer.

In addition to authenticating existing users against external sources, MOVEit Transfer can create new users, often as a clone of an existing template user. MOVEit Transfer also can split an organization's user base into External Users and Internal Users, with one group using an external authentication source and the other using the MOVEit Transfer built-in user database. When accessing an LDAP server, MOVEit Transfer can replicate group membership information and information such as email address from that LDAP server as well.

Single Signon

In enterprise environments, an externally authenticated MOVEit Transfer site can participate in Single Signon (SSO) arrangements in two different ways:

• CA SiteMinder. MOVEit Transfer can accept preauthenticated credentials from CA SiteMinder. More information about this feature is available in the Advanced Topics - Service Integration - SiteMinder Integration documentation.
• Common Access Card (CAC). MOVEit Transfer can authenticate users using hardware client certificates in CAC Smart Card environments. More information about this feature is available in the Advanced Topics - Service Integration - CAC Integration documentation.

Note: MOVEit now supports single signon using a SAML compliant federated identity provider as the authentication source. This feature can be used along with the existing user authentication sources, For more information, see Feature Focus - Single Signon.

Authentication Sources

An Authentication Source is any RADIUS, LDAP, or WS-Trust server the MOVEit Transfer queries. Multiple Authentication Sources may be configured within any particular organization, and each may be of a different type (for example, two RADIUS sources and three LDAP sources) and each may reference a different template user so users already belong to the appropriate groups when they are automatically added.

The following Authentication Source types are currently supported:

• RADIUS (Authentication Only): Incoming usernames and passwords will be tried against a remote RADIUS server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user.
• LDAP (Authentication Only): Incoming usernames and passwords will be tried against a remote LDAP server. If authentication is successful, a new user may be created as a clone of an existing template user.
• LDAP (Lookup and Authentication): Incoming usernames and passwords will be tried against a remote LDAP server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user. However, user attributes such as email address and group memberships will be carried over from the LDAP server. (This is currently the most popular option.)
• WS-Trust (Authentication Only): Incoming usernames and passwords will be tried against a remote WS-Trust server. If authentication is successful, a new user may be created on the fly as a clone of an existing user template.

Complete documentation and examples for Active Directory, Novell eDirectory, IBM Domino and iPlanet LDAP servers are provided. Other LDAP servers (such as IBM Tivoli Access Manager - SecureWay) are also supported through the use of flexible connection and attribute templates. (RADIUS server configuration is relatively generic compared to LDAP server configuration.)

More Information

Connecting to external authentication resources often requires some additional firewall rules. The various rules associated with LDAP and RADIUS services, see MOVEit Transfer Firewall Configuration.

For settings that control how MOVEit Transfer accesses external authentication sources and how new user records are configured for external authentication users, see Authentication Method section of the Settings - Security - User Policy.

For settings that control how individual users access external authentication sources, see Authentication Method section of the Users - Profile.

For information about configuring individual authentication sources, see Web Interface - Settings - Security Policies - External Authentication documentation.

Securely Accessing Internal LDAP Servers (e.g., Active Directory)

There are two ways MOVEit Transfer can securely connect to internal LDAP sources from a DMZ segment. Both offer strong encryption of user credentials and information in transit, and neither requires anonymous access.

Direct, Authenticated SSL Connection to Internal LDAP Server

This scenario is quite common. First, an end user presents credentials to MOVEit Transfer over an encrypted SSH (FTP/SSH) or SSL (FTP/SSL or HTTP/S) link. MOVEit Transfer passes those credentials to the LDAP server over an encrypted SSL (LDAP/SSL) link to determine if the user can sign on to MOVEit Transfer. MOVEit Transfer does not retain the credentials in its store.

Depending how you have configured your system, MOVEit Transfer might sign on as an LDAP user with permission to browse the LDAP directory to replicate settings such as email and group membership. In this case, the credentials MOVEit Transfer uses to browse are encrypted on MOVEit Transfer using 256-bit AES.

To access an internal LDAP server directly from a DMZ-based MOVEit Transfer server, do the following:

• Set up your LDAP server to require authentication and SSL connections when receiving connections from the internal firewall's IP address, MOVEit Transfer server or DMZ segment.
• Set up an internal firewall rule to allow MOVEit Transfer to connect to the LDAP server on TCP port 636 (the standard port for LDAP over SSL)
• Set up an external authentication source on MOVEit Transfer. Provide credentials to access the LDAP server and specify LDAPS (LDAP over SSL) as the authentication protocol.

Authenticated SSL Connection to Internal LDAP Server via RADIUS

This scenario is less common but still popular in situations where LDAP (even encrypted with SSL) is a banned protocol. First, an end user presents credentials to MOVEit Transfer over an encrypted SSH (FTP/SSH) or SSL (FTP/SSL or HTTP/S) link. MOVEit Transfer passes those credentials to a RADIUS server with encrypted RADIUS packets to determine if the user can sign in to MOVEit Transfer at that time. MOVEit Transfer does not retain the credentials in its own store. The RADIUS server (often Microsoft Internet Authentication Service, a.k.a. IAS) does not have its own user store, but is typically connected to a Windows Domain, Active Directory or other LDAP server.

The RADIUS protocol is UDP-based and all packets are encrypted with a key. This key is stored on MOVEit Transfer using 256-bit AES. MOVEit Transfer does not need to know anything about the LDAP server(s) that really hold the user information because the RADIUS server acts as a complete front end. RADIUS queries, by design, return less information about their users than a similar LDAP query.

To access an internal LDAP server securely via RADIUS from a DMZ-based MOVEit Transfer server, do the following:

Set up your RADIUS server to get authentication information from your LDAP server. (Often when using free add-on tools such as Microsoft's IAS server with Active Directory, this is your only option.)

Set up an internal firewall rule to allow MOVEit Transfer to connect to the LDAP server on UDP port 1645 (the standard port for RADIUS)

Set up an external authentication source on MOVEit Transfer. Fill in the appropriate key to encrypt RADIUS traffic for your particular RADIUS server.

Active Directory SSL Notes

People have reported that enabling SSL services on Active Directory LDAP services is harder than it ought to be. Specifically, implementing Microsoft's recommendation involving the deployment of an Enterprise Certificate Authority can take some time.

• #Q247078 - How To Enable Secure Socket Layer (SSL) Communication over LDAP for Windows 2000 Domain Controllers (External Link)

There is, however, an easier way to enable SSL on Active Directory - and it does not involve Enterprise Certificate Authority.

1. Get a CA-signed server certificate with the AD server's fully qualified domain name (FQDN) listed in as the certificate's common name (CN). For a server named ad.internal.mycorp.com, a server certificate named ad.internal.mycorp.com signed by any CA will do.
2. On the AD server, use the Certificates MMC plug-in (for Local Computer) to add the CA-signed server certificate into the Local Computer's Personal certificate store. Make sure the imported certificate has a private key listed on its property dialog.
3. On the AD server, use the Certificates MMC plug-in (for Local Computer) to add the CA certificate into the Local Computer's Trusted Root certificate store. The imported certificate should not have private key listed on its property dialog.
4. On the MOVEit Transfer server (or other LDAP client), use the Certificates MMC plug-in (for Local Computer) to add the CA certificate into the Local Computer's Trusted Root certificate store. The imported certificate should not have private key listed on its property dialog.
5. Restart the domain controller. AD will automatically find the current SSL server certificate to use based on its name and will make its LDAPS interface available accordingly.
6. At this point MOVEit Transfer (or other LDAP client) should be able to securely connect to Active Directory using LDAPS over TCP port 636.

There is more information about this procedure on Microsoft's site, but the primary difference between Microsoft's procedure and the one laid out here is that Microsoft's recommends the use of the Microsoft certreq add-on utility in place of OpenSSL.

• #Q321051 - How to enable LDAP over SSL with a third-party certification authority (External Link)

Finally, there are at least two alternatives to these procedures; both involve an SSL tunnel that adds SSL encryption to Active Directory's existing LDAP protocol.

• Configure your firewall to accept LDAP/SSL connections on TCP port 636 and forward them to Active Directory on port 389. In this case, an SSL certificate will be installed on your firewall. (Not all firewalls support this configuration.)
• Install a utility called STunnel (https://www.stunnel.org) on your Active Directory or any other internal machine that has access to Active Directory. Configure STunnel to accept LDAP/SSL connections on TCP port 636 and forward them to Active Directory on port 389. In this case, an SSL certificate will be installed on the machine which runs STunnel.

Contact our support staff for more information about any of these procedures.