Canon imagePRESS 1135 Series Service Manual page 217

Technology > MEAP > Login Service > Site internal access mode
CAUTION:
• To run domain authentication and Department ID management at the same time,
the options Net Spot Accountant, iW Accounting Manager or iW EMC Accounting
Management Plug-in are required. If domain authentication is selected as the
authentication method without linkage to these systems, login will be disabled and
Department ID management will not come ON. If Department ID management
cannot be turned ON when using domain authentication and login is disabled, switch
the login service to Default Authentication and turn Department ID management
OFF.
• When SSO is linked to Net Spot Accountant, iW Accounting Manager or iW EMC
Accounting Management Plug-in, and is to be used with Department ID management
turned ON, users belonging to the Domain Admin group need to be allocated to the
Security Agent service account.
• In order to link local device authentication and Department ID management
and manage print pages and scan pages per department ID, Department ID
management must be set ON.
To run local device authentication and Department ID management at the same time,
the information registered in local device authentication must match the Department
ID management user information (department ID and password).
• User information registered in SDL and that registered in local device authentication
are managed separately in the iR device. User information registered in one is not
reflected in the other.
• In local device authentication the card reader for the option control card cannot be
used. To use the card reader for the option control card, set SDL.
• Security Agent is only required when using the conventional SSO.
• To use the conventional SSO and Security Agent, they must be installed in the
computer belonging to the domain that includes the iR device.
• The Security Agent installer is included in the MEAP Administrator CD-ROM.
Linkage with Department ID management when using SSO-H
SSO-H has collaborative linkage with imageWARE access management, imageWARE
Accounting Manager and Net Spot Accounting. Department IDs and passwords can be
allocated to users only when SSO-H is used with 'Local device authentication'.
When they are allocated, authentication can be performed even when the main
unit's department management is ON. Department IDs and department passwords are not
allocated to domain users.
When the main unit's department management function is ON, domain users cannot be
authenticated.
NOTE:
With SSO, linkage with iWAM/ iWAM account summary manager was assumed and
department management linkage was enabled even in domain authentication, but with
SSO-H, this is now unsupported.
System administrator linkage (automatic allocation of ID to administrator)
[Restriction] With SSO, there was a function whereby the ID programmed on SA was allocated
to domain authentication administrators (Canon Peripheral Admins Group users) on SA, and
system administrators were automatically authenticated, but with SSO-H this is now unsupported.
■ Site internal access mode
With SSO-H, access to Active Directory within the site can be prioritized or restricted by
a setting called 'Site internal access mode'. Sites programmed in Active Directory comprise
multiple subnets. In this mode, SSO-H uses site information to access the Active Directory
in the same site as the device, or in the same subnet.
• The SSO-H default setting is with the site internal access mode OFF.
• Access Active Directory within same site only.
  • If there is no Active Directory within the same site, or if connection fails, there will be an
    authentication error.
• Access another site if Active Directory within the same site cannot be located.
  • If there is no Active Directory within the same site, or if connection fails, an Active Directory
    external to the site will be accessed.
  • If all attempts to access Active Directory fail, there will be an authentication error.
The operating specifications of the site internal access mode are as described below.
When first logging in to the login service after booting iR, the domain controller (DC) is
obtained from the site list.
However, upon the first login, even if the site functionality is active, connection to DC is
random. (This is because, if connection to DC should fail, the site to which the device belongs
cannot be ascertained.)
If the device IP address or the domain name are changed, the site settings are acquired once
more.
In this mode, at the first login (first authentication of the domain to which the device belongs)
an LDAP bind is performed directly to the DC and site information is acquired from the DC by LDAP.
From the acquired site list, the site to which the device subnet belongs is extracted and this
becomes the site to which the device belongs. Active Directory address is acquired (retrieved
from DNS)
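
The two site internal access behaviours described above (same site only, and fallback to another site) can be modelled as follows. This is an added example, not code from the manual or from Canon: the site names, subnets, DC host names and the mode names `same_site_only` / `other_site_fallback` are constructed for illustration, and the OFF setting is not modelled.

```python
import ipaddress

# Constructed sample site list (site -> subnets and domain controllers); not from the manual.
SITES = {
    "Tokyo": {"subnets": ["10.1.0.0/16", "10.2.0.0/16"], "dcs": ["dc1.tokyo.example"]},
    "Osaka": {"subnets": ["10.8.0.0/16"], "dcs": ["dc1.osaka.example", "dc2.osaka.example"]},
}

def device_site(device_ip, sites):
    """Return the site whose subnet contains device_ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(device_ip)
    best = None  # (site name, prefix length)
    for name, info in sites.items():
        for cidr in info["subnets"]:
            net = ipaddress.ip_network(cidr)
            # If subnets overlap, the most specific one decides the site.
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def candidate_dcs(device_ip, sites, mode):
    """Ordered DCs the device may contact. Mode names are hypothetical labels."""
    site = device_site(device_ip, sites)
    local = list(sites[site]["dcs"]) if site else []
    if mode == "same_site_only":
        return local
    if mode != "other_site_fallback":
        raise ValueError("unknown mode: " + mode)
    remote = [dc for name, info in sites.items() if name != site for dc in info["dcs"]]
    return local + remote  # same-site DCs are tried first, then external ones

def authenticate(device_ip, sites, mode, reachable):
    """Return the DC that served the login; raise if every candidate fails."""
    for dc in candidate_dcs(device_ip, sites, mode):
        if dc in reachable:  # 'reachable' stands in for a successful connection
            return dc
    raise ConnectionError("authentication error: no Active Directory reachable")
```

When reviewing firewall rules or investigating login failures, the candidate list shows which domain controllers a device in a given subnet is expected to contact, and whether traffic to a DC outside its site is consistent with the configured mode.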