Canon imageRUNNER ADVANCE C350 series Service Manual page 201

Technical Explanation > MEAP > Enhanced System Application Management > Server authentication (Active Directory authentication)
CAUTION:
Since department IDs and passwords are not assigned to domain users, distributing setting information in which the department ID is enabled to a device where server authentication is enabled may make it impossible to log in to the device. If the device has become unable to be logged in to, follow "Remedy to Be Performed When the Device Has Become Unable to Be Logged in" in this manual.
● Access Mode in Sites
SSO-H can prioritize or restrict access to Active Directory within a site; this is controlled by the setting "Access Mode in Sites". Sites defined in Active Directory consist of multiple subnets. In this mode, SSO-H uses the site information to access the Active Directory in the same site, or the same subnet, as the device.
• The SSO-H default setting is with the site internal access mode OFF.
• Access Active Directory within the same site only:
  • If there is no Active Directory within the same site, or if the connection fails, an authentication error occurs.
• Access another site if Active Directory within the same site cannot be located:
  • If there is no Active Directory within the same site, or if the connection fails, an Active Directory outside the site is accessed.
  • If all attempts to access Active Directory fail, an authentication error occurs.
The operating specifications of the site internal access mode are as follows.
At the first login to the login service after the iR boots, the domain controller (DC) is obtained from the site list. At that first login, however, the DC connected to is chosen at random even if the site function is active. (This is because, if the connection to a DC fails, the site to which the device belongs cannot be ascertained.)
If the device IP address or the domain name is changed, the site settings are acquired again.
In this mode, at the first login (the first authentication against the domain to which the device belongs), LDAP Bind is performed directly to a DC and the site information is acquired from that DC by LDAP. From the acquired site list, the site containing the device's subnet is extracted and becomes the site to which the device belongs. The Active Directory addresses are then acquired (retrieved from DNS).
Note:
The Active Directory subnet is assumed to be the same subnet as the device subnet.
The Active Directory address list contains the Active Directories of the same site. Active Directories in the same subnet as the device are listed first; if there is no Active Directory in the same subnet as the device, Active Directories in subnets different from the device's are listed.
The Active Directories within the same site are accessed in order. Where there are multiple Active Directories within the same site, they are accessed in the order in which the address list was obtained.
If there is no Active Directory within the same site and access outside the site is enabled, Active Directories outside the site are accessed in the order in which the address list was obtained.
Site list acquisition
After boot-up, at the first login by LLS or ILS/RLS, the site list is obtained from Active Directory. To obtain the site list, Active Directory must be accessed over LDAP, so a SASL Kerberos Bind is performed with the login user's account. If authentication by Active Directory fails, an authentication error is generated and the site list is acquired again from Active Directory at the next login.
In SSO-H, the Active Directory accessed when acquiring the site list cannot be specified. In other words, while there is no site list yet, which site's Active Directory is accessed depends on the order of the Active Directory addresses returned by DNS, so the LDAP access for the site list may reach the Active Directory of a different site. In such cases access across sites or subnets is required, which means that LDAP traffic must be able to pass between sites (subnets) (normally LDAP uses port 389). Further, if the connection to an Active Directory fails while acquiring site information, another Active Directory is accessed.
Once acquired, site information is cached within the device. The cache lifetime setting can be configured so that the cached site information is updated at the first login after the device boots, or so that the cache is never updated once acquired.
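The DC ordering described under "Access Mode in Sites" and the site lookup from the acquired site list, as an added worked example that is not Canon's code: the site definitions, DC addresses and "reachable" set are constructed sample data, and the three mode names are assumed labels for the setting's options.

```python
import ipaddress

# Constructed sample data (not from the manual): sites and their subnets as
# published in Active Directory, and DC addresses in the order DNS returned them.
SITES = {
    "SiteA": ["10.1.0.0/16", "10.2.0.0/24"],
    "SiteB": ["10.3.0.0/16"],
}
DNS_DC_ORDER = ["10.3.0.5", "10.1.5.10", "10.2.0.7", "10.1.0.20"]

def site_and_subnet(ip, sites):
    """Return (site, subnet) whose subnet contains ip, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for site, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net:
                return site, net
    return None, None

def dc_access_order(device_ip, sites, dns_dcs, mode):
    """Order DCs as the manual describes for the Access Mode in Sites setting.
    "off": site information is not used; DNS order is kept as-is.
    "same_site": same subnet first, then the rest of the device's site.
    "other_sites": as "same_site", then DCs outside the site as fallback.
    Within each group the DNS order is preserved.
    """
    if mode == "off":
        return list(dns_dcs)
    device_site, device_net = site_and_subnet(device_ip, sites)
    same_subnet, same_site, outside = [], [], []
    for dc in dns_dcs:
        dc_site, _ = site_and_subnet(dc, sites)
        if device_net is not None and ipaddress.ip_address(dc) in device_net:
            same_subnet.append(dc)
        elif dc_site is not None and dc_site == device_site:
            same_site.append(dc)
        else:
            outside.append(dc)
    ordered = same_subnet + same_site
    return ordered + outside if mode == "other_sites" else ordered

def authenticate(device_ip, sites, dns_dcs, mode, reachable):
    """Try DCs in order; return the DC that answered, or None (authentication error)."""
    for dc in dc_access_order(device_ip, sites, dns_dcs, mode):
        if dc in reachable:  # constructed stand-in for a successful Kerberos/LDAP bind
            return dc
    return None
```

With only the SiteB DC reachable, "same_site" mode yields an authentication error while "other_sites" mode falls back to it, matching the two behaviours listed above.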
2-158
