About user authentication setup


Before you set up users and apply Field and Menu permissions, we recommend that you pre-plan the items noted in the Setting Up User Authentication Checklist.

If you are using external authentication, set up your users in Microsoft Active Directory first, and then import them into the Administration Console when registering databases on a Concordance Desktop server.

If you are not using authentication, we recommend that you set up users in the Concordance Desktop Admin Console. This gives each user access to all databases on that server, including databases added to that server, unless you restrict user access using the User Management feature.

 

Checklist: Setting Up User Authentication

 

Pre-Planning for User Setup

Have you determined if external authentication will be implemented?

Do you have a method of assigning and tracking user IDs to help manage individual user accounts?

Have you implemented a process for adding users to the Concordance Desktop server?

Are these processes known to other administrators who are responsible for setting up users and managing databases?

Did you implement a folder template to store your databases and associated files?

 

Admin Console User Setup

Did you add additional administrator user accounts, and set full menu and field access rights?

Did you include an email address for each administrator who needs to receive watchdog and other notifications from the server?

Did you set up e-mail options and watchdog services under the Settings tab?

(All notifications will be sent to all administrators who have an e-mail address included in their user account/profile.)

For databases migrated to Concordance Desktop using the DB Smart Path directory: Did you verify that all users associated with the database now have user accounts in the Admin Console under the Management tab?

Did you associate your Concordance Desktop databases to the client and/or matter that applies for each database?

Note: Clients are for organizational purposes only.

Did you add additional contact information for each user, in the Admin Console under the Management tab, in the event that the user or main contact for a case needs to be contacted?

 

User Management Setup for Restricting User Rights in One or More Databases
* Only if you are restricting one or more users' rights in one or more databases.

Did you set the administrator credentials for the applicable databases in the User Management dialog box in Concordance Desktop, and did you give them full access to all fields and menu items? (Optional)

This should be done only if you are using the User Management feature to restrict user field rights and menu access on a per user per database basis.

Have you planned and designed user roles with pre-defined database field and menu settings based on the types of administrators and users that are accessing databases? (This is only applicable if you are going to set up user restrictions on a database-by-database basis.)

Have you created user role templates on which to base the same restrictions for one or more users across multiple databases?

Did you verify field rights and menu access as designed in user templates and customize per user, as needed?

Did you export a backup copy of the .csv file for reference, and save it to a specified location in the folder template?

Note: You can import the .csv file into other Concordance Desktop databases to save time with user restriction set up.

 

Authentication Options

When using Concordance Desktop, you have two primary user authentication options:

External - Concordance Desktop relies on an external source to validate users.

Internal - Concordance Desktop determines whether a user has access to a database or to view matters.

Using External Authentication

When using Concordance Desktop with Microsoft Active Directory, Microsoft Windows NT or PDC (Primary Domain Controller) to authenticate users, a two-fold verification takes place. The user is first authenticated with one of the following: Active Directory, Windows NT or PDC. If the person is a valid user, they are then authenticated in the Concordance Desktop Admin Console and have permissions based on the user rights applied.

To use this method of user verification, the login IDs in Concordance Desktop must be identical to the login IDs used in the directory service on the network. User passwords must be set to "never expire" on the network.

To add outside users to the Concordance Desktop server when using this type of authentication, the user must be added to the directory service on the network. For security purposes, they can be assigned no rights at the network level, but they need to be listed in the network directory for the authentication to take place. In the Concordance Desktop Admin Console, users can be added and granted the appropriate rights they need for the case. The same rules apply with regard to matching login IDs in both the Active Directory and the Concordance Desktop Admin Console.

For more information about authentication types, see Setting authentication types.

Authentication Type Considerations

The Concordance Desktop server supports a variety of authenticators that determine what source grants or denies users from accessing resources and the hosted databases. Please read the following sections before you adjust settings for authentication types.

 

Supported Authentication Types

Internal Types

Concordance Desktop - Concordance Desktop handles authentication. A valid user ID and password is required to connect.

External Types

External by Domain - Authentication by NT Domain Controller (non-Active Directory)

External by NT Server - Authentication by stand-alone server (Member server)

External by Active Directory LDAP - Authentication by Lightweight Directory Access Protocol (Microsoft Active Directory)

If you are using external authentication, you must still use Concordance Desktop security.

 

Concordance Desktop

This authentication method verifies user credentials set in the Concordance Desktop Admin Console. Concordance Desktop gives users their designated field and menu access. Users who are not verified by the Concordance Desktop settings are refused access by the Concordance Desktop server.

External by Domain

Domain passwords take precedence over Concordance Desktop passwords:

If a user name or password is not recognized by the domain controller, then the user is refused access by the Concordance Desktop server.

If the user is verified by the domain controller, then the user is given access to all Concordance Desktop databases where Concordance Desktop rights allow access for that log on, regardless of the Concordance Desktop password.

The External by Domain setting typically requires use of several ports: 137 TCP, 138 UDP, 139 TCP, and 445 TCP. Please ensure that your firewall is not blocking these ports.

You can verify user credentials through your Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC).

External by NT Server

This authentication method verifies user credentials through your Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC), specified by the Internet or IP address. This method has the same restrictions and features as described above for the External by Domain method.

If you enter an IP address and the server's IP address changes, the Concordance Desktop server will not be able to communicate with the credential server until the address is manually updated.

Ports typically required by this method include 137 TCP, 138 UDP, 139 TCP, and 445 TCP. Please ensure that your firewall is not blocking these ports.

External by Active Directory

Microsoft Active Directory passwords take precedence over Concordance Desktop passwords.

This authentication method requires a Microsoft Active Directory compatible credentials server. User credentials are verified and used as described above for the External by Domain method.

If you enter an IP address and the server's IP address changes, the Concordance Desktop server will not be able to communicate with the credential server until the address is manually updated.

Firewall ports that need to be open for Active Directory include 389 (LDAP), 636 (secure LDAP), and NetBIOS ports for the change password feature.

When authenticating users against an Active Directory server in a domain other than where the Concordance Desktop server is located, make sure that the Concordance Desktop server is running on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.

Concordance Desktop ASPs will want to set up a separate domain for their clients and then set up user accounts with passwords set to never expire. Firms and organizations hosting their own data can use their existing domain and user accounts.

When using external authentication, user IDs and passwords in a Concordance Desktop database must be identical to those used in the Active Directory. To do this, create organizational units (OUs) in the Active Directory specifically for Concordance Desktop server users, and set passwords to never expire so that you are not updating passwords in both the Active Directory and the Concordance Desktop databases if passwords expire.
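The following PowerShell sketch is an added example, not part of Concordance Desktop or its documentation. It reconciles the accounts in a dedicated OU with the login IDs entered in the Admin Console and reports the conditions described above that would stop external authentication from working. The function name, the sample records and the login ID list are assumptions made for illustration, and flagging case-only differences for review is also an assumption, since the requirement is only that the IDs be identical.

```powershell
# Added example. Sample records and login IDs below are constructed.
# With the ActiveDirectory module, real input for -DirectoryUsers would be:
#   Get-ADUser -Filter * -SearchBase '<DN of your Concordance OU>' -Properties PasswordNeverExpires
function Compare-ConcordanceLogins {
    param(
        [Parameter(Mandatory)] [object[]] $DirectoryUsers,  # SamAccountName, Enabled, PasswordNeverExpires
        [Parameter(Mandatory)] [string[]] $ConsoleLoginIds  # login IDs as typed in the Admin Console
    )
    foreach ($id in $ConsoleLoginIds) {
        # -ceq is a case-sensitive match; -ieq ignores case
        $exact = @($DirectoryUsers | Where-Object { $_.SamAccountName -ceq $id })
        $loose = @($DirectoryUsers | Where-Object { $_.SamAccountName -ieq $id })
        if ($exact.Count -gt 0) {
            $user = $exact[0]
            if (-not $user.Enabled) {
                [pscustomobject]@{ LoginId = $id; Issue = 'Directory account is disabled' }
            }
            if (-not $user.PasswordNeverExpires) {
                [pscustomobject]@{ LoginId = $id; Issue = 'Directory password is not set to never expire' }
            }
        }
        elseif ($loose.Count -gt 0) {
            [pscustomobject]@{ LoginId = $id; Issue = "Differs only by case from directory ID '$($loose[0].SamAccountName)'" }
        }
        else {
            [pscustomobject]@{ LoginId = $id; Issue = 'No matching directory account' }
        }
    }
    # Directory accounts in the OU that have not been added to the Admin Console
    foreach ($user in $DirectoryUsers) {
        if ($ConsoleLoginIds -notcontains $user.SamAccountName) {
            [pscustomobject]@{ LoginId = $user.SamAccountName; Issue = 'In directory OU but not in Admin Console' }
        }
    }
}

# Constructed sample data standing in for the OU contents and the console user list
$directoryUsers = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';  Enabled = $true;  PasswordNeverExpires = $true  }
    [pscustomobject]@{ SamAccountName = 'MLee';    Enabled = $true;  PasswordNeverExpires = $true  }
    [pscustomobject]@{ SamAccountName = 'rpatel';  Enabled = $true;  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'oldtemp'; Enabled = $false; PasswordNeverExpires = $true  }
)
$consoleLoginIds = 'jsmith', 'mlee', 'rpatel', 'kwong'

Compare-ConcordanceLogins -DirectoryUsers $directoryUsers -ConsoleLoginIds $consoleLoginIds |
    Format-Table -AutoSize
```

Running the same check on a schedule also gives a current list of every account that carries a non-expiring password, confined to the OU created for Concordance Desktop users.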

For more information about setting up users in Active Directory, please refer to Microsoft's help system.