The Active Directory login authority
The Active Directory login authority allows users to log in to Secure Global Desktop if they have an account in an Active Directory domain.
This login authority uses a combination of Kerberos authentication and LDAP searches of Active Directory servers, which makes it faster and more secure than the LDAP login authority. It is also more scalable and flexible: users can be authenticated against any domain in a forest, and Active Directory, instead of ENS, is used to provide information about users.
This login authority is disabled by default.
The user types a user principal name (an account logon name and a domain name joined by the "@" sign, for example "indigo@indigo-insurance.com") and password.
Once a user has been authenticated, Secure Global Desktop searches an Active Directory server in the domain for an LDAP person object for the user.
The identity is the LDAP person object and has the form .../_service/sco/tta/ldapcache/LDAP-person.
The first match of the following is used:
1. If the LDAP person object cn=Indigo Jones,cn=Administration,dc=Indigo Insurance,dc=com is found, this login authority would search ENS for dc=com/dc=Indigo Insurance/cn=Administration/cn=Indigo Jones.
2. cn=LDAP Profile, in the same OU as the LDAP person object. For example, dc=com/dc=Indigo Insurance/cn=Administration/cn=LDAP Profile.
3. cn=LDAP Profile, in any parent OU for the LDAP person object. For example, dc=com/dc=Indigo Insurance/cn=LDAP Profile.
4. o=Tarantella System Objects/cn=LDAP Profile.
Emulator sessions and password cache entries belong to the LDAP person object.
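The lookup order above, as an added example (not code from Secure Global Desktop or its documentation): it derives the ordered ENS names to try for an LDAP person object's DN, which is useful when auditing which ENS object an Active Directory user falls through to. The function names, the nearest-parent-first walk up to the root, and the exact-match comparison against a set of ENS names are assumptions.

```python
import re

PROFILE_RDN = "cn=LDAP Profile"
SYSTEM_FALLBACK = "o=Tarantella System Objects/cn=LDAP Profile"


def split_dn(dn):
    """Split an LDAP DN into RDNs (most specific first), honouring '\\,' escapes."""
    rdns = [part.strip() for part in re.split(r"(?<!\\),", dn)]
    if not all("=" in rdn and rdn.split("=", 1)[1] for rdn in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    if any("/" in rdn for rdn in rdns):
        # Assumption: the page does not say how '/' inside a value is written
        # in ENS, so refuse rather than guess a name.
        raise ValueError(f"RDN contains '/': {dn!r}")
    return rdns


def ens_name(rdns):
    """ENS form per the page's example: RDNs reversed and joined with '/'."""
    return "/".join(reversed(rdns))


def profile_candidates(dn):
    """Return the ENS names to try, in the order the page lists them."""
    rdns = split_dn(dn)
    candidates = [ens_name(rdns)]          # the person object's DN in ENS form
    containers = rdns[1:]                  # the person's OU and its ancestors
    while containers:                      # same OU first, then each parent OU
        candidates.append(ens_name(containers) + "/" + PROFILE_RDN)
        containers = containers[1:]
    candidates.append(SYSTEM_FALLBACK)     # system-wide default, tried last
    return candidates


def resolve_profile(dn, ens_objects):
    """First candidate present in ens_objects (a set of ENS names) wins."""
    for name in profile_candidates(dn):
        if name in ens_objects:
            return name
    return None


if __name__ == "__main__":
    # Constructed ENS contents for illustration only.
    ens = {"dc=com/dc=Indigo Insurance/cn=LDAP Profile", SYSTEM_FALLBACK}
    dn = "cn=Indigo Jones,cn=Administration,dc=Indigo Insurance,dc=com"
    print(resolve_profile(dn, ens))
```

Running `profile_candidates` over every DN in a directory export shows which users would land on the system-wide `o=Tarantella System Objects/cn=LDAP Profile` object rather than an OU-specific one.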
Copyright © 1997-2006 Sun Microsystems, Inc. All rights reserved.