Registering Server Information

To specify an Active Directory or LDAP server as an additional authentication device, you must register the information of the server used for authentication. Conduct a connection test as necessary.
Start the Remote UI. (See "Starting the Remote UI".)
Click [Settings/Registration] on the portal page. (See "Remote UI Screen".)
Click [User Management] ▶ [Authentication Management].
Click [Server Settings] ▶ [Edit...].
Set the authentication server and domain information.
[Use Active Directory]
Select the check box when using Active Directory.
[Set Domain List:]
Select whether the Active Directory information of the login destination is retrieved automatically or entered manually. To enter it manually, select [Set Manually] and add the domain of the login destination in [Active Directory Management...].
[Use access mode within sites]
Select the check box if there are multiple Active Directory servers and you want to assign access priority to the Active Directory located in the same site as the machine. Change the settings for [Timing of Site Information Retrieval:] and [Site Access Range:] as necessary.
Even when [Only site to which device belongs] is set in [Site Access Range:], the machine may access domain controllers outside its own site while it contacts a domain controller during startup. Domain controllers in the same site as the machine are still given priority. As an exception, if no domain controller in the same site can be reached but domain controllers outside the site can, the machine accesses the domain controllers outside the site.
[Number of Caches for Service Ticket:]
Specify the number of service tickets that the machine can hold. A service ticket is an Active Directory function that acts as a record of a previous login, which reduces the amount of time it takes for the same user to log in next time.
[Use LDAP server]
Select the check box when using an LDAP server.
[Period Before Timeout]
Specify the time limit for attempting to connect to the authentication server and the time limit for waiting for a response. When [Save authentication information for login users] is enabled, if you cannot log in within the time limit specified here, login is attempted using the authentication information saved in the cache.
[Default Domain of Login Destination:]
Specify the domain that has connection priority.
See also: "Manually specifying the Active Directory domain" and "Registering LDAP server information".
Enter the user information and set the privileges.
[Save authentication information for login users]
Select the check box to save the authentication information of users who log in via the control panel. Select the [Save user information when using keyboard authentication] check box to save the information of users who log in using keyboard authentication to the cache. After the settings are configured, the saved authentication information can be used for login, even if the machine is unable to connect to the server. Change the [Retention Period:] setting as necessary.
[User Attribute to Browse:]
Enter the data field (attribute name) on the referenced server that is used to determine user privileges (roles). Normally, you can use the preset value of "memberOf", which indicates the group that the user belongs to.
[Retrieve role name to apply from [User Attribute to Browse]]
Select the check box to use the character string registered in the data field on the server specified in [User Attribute to Browse:] for the role name. Before configuring, check the role names that can be selected on the machine, and register them on the server.
You can set the conditions that determine user privileges. The conditions below are applied in the order that they are listed.
[Search Criteria]
Select the search criteria for [Character String].
[Character String]
Enter the character string that is registered to the attribute specified in [User Attribute to Browse:]. To set the privileges based on the group that the user belongs to, enter the group name.
Select the privileges that apply to users who match the criteria.
The [Conditions] settings when using Active Directory servers
"Canon Peripheral Admins" is set in advance as the Administrator user group. Assign different privileges to the other groups created on the server.
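The following Python script is an added illustration of how the ordered [Conditions] list and the [Retrieve role name to apply from [User Attribute to Browse]] option decide a user's privileges; it is not Canon's own code. It assumes the search criteria are "equals", "contains" and "starts_with" (the machine's actual option labels are not given above), that the preset "Canon Peripheral Admins" condition is evaluated first, and that a user who matches no condition falls back to an assumed default role name; the group names and DNs in the sample are constructed.

```python
"""Resolve a user's role from the memberOf attribute using ordered matching conditions.

Added example, not the machine's code. Criteria names, the fallback role name and
the sample directory data are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Sequence

# Assumed search-criteria labels mapped to their string tests.
CRITERIA: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, needle: value == needle,
    "contains": lambda value, needle: needle in value,
    "starts_with": lambda value, needle: value.startswith(needle),
}


@dataclass(frozen=True)
class Condition:
    criteria: str   # key into CRITERIA ([Search Criteria])
    string: str     # [Character String] to compare against the attribute value
    role: str       # privileges granted to users who match


def group_cn(value: str) -> str:
    """Reduce a memberOf value such as 'CN=Staff,OU=Groups,DC=example,DC=com' to 'Staff'.

    A plain group name without RDN syntax is returned unchanged.
    """
    first = value.split(",", 1)[0].strip()
    return first[3:] if first.upper().startswith("CN=") else first


# Preset condition (the Administrator group named on the page), assumed to run first.
PRESET_CONDITIONS: list[Condition] = [
    Condition("equals", "Canon Peripheral Admins", "Administrator"),
]

DEFAULT_ROLE = "GeneralUser"  # assumed fallback role name for users matching no condition


def resolve_role(member_of: Iterable[str], conditions: Sequence[Condition],
                 default_role: str = DEFAULT_ROLE) -> str:
    """Apply the conditions in list order; the first one that matches any group wins."""
    names = [group_cn(v) for v in member_of]
    for cond in conditions:
        test = CRITERIA[cond.criteria]
        if any(test(name, cond.string) for name in names):
            return cond.role
    return default_role


def role_from_attribute(member_of: Iterable[str], machine_roles: set[str]) -> Optional[str]:
    """Mode where the attribute value itself names the role.

    Only a group whose name exactly matches a role registered on the machine applies,
    which is why the page tells you to register the machine's role names on the server.
    """
    for value in member_of:
        name = group_cn(value)
        if name in machine_roles:
            return name
    return None


# Constructed sample users (not real directory data).
ADMIN_USER = ["CN=Canon Peripheral Admins,OU=Groups,DC=example,DC=com"]
PRINT_MANAGER = [
    "CN=Printing Staff,OU=Groups,DC=example,DC=com",
    "CN=Printing Managers,OU=Groups,DC=example,DC=com",
]
VISITOR = ["CN=Visitors,OU=Groups,DC=example,DC=com"]

# Two extra conditions; the broad "starts_with" rule is listed before the exact one,
# so a member of both printing groups receives the role of the earlier rule.
SITE_CONDITIONS: list[Condition] = PRESET_CONDITIONS + [
    Condition("starts_with", "Printing", "PowerUser"),          # assumed role name
    Condition("equals", "Printing Managers", "DeviceAdmin"),    # assumed role name
]


def demo() -> dict[str, str]:
    """Return the role each sample user resolves to under SITE_CONDITIONS."""
    return {
        "admin": resolve_role(ADMIN_USER, SITE_CONDITIONS),
        "print_manager": resolve_role(PRINT_MANAGER, SITE_CONDITIONS),
        "visitor": resolve_role(VISITOR, SITE_CONDITIONS),
    }


if __name__ == "__main__":
    for user, role in demo().items():
        print(f"{user}: {role}")
```

The order of the list is the point to check when reviewing a configuration: a broad "contains" or "starts_with" rule placed above a narrower "equals" rule silently shadows it, so the most specific conditions belong first.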
Click [Update].
Restart the machine. (See "Restarting the Machine".)
DNS Settings
The following settings are required if the port number used for Kerberos on the Active Directory side is changed.
Information for the Kerberos service of Active Directory must be registered as an SRV record as follows:
Service: "_kerberos"
Protocol: "_udp"
Port number: The port number used by the Kerberos service of the Active Directory domain (zone)
Host offering this service: Host name of the domain controller that is actually providing the Kerberos service of the Active Directory domain (zone)
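As an added example (not part of the Canon documentation or the machine's software), the following Python script parses zone-file SRV lines and checks that the `_kerberos._udp` record for a domain advertises the expected, non-default port with a host name as its target, and it can emit the record line to add when it is missing. The zone fragment, the domain example.com, the port 8888 and the host dc1.example.com are constructed values; 88 is the standard Kerberos port.

```python
"""Verify or generate the _kerberos._udp SRV record a device needs when the KDC port changes.

Added example, not vendor code. Sample zone content below is constructed.
"""
import re
from typing import NamedTuple, Optional

KERBEROS_DEFAULT_PORT = 88


class SrvRecord(NamedTuple):
    service: str    # e.g. "_kerberos"
    protocol: str   # e.g. "_udp"
    zone: str       # e.g. "example.com"
    priority: int
    weight: int
    port: int
    target: str     # host name providing the service, without trailing dot


# Zone-file SRV line: owner [ttl] [class] SRV priority weight port target
_SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def parse_srv_line(line: str) -> Optional[SrvRecord]:
    """Parse one SRV line; return None for comments, blank lines and other record types."""
    m = _SRV_LINE.match(line.strip())
    if not m:
        return None
    labels = m.group("owner").rstrip(".").split(".")
    # Owner must be _service._protocol.zone
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        return None
    return SrvRecord(
        labels[0].lower(), labels[1].lower(), ".".join(labels[2:]).lower(),
        int(m.group("prio")), int(m.group("weight")), int(m.group("port")),
        m.group("target").rstrip(".").lower(),
    )


def kerberos_udp_records(zone_text: str, domain: str) -> list[SrvRecord]:
    """All _kerberos._udp records for `domain` found in the zone text."""
    return [
        rec for rec in (parse_srv_line(l) for l in zone_text.splitlines())
        if rec is not None and rec.service == "_kerberos"
        and rec.protocol == "_udp" and rec.zone == domain.lower()
    ]


def srv_problems(zone_text: str, domain: str, expected_port: int) -> list[str]:
    """Human-readable findings; an empty list means the record is usable."""
    problems = []
    records = kerberos_udp_records(zone_text, domain)
    if not records:
        return [f"no _kerberos._udp.{domain} SRV record found"]
    for rec in records:
        if rec.port != expected_port:
            problems.append(f"{rec.target} advertises port {rec.port}, expected {expected_port}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", rec.target):
            problems.append(f"target {rec.target} is an IP address; SRV targets must be host names")
    return problems


def format_srv(domain: str, port: int, host: str, ttl: int = 600) -> str:
    """Zone-file line registering the Kerberos service on `port` at `host`."""
    return f"_kerberos._udp.{domain}. {ttl} IN SRV 0 100 {port} {host}."


# Constructed zone fragment: Kerberos moved from 88 to 8888 on dc1.
SAMPLE_ZONE = """
; constructed example zone fragment for example.com
_kerberos._udp.example.com.  600 IN SRV 0 100 8888 dc1.example.com.
_kerberos._tcp.example.com.  600 IN SRV 0 100 8888 dc1.example.com.
_ldap._tcp.example.com.      600 IN SRV 0 100 389  dc1.example.com.
"""

if __name__ == "__main__":
    print(srv_problems(SAMPLE_ZONE, "example.com", 8888) or "Kerberos SRV record OK")
    print(format_srv("example.com", 8888, "dc1.example.com"))
```

The `_tcp` record alone is not enough for the setting described above, which is why the check looks only at the `_udp` owner name; a zone that carries just `_kerberos._tcp` would fail the check with "no record found".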