Directory authentication is a Security Center option that forces all client and server applications on a given machine to validate the identity certificate of the Directory before connecting to it. This measure prevents manipulator-in-the-middle attacks.
When do I need Directory authentication?
The purpose of Directory authentication is to protect against manipulator-in-the-middle (MITM) attacks. If no applications connect to your system over the internet (or any other untrusted network), the potential for this sort of attack is very low. In that case, you can probably leave this option disabled.
What is an identity certificate?
An identity certificate is a digital certificate used to authenticate one party to another in a secure communication over a public network. Identity certificates are generally issued by an authority that is trusted by both parties, called a certificate authority (CA).
How it works
When installing the Server components of Security Center, a self-signed certificate named GenetecServer-{MachineName} is automatically created in the Local Computer Certificate Store. You can view the current certificate in Server Admin, on your server page, under the Secure communication section.
Self-signed certificates identify the expansion servers to the main server. As a result, the password used to connect to the main server does not need to be stored locally on the expansion servers.
Directory authentication is enabled at Security Center installation when you choose the recommended security settings, or by selecting Always validate the Directory certificate when you choose the custom security settings.
If the main server uses the self-signed certificate, the user must confirm that the Directory server can be trusted the first time they connect to the Directory from a workstation.
After a user confirms that the main server can be trusted, the certificate is added to an allowed list. As a result, the dialog box no longer appears.
The same confirmation is required on expansion servers. The first time you log on to the expansion server with Server Admin, a message is displayed on the dashboard.
Click Main server connection, and then click Accept certificate in the dialog box that appears.
After the main server has been confirmed, you can change the password or the certificate on either the main server or the expansion server without having to confirm your trust again, as long as the two servers stay connected while you make the change.
Requirements
- DNS must be configured on the network. Servers and client workstations must be able to resolve the main server name.
- DNS must resolve the main server name to the common name on the Directory certificate.
- Client workstations and expansion servers must be able to trust the certificate provided by the main server. Otherwise, user intervention is always required to accept the certificate the first time a machine is used to connect to the main server.
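The following PowerShell script is an added example, not part of the Genetec documentation or product; it checks the three requirements above from the main server's own Local Computer Certificate Store, using the GenetecServer-{MachineName} naming described earlier. The main server name in $MainServerName is a placeholder you replace with the name your clients and expansion servers actually use.

```powershell
# Added example (not Genetec's own code): read-only check of the Directory
# authentication requirements. Run in an elevated PowerShell prompt on the
# main (Directory) server.
# Assumption: $MainServerName is the name clients use to reach the main server
# (placeholder value below).
param(
    [string]$MainServerName = 'mainserver.example.local'
)

Set-StrictMode -Version Latest

# Locate the Directory certificate by its GenetecServer-{MachineName} name.
# If several exist, the most recently issued one is assumed to be current.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=GenetecServer-*' } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning 'No GenetecServer-* certificate found in Cert:\LocalMachine\My.'
    return
}

$commonName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$selfSigned = ($cert.Subject -eq $cert.Issuer)

"Certificate  : $($cert.Subject)"
"Thumbprint   : $($cert.Thumbprint)"
"Self-signed  : $selfSigned"
"Valid until  : $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'The Directory certificate has expired.'
}

# Requirement 1: DNS resolves the main server name.
try {
    $records = Resolve-DnsName -Name $MainServerName -Type A -ErrorAction Stop
    $addresses = ($records | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
    "DNS          : $MainServerName -> $addresses"
} catch {
    Write-Warning "DNS does not resolve '$MainServerName': $($_.Exception.Message)"
}

# Requirement 2: the name clients use matches the certificate (CN or a SAN DNS entry).
$certNames = @($commonName)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Format($false) yields e.g. "DNS Name=host1, DNS Name=host2"
    $certNames += ($sanExt.Format($false) -split ',\s*' |
        ForEach-Object { ($_ -split '=')[-1].Trim() })
}
$nameMatches = $certNames -contains $MainServerName   # -contains is case-insensitive
"Name match   : $nameMatches (certificate names: $($certNames -join ', '))"
if (-not $nameMatches) {
    Write-Warning 'Clients must connect using a name that matches the certificate.'
}

# Requirement 3: the certificate chains to a trusted root on this machine.
# A self-signed certificate fails here until each machine has accepted it once.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
"Chain trusted: $trusted"
if (-not $trusted) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Certificate chain does not validate on this machine ($status)."
    if ($selfSigned) {
        Write-Warning 'Self-signed certificate: each workstation and expansion server will be prompted to accept it on first connection unless it is trusted in advance.'
    }
}
```

Run the same chain check on a client workstation by exporting the public certificate from the main server and loading it with New-Object System.Security.Cryptography.X509Certificates.X509Certificate2; a failed chain build there is the condition under which the first-connection trust prompt appears.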
How do I change this setting after installation?
To change the Directory authentication setting after software installation, you must edit the GeneralSettings.gconfig file on each computer where you want it changed.