Page 1 of 25
AD_NDS_SMB userauthentication set-up_ver_1_10.doc
Setting-up Guide for bizhub C250/C351/C450/420/500/600/750
User Authentication in combination with
Active Directory environment
NDS environment
SMB/NTLM environment
Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Active Directory
    Preparation
    Check TCP/IP settings
    Configure User authentication (Active Directory)
Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Novell NDS
    Configure User authentication (NDS)
Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up SMB/NTLM User authentication
    Configure User authentication (SMB/NTLM)
Appendix
    Where to find required Information
    Things which make your life easier
    Updates in this Document release
Konica Minolta bizhub C250 / C351 / C450 / 750 / 600 – Setting-up of User authentication on Active Directory
This chapter describes the set-up procedure for the User Authentication function in combination with an MS Windows server supporting Active Directory. It is mandatory that the C450 is connected to a TCP/IP network and that the correct TCP/IP settings are applied to it.
Preparation
Before setting up user authentication, please collect the following information. If you have difficulty finding the required information, please refer to the appendix “Where to find required Information”:
MFP’s Administrator password
MFP’s IP address
Subnet Mask
Default gateway (optional)
Priority DNS Server address
Substitute 1 DNS Server address (optional)
Substitute 2 DNS Server address (optional)
MFP’s DNS Host Name
MFP’s DNS Domain Name
Default Domain Name
Valid user account and Password for function check
Check TCP/IP settings
a) Press the Utility key on the Operation panel
b) Select “Administrator Setting”
c) Enter the Administrator Password and touch the “OK”-button.
d) Select “Network Setting”
e) Select “TCP/IP Settings”
f) Ensure that the right TCP/IP configuration is applied and select the Forward button (FWD.)
g) Ensure that at least the Priority DNS Server IP address is set. If no DNS server address is set, “User Authentication” and “LDAP search with GSS-SPNEGO authentication” will not work. Select the Forward button (FWD.)
h) Enter the DNS Default Domain Name and select the Forward button (FWD.).
i) Enter the DNS Host Name and press “OK”
Configure User authentication (Active Directory)
a) Enter the Administrator Mode and select “User Authentication / Account Track”
b) Select “General Settings”
c) Select User Authentication “ON (External Server)”
d) Choose “Active Directory”
e) Select the field (button) “01” and touch “Registration” in order to register the name of the domain against which user authentication shall take place (up to 20 different domain names can be registered).
f) Enter the Domain Name and press “OK”
g) Leave the registration screen by touching “OK”
h) Leave the External Server Authentication screen by touching “OK”
i) Leave the general settings screen by touching “OK”
j) In order to activate “User Authentication”, this message has to be confirmed by touching the [Yes] button. Please be aware that this will clear all previously programmed accounting and authentication data.
k) Try to log in with a valid user account name and password. If you have any difficulty logging in, please re-check all settings and refer to the appendix – known issues.
Konica Minolta bizhub C250 / C351 / C450 / 750 / 600– Setting-up of User authentication on Novell NDS
This chapter describes the set-up procedure for the User Authentication function in combination with a Novell Netware Server Ver. 5 and later.
Preparation
Before setting up user authentication, please collect the following information. If you have difficulty finding the required information, please refer to the appendix “Where to find required Information”:
MFP’s Administrator password
Default NDS Tree Name
Default NDS Context Name
Valid user account name and Password for function check (admin credential will not work, due to Netware security setting)
Configure User authentication (NDS)
a) Press the “Utility” key on the Operation panel
b) Select “Administrator Setting”
c) Enter the Administrator Password and touch the “OK”-button.
d) Select “User Authentication / Account Track”
e) Select “General Settings”
f) Select User Authentication ”ON (External Server)”
g) Choose “NDS”
h) Select “Default NDS Tree Name”
i) Input the default NDS tree name and touch the “OK” button
j) Select “Default NDS context name”
k) Input the default NDS context name and touch the “OK” button
l) Leave the administrator mode and switch the main device off and on
m) Try to log in with a valid user account and password. If you have any difficulty logging in, please re-check all settings and refer to the appendix – known issues.
Konica Minolta bizhub C250 / C351 / C450 / 750 / 600– Setting-up SMB/NTLM User authentication
This chapter describes the set-up procedure for the User Authentication function in combination with a Windows PC or a computer running the Samba service.
Preparation
Before setting up user authentication, please collect the following information. If you have difficulty finding the required information, please refer to the appendix “Where to find required Information”:
MFP’s Administrator password
Default Domain Name
Valid user account and Password for function check (admin credential will not work, due to Netware security setting)
Configure User authentication (SMB/NTLM)
b) Please ensure a basic TCP/IP configuration of the MFP. IP address and subnet mask must be programmed. All other TCP/IP settings are optional.
c) Press the Utility key on the Operation panel
e) Select “Administrator Setting”
f) Enter the Administrator Password and touch the “OK”-button.
g) Select “User Authentication / Account Track”
h) Select “General Settings”
i) Select User Authentication “ON (External Server)”
j) Choose [NTLM v1] for user authentication against a Samba server, or [NTLM v2] for user authentication against a Windows Server.
k) Select “Default Domain Name”
l) Input the default Domain Name by using capital characters and touch the “OK” button
m) Leave the administrator mode and switch off and on the main device
n) Try to log in with a valid user account and password. If you have any difficulty logging in, please re-check all settings and refer to the appendix – known issues.
Appendix
Where to find required Information
Active Directory
MFP’s Administrator password: Try the standard password or ask the Administrator.
MFP’s IP address: Check TCP/IP settings of MFP or ask the Network Administrator.
Subnet Mask: Check TCP/IP settings of MFP or ask the Network Administrator.
Default gateway (optional): Check TCP/IP settings of MFP, check the TCP/IP settings of a nearby workstation by using “ipconfig /all”, or ask the Network Administrator.
Priority DNS Server address: Check TCP/IP settings of MFP, check the TCP/IP settings of a nearby workstation by using “ipconfig /all”, or ask the Network Administrator.
Substitute 1 DNS Server address (optional): Check TCP/IP settings of MFP, check the TCP/IP settings of a nearby workstation by using “ipconfig /all”, or ask the Network Administrator.
Substitute 2 DNS Server address (optional): Check TCP/IP settings of MFP, check the TCP/IP settings of a nearby workstation by using “ipconfig /all”, or ask the Network Administrator.
MFP’s DNS Host Name: Check TCP/IP settings of MFP, use “tracert ip_address_of_the_MFP” and check the output information, or ask the Network Administrator.
MFP’s DNS Domain Name: Check TCP/IP settings of MFP, use “tracert ip_address_of_the_MFP” and check the output information, or ask the Network Administrator.
Default Domain Name: Check TCP/IP settings of MFP, check the TCP/IP settings of a nearby workstation by using “ipconfig /all”, or ask the Network Administrator.
Valid user account and Password for function check: Ask the Network Administrator.
NDS
MFP’s Administrator password: Try the standard password or ask the Administrator.
Default Domain Name: Ask the network administrator.
Valid user account and Password for function check (admin credential will not work, due to Netware security setting): Ask the network administrator.
SMB/NTLM
MFP’s Administrator password: Try the standard password or ask the Administrator.
Default Domain Name: Ask the network administrator.
Valid user account and Password for function check (admin credential will not work, due to Netware security setting): Ask the network administrator.
Things which make your life easier
User Authentication - Active Directory
• The following network protocols are used during user authentication – Active Directory. Please ensure that communication on the listed protocols/ports is not blocked by any firewall. If one or more of the listed protocols/ports are blocked, user authentication will fail. In the case of Windows 2003 Server, the Windows Firewall, which is enabled by default, blocks all of the listed protocols/ports by default. To allow the required communication, exceptions have to be configured.
Protocol                                        Port
DNS (Domain Name Server)                        53 / UDP
Kerberos                                        88 / UDP, 88 / TCP
NTP (Network Time Protocol)                     123 / UDP
LDAP (Lightweight Directory Access Protocol)    389 / TCP
• During Active Directory user authentication, our devices try to synchronize the time settings by connecting to the NTP service running on the domain controller. Please be aware that the NTP setting in Administrator mode does not have any influence on the user authentication process. During user authentication, the NTP service is required from the domain controller that is used for the user authentication process. If the connection cannot be established, authentication will fail. Please ensure that the W32TIME service, which provides the NTP service, is running. Whether the W32TIME service is running can easily be checked from the Windows command line with the command “sc query w32time”.
• During user authentication the Kerberos protocol is involved. Usually Kerberos communication takes place over UDP port 88. In rare cases, if the Kerberos network packet becomes too big, the transport protocol changes from UDP to TCP. Our general firmware does not support Kerberos over the TCP transport protocol. The size of a Kerberos packet is influenced by the user account's group memberships. If the user account belongs to more than 25~30 groups, this issue may occur. For bizhub C250/C252/C300/C351/C352/C450 a special firmware that provides Kerberos over TCP support is available. For other models, please ask your technical support department. To identify this issue, please make a network trace and check the Kerberos packets for the error message [KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG].
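A pre-flight check for the ports in the table above, run from a workstation on the MFP's network segment; this is an added example, not part of the Konica Minolta guide. The function names, the address 192.0.2.10 and the domain example.local are placeholders, and the script assumes the domain controller answers plain SNTP client requests through W32TIME.

```python
import socket, struct, time
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
SNTP_REQUEST = b"\x1b" + bytes(47)  # 48 bytes: LI=0, VN=3, Mode=3 (client)

def parse_sntp_reply(data):
    """Server transmit time as Unix seconds, or None if this is not a server reply."""
    if len(data) < 48 or data[0] & 0x07 != 4:  # mode 4 = server
        return None
    seconds, fraction = struct.unpack("!II", data[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def build_dns_query(name, qtype=33, txid=0x4242):
    """Minimal DNS question (qtype 33 = SRV, class IN, recursion desired)."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def udp_exchange(host, port, payload, timeout=3.0):
    """Send one datagram; return the reply, or None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            return s.recvfrom(2048)[0]
        except OSError:  # timeout, ICMP unreachable, name resolution failure
            return None

def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(dc, domain):
    """Probe one domain controller on the ports in the guide's table."""
    ntp = parse_sntp_reply(udp_exchange(dc, 123, SNTP_REQUEST) or b"")
    dns = udp_exchange(dc, 53, build_dns_query("_kerberos._udp." + domain)) or b""
    return {
        "DNS 53/UDP answers": dns[:2] == b"\x42\x42",
        "Kerberos 88/TCP open": tcp_open(dc, 88),  # 88/UDP needs a real AS-REQ to prove
        "NTP 123/UDP answers (W32TIME)": ntp is not None,
        "DC clock minus local clock (s)": None if ntp is None else round(ntp - time.time(), 1),
        "LDAP 389/TCP open": tcp_open(dc, 389),
    }

if __name__ == "__main__":  # placeholder address/domain, not values from the guide
    for check, result in preflight("192.0.2.10", "example.local").items():
        print(f"{check:32} {result}")
```

A missing NTP answer while 389/TCP is open points to a stopped W32TIME service or a blocked 123/UDP, the failure described in the second bullet.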
User Authentication - NDS
• Due to the security settings of the Novell Netware server, Admin credentials cannot be used for user authentication.
User Authentication - SMB
• The following network protocols are used during user authentication – SMB (NTLM). Please ensure that communication on the listed protocols/ports is not blocked by any firewall. If one or more of the listed protocols/ports are blocked, user authentication will fail. In the case of Windows 2003 Server, the Windows Firewall, which is enabled by default, blocks all of the listed protocols/ports by default. To allow the required communication, exceptions have to be configured.
Protocol                                        Port
NBSS (NETBIOS Session Service)                  139 / UDP
• Before Phase 3.0 firmware for bizhub C250/C252/C300/C351/C352/C450 and Phase 2.0 firmware for bizhub 420/500/600/750, SMB signing is not supported. This means that the default security settings of a Windows 2003 Domain Server will not allow our MFPs to carry out user authentication via SMB (NTLM) with earlier firmware versions. If you have any difficulties with SMB (NTLM) authentication, please ensure that the applicable system is running the latest firmware.
• For bizhub 250/350 there will be no support for “SMB signing”. To get user authentication via SMB (NTLM) working, the following "Default Domain Controller Security Settings" must be changed:
From: "Microsoft network server: Digitally sign communications (always)" enabled
To: "Microsoft network server: Digitally sign communications (always)" disabled
• At least SMB Scanning or SMB printing must be enabled to use SMB user authentication.
Updates in this Document release
• LCD screen pictures are updated to Color Phase 3.0 / Bizhub 420/500/600/750 Phase 2.0 firmware LCD screen pictures
• NTP (Net time protocol) setup instruction has been removed. Time synchronisation is done automatically without further setting up. Please refer to KNOWN ISSUE - User Authentication - Active Directory
• Samba server support mentioned in SMB/NTLM User Authentication section
• KNOWN ISSUES has been updated