Configuring Windows Users as Enterprise Server Administrators

With this configuration:

  • Windows users are stored in Active Directory.
  • Enterprise Server uses Windows user authentication to authenticate administrators. You can restrict access to ES/MSS to a subset of Windows users by setting the appropriate ES/MSS resource permissions.

    Windows manages passwords (so Windows password policies will apply).

  • Enterprise Server administrators sign on with their Windows usernames and passwords.
  • Other user attributes (for example, operator class) are stored as additional attributes of the Windows user objects in AD.

For many installations, this provides the best of both worlds: Enterprise Server gets mainframe-compatible security, but there is only one set of user accounts, and they are managed with standard Windows tools.

This configuration uses two ESM modules. Both use Active Directory, but through different interfaces, and they perform different tasks.

  • The OS ESM module processes user sign-on (Verify) requests by calling standard Windows APIs for user login and (if requested) password change. Windows handles these calls by communicating with the domain controller, which reads and updates Active Directory.
  • The MLDAP ESM module makes LDAP requests to AD to get user attributes and resource access control rules.

As with most ESF security configurations, this one can be used for some or all enterprise server instances and/or for MFDS.