Setup Kerberos Authentication Profile

  1. Click [System] → [Security] → [Authentication Profile] to open the [Authentication Profile] tab.

  2. Click [Add].

  3. Select [Kerberos] from the [Type] menu on the [General] tab.

  4. Enter the name of the authentication profile. This name is displayed on the login screen when an administrator or a user logs in to the application or the MFP.

  5. Enter the Kerberos server information on the [Kerberos] tab. Make sure to click (Save) to create the profile.

    KDC
        Enter the Kerberos Key Distribution Center (KDC) server.
        Example: mycompany.com

    Realm
        Enter the name of the Kerberos realm.
        Example: MYCOMPANY.COM

    Trust Relationship Domain (button)
        Specify the domain server address and domain name used to establish a trust relationship.

    Server Name
        Enter the IP address or hostname of the server that performs LDAP authentication.

    Port
        Enter the port number. The default is 389.
        The port number is automatically changed from 389 to 636 when the SSL setting is enabled.

    SSL
        Specify whether to enable or disable SSL.

    Domain
        Enter the domain name of the Kerberos server.

    Alt UPN Suffix
        Enter the alternate UPN suffix. This suffix is appended to the username.
        Input example: mycompany.com

    Base DN
        Enter the starting point for searching for an account name.
        Starting from the base DN, the search proceeds toward the end of the branches.
        Example: ou=member,dc=mycompany,dc=com

    Search Scope
        Specify the search range from the base DN.
        • [Subtree]: The search covers the base DN and all levels of the hierarchy under it.
        • [Single level]: The search covers only the level directly below the base DN.

    Search Condition
        Enter the search condition. Enter the following string as the default value:
        (&(objectClass=organizationalPerson)(|(userPrincipalName=^)(userPrincipalName=^alt)))
        In the following example, the search targets entries whose objectClass attribute includes "organizationalPerson" and whose sAMAccountName attribute includes the account name entered when logging in to RICOH Streamline NX:
        (&(objectClass=organizationalPerson)(sAMAccountName=^))

    Card Search Condition
        Enter the search condition used to look up a user's card ID. The following string is set as the default value:
        (&(objectClass=organizationalPerson)(cardID=^))
        The following characters must be escaped with a backslash (\): "(", ")", "*", "\", "/"

    PIN Code Search Condition
        Enter the search condition used to look up a user's PIN code. The following string is set as the default value:
        (&(objectClass=organizationalPerson)(PINCode=^))
        The following characters must be escaped with a backslash (\): "(", ")", "*", "\", "/"

    Proxy User Name
        Enter the name of the proxy user.

    Proxy User Password
        Click the [Change Password] button, and then enter the password of the proxy user.

    Enable DNS Round Robin
        Specify whether to enable the DNS round robin function.
        DNS round robin assigns multiple IP addresses to a single domain name and spreads the connection load across multiple servers.

    Timeout
        Specify the Kerberos operation timeout. The default is 5 seconds.

    Login User Name
        Enter the attribute that identifies the login user name. Enter the following string as the default value: sAMAccountName

    Display Name
        Enter the attribute of the display name. Enter the following string as the default value: displayName

    Email Address
        Enter the attribute of the user's e-mail address. Enter the following string as the default value: mail

    Fax Destination
        Enter the attribute of the fax destination. Enter the following string as the default value: facsimileTelephoneNumber

    Group
        Enter the attribute of the group name. Enter the following string as the default value: memberOf

    Home Folder
        Enter the attribute of the user's home folder. Enter the following string as the default value: homeDirectory

    Card ID
        Enter the attribute of the card ID.

    User PIN
        Enter the attribute of the PIN code. Only single-byte alphanumeric characters can be used.

    Account Limit
        Enter the user attribute that determines the account limit.
        This item is displayed when [Managed in Authentication Server] is enabled in [Enforce Account Limit] in [User Management and Accounting Settings].

    Department
        Enter the attribute of the department.

    Cost Center
        Enter the attribute of the cost center.

    Group Search Condition
        Enter the attribute used to search for a group. Specify this setting when [Full Search] is selected in [Group Search Method For Administrator Role] or [Group Search Method For User].

    Group Search Method For Administrator Role
        Select the method used to identify group members.
        • [Simple Search]: The search is based on the identifier (DN).
        • [Full Search]: The search is based on the user's login group attribute.
        The default is [Full Search].

    Group Name Attribute For Administrator Role
        Enter the attribute used to obtain the group name. Specify this setting when [Full Search] is selected in [Group Search Method For Administrator Role].

    Group Search Method For User
        Select the method used to identify the group of a user.
        • [Simple Search]: Searches for a group to which the user is directly assigned.
        • [Full Search]: Searches for a group when a user with an authentication profile retrieves a group.
        The default is [Simple Search].
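As an added illustration (not code from this manual or from RICOH Streamline NX), the Python below shows how the "^" and "^alt" placeholders in the search conditions above expand into a concrete LDAP filter, and why the listed characters must be escaped: a login name containing an unescaped ")" or "*" changes the shape of the filter instead of being matched as data. It assumes that "^alt" is the login name joined to the Alt UPN Suffix with "@" and that the product substitutes placeholders after escaping; the product's own substitution logic is not documented on this page.

```python
import re

# Characters the manual says must be backslash-escaped in search conditions.
ESCAPED_CHARS = frozenset('()*\\/')
# Default search conditions quoted in the profile table above.
DEFAULT_USER_FILTER = '(&(objectClass=organizationalPerson)(|(userPrincipalName=^)(userPrincipalName=^alt)))'
DEFAULT_CARD_FILTER = '(&(objectClass=organizationalPerson)(cardID=^))'

def escape_value(value: str) -> str:
    """Backslash-escape the listed characters in one pass, so a backslash that the
    escaping itself inserts is never escaped a second time."""
    return ''.join('\\' + c if c in ESCAPED_CHARS else c for c in value)

def expand_search_condition(template: str, login_name: str, alt_upn_suffix: str = '') -> str:
    """Replace '^' with the escaped login name and '^alt' with the escaped login name
    plus the Alt UPN Suffix. Assumptions, not stated in the manual: '^alt' is joined
    with '@' (UPN form), and '^alt' is matched before the bare '^' so that 'alt' is
    not left behind in the filter."""
    safe_name = escape_value(login_name)
    safe_alt = escape_value(f'{login_name}@{alt_upn_suffix}') if alt_upn_suffix else safe_name
    return re.sub(r'\^alt|\^', lambda m: safe_alt if m.group(0) == '^alt' else safe_name, template)

def parentheses_balanced(ldap_filter: str) -> bool:
    """Check that every '(' closes, treating a backslash-escaped character as data.
    An unbalanced result means the substituted value changed the filter's structure."""
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == '\\':
            i += 2  # skip the escaped character
            continue
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0

if __name__ == '__main__':
    # Constructed sample logins: a plain one and one containing filter metacharacters.
    print(expand_search_condition(DEFAULT_USER_FILTER, 'jdoe', 'mycompany.com'))
    print(expand_search_condition(DEFAULT_CARD_FILTER, 'jdoe)(objectClass=*'))
    # A stray ')' substituted without escaping breaks the filter; escaping keeps it intact.
    print(parentheses_balanced(DEFAULT_CARD_FILTER.replace('^', 'jdoe)')))            # False
    print(parentheses_balanced(expand_search_condition(DEFAULT_CARD_FILTER, 'jdoe)')))  # True
```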

To check whether the connection to the created authentication profile works, click the (Check Connection) button. You will be asked to enter a username and a password; these credentials are used to connect to the external authentication server. If the check fails, review your entries on the [Kerberos] tab and try again.