Log on using security context
Creation Date: May 18, 2011
Revision Date: May 18, 2011
Product: DS-Client (Windows)
Summary
This section describes the “Log on using security context” feature and its Target Name and Auto-Connect settings.
Target Name (Log on using Security Context)
This feature allows DS-User to connect automatically to a DS-Client using the current security context of the user (i.e., the user currently logged on to Windows). It does this through the Microsoft Security Support Provider Interface (SSPI). The SSPI APIs require a Target Name that points to a Service Principal Name (SPN), or to the security context of the destination server. This feature uses the Microsoft Negotiate security package, which selects between Kerberos and NTLM. Negotiate normally selects Kerberos, unless Kerberos cannot be used by one of the systems involved in the authentication. Kerberos requires Domain membership.
Therefore, when a DS-Client is not a member of any Domain, the “Target Name” is optional and can be left blank, particularly if you are only connecting to the local DS-Client. It is only used when this DS-User connects to a DS-Client in the same Active Directory Domain or in a completely separate domain. These scenarios involve modifications to the Windows network settings, so make sure any changes conform to your network security policies.
The default Target Name is CloudBakSvc. To enable it, you must use the Microsoft networking tool setspn.exe to register this name so that it carries the authentication and trust required to log on to the desired DS-Clients on your network(s).
For example: if the DS-Client was installed by a Domain Administrator on a computer that is a member of an Active Directory (AD) domain, then CloudBakSvc is registered in AD. If a DS-User connects to that DS-Client and supplies the registered Target Name (CloudBakSvc), the DS-Client will accept the connection, provided the user is logged on to their local Windows environment.
The Target Name points to an SPN that must be registered and configured in Active Directory. The default Target Name is CloudBakSvc.
You must have your network administrator create and register this Target Name (or any other name you choose to use) in Active Directory using a tool such as Microsoft setspn.exe, provided with the Windows Support Tools.
In an Active Directory environment, your network administrator must register this Target Name in the form <name/host> or <name/host-DNS-name> for the account used by the DS-Client service (if the service runs as LocalSystem, the Target Name must be registered under the computer account).
Register this Target Name with Active Directory. Microsoft supplies a tool (setspn.exe) that can register it from the command line:
C:\>setspn -A CloudBakSvc/hostname ComputerAccount-OR-ServiceAccount
ComputerAccount must be used when registering a DS-Client running on the local computer (service account LocalSystem).
ServiceAccount must be used when registering a DS-Client whose service runs under a domain account.
Once registered, this DS-User will supply the Target Name for DS-Client to verify using Kerberos authentication. This will establish the trust required for an authenticated user from this DS-User to connect to a remote DS-Client on another network.
Each DS-Client requires its own separate SPN for the same Target Name.
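As an added example (not part of the KB article or the DS-Client product), the following PowerShell script checks the three conditions the section above depends on before “Log on using security context” is enabled: which account the DS-Client service runs under (and therefore whether the SPN belongs on the computer account or the service account), whether the Target Name SPN is registered for the host in both short and DNS form, and whether any duplicate SPN exists, which would break Kerberos. The DS-Client Windows service name ("DS-ClientService") and the host name are assumed placeholders; adjust them to your installation.

```powershell
# Added example, not from the KB article. Verifies the SPN prerequisites for
# "Log on using security context". ASSUMPTION: the DS-Client service name below
# is a placeholder; the Target Name default (CloudBakSvc) is from the article.
param(
    [string]$TargetName   = "CloudBakSvc",
    [string]$DsClientHost = $env:COMPUTERNAME,
    [string]$ServiceName  = "DS-ClientService"   # ASSUMPTION: real name may differ
)

# 1. Account the DS-Client service runs as: LocalSystem -> SPN on computer account,
#    anything else -> SPN on that service account (see the article, Target Name).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check the DS-Client service name."
} else {
    $isSystem = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
    $owner    = if ($isSystem) { "$DsClientHost`$ (computer account)" } else { "$($svc.StartName) (service account)" }
    "DS-Client service runs as '$($svc.StartName)'; the SPN must be registered on $owner"
}

# 2. Both SPN forms the article allows: name/host and name/host-DNS-name.
$spns = @("$TargetName/$DsClientHost")
try   { $spns += "$TargetName/$([System.Net.Dns]::GetHostEntry($DsClientHost).HostName)" }
catch { Write-Warning "Could not resolve the DNS name of $DsClientHost; checking short form only." }

foreach ($spn in ($spns | Select-Object -Unique)) {
    # setspn -Q searches the forest; it prints the owning account DN(s) on "CN=" lines
    # and ends with "Existing SPN found!" or "No such SPN found."
    $out = (& setspn.exe -Q $spn 2>&1) -join "`n"
    if ($out -match 'Existing SPN found') {
        "Registered: $spn"
        ($out -split "`n") | Where-Object { $_ -like 'CN=*' } | ForEach-Object { "    owner: $_" }
    } else {
        Write-Warning "$spn is not registered; Negotiate will not be able to use Kerberos for it."
    }
}

# 3. Duplicate SPNs make the KDC unable to choose a key; setspn -X lists every duplicate.
$dups = (& setspn.exe -X 2>&1) | Select-String -SimpleMatch $TargetName
if ($dups) { Write-Warning "Duplicate SPN entries involving $TargetName:"; $dups | ForEach-Object { "    $_" } }
else       { "No duplicate SPNs involving $TargetName." }
```

Run it on a domain-joined machine with RSAT or the built-in setspn.exe available; a warning on step 2 or 3 means the Target Name is not yet usable for Kerberos and Negotiate will fall back to NTLM or fail.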
Auto-Connect (Log on using Security Context)
The “Auto-Connect” selection configures how this installation of DS-User behaves when it launches.
Last DS-Client: This DS-User will search for the last DS-Client with which it had a successful connection. If that DS-Client is not available, DS-User will prompt the user to select a DS-Client.
Local DS-Client: This DS-User will search for the local DS-Client. If the local DS-Client is not available, DS-User will prompt the user to select a DS-Client.
Last or Local DS-Client: This DS-User will search for the last connected DS-Client first. If the last connected DS-Client is found, DS-User will attempt to connect using the credentials of the user already logged on in the current Windows session (provided that the same user name and password are used). If, however, the last connected DS-Client is not available, DS-User will connect to the local DS-Client using the current security context.
Local or Last DS-Client: (Default) This DS-User will search for the local DS-Client first and connect using the current security context. If the local DS-Client is not found, DS-User will attempt to connect to the last connected DS-Client using the current security context (provided that the same user network credentials are used, that the local user exists on the remote DS-Client, and that the user has the appropriate permissions on the remote DS-Client).
Disabled: Users can select this option to turn off the auto-connect functionality. Users will then see the "Connect to DS-Client Service" screen at GUI startup and must supply a valid user name and credentials to connect to the selected DS-Client.