eG Administration
 

Configuring Domain Authentication

The eG administrative interface provides administrators with a wide variety of options to manage user information. Be it user creation, modification, deletion, or simply viewing user information, any type of user-related activity can be performed quickly and easily using the eG administrative console. Typically, when an eG user logs into the eG Enterprise system, the login is validated by the eG database, which stores the user information. However, in large IT environments that span multiple domains, the Active Directory server functions as the central repository for information related to users spread across domains, and also authenticates domain user logins. To avoid the confusion that might arise when using both the eG manager and the AD server for user authentication in such multi-domain environments, administrators might want the eG manager to integrate with AD; this ensures that the eG manager serves as the single, central, secure console for automatically authenticating logins by eG users, regardless of the size of the environment or the domain to which the user belongs.

To enable this integration, the eG administrative interface allows the following:

  • Automatic discovery / manual creation of one/more domains and sub-domains (if any) configured in the target environment;
  • Addition of a domain user to the eG Enterprise system, and validating the user's logins by automatically connecting to the associated domain.

To achieve the first of these, follow the menu sequence Admin -> User Management -> Domains in the eG administrative interface. The page that then appears lets you create multiple parent and child domains.

Note:

To integrate with the Active Directory, the eG manager should use JDK 1.5 or higher. If not, the Authentication option will not be available in the Users menu.

This page consists of two panels - a left panel that hosts a tree structure, and a context-sensitive right panel, the contents of which vary according to the node chosen from the tree. Typically, the parent domains that you configure will be the primary nodes of the tree structure in the left panel, and the sub-domains will be the sub-nodes. By default, the global Domains node will be chosen from the tree. Accordingly, the right panel will display the complete details of all the parent and child domains that pre-exist in the eG Enterprise system. If no domains pre-exist, a message to that effect will be displayed in the right panel, and the global Domains node will display a sub-node named none. To view all the primary and secondary nodes of the tree at once, click the Expand All link in the left panel. To view only the primary nodes of the tree, click the Close All link in the left panel.

Let us now proceed to create domains. The first step towards creating multiple domains is to create a parent domain. Before attempting to create a parent domain, you would have to choose between the following:

  • Automatically discovering the IP address and port number of the domain server
  • Manually configuring the IP address and port number of the domain server

Automatic domain discovery is recommended if you are not certain about the IP address and port number on which the AD server functions, or if the IP address of the AD server changes frequently (for example, in a DHCP environment). On the other hand, you might opt for manual domain configuration if the IP address/port number of the AD server is static.

Automatically Discovering Parent and Child Domains

The eG manager is capable of automatically discovering only that domain in which it has been deployed. To auto-discover the parent domain in which the eG manager operates, follow the steps given below:

  1. Click on the Add a new Domain button in the right panel.
  2. Doing so displays the domain configuration parameters in the right panel.
  3. To auto-discover the eG manager's parent domain, specify the following in the right panel:

    • First, provide a Display Name for the domain in the right panel.
    • Next, indicate whether or not the eG manager needs to auto-discover the IP/Port number of the AD server. To auto-discover the domain, set the Discover DNS settings flag to Auto.
    • Note:

      Note that only the domain in which the eG manager is deployed can be auto-discovered.

    • Next, specify the fully-qualified Domain Name.
    • To connect to the AD server and access the domain user information stored within, the eG manager requires a domain user's privileges. To facilitate this connection, provide a valid domain user's name and password against Domain User and Domain User's Password.
    • Then, indicate whether the AD server is SSL-enabled or not, by setting the SSL flag to Yes or No, as the case may be. If the SSL flag is set to Yes, then you will have to follow the procedure discussed in the Appendix below to ensure that the eG manager is able to communicate with the AD server over SSL.
    • Next, indicate how accesses to the AD server are to be authenticated - using Kerberos or LDAP. Kerberos is a computer network authentication protocol that works on the basis of “tickets” to allow nodes communicating over a network to prove their identity to one another in a secure manner. Kerberos is ideal for AD environments with high security requirements. The Lightweight Directory Access Protocol (LDAP), on the other hand, is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. The LDAP authentication mechanism is best suited for environments with less stringent security requirements.
    • Next, indicate whether the Domain User Password that you have provided here for enabling the eG manager to connect to the AD server should be saved in eG Enterprise or not. To save the password, set the Save Domain User Password in eG Enterprise? flag to Yes. If this is done, then the specified Domain User's Password will be automatically encrypted and saved to the eg_authenticate.ini file, which will be available in the <EG_MANAGER_INSTALL_DIR>\manager\config directory. On the other hand, if the Save Domain Admin Password flag is set to No instead, the password will not be saved to the eg_authenticate.ini file. If the password is not saved, then every time the eG manager attempts to connect to the AD server - say, when validating/registering domain user profiles configured on the eG manager (using the ADD USER page) with the AD server - you will be prompted for the Domain User's Password.
    • Also, indicate whether or not the domain being configured should be set as the default domain at the time of login. To set the new domain as the default domain, set the Set as default domain for login? flag to Yes. If this is done, then the next time a user attempts to log into the eG management console by typing his/her user name in the login page, the Domain selection will instantly change from Local to the domain that you have set as the default. This capability is most useful in environments where the eG manager integrates with only one domain. By setting this domain as the default, administrators can save users the trouble of selecting a Domain every time they try to log in.
    • In virtual environments where LDAP is used to authenticate access to the AD server, administrators may want to keep track of specific user information - for example, the location, vendor, etc. of the users accessing their environment through the AD server. If, in addition to viewing the user experience with their virtual environment, administrators are able to view the location of a user, it helps them troubleshoot location-specific issues at the earliest. This would help administrators improve the overall performance of their environment. To view such user-specific information in the eG monitoring console, administrators should do the following:

      • First, set the Discover User Details from AD flag to Yes. By default, this flag is set to No.

        Once this flag is set to Yes, the user specific information will automatically be populated in the ADUserDetails.ini file that is located in the <eG_INSTALL_DIR>/manager/config location.
      • If the Discover User Details from AD flag is set to Yes, then an additional Update User Details from AD option will appear in the What would you like to do? list in the right panel. Clicking the Update button will immediately integrate the user information from the domain to the ADUserDetails.ini file available in the <eg_install_dir>\manager\config directory.

        Note:

        By default, the user information available in the domain will be integrated with the ADUserDetails.ini file once in 7 days. If you wish to override this default setting, do the following:
        • Edit the eg_services.ini file (in the <eg_install_dir>\manager\config directory).
        • Set the ThreadFrequency parameter in the [ADUserDetails_Thread_Settings] section of the file to a frequency of your choice.
        • By default, the information will be integrated every Sunday.
        • If you wish to override this default day, then you can change the DayToRun parameter to the day of your choice.
        • Save the file.

        The user specific information so updated can be viewed in the eG monitoring console in the following features offered by the eG Enterprise Suite:

        • User Experience Dashboard
        • Current Alarms
        • Layer model page of the tests where users are the descriptors of the tests

        To view the user specific information in the User Experience Dashboard, you have to further edit the <eG_INSTALL_DIR>/manager/config/eG_enduserdetails.ini file with the procedure mentioned below:

        • If you want to view user specific information in the User Experience dashboard for VDI environments, then you have to set the VDI:ShowUserLocations flag under the [GEO_LOCATION_SETTINGS] section to true.

          Alternately, set the XenApp7:ShowUserLocations flag to true if you want to view the User Experience dashboard for Citrix XenApp 7 and above environments. Set the XenApp:ShowUserLocations flag to true if you want to view the User Experience Dashboard for Citrix XenApp servers.

        • Once you have set the ShowUserLocations flag to true accordingly, you have to specify the format of the user details that were discovered from the AD server and populated in the ADUserDetails.ini file. This is done using an entry of the form <UserType>:Format=Vendor-City-CompanyName, where UserType can be VDI, XenApp7, or XenApp. For example, if you want the User Experience Dashboard for VDI environments, then you can specify the format as:

          VDI:Format=Vendor-City-CompanyName

          Then, against the Separator field, you have to specify the separator using which the user details are split into columns when displayed in the User Experience dashboard. By default, the separator is a hyphen (-).

          Once you have specified the format and separator, you have to provide the display name for each item of user specific information that you have mentioned in the Format field. By default, the display names for such user specific information are specified under the [USER_DESKTOP_METRICS] section, in the following form:

          ;GeoDetails:Address~$~Address Name

        • Once you have provided all the entries, the final step in this process is to specify the columns that should appear in the User Experience Dashboard. By default, eG Enterprise provides out-of-the-box support to display the Vendor, City and Company of the users in the User Experience Dashboard. If you want to include the address of the VDI users in the dashboard, then you have to append the GeoDetails:Address~$~Address format to the “VDI=” entry under the [USER_DESKTOP_METRICS] section, as shown below:

          VDI=EsxLoginTest:New_logins:LoginTime:DATE:Logon Time, GeoDetails:Address~$~Address

        To view the user specific information in the Current Alarms page and in the layer model, you have to append the user-specific test to the [Show_User_location] section of the eg_dashboardConfig.ini file, which is located in the <eG_INSTALL_DIR>/manager/config directory. By default, each entry in this section is of the form <Testname>:iconDesktopUser.

        Note:

        To view the user specific information, you have to remove the semicolon (;) in front of the <Testname> entry.

        Once you have configured the necessary files, it is mandatory for you to restart the eG manager to effect your changes.

    • Then, to verify the correctness of your specifications, click the Validate button. A pop up window will then appear indicating whether/not the Display Name, Domain Name, Domain User, and Connect Password values that you have provided are indeed valid.
    • Since the eG manager auto-discovers the IP/Port of the AD server, you will not be prompted to manually specify the same. Therefore, simply click the Register button to add the new domain.
    • Once the parent domain is auto-discovered, the tree in the left panel will change to reflect the addition of the parent domain.
  4. By default, only the parent domain of the eG manager can be auto-discovered; the child domains (if any) under this parent domain will not be auto-discovered. This is because the AutoDiscoverChildDomains flag in the [MISC_ARGS] section of the eg_services.ini file (in the <EG_INSTALL_DIR>\manager\config directory) is set to false by default. If need be, you can configure the eG manager to automatically discover the child domains along with the eG manager's parent domain; to achieve this, set the AutoDiscoverChildDomains flag to true. In this case, the child domains (if any) will also be automatically discovered along with the eG manager's parent domain and will be displayed as sub-nodes of the parent domain's node in the tree of the left panel.
  5. To view the details of all domains (both parent and child) that have been configured, click on the Domains node in the tree in the left panel. The right panel will then change to display a table, where you can view the configuration of all the domains that you have created.
  6. At any time, you can view the configuration of the auto-discovered parent domain by right-clicking on the node representing the parent domain in the tree and selecting the View option from the shortcut menu that appears.
  7. The right panel will then change to display the parent domain's current configuration.
  8. To modify the configuration of a parent domain, once again, right-click on the node representing the parent domain in the tree and pick the Modify option from the shortcut menu that appears.
  9. The right panel will once again change to display the parent domain's current configuration, but in an editable mode.
  10. Except for the Display Name, all other details of the parent domain can be modified. Once you are done with your changes, click the Update button in the right panel to save the changes.
  11. Note:

    Whenever the configuration of a parent / child domain is modified, make sure that you restart the eG manager.

  12. To view the details of an auto-discovered child domain, right-click on the node representing the child domain in the tree structure and pick the View option from the shortcut menu that appears.
  13. The right panel will then change to display the child domain's current configuration.
  14. Unlike an auto-discovered parent domain, an auto-discovered child domain cannot be modified. However, you can delete an auto-discovered child domain. For this, right-click on the node representing the child domain in the tree and pick the Delete option from the shortcut menu that appears.
  15. While deleting a child domain will delete only that domain, deleting a parent domain will delete all its child domains as well. Therefore, to delete a parent domain and all its child domains, first, right-click on a node representing a parent domain and pick the Delete option from its shortcut menu. A message box requesting your confirmation to delete the parent domain will appear. Click the OK button in the message box to confirm deletion.
  16. Note:

    • Ensure that the eG manager is restarted after deleting a domain.
    • Deleting an auto-discovered parent domain automatically deletes all its discovered sub-domains as well.
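The eG_enduserdetails.ini entries described under Discover User Details from AD (the VDI:ShowUserLocations flag, the <UserType>:Format entry, the Separator field, and the <key>~$~<display name> lines in [USER_DESKTOP_METRICS]) use option names that contain colons and values that contain ~$~, and the page does not say how a script should read them. The Python example below is added here; it is not eG's code and not a file shipped with the product. It parses a constructed fragment written in that style, maps a discovered user-details string into display-name columns, and shows the failure mode a practitioner should check for before enabling ShowUserLocations: a field value (a city such as Winston-Salem) that itself contains the separator. The Vendor/City/CompanyName display-name lines are an assumed illustration of the ~$~ notation, and since the ADUserDetails.ini record format is not on the page, a single Vendor-City-CompanyName string is assumed as the input.

```python
import configparser

# Constructed sample in the style of eG_enduserdetails.ini. The section names, the
# VDI:ShowUserLocations / VDI:Format / Separator options and the "GeoDetails:Address~$~Address"
# notation come from the admin guide; the Vendor/City/CompanyName display-name lines are
# an assumed illustration of that notation, not eG's shipped file.
SAMPLE_INI = """\
[GEO_LOCATION_SETTINGS]
VDI:ShowUserLocations=true
XenApp7:ShowUserLocations=false
XenApp:ShowUserLocations=false
VDI:Format=Vendor-City-CompanyName
Separator=-

[USER_DESKTOP_METRICS]
Vendor~$~Vendor
City~$~User Location
CompanyName~$~Company
;GeoDetails:Address~$~Address Name
VDI=EsxLoginTest:New_logins:LoginTime:DATE:Logon Time, GeoDetails:Address~$~Address
"""

DISPLAY_SEP = "~$~"  # separates a field key from its display name (notation from the guide)


def load_enduser_settings(text: str) -> configparser.ConfigParser:
    """Parse eG-style ini text without mangling its 'Type:Key' option names."""
    cfg = configparser.ConfigParser(
        delimiters=("=",),    # the default also splits on ':', which would truncate "VDI:Format"
        interpolation=None,   # no '%' expansion; values such as "~$~" stay literal
        allow_no_value=True,  # the display-name lines carry no '='
        strict=True,          # a duplicated option is a config error, never a silent overwrite
    )
    cfg.optionxform = str     # keep option case: "VDI:Format" must not become "vdi:format"
    cfg.read_string(text)
    return cfg


def naive_parse_fails(text: str) -> bool:
    """Pitfall check: ConfigParser with default settings rejects this style of file."""
    try:
        configparser.ConfigParser().read_string(text)
    except configparser.Error:
        return True
    return False


def location_fields(cfg: configparser.ConfigParser, user_type: str) -> list[str]:
    """Fields named in <UserType>:Format, or [] when <UserType>:ShowUserLocations is not true."""
    geo = cfg["GEO_LOCATION_SETTINGS"]
    if geo.get(f"{user_type}:ShowUserLocations", "false").lower() != "true":
        return []
    return geo[f"{user_type}:Format"].split(geo.get("Separator", "-"))


def display_names(cfg: configparser.ConfigParser) -> dict[str, str]:
    """Map field key -> display name from the '<key>~$~<name>' lines in [USER_DESKTOP_METRICS]."""
    section = cfg["USER_DESKTOP_METRICS"]
    names = {}
    for option in section:
        # display-name lines have no '=' so their value is None; "VDI=..." is a real option
        if DISPLAY_SEP in option and section[option] is None:
            key, name = option.split(DISPLAY_SEP, 1)
            names[key] = name
    return names


def split_user_details(cfg: configparser.ConfigParser, user_type: str, details: str) -> dict[str, str]:
    """Split one discovered user-details string into display-name -> value columns."""
    fields = location_fields(cfg, user_type)
    sep = cfg["GEO_LOCATION_SETTINGS"].get("Separator", "-")
    parts = details.split(sep)
    if len(parts) != len(fields):
        # e.g. a city such as "Winston-Salem" contains the separator itself
        raise ValueError(f"expected {len(fields)} columns {fields}, got {len(parts)} from {details!r}")
    names = display_names(cfg)
    return {names.get(field, field): value for field, value in zip(fields, parts)}


if __name__ == "__main__":
    settings = load_enduser_settings(SAMPLE_INI)
    print(split_user_details(settings, "VDI", "Citrix-London-Acme"))
    print("default ConfigParser rejects the file:", naive_parse_fails(SAMPLE_INI))
```

Python's ConfigParser with default settings rejects this file: its default delimiters include ':', so VDI:ShowUserLocations=true is read as option VDI with value ShowUserLocations=true, and the second VDI: entry in the same section then raises DuplicateOptionError. The parser above restricts delimiters to '=' and preserves option case. The ValueError raised for Winston-Salem is the reason to pick a Separator that cannot occur in any of the user fields before setting ShowUserLocations to true.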

Manually Configuring Parent and Child Domains

If you want to manage users spread across multiple domains, then, all domains, except the eG manager's domain (which can be auto-discovered), will have to be manually configured using the eG administrative interface.

Follow the steps below to manually add parent and child domains:

  1. Right-click on the global Domains node in the tree structure in the left panel, and choose the Add option from the shortcut menu that appears.
  2. The right panel then displays the parameters to be configured for creating a new domain.
  3. Specify the following to create a parent domain in that right panel:

    • Provide a Display Name for the new domain.
    • To manually configure the IP address and port number of the domain server, set the Discover DNS flag to Manual.
    • Next, specify the fully-qualified Domain Name.
    • Note:

      eG Enterprise disallows Domain Name duplication - i.e., you cannot assign the domain name of an existing parent/child domain to a new domain.

    • To add a parent domain, set the Parent Domain parameter to None.
    • Since auto-discovery of DNS is disabled, you need to manually specify the Domain IP and Port No of the AD server.
    • To connect to the AD server and access the domain user information stored within, the eG manager requires a domain administrator's privileges. To facilitate this connection, provide a valid domain administrator's name and password against Domain Admin User and Domain Admin Password.
    • Then, indicate whether the AD server is SSL-enabled or not, by setting the SSL flag to Yes or No, as the case may be. If the SSL flag is set to Yes, then you will have to follow the procedure discussed in the Appendix below to ensure that the eG manager is able to communicate with the AD server over SSL.
    • Next, indicate how accesses to the AD server are to be authenticated - using Kerberos or LDAP. Kerberos is a computer network authentication protocol that works on the basis of “tickets” to allow nodes communicating over a network to prove their identity to one another in a secure manner. Kerberos is ideal for AD environments with high security requirements. The Lightweight Directory Access Protocol (LDAP), on the other hand, is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. The LDAP authentication mechanism is best suited for environments with less stringent security requirements.
    • Next, indicate whether the Domain Admin Password that you have provided here for enabling the eG manager to connect to the AD server, should be saved in the eG Enterprise system or not. To save the password, set the Save Domain Admin Password in eG Enterprise? flag to Yes. If this is done, then, the specified Domain Admin Password will be automatically encrypted and saved to the eg_authenticate.ini file, which will be available in the <EG_MANAGER_INSTALL_DIR>\manager\config directory. On the other hand, if the Save Domain Admin Password in eG Enterprise? flag is set to No instead, the password will not be saved to the eg_authenticate.ini file. If the password is not saved, then every time the eG manager attempts to connect to the AD server - say, when validating the domain configuration using the eG manager or when validating/registering domain user profiles configured on the eG manager (using the ADD USER page) with the AD server - you will be prompted for the Domain Admin Password.
    • Then, to verify the correctness of your specifications, click the Validate button. A pop up window will then appear indicating whether/not the Display Name, Domain Name, DomainIP, Domain Port, Domain Admin User, and Domain Admin Password values that you have provided are indeed valid.
    • Click the Register button to add the new domain.
    • Once a new parent domain is added, the tree will change to reflect the same.
  4. To view/modify/delete a parent domain that is created manually, simply right-click on the node representing the parent domain in the tree structure and pick the relevant option (View, Modify, or Delete, as the case may be) from the shortcut menu that appears.
  5. For all parent domains that are created manually, sub-domains also need to be manually created. To do so, follow the steps given below:

    • Right-click on the node representing the manually configured parent domain in the tree, and pick the Add Sub-domain option from the shortcut menu that appears.
    • In the right panel that appears, first provide a Display Name for the sub-domain.
    • Set the Discover DNS flag to Manual.

      Note:

      Note that if a parent domain is configured manually, then its sub-domains cannot be auto-discovered - i.e., you should not set the Discover DNS flag to Auto while configuring such a sub-domain.

    • Provide the fully-qualified Domain Name.
    • Next, from the Parent Domain list, select the parent domain under which this sub-domain is to be created.
    • Since auto-discovery of DNS is disabled, you need to manually specify the Domain IP and Port No of the AD server.
    • To connect to the AD server and access the domain user information stored within, the eG manager requires a domain user's privileges. To facilitate this connection, provide a valid domain user's name and password against Domain Admin User and Domain Admin Password.
    • Then, indicate whether the AD server is SSL-enabled or not, by setting the SSL flag to Yes or No, as the case may be. If the SSL flag is set to Yes, then you will have to follow the procedure discussed in the Appendix below to ensure that the eG manager is able to communicate with the AD server over SSL.
    • Next, indicate how accesses to the AD server are to be authenticated - using Kerberos or LDAP. Kerberos is a computer network authentication protocol that works on the basis of “tickets” to allow nodes communicating over a network to prove their identity to one another in a secure manner. Kerberos is ideal for AD environments with high security requirements. The Lightweight Directory Access Protocol (LDAP), on the other hand, is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. The LDAP authentication mechanism is best suited for environments with less stringent security requirements.
    • Next, indicate whether the Domain Admin Password that you have provided here for enabling the eG manager to connect to the AD server should be saved or not. To save the password, set the Save Domain Admin Password in eG Enterprise? flag to Yes. If this is done, then the specified Domain Admin Password will be automatically encrypted and saved to the eg_authenticate.ini file, which will be available in the <EG_MANAGER_INSTALL_DIR>\manager\config directory. On the other hand, if the Save Connect Password flag is set to No instead, the password will not be saved to the eg_authenticate.ini file. If the password is not saved, then every time the eG manager attempts to connect to the AD server - say, when validating the domain configuration using the eG manager or when validating/registering domain user profiles configured on the eG manager (using the ADD USER page) with the AD server - you will be prompted for the Domain Admin Password.
    • Then, to verify the correctness of your specifications, click the Validate button.
    • Once the specifications are validated, click the Register button to add the new domain.
    • Once a sub-domain is manually added, the tree will change to reflect the same.
  6. Similarly, you can add multiple child domains to a parent domain. In fact, you can even add sub-domains to a child domain by right-clicking on the sub-domain and picking the Add Sub-domain option from the shortcut menu that appears.
  7. Also, like in the case of a manually-configured parent domain, you can view/modify/delete a manually-configured sub-domain using the options provided by the shortcut menu that appears when a sub-domain node in the tree-structure is right-clicked.
  8. Note:

    Whenever the configuration of a parent / child domain is modified or deleted, make sure that you restart the eG manager.

  9. Also, from the parent domain, you have the option of deleting all the sub-domains alone. For this, right-click on the parent domain node, and pick the Delete Sub-domains option from the shortcut menu.
  10. A message box will appear requesting your confirmation to delete all the sub-domains of a chosen parent. Click the OK button to proceed with the deletion.
  11. Note:

    Ensure that the eG manager is restarted after deleting a parent/child domain.

  12. To simply view the names and current configuration of the parent and child domains that have been created using the eG administrative interface, just click on the global Domains node in the tree structure.
  13. Note:

    Discovery of AD servers and KDCs is an on-going process - a configurable time period determines how long discovered AD/KDC information is cached by the eG manager. The default period is 15 minutes. To override this default setting, do the following:

    • Edit the eg_services.ini file (in the <EG_INSTALL_DIR>\manager\config directory)
    • Set the ADRediscovery parameter in the [MISC_ARGS] section of the file to a duration (in minutes) of your choice.
    • Save the file.