Security providers

What are security providers?

Security providers authenticate users against existing identity sources like LDAP, RADIUS, Kerberos, or SAML servers. They can also assign privileges based on the hierarchy and group settings defined in those servers.

How are security providers useful?

Security providers streamline user authentication by leveraging existing directory services, enable single sign-on with Kerberos, and enhance security through two-factor authentication methods like RSA via RADIUS.

How do I access the Security Providers page?

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. From the left menu, click Remote Support > Users & Security.
    The Users page displays.
  3. At the top of the page, click Security Providers.
    The Security Providers page displays.

How to configure security providers

Add

Create a new security provider configuration. From the dropdown, select LDAP, RADIUS, Kerberos, SAML for Representatives, or SAML for Public Portals.

Change order

Click this button to drag and drop security providers to set their priority. You can drag and drop servers within a cluster; clusters can be dragged and dropped as a whole. Click Save Order for prioritization changes to take effect.

Sync

Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day. Clicking this button forces a manual synchronization.

Disable

Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.

View log

View the status history for a security provider connection.

Edit, delete

Modify an existing provider or remove an existing provider.

Note

If you edit the local security provider and select a default policy that does not have administrator permissions, a warning message appears. Ensure other users have administrator permissions before proceeding.

Duplicate node

Create a copy of an existing clustered security provider configuration. This will be added as a new node in the same cluster.

Upgrade to cluster

Upgrade a security provider to a security provider cluster. To add more security providers to this cluster, copy an existing node.

Copy

Create a copy of an existing security provider configuration. This will be added as a top-level security provider and not as part of a cluster.

Add or edit security provider: LDAP

Name

Create a unique name to help identify this provider.

Enabled

If checked, your BeyondTrust Appliance B Series can search this security provider when a user attempts to log in to the representative console or /login. If unchecked, this provider will not be searched.

User authentication

Allows this provider to be used to authenticate users. If disabled, this provider may be used only to look up groups for user permissions.

Keep user information synchronized with the LDAP server

The display names are set according to the User Schema Settings defined below. If you are planning to sync a user's photo attribute, this option must be checked.

Authorization settings

Synchronization: enable LDAP object cache

If checked, LDAP objects visible to the B Series Appliance are cached and synchronized nightly, or manually, if desired. When using this option, fewer connections are made to the LDAP server for administrative purposes, thereby potentially increasing speed and efficiency.

If unchecked, changes to the LDAP server are immediately available without the need to synchronize. However, when you make changes on user policies through the administrative interface, several short-lived LDAP connections may occur as necessary.

For providers that have previously had the synchronization setting enabled, disabling the synchronization option will cause all cached records that are currently not in use to be deleted.

Lookup groups

Choose to use this security provider only for user authentication, only for group lookups, or for both. User Authentication must be selected if you want to turn group lookup off.

Default group policy (Visible Only if User Authentication Allowed)

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the representative console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

Note

If a default policy is defined, then any allowed user who authenticates against this server will potentially have access at the level of this default policy. Therefore, it is recommended that you set the default to a policy with minimum privileges to prevent users from gaining permissions that you do not wish them to have.

Note

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy will always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

Connection settings (Not Visible for Clusters)

Hostname

Enter the hostname of the server that houses your external directory store.

Note

If you will be using LDAPS or LDAP with TLS, the hostname must match the hostname used in your LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name.

Port

Specify the port for your LDAP server. This is typically port 389 for LDAP or port 636 for LDAPS. BeyondTrust also supports global catalog over port 3268 for LDAP or 3269 for LDAPS.

Encryption

Select the type of encryption to use when communicating with the LDAP server. For security purposes, LDAPS or LDAP with TLS is recommended.

Note

Regular LDAP sends and receives data in clear text from the LDAP server, potentially exposing sensitive user account information to packet sniffing. Both LDAPS and LDAP with TLS encrypt user data as it is transferred, making these methods recommended over regular LDAP. LDAP with TLS uses the StartTLS function to initiate a connection over clear text LDAP but then elevates this to an encrypted connection. LDAPS initiates the connection over an encrypted connection without sending any data in clear text whatsoever.

If you select LDAPS or LDAP with TLS, you must upload the Root SSL Certificate used by your LDAP server. This is necessary to ensure the validity of the server and the security of the data. The Root Certificate must be in PEM format. A certificate chain cannot be used.

Note

If the LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name does not match the value in the Hostname field, the provider will be treated as unreachable. You can, however, use a wildcard certificate to certify multiple subdomains of the same site. For example, a certificate for *.example.com would certify both support.example.com and remote.example.com.
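As an added example (not part of BeyondTrust's documentation or product), a small Python pre-flight check that applies the rules above before you save the provider: the hostname-to-certificate name matching including the single-label wildcard, the conventional port/encryption pairing, and the single-certificate PEM rule. The certificate names and the PEM text are constructed placeholders; in practice you would take them from the LDAP server's certificate.

```python
import re

# Conventional ports from the page: plain LDAP / StartTLS on 389 (global catalog 3268),
# LDAPS on 636 (global catalog 3269).
PLAINTEXT_PORTS = {389, 3268}
LDAPS_PORTS = {636, 3269}
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholder, NOT a real certificate; only the PEM framing matters here.
ROOT_CA_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_BASE64_BODY\n-----END CERTIFICATE-----\n"


def hostname_matches(configured: str, cert_names: list[str]) -> bool:
    """True if the configured hostname matches a certificate subject CN or SAN DNS entry.
    A wildcard such as *.example.com covers exactly one label (support.example.com),
    not the bare domain and not deeper names such as a.b.example.com."""
    host = configured.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            leading = host[: -len(suffix)] if host.endswith(suffix) else ""
            if leading and "." not in leading:     # exactly one label before the suffix
                return True
        elif name == host:
            return True
    return False


def count_pem_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks in the upload; the page requires exactly one."""
    return len(PEM_CERT_RE.findall(pem_text))


def preflight(hostname: str, port: int, encryption: str, cert_names: list[str], root_pem: str) -> list[str]:
    """Return findings for the proposed connection settings; an empty list means no issues.
    encryption is one of 'ldap', 'starttls', 'ldaps'."""
    findings = []
    if encryption == "ldap":
        # Plain LDAP is allowed but exposes credentials to packet sniffing; no certificate checks apply.
        return ["plain LDAP sends data in clear text; LDAPS or LDAP with TLS is recommended"]
    if encryption == "ldaps" and port in PLAINTEXT_PORTS:
        findings.append(f"LDAPS selected but port {port} is the plain-LDAP/StartTLS port")
    if encryption == "starttls" and port in LDAPS_PORTS:
        findings.append(f"LDAP with TLS (StartTLS) selected but port {port} is the LDAPS port")
    if not hostname_matches(hostname, cert_names):
        findings.append(f"hostname {hostname!r} matches none of {cert_names}; provider would be treated as unreachable")
    n = count_pem_certificates(root_pem)
    if n != 1:
        findings.append(f"root certificate upload must contain exactly one PEM certificate, found {n}")
    return findings


if __name__ == "__main__":
    print(preflight("support.example.com", 636, "ldaps", ["*.example.com"], ROOT_CA_PEM))
```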

Bind credentials

Specify a username and password with which your B Series Appliance can bind to and search the LDAP directory store.

Binding credentials require a specific notation. Enter the username in the following format:

  • DOMAIN\Username
  • USERNAME@DOMAIN, if your version of Active Directory does not support the DOMAIN\Username notation

If your server supports anonymous binds, you may choose to bind without specifying a username and password. Anonymous binding is considered insecure and is disabled by default on most LDAP servers.

Connection method

If you are using an external directory store in the same LAN as your BeyondTrust Appliance B Series, the two systems may be able to communicate directly, in which case you can leave the option Proxy from appliance through the Connection Agent unchecked and move on.

If the two systems are unable to communicate directly, such as if your external directory server is behind a firewall, you must use a connection agent. Downloading the Win32 connection agent enables your directory server and your B Series Appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).

In the case above, check Proxy from appliance through the Connection Agent. Create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.

Note

BeyondTrust Cloud customers must run the connection agent in order to use an external directory store.
