.. _powershell-ad-authenticator:

*******************************
Active Directory Authentication
*******************************

With Active Directory Authentication the requestor will authenticate
by using the Kerberos protocol.

When using Active Directory authentication it should be noted
that if your `SL1` collector is not already configured for `Kerberos`
authentication, it will be automatically configured at collection time.

This means that if your credential references an active directory host &
domain combination not already present in your `/etc/krb5.conf` file an
entry will be automatically added. Please take care to enter these details
correctly as incorrect entries may have to be manually removed.

Active Directory authentication will also generate a Kerberos ticket on the
collector file system. This ticket will be refreshed hourly.

Active Directory authentication is only supported in `SL1` >= 12.1.0

.. image:: ../../_static/authentication/images/powershell_cred_ad.png

The fields available with Active Directory Authentication are:

 * Account Type

    * The type of account specified in the credential.
      Accounts can be of type Local or Active Directory.

 * Hostname/IP

     * The device hostname or IP address for the connection.
       This field is required.

 * Username

    * The username for an SSH or user account on the device.


 * Password

    * The password for an SSH or user account on the device.


 * Timeout (ms)

    * The timeout value to use when authenticating with the credential.
      The value specified should be in milliseconds.

 * Encrypted

    * If the communication with remote hosts will make use of HTTPS or not.

 * Port

    * The port number for the WinRM connection.
      Default: ``5986``. This field is required.

 * Proxy Hostname/IP

    * This field is not supported.

 * Active Directory Hostname/IP

    * The Active Directory hostname.

 * Domain

    * The Active Directory domain you wish to authenticate with.


.. note::

    Active Directory Hostname should be fully resolvable.

.. note::

    If you make use of self signed certificates when using `Encrypted`
    communication between hosts, you will have to anchor an intermediate
    or root certificate to the `SL1` collector's trust bundle. In SL1
    this is located at `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.

.. note::

    Powershell Proxy Hostname/IP field is not supported.