
Windows Authentication

Specify this authentication when using the Windows domain controller to authenticate users who have their accounts on the directory server. Users cannot be authenticated if they do not have their accounts in the directory server. Under Windows authentication, you can specify the access limit for each group registered in the directory server. The Address Book stored in the directory server can be registered to the machine, enabling user authentication without first using the machine to register individual settings in the Address Book. Obtaining user information can prevent the use of false identities because the sender's address (From:) is determined by the authentication system when scanned data is sent or a received fax message is transferred via e-mail.

The first time you access the machine, you can use the functions available to your group. If you are not registered in a group, you can use the functions available under "*Default Group". To restrict certain functions to specific users only, make the corresponding settings in the Address Book in advance.

To automatically register user information such as fax numbers and e-mail addresses under Windows authentication, it is recommended to encrypt communication between the machine and domain controller by using SSL. To do this, you must create a server certificate for the domain controller. For details about creating a server certificate, see Creating the Server Certificate.

Windows authentication can be performed using one of two authentication methods: NTLM or Kerberos authentication. The operational requirements for both methods are listed below:

Operational requirements for NTLM authentication

To specify NTLM authentication, the following requirements must be met:

  • This machine supports NTLMv1 authentication and NTLMv2 authentication.

  • Set up a domain controller in the domain you want to use.

  • This function is supported by the operating systems listed below. To obtain user information when Active Directory is running, use LDAP. If you are using LDAP, we recommend you use SSL to encrypt communication between the machine and the LDAP server. SSL encryption is possible only if the LDAP server supports TLSv1 or SSLv3.

    • Windows Server 2003/2003 R2

    • Windows Server 2008/2008 R2

    • Windows Server 2012

Operational requirements for Kerberos authentication

To specify Kerberos authentication, the following requirements must be met:

  • Set up a domain controller in the domain you want to use.

  • The operating system must support KDC (Key Distribution Center). To obtain user information when Active Directory is running, use LDAP. If you are using LDAP, we recommend you use SSL to encrypt communication between the machine and the LDAP server. SSL encryption is possible only if the LDAP server supports TLSv1 or SSLv3. Compatible operating systems are listed below:

    • Windows Server 2003/2003 R2

    • Windows Server 2008/2008 R2

    • Windows Server 2012

    To use Kerberos authentication under Windows Server 2008, install Service Pack 2 or later.

  • Data transmission between the machine and the KDC server is encrypted if Kerberos authentication is enabled. For details about specifying encrypted transmission, see Kerberos Authentication Encryption Setting.

Important

  • During Windows Authentication, data registered in the directory server, such as the user's e-mail address, is automatically registered in the machine. If user information on the server is changed, information registered in the machine may be overwritten when authentication is performed.

  • Users managed in other domains are subject to user authentication, but they cannot obtain items such as e-mail addresses.

  • If Kerberos authentication and SSL encryption are set at the same time, e-mail addresses cannot be obtained.

  • If you created a new user in the domain controller and selected "User must change password at next logon" when configuring the password, first log on to a computer and change the password before using the machine.

  • If the authenticating server only supports NTLM when Kerberos authentication is selected on the machine, the authenticating method will automatically switch to NTLM.

  • When Windows authentication is used, the login name is case-sensitive. A wrongly entered login name will be added to the Address Book. If this is the case, delete the added user.

  • If the "Guest" account on the Windows server is enabled, users not registered in the domain controller can be authenticated. When this account is enabled, users are registered in the Address Book and can use the functions available under "*Default Group".
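Before enabling Windows authentication with SSL on the machine, an administrator can check two of the prerequisites and caveats listed above from a domain-joined workstation: that the domain controller presents a usable server certificate for LDAP over SSL, and that the "Guest" account is disabled so unregistered users are not accepted. The following PowerShell script is an added example, not part of this manual or the manufacturer's software; it assumes the ActiveDirectory module is installed, that the directory server listens for LDAPS on TCP port 636, and that the domain controller name passed in (for example the placeholder dc01.example.local) is its FQDN.

```powershell
# Added pre-flight check (not part of the manual). Assumptions: ActiveDirectory
# module installed, LDAPS on TCP 636, $DomainController is the DC's FQDN.
param(
    [Parameter(Mandatory = $true)][string]$DomainController,   # placeholder: dc01.example.local
    [int]$LdapsPort = 636
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The "Guest" caveat: if this account is enabled, users not registered in the
#    domain controller are authenticated and added to the Address Book.
$guest = Get-ADUser -Identity 'Guest'
if ($guest.Enabled) {
    Write-Warning 'Guest account is ENABLED: unregistered users would be accepted by the machine.'
} else {
    Write-Output 'OK: Guest account is disabled.'
}

# 2. The SSL prerequisite: the DC must present a server certificate on LDAPS and
#    the handshake must complete. Report protocol, subject and validity.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($DomainController, $LdapsPort)
    # Accept any certificate in the callback so the handshake completes; the
    # certificate itself is examined explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Output ("Negotiated protocol : {0}" -f $ssl.SslProtocol)
    Write-Output ("Certificate subject : {0}" -f $cert.Subject)
    Write-Output ("Valid until         : {0}" -f $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning 'Server certificate has EXPIRED; recreate it on the domain controller.'
    }
    if (-not $cert.Verify()) {
        Write-Warning 'Certificate chain does not verify here; the machine will need the issuing CA certificate.'
    }
    if ($ssl.SslProtocol -in 'Ssl2', 'Ssl3') {
        Write-Warning 'Obsolete protocol negotiated; enable TLS on the domain controller.'
    }
}
catch {
    Write-Warning ("LDAPS handshake with {0}:{1} failed: {2}" -f $DomainController, $LdapsPort, $_.Exception.Message)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```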

Note

  • For the characters that can be used for login user names and passwords, see Usable characters for user names and passwords.

  • When accessing the machine subsequently, you can use all the functions available to your group and to you as an individual user.

  • Users who are registered in multiple groups can use all functions available to those groups.

  • Under Windows Authentication, you do not need to create a server certificate unless you want to automatically register user information such as fax numbers and e-mail addresses using SSL.

  • If fax information cannot be obtained during authentication, see If the Fax Number Cannot be Obtained.