Active Directory Concepts

Some retailers might have specific requirements for authorizing their associates to sign on and access the WebOffice and POS applications. For these requirements, the AS WebOffice and POS applications can be configured to use Microsoft Active Directory for Windows to authenticate and authorize associates.

Active Directory (AD) is a Microsoft directory service for Windows domain networks. This directory exists as a set of processes and services in systems with Microsoft Server operating systems.

In an internet protocol (IP) network, a group of network objects, such as computers, users, and devices, that are managed as a unit is called a domain. A server running Active Directory Domain Services (AD DS) is called a domain controller.

The domain controller manages and stores information about the network objects. It authenticates and authorizes all users included in its domain. For example, when a user logs on to a computer in the Windows domain, the domain controller verifies the user credentials and determines whether the user can log on to the computer.

Active Directory uses Lightweight Directory Access Protocol (LDAP). LDAP is an industry-standard protocol used to access and manage directory information on a network. A common application of LDAP is to provide single sign-on, where one user password is shared between network services.

In the Advanced Store solution, by default, the WebOffice applications and the POS use the Advanced Store CoreDb database to authenticate their users. The retailer’s setup can be configured to use Active Directory for server and POS user authentication on the Enterprise Solutions Web Server. For more information, refer to Configuring the Enterprise to Use Active Directory.

Using Active Directory to authorize associates offers the following advantages:

  • Manage the access to store systems using a single identity.
  • Prevent associates from sharing their credentials, such as user names, passwords, and ID numbers.
  • Provide faster and easier access to store associates, including new hires and temporary store associates.
  • Provide access to corporate users, such as District Managers and Region Vice Presidents, to POS terminals in multiple stores.
  • Configure the system for associates to maintain only one role across all stores in the enterprise or different roles based on the organizational unit.

When Active Directory is used, the POS operates as is but is now capable of the following additional features:

  • Employee associate numbers can be composed of eight alphanumeric characters.
  • Associates can update expired passwords through their network systems, and then use the updated password to log back on to the POS application.
  • Complete associate details for the authenticated associate can be retrieved from the POS. Software functions accessible to authorized associates are determined by the associate user role, which is determined by the AD groups the user belongs to.

When the POS is offline to the Active Directory, the application responds with the following actions:

  • Authentication is verified against the system cache.
  • User authentication is determined from previous successful attempts to authenticate the associate. If that data still exists in the system cache, the POS associate can log on to the POS application; otherwise, the user cannot log on to the POS and an error message is displayed.
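The offline behavior described above can be illustrated with a short sketch. This is an added example, not NCR's implementation: the class and function names, the PBKDF2 work factor, the `directory_check` interface and the sample associate are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, tune for the POS hardware

class OfflineAuthCache:
    """Salted verifiers for associates who have authenticated online before."""

    def __init__(self):
        self._entries = {}  # associate_id -> (salt, derived_key); no plaintext

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def remember(self, associate_id, password):
        salt = os.urandom(16)
        self._entries[associate_id] = (salt, self._derive(password, salt))

    def verify(self, associate_id, password):
        entry = self._entries.get(associate_id)
        if entry is None:
            return False  # no earlier successful logon is cached
        salt, expected = entry
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password, salt), expected)

def log_on(associate_id, password, cache, directory_check):
    """directory_check returns True/False, or raises ConnectionError when the
    directory is unreachable (hypothetical interface)."""
    try:
        accepted = directory_check(associate_id, password)
    except ConnectionError:
        # Offline: only a previously successful logon can be matched.
        return "offline-ok" if cache.verify(associate_id, password) else "offline-denied"
    if accepted:
        cache.remember(associate_id, password)  # refresh after each online success
        return "online-ok"
    return "online-denied"

# Constructed sample data: one associate with an eight-character number.
SAMPLE_DIRECTORY = {"A1B2C3D4": "correct horse battery"}

def online_directory(associate_id, password):
    return SAMPLE_DIRECTORY.get(associate_id) == password

def offline_directory(associate_id, password):
    raise ConnectionError("domain controller unreachable")
```

In this sketch a cached verifier stays valid until the next successful online logon replaces it, so a password changed in the directory is not reflected offline until then.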

Note

Before configuring your system with Active Directory authentication, NCR recommends consulting with an NCR Representative.

Related Active Directory topics

The following sections contain information related to AD configuration throughout this publication set.

| Task | Server | Reference |
|---|---|---|
| AD concepts in Advanced Store | Customer’s AD domain server | Preparing to Install topics: Active Directory Concepts (this topic); Creating a Group Account in Active Directory |
| POS user authentication | DSR Enterprise Web Server | Configuring the Enterprise to Use Active Directory |
| WebOffice user authentication | EOM Server | Enabling the Active Directory method |
| WebOffice user authentication | ETS Server | Enabling the Active Directory method |