Log in to SnapCenter using RBAC authorization
SnapCenter supports role-based access control (RBAC). SnapCenter admin assigns roles and resources through SnapCenter RBAC to either a user in workgroup or active directory, or to groups in active directory. The RBAC user can now log in to SnapCenter with the assigned roles.
What you will need
-
You should enable Windows Process Activation Service (WAS) in Windows Server Manager.
-
If you want to use Internet Explorer as the browser to log in to the SnapCenter Server, you should ensure that the Protected Mode in Internet Explorer is disabled.
About this task
During installation, the SnapCenter Server Install wizard creates a shortcut and places it on the desktop and in the Start menu of the host where SnapCenter is installed. Additionally, at the end of the installation, the Install wizard displays the SnapCenter URL based on the information that you provided during installation, which you can copy if you want to log in from a remote system.
If you have multiple tabs open in your web browser, closing just the SnapCenter browser tab does not log you out of SnapCenter. To end your connection with SnapCenter, you must log out of SnapCenter either by clicking the Sign out button, or by closing the entire web browser. |
Best Practice: For security reasons, it is recommended that you do not enable your browser to save your SnapCenter password. |
The default GUI URL is a secure connection to the default port 8146 on the server where the SnapCenter Server is installed (https://server:8146). If you provided a different server port during the SnapCenter installation, that port is used instead.
For High Availability (HA) deployment, you must access SnapCenter using the virtual cluster IP https://Virtual_Cluster_IP_or_FQDN:8146. If you do not see the SnapCenter UI when you navigate to https://Virtual_Cluster_IP_or_FQDN:8146 in Internet Explorer (IE), you must add the Virtual Cluster IP address or FQDN as a trusted site in IE on each plug-in host, or you must disable IE Enhanced Security on each plug-in host. For more information, see Unable to access cluster IP address from outside network.
In addition to using the SnapCenter GUI, you can use PowerShell cmdlets to create scripts to perform configuration, backup, and restore operations. Some cmdlets might have changed with each SnapCenter release. The SnapCenter Software Cmdlet Reference Guide has the details.
If you are logging in to SnapCenter for the first time, you must log in using the credentials that you provided during the install process. |
Steps
-
Launch SnapCenter from the shortcut located on your local host desktop, or from the URL provided at the end of the installation, or from the URL provided by your SnapCenter administrator.
-
Enter user credentials.
To specify the following… Use one of these formats… Domain administrator
-
NetBIOS\UserName
-
UserName@UPN suffix
For example, username@netapp.com
-
Domain FQDN\UserName
Local administrator
UserName
-
-
If you are assigned more than one role, from the Role box, select the role that you want to use for this login session.
Your current user and associated role are shown in the upper right of SnapCenter after you are logged in.
Results
The Dashboard page is displayed.
If the logging fails with the error that site cannot be reached, you should map the SSL certificate to SnapCenter. Learn more
After you finish
After logging to SnapCenter Server as an RBAC user for the first time, refresh the resources list.
If you have untrusted Active Directory domains that you want SnapCenter to support, you must register those domains with SnapCenter before configuring the roles for the users on untrusted domains. Learn more
Log in to SnapCenter using Multi-Factor Authentication (MFA)
SnapCenter Server supports MFA for domain account, which is part of the active directory.
What you will need
-
You should have enabled MFA.
For information on how to enable MFA, see Enable Multi-factor authentication
About this task
-
Only FQDN is supported
-
Workgroup and cross domain users cannot login using MFA
Steps
-
Launch SnapCenter from the shortcut located on your local host desktop, or from the URL provided at the end of the installation, or from the URL provided by your SnapCenter administrator.
-
In the AD FS login page, enter Username and Password.
When the username or password invalid error message is displayed on the AD FS page, you should check for the following:
-
Whether the username or password is valid
The user account should exist in the Active Directory (AD)
-
Whether you exceeded the maximum allowed attempts that was set in AD
-
Whether AD and AD FS is up and running
-
Modify the SnapCenter default GUI session timeout
You can modify the SnapCenter GUI session timeout period to make it less than or greater than the default timeout period of 20 minutes.
As a security feature, after a default period of 15 minutes of inactivity, SnapCenter warns you that you will be logged out of the GUI session in 5 minutes. By default, SnapCenter logs you out of the GUI session after 20 minutes of inactivity, and you must log in again.
Steps
-
In the left navigation pane, click Settings > Global Settings.
-
In the Global Settings page, click Configuration Settings.
-
In the Session Timeout field, enter the new session timeout in minutes, and then click Save.
Secure the SnapCenter web server by disabling SSL 3.0
For security purposes, you should disable Secure Socket Layer (SSL) 3.0 protocol in Microsoft IIS if it is enabled on your SnapCenter web server.
There are flaws in the SSL 3.0 protocol that an attacker can use to cause connection failures, or to perform man-in-the-middle attacks and observe the encryption traffic between your website and its visitors.
Steps
-
To launch Registry Editor on the SnapCenter web server host, click Start > Run, and then enter regedit.
-
In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\.
-
If the Server key already exists:
-
Select the Enabled DWORD, and then click Edit > Modify.
-
Change the value to 0, and then click OK.
-
-
If the Server key does not exist:
-
Click Edit > New > Key, and then name the key Server.
-
With the new Server key selected, click Edit > New > DWORD.
-
Name the new DWORD Enabled, and then enter 0 as the value.
-
-
-
Close Registry Editor.