Summary:


When integrating Aqua CSP with AD/LDAP for user authentication, a number of questions commonly come up about how the feature works; they are answered below.



Environment:


Aqua CSP 4.6 / 5.0



FAQ:

1) Does Aqua CSP support authentication across multiple Active Directory domains?

A domain forest should work for Aqua as long as the domain we connect to can reach the rest of the forest; Aqua relies entirely on the capability of the AD server configured in the "Connection" tab.


2) Is cross-domain authentication with trust relationships between domains supported?

The same principle applies here: if the server we access has the correct forest trust relationship, we should be able to reach the groups and users specified in the Aqua GUI AD/LDAP configuration.


3) Is SID History supported?

To our knowledge Aqua does not interact with SID History in any way. Aqua simply authenticates against the domain and then issues its query to identify the users and groups configured in Aqua; if the server it connects to supports SID History, Aqua may benefit from it, but nothing is triggered from Aqua's side.


4) Is Aqua CSP compatible with the Active Directory 2016 functional level?

Aqua should be able to authenticate and identify the users and groups selected for mapping in the Aqua GUI without any issue at the Active Directory 2016 functional level; once more, the result of the AD/LDAP query depends entirely on the server Aqua has been granted access to.


5) As an LDAP client, is the connection limited to simple bind? Is LDAPS or LDAP SASL supported?

Yes, the connection is limited to simple bind (user name and password), so SASL mechanisms are not used. LDAPS is supported: the configuration provides an option to enable SSL/TLS.
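Because Aqua authenticates with a simple bind, the credential is protected on the wire only when the SSL/TLS option is enabled. The following added example (not Aqua code) BER-encodes an LDAPv3 simple BindRequest as defined in RFC 4511 and decodes it again, showing that the bind DN and password are readable in plain LDAP traffic; the service account "aqua-svc" and its password are constructed values.

```python
"""Added example (not Aqua code): BER-encode an LDAPv3 simple BindRequest (RFC 4511)
and show that, without SSL/TLS, the bind DN and password travel in clear text."""
def ber_len(n: int) -> bytes:
    # Short form for lengths under 128; long form (0x81 / 0x82 ...) above that.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(value: int) -> bytes:
    # Minimal two's-complement INTEGER; enough for message IDs and the version field.
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(packet: bytes):
    """Recover (message_id, version, bind_dn, password) from an unencrypted bind on the wire."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body, 0)
    tag, bind, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    password = cred.decode() if tag == 0x80 else None   # 0x80 = simple; 0xA3 = SASL
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(ver, "big", signed=True),
            dn.decode(), password)

if __name__ == "__main__":
    # Constructed sample; "aqua-svc" is a hypothetical service account, not a real one.
    pkt = simple_bind_request(1, "cn=aqua-svc,dc=corp,dc=example", "S3cr3t-constructed")
    print(pkt.hex(), parse_simple_bind(pkt))   # DN and password readable without LDAPS
```

Enabling SSL/TLS in the configuration wraps this same message in TLS, which is what keeps the credential out of a network capture.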


6) Which Kerberos versions are supported?

Since Aqua provides only simple authentication, this is not relevant: at the moment Aqua does not support Windows challenge/response or ticket-based authentication.


7) Which NTLM versions are supported?

The same applies to NTLM: since Aqua provides only simple authentication, this is not relevant, and at the moment Aqua does not support Windows challenge/response or ticket-based authentication.



Related Information: 


https://docs.aquasec.com/docs/active-directory-ldap-integration

https://support.aquasec.com/a/solutions/articles/16000105689?portalId=16000023059