[DO NOT MERGE] GitHub Enterprise Server 3.8 release candidate (github#34113)

Co-authored-by: Rachael Sewell <[email protected]>
Co-authored-by: Felicity Chapman <[email protected]>
Co-authored-by: Sarah Edwards <[email protected]>
Co-authored-by: David Jarzebowski <[email protected]>
Co-authored-by: Steve Guntrip <[email protected]>
Co-authored-by: Joe Clark <[email protected]>
Co-authored-by: Lucas Costi <[email protected]>
Co-authored-by: Siara <[email protected]>
Co-authored-by: docubot <[email protected]>

Author: 10 people

assets/images/azure/azure-aad-app-storage-ids.png

@@ -0,0 +1,38 @@
+---
+title: About the Management Console
+shortTitle: About
+intro: '{% data reusables.enterprise_site_admin_settings.management-console-overview %}'
+versions:
+  ghes: '*'
+type: overview
+topics:
+  - Administrator
+  - Enterprise
+  - Fundamentals
+  - Networking
+  - Monitoring
+---
+
+## About the {% data variables.enterprise.management_console %}
+
+The {% data variables.enterprise.management_console %} allows you to manage the low-level configuration of  {% data variables.location.product_location %}. For example, you can complete initial setup, manage licensing and low-level settings, configure authentication, schedule maintenance windows, and monitor your instance.
+
+You can always reach the {% data variables.enterprise.management_console %} using {% data variables.location.product_location %}'s IP address, even when the instance is in maintenance mode, or there is a critical application failure or hostname or SSL misconfiguration.
+
+To access the {% data variables.enterprise.management_console %}, {% ifversion enterprise-management-console-multi-user-auth %}you can use the root site administrator password established during initial setup of {% data variables.location.product_location %} or log in as a {% data variables.enterprise.management_console %} user. For more information, see "[Accessing the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/accessing-the-management-console)." {% else %}you must use the administrator password established during initial setup of {% data variables.location.product_location %}. {% endif %}You must also be able to connect to the virtual machine host on port 8443. If you're having trouble reaching the {% data variables.enterprise.management_console %}, please check intermediate firewall and security group configurations.
+
+The {% data variables.enterprise.management_console %} password hash is stored in `/data/user/common/secrets.conf`. If high availability or clustering is configured, the file is automatically synced from the primary node to any additional nodes. Any change to the primary's password will automatically be replicated to all of the instance's nodes. For more information about high availability, see "[About high availability configuration](/admin/enterprise-management/configuring-high-availability/about-high-availability-configuration)."
+
+## Examples of activities in the {% data variables.enterprise.management_console %}
+
+In the {% data variables.enterprise.management_console %}, you can perform administrative tasks for {% data variables.location.product_location %}, including:
+
+- **Initial setup**: Walk through the initial setup process when first launching {% data variables.location.product_location %} by visiting {% data variables.location.product_location %}'s IP address in your browser.
+{%- ifversion enterprise-management-console-multi-user-auth %}
+- **Identity and access management**: Improve the security of {% data variables.location.product_location %} by creating dedicated user accounts for the {% data variables.enterprise.management_console %}. The root site administrator account can control these user accounts' access by assigning either the editor or operator role. For more information, see "[Managing access to the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console)."
+{%- endif %}
+- **Configuring authentication policies for the {% data variables.enterprise.management_console %}**: Set rate limits for login attempts, and the lockout duration if someone exceeds the rate limit. For more information, see "[Managing access to the {% data variables.enterprise.management_console %}](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console)."
+- **Configuring basic settings for your instance**: Configure DNS, hostname, SSL, user authentication, email, monitoring services, and log forwarding on the Settings page.
+- **Scheduling maintenance windows**: Take {% data variables.location.product_location %} offline while performing maintenance using the {% data variables.enterprise.management_console %} or administrative shell.
+- **Troubleshooting**: Generate a support bundle or view high level diagnostic information.
+- **License management**: View or update your {% data variables.product.prodname_enterprise %} license.

assets/images/azure/azure-federated-credential.png

@@ -0,0 +1,31 @@
+---
+title: Accessing the Management Console
+shortTitle: Access
+intro: 'You can access the {% data variables.enterprise.management_console %} {% ifversion ghes < 3.8 %}using the {% data variables.enterprise.management_console %} password{% elsif enterprise-management-console-multi-user-auth %}as the root site administrator or a {% data variables.enterprise.management_console %} user{% endif %}.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Authentication
+---
+
+{% data reusables.enterprise_site_admin_settings.management-console-access %}
+
+## Accessing the {% data variables.enterprise.management_console %}
+
+The first time that you access the {% data variables.enterprise.management_console %} for {% data variables.location.product_location %}, you must upload your license file. For more information, see "[Managing your license for {% data variables.product.prodname_enterprise %}](/billing/managing-your-license-for-github-enterprise)."
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+{% data reusables.enterprise_management_console.type-management-console-password %}
+{% data reusables.enterprise_management_console.click-continue-authentication %}
+
+## Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user
+
+1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
+  ```shell
+  http(s)://HOSTNAME/setup
+  ```
+{% data reusables.enterprise_management_console.type-management-console-password %}
+{% data reusables.enterprise_management_console.click-continue-authentication %}

assets/images/enterprise/management-console/actions-gcp-idp-setup-1.png

@@ -0,0 +1,27 @@
+---
+title: Administering your instance from the Management Console
+intro: 'You can use the {% data variables.enterprise.management_console %} to perform administrative tasks for {% data variables.location.product_location %}. '
+redirect_from:
+  - /admin/configuration/configuring-your-enterprise/accessing-the-management-console
+  - /enterprise/admin/articles/about-the-management-console
+  - /enterprise/admin/articles/management-console-for-emergency-recovery
+  - /enterprise/admin/articles/web-based-management-console
+  - /enterprise/admin/categories/management-console
+  - /enterprise/admin/articles/accessing-the-management-console
+  - /enterprise/admin/guides/installation/web-based-management-console
+  - /enterprise/admin/installation/accessing-the-management-console
+  - /enterprise/admin/configuration/accessing-the-management-console
+  - /admin/configuration/accessing-the-management-console
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+children:
+  - /about-the-management-console
+  - /managing-access-to-the-management-console
+  - /accessing-the-management-console
+  - /troubleshooting-access-to-the-management-console
+shortTitle: Management Console
+---
+

assets/images/enterprise/management-console/actions-gcp-idp-setup-2.png

@@ -0,0 +1,78 @@
+---
+title: Managing access to the Management Console
+shortTitle: Manage access
+intro: '{% ifversion enterprise-management-console-multi-user-auth %}You can increase the security of {% data variables.location.product_location %} by creating or deleting {% data variables.enterprise.management_console %} users. As the root site administrator, you {% else %}You {% endif %}can access the {% data variables.enterprise.management_console %} as well as configure {% data variables.enterprise.management_console %} authentication rate limits.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Authentication
+  - SSH
+  - User account
+---
+
+{% data reusables.enterprise_site_admin_settings.management-console-access %} For more information about {% data variables.enterprise.management_console %} access, see "[Accessing the {% data variables.enterprise.management_console %}](/admin/configuration/configuring-your-enterprise/accessing-the-management-console)."
+
+{% ifversion enterprise-management-console-multi-user-auth %}
+## Types of {% data variables.enterprise.management_console %} accounts
+
+There are two types of user accounts for the {% data variables.enterprise.management_console %} on a {% data variables.product.product_name %} instance. The root site administrator account authenticates with a password established during the initial setup of {% data variables.location.product_location %}.
+
+The root site administrator can create additional accounts, and assign one of two roles to each.
+
+### Root site administrator
+
+Root site administrators have complete control over the {% data variables.enterprise.management_console %}. They can take every action in the {% data variables.enterprise.management_console %}, including creating and deleting {% data variables.enterprise.management_console %} user accounts.
+
+Only the root site administrator can create and delete {% data variables.enterprise.management_console %} user accounts.
+
+### {% data variables.enterprise.management_console %} user
+
+{% data variables.enterprise.management_console %} users can perform most administrative tasks for {% data variables.location.product_location %}. For heightened security, {% data variables.enterprise.management_console %} users cannot create or delete {% data variables.enterprise.management_console %} user accounts.
+
+Only {% data variables.enterprise.management_console %} users with the operator role can manage SSH keys.
+
+The root site administrator can provision one of two roles for {% data variables.enterprise.management_console %} users:
+
+- **Editor**: A {% data variables.enterprise.management_console %} user with the editor role can perform basic administrative tasks for {% data variables.location.product_location %} in the {% data variables.enterprise.management_console %}. Editors cannot add public SSH keys to the {% data variables.enterprise.management_console %} to grant administrative SSH access to the instance.
+- **Operator**: A {% data variables.enterprise.management_console %} user with the operator role can perform basic administrative tasks for {% data variables.location.product_location %} in the {% data variables.enterprise.management_console %}. Users with the operator role can add SSH keys to the {% data variables.enterprise.management_console %} to grant administrative access to the instance via SSH.
+
+### Creating or deleting a user account for the {% data variables.enterprise.management_console %}
+
+While signed into the {% data variables.enterprise.management_console %} as the root site administrator, you can create new {% data variables.enterprise.management_console %} user accounts.
+
+{% data reusables.enterprise_site_admin_settings.click-user-management %}
+1. Click **Create user**.
+1. Fill in the user's name, username, and email address.
+1. Use the drop-down menu to select the user's role. You may select the editor or operator role.
+1. To finish creating the user account, click **Create**. If email notifications are configured for the instance, the user will automatically receive an invitation email with access instructions for the {% data variables.enterprise.management_console %}. For more information, see "[Inviting new {% data variables.enterprise.management_console %} users](#inviting-new-management-console-users)."
+1. Optionally, to delete a {% data variables.enterprise.management_console %} user account, click {% octicon "trash" aria-label="The trash symbol" %} to the right of any user account you wish to delete. Then confirm deletion.
+
+## Inviting new {% data variables.enterprise.management_console %} users
+
+If you have configured email for notifications for {% data variables.location.product_location %}, new {% data variables.enterprise.management_console %} users will automatically receive an invitation to complete creation of the {% data variables.enterprise.management_console %} user account. For more information, see "[Configuring email for notifications](/admin/configuration/configuring-your-enterprise/configuring-email-for-notifications)."
+
+If you have not configured email notifications for {% data variables.location.product_location %}, you must manually copy the {% data variables.enterprise.management_console %} invitation link and send it to the user. The user must set a password using the link before the user can access the {% data variables.enterprise.management_console %}.
+
+{% data reusables.enterprise_site_admin_settings.sign-in-as-root-administrator %}
+{% data reusables.enterprise_site_admin_settings.click-user-management %}
+1. To copy the invitation link, click {% octicon "link" aria-label="Copy invitation link" %} on any {% data variables.enterprise.management_console %} user account.
+1. Send the invitation link to the {% data variables.enterprise.management_console %} user. The invitation link will lead the user through the final account setup steps.
+
+{% endif %}
+
+{% ifversion enterprise-authentication-rate-limits %}
+## Configuring rate limits for authentication to the {% data variables.enterprise.management_console %}
+
+You can configure the lockout time and login attempt limits for the {% data variables.enterprise.management_console %}. If you configure rate limits, the limits apply to both the root site administrator and any {% data variables.enterprise.management_console %} users.
+
+After you configure rate limits and a user exceeds the limit, the {% data variables.enterprise.management_console %} will remain locked for the duration set by the lockout time. {% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
+
+{% data reusables.enterprise_site_admin_settings.access-settings %}
+{% data reusables.enterprise_site_admin_settings.management-console %}
+2. Under "Login attempt rate limiting", configure the lockout time and login attempt rate limit or accept the pre-filled default settings.
+![Fields for configuring lockout time and login attempt rate limit](/assets/images/enterprise/management-console/login-attempt-rate-limiting.png)
+{% data reusables.enterprise_management_console.save-settings %}
+
+{% endif %}

assets/images/enterprise/management-console/actions-gcp-idp-setup-3.png

@@ -0,0 +1,47 @@
+---
+title: Troubleshooting access to the Management Console
+shortTitle: Troubleshoot
+intro: 'You can troubleshoot access problems for the {% data variables.enterprise.management_console %}.'
+versions:
+  ghes: '*'
+type: how_to
+topics:
+  - Enterprise
+  - Authentication
+  - SSH
+  - Troubleshooting
+---
+
+## About problems with {% data variables.enterprise.management_console %} access
+
+If you experience problems accessing the Management Console, you can try the following troubleshooting steps.
+
+## Unlocking the {% data variables.enterprise.management_console %} after failed login attempts
+
+The {% data variables.enterprise.management_console %} locks after {% ifversion enterprise-authentication-rate-limits %}the number of failed login attempts configured by your authentication policies. For more information, see "[Managing access to the Management Console](/admin/configuration/administering-your-instance-from-the-management-console/managing-access-to-the-management-console#configuring-rate-limits-for-authentication-to-the-management-console)."{% else %}ten failed login attempts are made in the span of ten minutes. You must wait for the login screen to automatically unlock before attempting to log in again. The login screen automatically unlocks as soon as the previous ten minute period contains fewer than ten failed login attempts. The counter resets after a successful login occurs.{% endif %}
+
+{% ifversion enterprise-management-console-multi-user-auth %}
+### Unlocking the root site administrator account
+{% endif %}
+
+{% data reusables.enterprise_management_console.unlocking-management-console-with-shell %}
+
+{% ifversion enterprise-management-console-multi-user-auth %}
+### Unlocking a {% data variables.enterprise.management_console %} user account
+
+The root site administrator can unlock access to the {% data variables.enterprise.management_console %} for other user accounts.
+
+{% data reusables.enterprise_site_admin_settings.sign-in-as-root-administrator %}
+{% data reusables.enterprise_site_admin_settings.click-user-management %}
+1. Locked user accounts will appear as "State: blocked". To unblock the user and allow authentication, to the right of the user's details, click {% octicon "law" aria-label="The law icon" %}.
+
+
+{%- endif %}
+
+## Troubleshooting failed connections to the {% data variables.enterprise.management_console %}
+
+If you cannot connect to the {% data variables.enterprise.management_console %} on {% data variables.location.product_location %}, you can review the following information to troubleshoot the problem.
+
+### Error: "Your session has expired" for connections through a load balancer
+
+If you access {% data variables.location.product_location %} through a load balancer and connections to the {% data variables.enterprise.management_console %} fail with a message that your session has expired, you may need to reconfigure your load balancer. For more information, see "[Using {% data variables.product.product_name %} with a load balancer](/admin/configuration/configuring-network-settings/using-github-enterprise-server-with-a-load-balancer#error-your-session-has-expired-for-connections-to-the-management-console)."