- 20 Feb 2024
- 5 Minutes to read
Setting up Active Directory (AD) Server Authentication
- Updated on 20 Feb 2024
- 5 Minutes to read
An Active Directory (AD) server synchronizes users, computers, groups, and/or organizational units to the Portal's account base.
When an AD account (person or machine) is used, the account's AD credentials are authenticated to gain access to the Portal. Furthermore, AD authentication works in conjunction with Single Sign-On (SSO). Please review the article on Enabling SSO with Azure AD for more information.
Before starting server authentication, it is recommended to have the domain name, default email domain, and the user name and password for an active user connecting to AD. The Portal user connecting to AD does not need to be an administrator, i.e., the user can be an essential "Domain User" in AD.
However, the List Contents permission is required on the user account before proceeding. This is usually granted by default to a basic user. For more information, please visit Microsoft's AD support article.
Listed below are additional common caveats when syncing with an AD server:
- For AD Groups, Decisions only sync with security groups, not with distribution groups. Please ensure that groups are configured as security groups.
- For AD Accounts, account passwords cannot be edited in the Portal. This is to preserve data integrity.
- To set up AD in a Tenant Environment, perform the configuration inside the tenant to sync the tenant with an AD server. The account used to sync AD must have administrator credentials.
- In the Designer Studio, navigate to System > Settings and click on Active Directory Settings.
- To configure a new AD server, click ADD under the Servers box.
The Add Servers window has Portal Settings, Server Settings, and Synchronization Settings options. All of the Server Settings are required, and a Synchronization option must be selected; settings for each section are outlined below.
|Auto-Create Users on Initial Login
|Toggles if a user receives immediate access to the Portal when the account is created in the AD server. When true, the user does not need to wait for the next sync cycle to log in using AD; the AD account is automatically added to the Portal's account base upon first logging into the Portal.
For this to work, a user must first log in with their username instead of their email to create the account. Future logins may then use either username or email.
|Sync Only Users
|Toggles, if only users, will sync to the Portal's account base, thus ignoring groups, organizational units (OU), and computers.
If using this setting, ensure the Synchronization Option under Synchronization settings is set to EntireDomain. Otherwise, user accounts will be deactivated after the next sync.
|Allows selection of which Portal group(s) the synced AD account will belong to by default. For example, if wishing all synced AD accounts to have Portal admin privileges, set the default group to Administrators.
Note that the group's name must be entered manually; only one group can be entered per line. This group must already exist within the Portal.
|Create New Users Even if Disabled in AD
|Toggles overriding AD settings that prevent the creation of new AD accounts for Portal users.
All of the Server Setting fields are required. It is recommended to have the domain name, default email domain, user name for an account with admin rights, and password information before beginning.
Settings available after selecting OpenLDAP for the LDAP Schema are denoted with an * after their name,
|Allows selection of which AD type to use for the server
|Selects Active Directory as the AD type
|Selects OpenLDAP as the AD type; selecting this spawns new settings
|LDAP Authentication Type
|Allows selection for LDAP Authentication
|Anonymous, Basic, Negotiate, Kerberos, NTLM
|For information on all the authentication types, refer to Microsoft's official documentation.
|LDAPS (LDAP over SSL) is a secure version of LDAP that encrypts the authentication process. For more information, refer to Microsoft's official documentation.
Note: This option will be absent in the non-Windows environments.
|Prompts for the name of the OpenLDAP server to connect
|Prompts for the domain or IP address of the server
|Prompts for the base of the domain name
|Use No Login Prefix
|Toggles the requirement of login prefix for users to log in
Note: This should be marked as false when the platform is hosted in containers. For more information, refer to Active Directory Setup in Containers.
|Domain Login Prefix
|Prompts for domain login prefix that must be added when users log on
|Default Email Domain
|Prompts for the default email domain for the server
|Elevated User Name
|Prompts for a Portal user with AD server access to connect to the server
|Elevated User Password
|Prompts for the password of the provided Elevated User Name's AD credentials to allow connection
|Query Timeout (In Seconds)
|Sets the time-out value for the query to the AD server
|Connection Timeout (In Seconds)
|Sets the time-out value for the connection to the AD environment during a sync
|Allows for selection of how users log in via the OpenLDAP server
|Select login via user ID credentials.
|Selects login via email credentials
|Use Cloud To Site Agent
|Allows AD to connect to a setup agent via the cloud. This allows the AD server to communicate with the Decisions service.
|Agent to Handle Requests
|Prompts for which agent to use
|Sync Managers for Users
|Toggles if AD user managers automatically sync for users
|Sync Only Groups From Users Having Logged In
|Toggles syncing only groups with active users logging on
|Allows selection of how synchronization is conducted between the Portal and AD
|Everything is synchronized in AD to the Portal account base, including all users, groups, and organizational units.
If the Sync Only Users checkbox is true, then only users within the domain will be synced. Proceed with caution when using this method.
|Synchronizes only the specified organizational units to the Portal account base.
|Synchronizes only the specified groups to the Portal account base.
|Ignore Managers if not in Group
|If this setting is marked as true, the synchronization process will not include the managers of users who are not part of the selected group. For instance, if John is in the selected group, but his manager Will is not, enabling this setting will result in Will not being synced as John's manager.
Note: This setting is exposed if the Synchronization Option is set to Selected Groups.