Setting up Active Directory (AD) Server Authentication
  • 20 Feb 2024


Overview

A successful Active Directory Server Authentication setup and implementation rests heavily on experienced client-side technical resources. Decisions' Support Team will help but may not be able to solve AD issues specific to the organization.

An Active Directory (AD) server synchronizes users, computers, groups, and/or organizational units to the Portal's account base. 

When an AD account (person or machine) is used, the account's AD credentials are authenticated to gain access to the Portal. Furthermore, AD authentication works in conjunction with Single Sign-On (SSO). Please review the article on Enabling SSO with Azure AD for more information.

Before starting server authentication, it is recommended to have the domain name, the default email domain, and the user name and password of an active user that connects to AD. The Portal user connecting to AD does not need to be an administrator, i.e., the user can be a basic "Domain User" in AD.

However, the List Contents permission is required on the user account before proceeding. This is usually granted by default to a basic user. For more information, please visit Microsoft's AD support article. 

Listed below are additional common caveats when syncing with an AD server:

  • For AD Groups, Decisions only syncs with security groups, not with distribution groups. Please ensure that groups are configured as security groups.
  • For AD Accounts, account passwords cannot be edited in the Portal. This is to preserve data integrity.
  • To set up AD in a Tenant Environment, perform the configuration inside the tenant to sync that tenant with an AD server. The account used to sync AD must have administrator credentials.
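Because distribution groups are silently left out of a sync, it helps to classify groups before configuring the server. The following is an added example, not code from the Decisions documentation or product: it reads the groupType attribute that an LDAP query returns for each group and reports which ones are distribution groups. The bit values are Active Directory's documented groupType flags; the group names and the SAMPLE_GROUPS list are constructed for the example.

```python
# Added example (not part of the Decisions documentation): classify AD groups
# by their groupType attribute so distribution groups, which the Portal does
# not sync, can be found before a sync is configured.
#
# These are Active Directory's documented groupType flag values.
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008


def is_security_group(group_type: int) -> bool:
    """True when the security-enabled bit of groupType is set.

    AD returns groupType as a signed 32-bit integer, so security groups appear
    as negative numbers (for example -2147483646); masking to 32 bits handles
    both signed and unsigned representations.
    """
    return bool((group_type & 0xFFFFFFFF) & GROUP_TYPE_SECURITY_ENABLED)


def describe_group_type(group_type: int) -> str:
    """Human-readable scope and kind, e.g. 'global security group'."""
    bits = group_type & 0xFFFFFFFF
    if bits & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif bits & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif bits & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown scope"
    kind = "security" if is_security_group(group_type) else "distribution"
    return f"{scope} {kind} group"


def groups_that_will_not_sync(groups):
    """Names of groups the Portal will skip because they are distribution groups."""
    return [name for name, group_type in groups if not is_security_group(group_type)]


# Constructed sample: (sAMAccountName, groupType) pairs in the form an LDAP
# search over (objectClass=group) returns them. The names are made up.
SAMPLE_GROUPS = [
    ("portal-admins", -2147483646),   # global security group
    ("finance-users", -2147483644),   # domain local security group
    ("all-staff-news", 2),            # global distribution group
    ("eng-announce", 8),              # universal distribution group
]

if __name__ == "__main__":
    for name, group_type in SAMPLE_GROUPS:
        print(f"{name:16} {describe_group_type(group_type)}")
    print("will not sync:", groups_that_will_not_sync(SAMPLE_GROUPS))
```

Feed the function the groupType values from your own directory export (the attribute is returned by any LDAP client or by the Active Directory PowerShell module) and convert any group listed as "will not sync" to a security group before running the first synchronization.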

Configuration

  1. In the Designer Studio, navigate to System > Settings and click on Active Directory Settings.
  2. To configure a new AD server, click ADD under the Servers box.
    The Add Servers window has Portal Settings, Server Settings, and Synchronization Settings options. All of the Server Settings are required, and a Synchronization option must be selected; the settings for each section are outlined below.

Portal Settings

  • Auto-Create Users on Initial Login (default: False): Toggles whether a user receives immediate access to the Portal when the account is created in the AD server. When true, the user does not need to wait for the next sync cycle to log in using AD; the AD account is automatically added to the Portal's account base upon first logging into the Portal.
    For this to work, the user must first log in with their username instead of their email to create the account. Later logins may use either username or email.
  • Sync Only Users (default: False): Toggles whether only users sync to the Portal's account base, ignoring groups, organizational units (OUs), and computers.
    If using this setting, ensure the Synchronization Option under Synchronization Settings is set to EntireDomain. Otherwise, user accounts will be deactivated after the next sync.
  • Default Groups (default: blank): Selects which Portal group(s) a synced AD account belongs to by default. For example, to give all synced AD accounts Portal admin privileges, set the default group to Administrators.
    Note that the group name must be entered manually, one group per line, and the group must already exist within the Portal.
  • Create New Users Even if Disabled in AD (default: False): Toggles whether Portal accounts are still created for AD accounts that are disabled in AD, overriding the AD setting that would otherwise prevent their creation.

Server Settings

All of the Server Setting fields are required. It is recommended to have the domain name, default email domain, user name for an account with admin rights, and password information before beginning.

Settings that become available after selecting OpenLDAP for the LDAP Schema are denoted with an * after their name.

  • LDAP Schema (default: Active Directory): Selects which directory type the server uses.
    Active Directory: Selects Active Directory as the AD type.
    OpenLDAP: Selects OpenLDAP as the AD type; selecting this exposes the additional settings marked with *.
  • LDAP Authentication Type (default: Negotiate): Selects the LDAP authentication method. The options are Anonymous, Basic, Negotiate, Kerberos, and NTLM. For information on all the authentication types, refer to Microsoft's official documentation.
  • Enable LDAPS (default: False): LDAPS (LDAP over SSL) is a secure version of LDAP that encrypts the authentication process. For more information, refer to Microsoft's official documentation.
    Note: This option is absent in non-Windows environments.
  • Server* (default: blank): The name of the OpenLDAP server to connect to.
  • Domain Name (default: blank): The domain name or IP address of the server.
  • Base DN* (default: blank): The base distinguished name (DN) of the directory tree that is searched.
  • Use No Login Prefix (default: False): Toggles whether users must supply a login prefix to log in.
    Note: This should be set to false when the platform is hosted in containers. For more information, refer to Active Directory Setup in Containers.
  • Domain Login Prefix (default: blank): The domain login prefix that users must add when logging on.
  • Default Email Domain (default: blank): The default email domain for the server.
  • Elevated User Name (default: blank): A Portal user with AD server access, used to connect to the server.
  • Elevated User Password (default: blank): The password for the Elevated User Name's AD credentials, used to allow the connection.
  • Query Timeout (In Seconds) (default: 100): The time-out value for queries to the AD server.
  • Connection Timeout (In Seconds) (default: 100): The time-out value for the connection to the AD environment during a sync.
  • Logon By* (default: Uid): Selects how users log in via the OpenLDAP server.
    Uid: Log in with user ID credentials.
    Email Address: Log in with email credentials.
  • Use Cloud To Site Agent (default: False): Connects to AD through a Cloud To Site agent, which allows the AD server to communicate with the Decisions service.
  • Agent to Handle Requests (default: blank): Selects which agent handles the requests.

Synchronization Settings

  • Sync Managers for Users (default: True): Toggles whether users' AD managers sync automatically.
  • Sync Only Groups From Users Having Logged In (default: False): Toggles syncing only the groups of users who have logged in.
  • Synchronization Option (default: EntireDomain): Selects how synchronization is conducted between the Portal and AD.
    EntireDomain: Everything in AD is synchronized to the Portal account base, including all users, groups, and organizational units. If the Sync Only Users checkbox is true, only users within the domain are synced. Proceed with caution when using this method.
    SelectedOrgUnits: Synchronizes only the specified organizational units to the Portal account base.
    SelectedGroups: Synchronizes only the specified groups to the Portal account base.
  • Ignore Managers if not in Group (default: False): If true, the synchronization process does not include the managers of users who are not part of the selected group. For instance, if John is in the selected group but his manager Will is not, enabling this setting results in Will not being synced as John's manager.
    Note: This setting is only exposed when the Synchronization Option is set to SelectedGroups.
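Several of the settings above only work in combination (Sync Only Users with EntireDomain, Ignore Managers if not in Group with SelectedGroups, a Cloud To Site agent with an assigned agent, Default Groups that already exist in the Portal). The following is an added example, not part of the Decisions product or documentation: a pre-flight check that applies those rules from the Portal, Server, and Synchronization Settings sections to a candidate configuration before it is entered in Designer Studio. The setting names follow the tables; the dictionary layout, the host_os and in_containers flags, the portal_groups list, and the sample configurations are assumptions of this example.

```python
# Added example, not from the Decisions documentation: check a candidate
# Active Directory Settings configuration against the cross-setting rules the
# settings descriptions state. Returns findings rather than printing them so
# the check can be reused by other tooling.

REQUIRED_SERVER_SETTINGS = [
    "Domain Name", "Default Email Domain",
    "Elevated User Name", "Elevated User Password",
]
# Exposed only when LDAP Schema is OpenLDAP (the * settings).
OPENLDAP_ONLY_SETTINGS = ["Server", "Base DN", "Logon By"]


def check_ad_config(cfg, portal_groups, host_os="windows", in_containers=False):
    """Return a list of (severity, message) findings; an empty list means it passes."""
    findings = []

    def error(msg):
        findings.append(("ERROR", msg))

    def warn(msg):
        findings.append(("WARN", msg))

    # All Server Settings are required; OpenLDAP exposes three more.
    required = list(REQUIRED_SERVER_SETTINGS)
    if cfg.get("LDAP Schema") == "OpenLDAP":
        required += OPENLDAP_ONLY_SETTINGS
    for name in required:
        if not cfg.get(name):
            error(f"Server setting '{name}' is required but blank")

    # Sync Only Users outside EntireDomain deactivates users after the next sync.
    sync_option = cfg.get("Synchronization Option", "EntireDomain")
    if cfg.get("Sync Only Users") and sync_option != "EntireDomain":
        error("Sync Only Users is true but Synchronization Option is "
              f"'{sync_option}'; user accounts will be deactivated after the next sync")

    # Ignore Managers if not in Group is only exposed for SelectedGroups.
    if cfg.get("Ignore Managers if not in Group") and sync_option != "SelectedGroups":
        warn("Ignore Managers if not in Group has no effect unless "
             "Synchronization Option is SelectedGroups")

    # Default Groups: one per line, and each must already exist in the Portal.
    for line in cfg.get("Default Groups", "").splitlines():
        group = line.strip()
        if group and group not in portal_groups:
            error(f"Default group '{group}' does not exist in the Portal")

    # Login prefix handling when hosted in containers.
    if in_containers and cfg.get("Use No Login Prefix"):
        warn("Use No Login Prefix should be false when the platform is hosted in containers")

    # LDAPS is absent off Windows; without it the authentication exchange is not encrypted by LDAPS.
    if cfg.get("Enable LDAPS"):
        if host_os != "windows":
            warn("Enable LDAPS is not available in non-Windows environments")
    else:
        warn("Enable LDAPS is false; the LDAP authentication exchange is not protected by LDAPS")

    # A Cloud To Site agent must be assigned when that option is on.
    if cfg.get("Use Cloud To Site Agent") and not cfg.get("Agent to Handle Requests"):
        error("Use Cloud To Site Agent is true but no Agent to Handle Requests is set")

    return findings


# Constructed sample configurations; the host, account and password are placeholders.
WEAK_CONFIG = {
    "LDAP Schema": "Active Directory",
    "Domain Name": "ad.example.test",
    "Default Email Domain": "",                   # required, left blank
    "Elevated User Name": "svc-portal-sync",
    "Elevated User Password": "<placeholder>",
    "Enable LDAPS": False,
    "Sync Only Users": True,
    "Synchronization Option": "SelectedGroups",  # conflicts with Sync Only Users
    "Default Groups": "Administrators\nMissing Group",
    "Ignore Managers if not in Group": True,
}
FIXED_CONFIG = {
    **WEAK_CONFIG,
    "Default Email Domain": "example.test",
    "Enable LDAPS": True,
    "Sync Only Users": False,
    "Default Groups": "Administrators",
}
PORTAL_GROUPS = ["Administrators", "All Users"]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for severity, message in check_ad_config(cfg, PORTAL_GROUPS):
            print(severity, message)
```

Run it against the values you intend to enter: the weak configuration reports three errors (a blank required field, the Sync Only Users conflict that would deactivate accounts, and a default group the Portal does not have) plus the LDAPS warning, while the fixed configuration returns no findings.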

For further information on Modules, visit the Decisions Forum.
