Setting up Active Directory (AD) Server Authentication
- Updated on 07 Jul 2021
Overview
AD Accounts
For data integrity purposes, AD account passwords cannot be edited in the Portal.
Complete the configuration shown below inside the tenant to sync the tenant with an AD server. The account used to sync AD must have administrator credentials.
An AD server can be used to synchronize users, computers, groups, or organizational units to the Portal's account base. When an AD account (person or machine) is used, the account's AD credentials are authenticated to gain access to the Portal. AD authentication can be used in conjunction with Single Sign-On (SSO); please review the Enabling SSO with AD article for more information.
It is recommended to have the domain name, the default email domain, and the user name and password of the account that will connect to AD before beginning. The account specified in the Portal to connect to AD does not have to be an administrator; a basic "Domain User" in AD is sufficient. The permission actually needed is "List Contents", which is usually granted to a basic user by default.
For more information, please visit Microsoft's AD support article.
Configuration
In the Designer Studio, navigate to System > Settings from the Folders list on the left side. Click the Active Directory Settings link; the Edit Entity window will appear.
Under the Active Directory Servers section, check the box for Auto Sign In. When Auto Sign In is enabled, accounts will automatically be signed in based on the AD credentials used to log in to the machine.
To configure a new AD server, click the 'Add New' button under the Servers box.
The Add Servers window has options for Portal Settings, Server Settings, and Synchronization Settings. All of the Server Settings are required and a Synchronization option must be selected; the settings for each section are outlined below.
Portal Settings
Auto-Create Users on Initial Login: Allows a user immediate access to the Portal as soon as the account is created in the AD server. The user will not have to wait for the next sync cycle to log in using AD. Once the user logs in to the Portal, the AD account is added to the Portal's account base. For this to work, however, the user must log in with their username rather than their email; this first login creates the account. Future logins can use either the user's username or email.
Sync Only Users: Allows only the users to be synchronized to the Portal's account base. Groups, organizational units, and computers within the Active Directory will not synchronize to the Portal's account base.
Default Groups: Field used to provide the Portal groups to which the synced AD accounts will belong; for example, the default All Users group. Note that the name of the group must be typed in manually, only one group can be added per line, and each group must already exist in the Portal.
Server Settings
All of the Server Setting fields are required. It is recommended to have the domain name, default email domain, user name for an account with admin rights, and password information before beginning.
Synchronization Settings
Below is a description of the use case for each of the three Synchronization Options in the dropdown list.
Entire Domain: An option to synchronize everything in AD to the Portal account base, including users, groups, and organizational units. If the Sync Only Users checkbox is selected, then only users within the domain will be synced. Use this option with caution.
Selected Org Units: An option to select specific organizational units. When selected, only those organization units will be synchronized to the Portal's account base.
Selected Groups: An option to synchronize only the selected AD groups.
Once the settings have been configured in the Add Servers window, select 'OK' and then select 'SAVE' on the Edit Entity window. The settings will now be applied.
To see these settings in action, navigate to the Creating An AD Sync Job article.
LDAPS Configuration
In the event that a user is handling sensitive information/data on an Active Directory Server, or requires an additional layer of security for their AD environment, they may consider LDAPS.
LDAPS (Lightweight Directory Access Protocol over SSL) behaves like standard LDAP but provides further security by wrapping the connection in SSL/TLS.
For additional information regarding LDAPS configuration, see Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain and Enable LDAP over SSL with a third-party certification authority.
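As an added example (not part of this article or of the product's own code), the following PowerShell preflight script checks what the Server Settings and LDAPS sections above depend on before anything is entered in the Portal: it confirms the domain controller answers on the LDAPS port, binds over SSL with the low-privilege sync account, and then searches the OU and group you intend to pick under Selected Org Units and Selected Groups, so a missing List Contents permission shows up here rather than as an empty sync job later. The server name, OU and group DNs are hypothetical placeholders.

```powershell
# Added example (not Decisions' own code): preflight check for the AD sync account.
# Placeholder values below are hypothetical; replace them with your own.
$Server  = 'dc01.corp.example'                              # domain controller; FQDN must match its LDAPS certificate
$OuDn    = 'OU=Staff,DC=corp,DC=example'                    # OU you intend to pick under "Selected Org Units"
$GroupDn = 'CN=PortalUsers,OU=Groups,DC=corp,DC=example'    # group you intend to pick under "Selected Groups"
$Cred    = Get-Credential -Message 'Sync account in UPN form (a basic Domain User is enough)'

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. LDAPS reachability: port 636 must be open on the DC.
$tcp = Test-NetConnection -ComputerName $Server -Port 636 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "Port 636 on $Server is not reachable: LDAPS is not enabled or is blocked by a firewall."
}

# 2. Simple bind over SSL with the sync account. Schannel validates the DC certificate,
#    so an untrusted or mismatched certificate surfaces here as a bind failure.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS, not plaintext LDAP on 389
$conn.SessionOptions.ProtocolVersion   = 3
try { $conn.Bind() } catch { throw "LDAPS bind as $($Cred.UserName) failed: $($_.Exception.Message)" }

# 3. Read the directory the way each Synchronization option will. An account without
#    List Contents on the OU gets an empty result rather than an error, so the count matters.
function Search-Ldap([string]$BaseDn, [string]$Filter, [System.DirectoryServices.Protocols.SearchScope]$Scope, [string[]]$Attrs) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, $Scope, $Attrs)
    $conn.SendRequest($req).Entries
}
$users = @(Search-Ldap $OuDn '(&(objectCategory=person)(objectClass=user))' 'Subtree' @('sAMAccountName', 'mail'))
if ($users.Count -eq 0) {
    Write-Warning "No users visible in $OuDn: the OU is empty or $($Cred.UserName) lacks List Contents on it."
}
$group = @(Search-Ldap $GroupDn '(objectClass=group)' 'Base' @('member'))
$memberCount = 0
if ($group.Count -gt 0 -and $group[0].Attributes.Contains('member')) {
    $memberCount = $group[0].Attributes['member'].Count
}

"LDAPS bind OK as {0}; {1} user(s) visible under {2}; {3} member(s) in {4}" -f `
    $Cred.UserName, $users.Count, $OuDn, $memberCount, $GroupDn
$conn.Dispose()
```

Run it as an ordinary domain user on a machine that trusts the DC's certificate chain; a bind that works here with the same account and host name is the same bind the Portal will perform.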