Setting up Active Directory (AD) Server Authentication
  • 03 Feb 2023


Overview

A successful Active Directory Server Authentication setup and implementation rests heavily on experienced client-side technical resources. Decisions' Support Team will help but may not be able to solve AD issues specific to the organization.

An Active Directory (AD) server synchronizes users, computers, groups, and/or organizational units to the Portal's account base. When an AD account (person or machine) is used, the account's AD credentials are authenticated to gain access to the Portal. Furthermore, AD authentication works in conjunction with Single Sign-On (SSO). Please review the Enabling SSO with Azure AD article for more information.

Before starting server authentication, it is recommended to have the domain name, default email domain, and the user name and password for the account connecting to AD. The Portal user connecting to AD does not need to be an administrator, i.e. the user can be a basic "Domain User" in AD.

However, the List Contents permission is required on the user account before proceeding. This is usually granted by default to a basic user. For more information, please visit Microsoft's AD support article.

AD Groups

Decisions only syncs with security groups, not distribution groups. Please ensure that groups are configured as security groups.

AD Accounts

For data integrity purposes, AD account passwords cannot be edited in the Portal.

Setting up AD in a Tenant Environment

Complete the following configuration inside of the tenant to sync the tenant with an AD server. The account used to sync AD must have administrator credentials. 


Configuration

  1. In the Designer Studio, navigate to System > Settings and right-click on Active Directory Settings to open its Action Menu. Select the Edit Active Directory/LDAP Settings action.
  2. To configure a new AD server, click ADD under the Servers box.

The Add Servers window has options for Portal Settings, Server Settings, and Synchronization Settings. All of the Server Settings are required, and a Synchronization option must be selected; settings for each section are outlined below.



Portal Settings

  • Auto-Create Users on Initial Login (default: False)
    Toggles whether a user receives immediate access to the Portal as soon as the account is created in the AD server. When true, the user does not need to wait for the next sync cycle to log in using AD; the AD account is automatically added to the Portal's account base upon first logging into the Portal.
    For this to work, a user must first log in with their username instead of their email to create the account. Future logins may then use either username or email.
  • Sync Only Users (default: False)
    Toggles whether only users will sync to the Portal's account base, ignoring groups, organizational units (OU), and computers.
    If using this setting, ensure the Synchronization Option under Synchronization Settings is set to EntireDomain. Otherwise, user accounts will be deactivated after the next sync.
  • Default Groups (default: blank)
    Allows selection of which Portal group(s) the synced AD accounts will belong to by default. For example, to give all synced AD accounts Portal admin privileges, set the default group to Administrators.
    Note that the group's name must be entered manually and only one group can be entered per line. This group must already exist within the Portal.
  • Create New Users Even if Disabled in AD (default: False)
    Toggles whether Portal users are created for AD accounts even when those accounts are disabled in AD.
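Because only security groups sync (see AD Groups above) and disabled AD accounts are only created when the setting just described is true, it helps to audit the directory objects before the first sync. The following pre-sync audit is an added example, not Decisions' code: it classifies groupType and userAccountControl values the way the article says the sync treats them, using a constructed list of entries shaped like LDAP search results (the attribute names are standard AD attributes; the sample values are made up).

```python
# Added pre-sync audit example (not Decisions' code). Input is a constructed
# list of dicts shaped like the attributes an LDAP search would return.

# groupType flag bits (Microsoft ADS_GROUP_TYPE_ENUM)
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
GROUP_SCOPES = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
# userAccountControl flag bit for a disabled account
UAC_ACCOUNTDISABLE = 0x2


def classify_group(group_type):
    """Return (category, scope) for a groupType value.

    AD stores groupType as a signed 32-bit integer, so security groups read
    back negative (e.g. -2147483646); mask to 32 bits before testing the bit.
    """
    bits = group_type & 0xFFFFFFFF
    category = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    scope = GROUP_SCOPES.get(bits & 0xE, "Unknown")
    return category, scope


def audit_entries(entries, create_disabled=False):
    """Split entries into what the sync will and will not pick up.

    Only security groups sync; distribution groups are reported so they can be
    converted first. Disabled users are created only when the Portal setting
    'Create New Users Even if Disabled in AD' (create_disabled) is true.
    Computer objects also carry the 'user' class, so they are skipped here.
    """
    report = {"groups_sync": [], "groups_skipped": [], "users_sync": [], "users_disabled": []}
    for e in entries:
        classes = {c.lower() for c in e["objectClass"]}
        if "group" in classes:
            category, scope = classify_group(e["groupType"])
            key = "groups_sync" if category == "Security" else "groups_skipped"
            report[key].append(f"{e['sAMAccountName']} ({scope} {category})")
        elif "user" in classes and "computer" not in classes:
            disabled = bool(e.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE)
            key = "users_disabled" if disabled and not create_disabled else "users_sync"
            report[key].append(e["sAMAccountName"])
    return report


# Constructed sample data in the shape of an LDAP search result (not real accounts).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Portal-Admins", "objectClass": ["top", "group"], "groupType": -2147483646},
    {"sAMAccountName": "All-Staff", "objectClass": ["top", "group"], "groupType": 8},
    {"sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"sAMAccountName": "former.employee", "objectClass": ["top", "person", "user"], "userAccountControl": 514},
]

if __name__ == "__main__":
    for key, names in audit_entries(SAMPLE_ENTRIES).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Groups listed under groups_skipped need to be converted to security groups in AD before they will appear in the Portal; accounts under users_disabled will only be created if the toggle is enabled.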



Server Settings

All of the Server Setting fields are required. It is recommended to have the domain name, default email domain, user name for an account with admin rights, and password information before beginning.

  • LDAP Schema (default: Active Directory)
    Allows selection of which directory type to use for the server:
    Active Directory: selects Active Directory as the directory type.
    OpenLDAP: selects OpenLDAP as the directory type; selecting this spawns additional settings.
  • Domain Name (default: blank)
    Domain name or IP address of the server.
  • Domain Login Prefix (default: blank)
    Domain login prefix that must be added when users log on.
  • Use No Login Prefix (default: False)
    Toggles whether a login prefix is required for users to log in; commonly set to True so that no prefix is needed.
  • Default Email Domain (default: blank)
    Default email domain for the server.
  • Elevated User Name (default: blank)
    Portal user with AD server access used to connect to the server.
  • Elevated User Password (default: blank)
    Password for the Elevated User Name's AD credentials, used to make the connection.
  • Use Cloud To Site Agent (default: False)
    Toggles allowing AD to connect through a Cloud To Site agent. This allows the AD server to communicate with the Decisions service.
    Agent to Handle Requests (default: blank): the agent to use for the connection.



Synchronization Settings

  • Sync Managers for Users (default: True)
    Toggles whether the AD managers of users are synced automatically.
  • Sync Only Groups From Users Having Logged In (default: False)
    Toggles syncing only the groups of users who have logged in.
  • Synchronization Option (default: Entire Domain)
    Allows selection of how synchronization is conducted between the Portal and AD:
    EntireDomain: everything in AD is synchronized to the Portal account base, including all users, groups, and organizational units. If the Sync Only Users checkbox is true, then only users within the domain will be synced. Proceed with caution when using this method.
    SelectedOrgUnits: synchronizes only the specified organizational units to the Portal account base.
    SelectedGroups: synchronizes only the specified groups to the Portal account base.


