Active Directory Integration

Active Directory is a distinct implementation of the LDAP standard, because its communication requirements must conform to the Microsoft™ Windows authentication protocols. To meet this need, every domain from which Users will authenticate must be entered. Multiple Active Directory sources can be synchronized with the system if required.


Configuring the Active Directory Integration

To configure the Active Directory integration:

  1. Select Setup>LDAP

  2. Click New
    The LDAP/Active Directory Server screen tab is displayed.

  3. Enter the Server Name

  4. Select Active Directory within the Type drop down list

    ad_setup.png

  5. Define all the Domains from which Users will be authenticated
    Domains must be entered in both the NT and the Windows 2000 domain naming formats, because Active Directory conforms to both the Microsoft™ Windows NT and the Windows 2000 authentication protocols.

    Make entries with care, as they are not validated against the Directory Server by the system Domain Editor.

    ad_add_setup.png

  6. Here is an example of both naming conventions for the same domain:

    mydomain.mycompany.com

    NT Style = MYDOMAIN
    2K Style = mydomain.mycompany.com

  7. Click New and enter the domain information

  8. Click Save

  9. Using the drop-down arrow, select the Default Domain, which is used in the following three ways:

  10. Enter all other required fields to configure the Directory Server

    Setting and description:

    Security
      Determines how the integration layer authenticates. For Active Directory this should be set to Cleartext – Username + Password. Anonymous connections to Active Directory are rarely enabled. Note that a cleartext (simple) bind sends the account's credentials unencrypted unless the connection itself is protected, so use an account that only needs read access to the directory.

    Server Host
      Enter the hostname or IP address of the Active Directory Server. On a Windows NT domain this is the primary domain controller.

    Server Port
      The default Active Directory Server Port is 389. This is rarely changed.

    Username
      Used by the system to authenticate against the Active Directory Server when reading account information. The domain prefix/suffix is appended, based on the default domain, when connecting to the Server.

    Password
      Enter the Password for the Username account.

    Users Node
      The component of the base domain name that refers to the location of the User Groups. For example, if the location of the User Groups is:
      ou=UserGroups, ou=MIS, dc=myoffice, dc=mycompany, dc=com
      (See LDAP/Active Directory Advanced Settings for information on Group configuration.)

      Groups must be in the default domain, in this case myoffice.mycompany.com. The Users Node only needs the location of the Groups within the default domain, so the Users Node in this example is: ou=UserGroups, ou=MIS.

    Locale

    Default Timezone
      Select the default Timezone to be applied to all User accounts imported via Active Directory.

  11. Click Save.
    Repeat the above process to add more than one authentication server for authorizing User access.


Test Button
test.png

The Test button creates a connection to the Active Directory Server, applying the configuration settings. If successful, it will attempt to determine how many Users are in each group and display a Results Screen.

Sync Button
synch.png

The Sync button runs the synchronization process to import all Users from the Server Directory. If new Active Directory accounts have been created and those Users require immediate access to the system, run a manual synchronization.


Only one synchronization can run at a time. When multiple Users need access, create the accounts, then run a single manual synchronization.

A manual synchronization may take some time as it depends on the connection speed with the external service. The manual synchronization works best for small directories. Larger Active Directory implementations can take some time to propagate the changes, so account information may not be immediately available.


Importing Customers

Customer details can be imported from Active Directory by enabling the option, if required. When the system is set up to synchronize with Active Directory, move to the Setup>Privileges>Customer tab and enable the Include Customers option.

setup_privileges_customer_ldap.png

If Customers need to be created both from Active Directory and through the system's internal authentication capability, Mixed Mode authentication can also be enabled. After the option to Include Customers is set to Yes in the Customer Privilege tab, the Mixed Mode field is displayed. Set this option to Yes to allow Customers to be created both directly in the system and via Active Directory.


Imported Account Usernames

Accounts imported from Active Directory use the UPN as the Username, as opposed to the NT style login. The domain component of the UPN is derived from the selected domain in the popup on the login page, which means Users need to enter their login name only to connect to the support application.
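The naming rules this page relies on, the NT and 2K domain styles and the Users Node relative to the default domain from the configuration steps, plus the UPN form of imported usernames described here, as an added Python example that is not the product's own code; the domain names and the login name jsmith are constructed sample values:

```python
# Added example: helpers mirroring this page's naming rules, not the product's code.
# Sample domains and login names are constructed for illustration only.


def dn_components(dn):
    """Split 'ou=UserGroups, ou=MIS, dc=myoffice' into [(attr, value), ...]."""
    comps = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if rdn:
            attr, _, value = rdn.partition("=")
            comps.append((attr.strip().lower(), value.strip()))
    return comps


def domain_styles(fqdn):
    """NT style and 2K style names for a domain, as in the page's example.
    The NT (NetBIOS) name is fixed when the domain is created and can differ
    from the first DNS label, so confirm it against the real domain."""
    fqdn = fqdn.strip().lower()
    return {"nt": fqdn.split(".")[0].upper(), "2k": fqdn}


def domain_base_dn(fqdn):
    """mydomain.mycompany.com -> dc=mydomain,dc=mycompany,dc=com"""
    return ",".join("dc=" + label for label in fqdn.strip().lower().split("."))


def full_groups_dn(users_node, default_domain):
    """Combine the relative Users Node with the default domain's dc= suffix."""
    rel = ",".join(a + "=" + v for a, v in dn_components(users_node))
    return rel + "," + domain_base_dn(default_domain)


def users_node_for(group_dn, default_domain):
    """Derive the Users Node from a full group location, enforcing the page's
    rule that the Groups must be inside the default domain."""
    comps = dn_components(group_dn)
    dcs = ".".join(v for a, v in comps if a == "dc").lower()
    if dcs != default_domain.strip().lower():
        raise ValueError("%s is not within default domain %s" % (group_dn, default_domain))
    return ", ".join(a + "=" + v for a, v in comps if a != "dc")


def upn_for(login_name, selected_domain):
    """Imported accounts use the UPN: login name plus the domain chosen at login."""
    return login_name.strip() + "@" + selected_domain.strip().lower()
```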


Login details are passed directly to the directory server for authentication and are not retained within the service management system.