It is possible to configure the Console to read users and workstation objects from Active Directory. The Console only reads from AD and does not write to AD.
The Authentication and AD Settings tab in the Console Administrator Tool (CAT) displays the settings for configuring Active Directory for AD Authentication and for LDAP tag synchronization. The details of each related setting in the CAT are shown in the following user guide:
AD Authentication is where you log into the Console using AD Credentials.
LDAP Tags Synchronization is where the Console pulls in workstation objects from AD when a Dynamic LDAP Tag is created.
Configuring Active Directory Integration
AD authentication is configured in the Console Administrator Tool (CAT).
If you would like to integrate the Console with Active Directory, you will need a service account with at least the “Read all properties” or “Read MemberOf” permission on the forest (depending on the AD version). This is generally not a standard permission for a service account, so it needs to be set manually by an administrator. You will also need access to the password for this service account during the initial Active Directory integration. The Console only reads from AD; it does not write to AD.
You will need to save the settings after you enter the AD Domain Controller, AD User and Password in the server settings in the CAT.
Determining the user format and server name
To determine the user format, open a command prompt and type whoami. Enter the user in that same format, together with your password, to connect to AD as your user, and also add that same user as the admin account.
You can find the name of your Domain Controller by executing the following command at the cmd prompt:
Usually you just enter the NETBIOS name of the server in the format LDAP://Hostname[:PortNumber][/DistinguishedName]. The brackets ([ ]) indicate optional parameters. LDAPS is not configured with this parameter. More information about the LDAP ADsPath format can be found at http://msdn.microsoft.com/en-us/library/aa746384(VS.85).aspx
All LDAP configurations are different, and connection strings are case sensitive. In some cases you will need to use an upper case LDAP:// connection string and in others a lower case ldap:// string. It is recommended that both are tried if things are not working properly. In general LDAP:// should always work, especially when sAMAccountName is used as the User Name Attribute. When userPrincipalName is the User Name Attribute, the lower case ldap:// might be required. Please consult a qualified Windows administrator with in-depth LDAP connection string knowledge to troubleshoot any connection issues.
If you wish to use Secure LDAP (LDAPS), do not use LDAPS:// in the connection string.
Testing the Connection
To test the connection, use the Test button to check that the Console is connecting to AD. To start with, do not enter any LDAP search paths, so you can be sure that the search path you enter is not what is causing an issue.
Use the Test button and select only Test LDAP objects retrieval, without entering a path in that test. If it retrieves the AD structure, that indicates it is communicating with AD.
Troubleshooting the AD connection
If the Verify Query button on the Test dialog does not return anything, then either the user used for the connection does not have at least the “Read all properties” or “Read MemberOf” permission on the forest, or the name of the Domain Controller is not valid.
Configuring the Admin User
When first configuring AD authentication, do not enable AD authentication until the connection to AD has been configured and tested. Then enable it and change the admin user to a valid user that you tested with the Test dialog. The admin user entered in the CAT will be the main Admin User you log into the Console with.
If you are having issues and you have entered an LDAP path, remove the LDAP paths, save the settings, and then try logging into the Console with the AD user you set as the Admin user in the CAT. Once that is working, you can add LDAP paths if you wish. Until you give other AD Users a Role in the Console, the only AD User able to log into the Console is the one entered as the Admin user in the CAT. The following linked user guide page explains Console Roles.
Communication Ports needed
If the Spirion Console is going to utilize Active Directory / LDAP, the IIS Console Server will require the ability to read LDAP from a DC/LDAP server on TCP 389 and TCP 3268 (TCP 636 and TCP 3269 for SSL).
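The following PowerShell script is an added example, not Spirion's code or part of the user guide. It is a pre-flight check, run from the IIS Console server, of the values you are about to enter on the Authentication and AD Settings tab: it confirms the DC is reachable on the four ports listed above, then binds read-only with the service account (entered in the same format that whoami prints) using both the LDAP:// and ldap:// spellings, with no search path, and reads a handful of user objects. A bind that succeeds but returns no objects is the same symptom as an empty Verify Query result and points at the service account lacking the “Read all properties” / “Read MemberOf” rights; a failed bind points at the DC name, the user format or the password. The parameter names and the sample values in the comments are placeholders chosen for this example; it assumes Windows PowerShell with the NetTCPIP module (Test-NetConnection) and the .NET System.DirectoryServices assembly.

```powershell
# Added example, not Spirion's own code. Pre-flight check of the CAT AD settings:
# port reachability, a read-only bind with both prefix spellings, and a small
# object retrieval with no search path. Parameter names are placeholders.
param(
    [Parameter(Mandatory)] [string] $DomainController,   # e.g. dc01.corp.example (placeholder)
    [Parameter(Mandatory)] [string] $ServiceUser,        # same format as `whoami` prints, e.g. CORP\svc_console (placeholder)
    [Parameter(Mandatory)] [securestring] $Password
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Port reachability from the IIS Console server to the DC/LDAP server.
$requiredPorts = [ordered]@{ 389 = 'LDAP'; 3268 = 'Global Catalog'; 636 = 'LDAPS'; 3269 = 'Global Catalog over SSL' }
$portReport = foreach ($port in $requiredPorts.Keys) {
    $reachable = (Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Port = $port; Service = $requiredPorts[$port]; Reachable = $reachable }
}
$portReport | Format-Table -AutoSize

# 2. Bind and read test. The plain-text password exists only for the DirectoryEntry call.
$plainPassword = [System.Net.NetworkCredential]::new('', $Password).Password
$bindReport = foreach ($prefix in 'LDAP://', 'ldap://') {
    $path = $prefix + $DomainController          # no port, no DN: domain root, i.e. no search path
    $entry = $null; $searcher = $null
    try {
        $entry = [System.DirectoryServices.DirectoryEntry]::new($path, $ServiceUser, $plainPassword)
        $entry.RefreshCache()                       # forces the bind; throws on a bad host name or credentials
        $rootDn = [string]$entry.Properties['distinguishedName'].Value

        # Read a few user objects with the attributes the Console's user name settings rely on.
        $searcher = [System.DirectoryServices.DirectorySearcher]::new($entry, '(&(objectCategory=person)(objectClass=user))')
        $searcher.SizeLimit = 5
        [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userPrincipalName', 'memberOf'))
        $found = $searcher.FindAll()
        $sample = @($found | ForEach-Object { [string]($_.Properties['samaccountname'] | Select-Object -First 1) })
        $found.Dispose()

        # Bound but nothing readable: same symptom as an empty Verify Query, so check the
        # service account's "Read all properties" / "Read MemberOf" permission on the forest.
        $diagnosis = if ($sample.Count -eq 0) { 'bound, but no objects readable: check service account permissions' } else { 'ok' }
        [pscustomobject]@{ Path = $path; Bound = $true; RootDN = $rootDn; SampleUsers = ($sample -join ', '); Diagnosis = $diagnosis }
    }
    catch {
        # Bind failed: DC name, user format, password, or the prefix spelling this server rejects.
        [pscustomobject]@{ Path = $path; Bound = $false; RootDN = ''; SampleUsers = ''; Diagnosis = $_.Exception.Message }
    }
    finally {
        if ($searcher) { $searcher.Dispose() }
        if ($entry)    { $entry.Dispose() }
    }
}
$plainPassword = $null
$bindReport | Format-List
```

Run it before enabling AD authentication in the CAT and before adding any LDAP search path, so that a blocked port, a rejected bind or an under-privileged service account is found while the built-in admin login is still the only way in. Only the prefix spelling that reports Bound = True with a non-empty SampleUsers list is worth carrying into the CAT server settings.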
AD Auto Roles
Auto Roles are Roles that automatically have AD Users added to them or removed from them.
If you would like to use Auto Roles, you will need to enable the following setting in the CAT:
- Allow Auto-Roles: Enable AD User Authentication must be checked before you can enable this option. If enabled, Allow Auto-Roles will synchronize users with roles. This information is from the following linked user guide page: http://my.spirion.com/Help/EnterpriseConsole/index.htm#3382.htm
When creating the Role, add the LDAP path for the Role as explained in the following linked article: http://my.spirion.com/Help/EnterpriseConsole/index.htm#3458.htm
When creating any Role, please ensure the Role has the appropriate General Permissions and Tag Permissions.