Connecting to an Active Directory

Majid Latif

Introduction

Windows Active Directory is the mainstay user directory in most businesses. This article shows how to connect your on-premise Active Directory to your cloud tenant so that your users can manage their account from the cloud.

Important Prerequisites 

SSL-Enabled Active Directory

LogonBox is a security product and takes security very seriously: all communications between the LogonBox server and your Active Directory are done over SSL, which ensures all passwords and actions are secured. If you do not have SSL set up yet, the article Enable SSL on AD covers setting up a simple self-signed SSL certificate for your Active Directory.

Cloud-Only Tenants

In order for your cloud tenant to locate your Active Directory, the directory needs to be visible to the tenant. This depends on whether the directory is located on the same network as your cloud tenant (if you have hosted your own LogonBox server) or whether you are using our own cloud servers. If you have signed up using our cloud service, you will need to install a secure node agent in your own network, which provides a dedicated callback connection to our service without any firewall changes, as documented in the article titled Installing a secure node agent.

Step 1 - Create Directory

Whilst managing the tenant realm, navigate to Users & Permissions and select Configure User Database located at the top of the User table. 

From the form that opens up select Realm Type as Active Directory.

Step 2 - Configuring your standard AD Settings

With the correct realm type selected, the next step requires the Active Directory settings to be configured.

There are two top-level tabs available: Standard and Advanced. Step 2 concerns all the settings in Standard.

Step 2a - Connection

You will need to provide the following information:

  • Hostname - the hostname or IP address of the domain controller you want to get users from.
  • Domain - fully qualified domain name of your AD domain.
  • Service Username - the service account username that will make the connections to AD to get the list of users/groups. Note that this account needs to be either an AD administrator or have delegated rights on AD to edit user objects in order for Hypersocket to be able to create new AD accounts.
  • Service Password - the password for the above user.

If you are happy for your tenant to synchronize with these settings, press Update. If everything is correct the details will be saved and the first synchronisation with your Active Directory will begin; you will see a green status message, "reconciling with directory", and once it completes a similar message, "reconcile finished successfully", will be shown.

Step 2b - Restricting Synchronization by OU

With the core Active Directory settings configured, your tenant will begin synchronizing all users from your AD. If you wish to limit these to a subset, you can do so under the OU Filter tab.

Settings here are:

  • Include BuiltIn Groups: Include groups from the CN=Builtin AD container. Set this to ON if you want to import AD groups such as Users, Guests or Administrators.
  • Include Default Users: Include users and groups from the CN=Users container. Set this to ON if you want to import AD groups such as Domain Users or the AD administrator user account. Note that for both this setting and the one above it may be best to set them to OFF, which saves importing around 50 items that you may not use.
  • Base DN: The base DN that you want to use for this realm. You can use this to further filter any users by only looking at any objects from this Base DN and down. You may leave this blank or add in the DC=yourdomain,DC=domain root DN if you do not wish to filter users in this way.
  • Include OUs: The names of any OUs (in DN format) that you only want to import users and groups from. Type in the OU name and press enter or click the plus icon to add the filter.
  • Exclude OUs: The names of any OUs (in DN format) that you wish to exclude from importing from. Type in the OU name and press enter or click the plus icon to add the filter.

Note that OUs can be entered either with a fully qualified DN, or just the part of the DN without the Base DN (the Base DN relating to the setting you entered for Domain in the first tab).

For example, both of these are valid on our test system:

  • OU=Test Accounts
  • OU=Test Accounts,DC=hypersocket,DC=local

The Exclude OU filter will run after the Include filter, so this can be used to exclude a subset of OUs.

In the above example, Test Users is included while its sub-OU Disabled Accounts is excluded from the import.

Step 2c - Principal Filter

The Principal Filter tab works in a similar way to the Exclude OU filter, but for ignoring specific usernames and groups. Just type in the username or group you wish to exclude from the reconcile and press Enter or click the plus icon.
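The following is an added example, not LogonBox's own code: a small model of how the OU Include and Exclude filters (Step 2b) and the Principal Filter (Step 2c) narrow a reconcile, including the rule that an OU may be given fully qualified or relative to the Base DN and that Exclude runs after Include. The entries, names and DNs are constructed for illustration.

```python
# Added example, not LogonBox's own code: models the OU Include/Exclude
# filters and the Principal Filter described above. Sample entries are
# constructed; the DN layout mirrors the hypersocket.local test domain.
from typing import List, Tuple

BASE_DN = "DC=hypersocket,DC=local"

# Constructed sample directory entries: (sAMAccountName, distinguishedName).
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("alice", "CN=alice,OU=Test Accounts,DC=hypersocket,DC=local"),
    ("bob", "CN=bob,OU=Disabled Accounts,OU=Test Accounts,DC=hypersocket,DC=local"),
    ("carol", "CN=carol,OU=Sales,DC=hypersocket,DC=local"),
    ("svc-sync", "CN=svc-sync,OU=Test Accounts,DC=hypersocket,DC=local"),
    ("Administrator", "CN=Administrator,CN=Users,DC=hypersocket,DC=local"),
]


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def qualify(ou: str, base_dn: str) -> str:
    """Accept an OU either fully qualified or relative to the Base DN."""
    ou, base = normalize_dn(ou), normalize_dn(base_dn)
    return ou if ou == base or ou.endswith("," + base) else ou + "," + base


def under(dn: str, container: str) -> bool:
    """True if dn is the container itself or lies anywhere beneath it."""
    dn, container = normalize_dn(dn), normalize_dn(container)
    return dn == container or dn.endswith("," + container)


def filter_principals(entries, base_dn, include_ous=(), exclude_ous=(), excluded_names=()):
    """Return the names that survive the Base DN, Include, Exclude and Principal filters."""
    skip = {n.lower() for n in excluded_names}
    kept = []
    for name, dn in entries:
        if not under(dn, base_dn):
            continue  # outside the Base DN entirely
        if include_ous and not any(under(dn, qualify(ou, base_dn)) for ou in include_ous):
            continue  # an Include list is set and this entry is in none of its OUs
        # Exclude runs after Include, so a sub-OU of an included OU can still be dropped.
        if any(under(dn, qualify(ou, base_dn)) for ou in exclude_ous):
            continue
        if name.lower() in skip:
            continue  # Principal Filter: ignore specific usernames or groups
        kept.append(name)
    return kept
```

Running it with Include "OU=Test Accounts", Exclude "OU=Disabled Accounts,OU=Test Accounts,DC=hypersocket,DC=local" and the principal "svc-sync" filtered out leaves only alice, which is the Test Accounts / Disabled Accounts case the text walks through.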

Step 3 - Advanced Settings

The configuration items below are not necessary to get your Active Directory connected and syncing with your tenant; however, they may be useful for those who wish to add a little more control.

Click on the Advanced link above the tabs to see the advanced settings.

Step 3a - Advanced

The first tab contains some advanced settings that should in most cases not need to be altered. These settings are:

  • Protocol: Can be changed from SSL to Plain. Note, though, that only SSL connections allow users to be updated and their passwords reset, so this should be left as SSL unless you want a read-only experience.
  • Authentication: Options are LDAP and NTLM. The default LDAP setting should be the most compatible setting.
  • Backup Controllers: You can add a list of other AD servers that LogonBox will contact if the primary server is not accessible.
  • Follow Referrals: Follows referrals to other domains in the forest (useful for importing users from child domains).
  • Connect Timeout: The number of milliseconds to wait for a response when making a connection to the AD server.
  • Read Timeout: The number of milliseconds to wait for a response on a read operation from the AD.
  • Page Size: The AD returns users in blocks of users called pages. The default of 1000 is fine in most cases.

Step 3b - Reconcile

The Reconcile tab contains settings relating to how LogonBox reconciles your users. The settings here are:

  • Rebuild Cache: By default, reconciles will only handle any changes to users or groups to keep things quick. Setting this option to ON will perform a full reconcile of every item and is generally used in certain troubleshooting cases. Defaults to OFF.
  • Purge Duplicates: On rare occasions, with an out-of-date cache, duplicate users may be created. Set this to ON to purge any duplicates on the next reconcile. Defaults to OFF.
  • Cache Passwords: Create a one-way hash of the password and store it on LogonBox so that subsequent authentication attempts do not need to contact AD. Recommended to keep this set to OFF.
  • Reconcile at Login: If set to ON, perform a reconcile on the user's account when they log on to pull in any changes immediately. Defaults to OFF, which should give best user performance.