You can create an on-premises directory to sync users and groups from your Active Directory to Identity as a Service.
Note: If you currently use an on-premises directory to sync users and groups from Microsoft Entra ID, Entrust recommends that you instead configure an Azure Directory (see Configure an Azure Directory (Preview)).
The Directory Sync agent is an on-premises application that is part of an Identity as a Service Gateway; it automatically imports user and group information from your Active Directory server. The Directory Sync agent periodically queries your AD server so that new user and group information is added to Identity as a Service automatically.
When you configure an on-premises directory, you can add multiple directory servers for failover in case a directory cannot be reached.
Attention: Depending on the configuration of the domain controller, when you change your password due to it being in a Change Required or Expired state, the old password can remain active for a period of time (default 1 hour). See the following for more details: https://support.microsoft.com/en-us/help/906305/new-setting-modifies-ntlm-network-authentication-behavior.
For Enterprise Service Gateways prior to 5.3, only the first directory server in the list is used.
Attention: Once you configure a directory and associate it to a gateway through the directory sync agent, the synchronization begins immediately. If you configure a directory without Group Filter values, every user identified in your corporate directory is imported into Identity as a Service immediately after the directory setup is complete. All user groups are also imported if no Group Filters are set.
The following table shows the Active Directory user roles and supported permissions.
| SI No. | Role | User Sync | Group Sync | Password Change | Password Reset |
|---|---|---|---|---|---|
| 1 | Global Administrator | Yes | Yes | Yes | Yes |
| 2 | User Administrator | Yes | Yes | Yes | Yes |
| 3 | Global Reader | Yes | Yes | No | No |
| 4 | Directory Reader | Yes | Yes | No | No |
The following are Active Directory Domain user roles:
Domain Administrator—Users with this role can connect with IDaaS with write permissions and can perform User synchronization, Group synchronization, Password Reset, and Password change.
Domain User—Users with this role can connect with IDaaS with read only permissions and can perform User synchronization and Group synchronization but not Password Reset and Password change.
When synchronizing users from AD, if synchronization is configured to synchronize all groups, then all users will have a group in common.
If an administration role is configured with OWN group access then an administrator that was synchronized will have that same group in common and will be able to administer all users that were synchronized.
If you want administrators to not have access to all synchronized users, you can do one of the following:
Configure synchronization to synchronize only groups that match the group filter and do not include a group that is common to all users in AD in your group filter. This allows you to have an administrator role with access to OWN groups.
Configure an administrator role that has access to DEFINED groups and do not include groups that are common to all users.
Add an on-premise directory
Click > Resources > Directories. The Directories List page appears.
Click and select On-premises Active Directory from the drop-down list. The Add Directory page appears.
Set the connection settings.
In the Connection Settings section, do the following:
In the Directory Name field, enter a name for your directory.
In the Root Domain Naming Context field, enter the full DN of the AD server.
Example: DC=AnyCorp,DC=biz
In the Username field, enter the name used to administer your directory in LDAP format. The user name can be a fully distinguished name or UPN. For example, CN=Administrator,CN=Users,DC=AnyCorp,DC=biz or Administrator@AnyCorp.biz.
In the Password field, enter your directory account password.
Add Directory Servers.
Click Add to add Directory Servers. The Directory Server dialog box appears.
In the Hostname field, enter the host name of the AD server. The value can be either a hostname or an IP address.
In the Port field, enter the port the directory communicates on.
Optional: Select Use SSL if you want secure communication to the directory. While optional, it is highly recommended that you use an SSL connection.
Note: Identity as a Service supports the .cer and .pem SSL certificate extension types. It does not support the .p7b extension.
If you select Use SSL you are prompted to upload your SSL certificate.
Click in the box, browse to select SSL certificate, and click Open.
Click Add to add your directory server.
Repeat these steps to add additional directory servers for failover.
Note: A warning indicator next to the directory server connection indicates that SSL is not being used.
To edit the Directory Server information, click the row of the server you want to edit. The Edit dialog box appears. Make your changes and click Edit.
Click and drag to change the order of the Directory Servers used for failover. For Enterprise Service Gateways prior to 5.3, only the first directory server in the list is used.
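As an added example (not Entrust's code) of checking the Connection Settings and Directory Server values described above before saving them: it accepts a Username in either of the two formats the page allows (a distinguished name or a UPN), requires the Root Domain Naming Context to consist of DC components only, flags a server added without Use SSL, and verifies that an uploaded certificate is an X.509 certificate in PEM or DER form rather than a PKCS#7 (.p7b) bundle, which the page says is not supported. The format check looks at the file content, not the extension, so a .cer file that actually contains a PKCS#7 bundle is caught. The certificate byte strings are constructed stubs, not real certificates.

```python
"""Validate on-premises directory connection settings before saving.

Added example, not Entrust code. Bind-identity and naming-context checks
follow the formats given on the page; the certificate check distinguishes
PEM (text header), DER X.509 (outer SEQUENCE whose first element is the
tbsCertificate SEQUENCE) and DER PKCS#7 (outer SEQUENCE whose first element
is the contentType OBJECT IDENTIFIER). Sample bytes below are constructed.
"""
import re

DN_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")
UPN = re.compile(r"[^@\s,=]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def bind_identity_kind(value: str) -> str:
    """Return 'dn', 'upn' or 'invalid' for the Username field."""
    v = value.strip()
    if "=" in v and all(DN_COMPONENT.match(p.strip()) for p in v.split(",")):
        return "dn"
    if UPN.fullmatch(v):
        return "upn"
    return "invalid"


def is_root_naming_context(value: str) -> bool:
    """Root Domain Naming Context is DC components only, e.g. DC=AnyCorp,DC=biz."""
    parts = [p.strip() for p in value.split(",")]
    return len(parts) >= 2 and all(re.fullmatch(r"(?i)dc=[a-z0-9-]+", p) for p in parts)


def _der_header(buf: bytes, pos: int):
    """Parse a DER tag and length at pos; return (tag, offset of the content)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:            # long form: low 7 bits = number of length bytes
        pos += length & 0x7F
    return tag, pos


def certificate_format(data: bytes) -> str:
    """Return 'pem', 'der', 'pkcs7' or 'unknown' for an uploaded certificate file."""
    if b"-----BEGIN PKCS7-----" in data:
        return "pkcs7"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if len(data) < 4 or data[0] != 0x30:
        return "unknown"
    try:
        _, inner = _der_header(data, 0)
        inner_tag, _ = _der_header(data, inner)
    except IndexError:
        return "unknown"
    if inner_tag == 0x30:        # SEQUENCE -> tbsCertificate -> X.509
        return "der"
    if inner_tag == 0x06:        # OBJECT IDENTIFIER -> PKCS#7 ContentInfo
        return "pkcs7"
    return "unknown"


def validate_connection(directory_name, root_context, username, use_ssl, cert_bytes=b""):
    """Return a list of problems; an empty list means the settings look sane."""
    problems = []
    if not directory_name.strip():
        problems.append("Directory Name is empty")
    if not is_root_naming_context(root_context):
        problems.append("Root Domain Naming Context must look like DC=AnyCorp,DC=biz")
    if bind_identity_kind(username) == "invalid":
        problems.append("Username must be a DN or a UPN")
    if not use_ssl:
        problems.append("Use SSL is off: directory traffic is unencrypted")
    elif certificate_format(cert_bytes) not in ("pem", "der"):
        problems.append("SSL certificate must be X.509 in .cer/.pem form; .p7b is not supported")
    return problems


# Constructed stubs: only the leading ASN.1 structure matters for the check.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x30\x82\x00\xf0" + b"\x00" * 16
SAMPLE_P7B = b"\x30\x82\x01\x00" + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_connection("Corp AD", "DC=AnyCorp,DC=biz",
                              "Administrator@AnyCorp.biz", True, SAMPLE_DER))
    print(validate_connection("Corp AD", "DC=AnyCorp,DC=biz",
                              "CN=Administrator,CN=Users,DC=AnyCorp,DC=biz", True, SAMPLE_P7B))
```

The PKCS#7 OID bytes in SAMPLE_P7B encode 1.2.840.113549.1.7.2 (signedData), which is what a .p7b bundle carries as its contentType; the parser does not decode the OID, it only needs to see that the first element is an OBJECT IDENTIFIER rather than a SEQUENCE.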
In the SearchBases & Group Filters section, specify which users and groups are synchronized. These settings are optional.
Optional: Enter the Root Domain Naming Context (for example, DC=AnyCorp,DC=biz). SearchBases are combined with your Root Domain Naming Context. For example, the SearchBase DC=Users would combine with the Root Domain Naming Context DC=AnyCorp,DC=biz to form DC=Users,DC=AnyCorp,DC=biz.
If you do not specify any SearchBases then all search bases under the root context are searched for users.
If you do specify SearchBases, then only those search bases under the root context are searched for users.
Click Add to add SearchBases.
When specifying a SearchBase, Include Subtree is selected by default. When Include Subtree is selected, all subtrees under your SearchBase are searched for users. Click the option to exclude the subtree. When Exclude Subtree is selected, only entries immediately in your SearchBase are searched. For example, with Include Subtree selected, if you have SearchBase ou=department with subtrees ou=sales and ou=marketing, then all users in ou=department and in the subtrees ou=sales and ou=marketing are synchronized.
Click Add to add more SearchBases.
Optional. Under Group Filters, click Add.
In the Group Filter field enter the name of the group that you want to filter. For example, enter Sales to sync all users in the Sales Department. By default all groups are synchronized.
Note: If there are no group filters set, all users are imported. If there is more than one group filter set, the user must belong to one of the groups identified by the group filters. Only enter one value per Group Filter text box.
Optional: Click Add to add more group filters.
Set the attribute mappings.
In the Attributes Mappings section, map directory attributes in your Active Directory to Identity as a Service attributes. You must at a minimum map the mandatory system attributes. They are flagged with an asterisk (*).
The Security ID is an optional system attribute that uniquely identifies users in a Microsoft Windows environment. The attribute is automatically assigned the value ObjectSID. Do not change this value.
Optional: Add or modify the attributes. (See Create and manage user attributes).
Note: Once a user is synchronized from AD, the user is read-only in Identity as a Service and an administrator cannot manually update the attribute. In addition, mandatory attributes must be populated. If there is no value, then the user will not be synchronized.
Optional: To configure your directory for AD LDS, enter msDS-UserAccountDisabled=True as the State attribute value. This setting specifies the required directory attribute and potential value. Entering msDS-UserAccountDisabled=True disables the user account.
Configuring your directory for AD LDS allows for directories other than Active Directories to be used on Identity as a Service, including Entrust Identity Enterprise. It also supports directory synchronization and directory password authentication.
Note: This step is recommended for most AD LDS directories that have disabled users with the msDS-UserAccountDisabled set to True. By configuring the Identity as a Service user with the value set to True, the user is synchronized in the disabled state. Configure this setting differently if your directory settings contain a different attribute and attribute value that indicates that a user is disabled.
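The SearchBase, Group Filter and attribute rules from the sections above, together with the administrator-scope caveat earlier on this page, as an added Python simulation that is not Entrust code: SearchBases are appended to the Root Domain Naming Context, Include Subtree matches the whole subtree while Exclude Subtree matches only entries directly in the SearchBase, Group Filters are OR-ed with an empty list meaning every user, a user with an empty mandatory attribute is skipped, and an entry whose State attribute equals msDS-UserAccountDisabled=True is synchronized in the disabled state. The mandatory attributes (sAMAccountName and mail), the DN-suffix matching logic and all directory entries are assumptions constructed for the example; `groups_common_to_all` shows why a filter on a group that every user belongs to lets an administrator with OWN group access administer everyone.

```python
"""Simulate which Active Directory entries a directory sync would select.

Added example, not Entrust code. It models the SearchBase, Group Filter,
mandatory-attribute and State-attribute rules described on the page.
Mandatory attributes and all entries below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

ROOT_CONTEXT = "DC=AnyCorp,DC=biz"
MANDATORY_ATTRS = ("sAMAccountName", "mail")            # assumed mappings
STATE_ATTR, STATE_VALUE = "msDS-UserAccountDisabled", "True"


@dataclass
class SearchBase:
    rdn: str                       # e.g. "OU=Department"
    include_subtree: bool = True   # False = Exclude Subtree

    def dn(self, root: str = ROOT_CONTEXT) -> str:
        # SearchBase is combined with the Root Domain Naming Context
        return f"{self.rdn},{root}"


def dn_parts(dn: str) -> list[str]:
    """Split a DN into normalized RDNs, most specific first."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(entry_dn: str, base: SearchBase) -> bool:
    """True if the entry lies under the SearchBase according to its subtree setting."""
    entry, root = dn_parts(entry_dn), dn_parts(base.dn())
    if len(entry) <= len(root) or entry[-len(root):] != root:
        return False
    # Exclude Subtree: only entries immediately in the SearchBase
    return base.include_subtree or len(entry) == len(root) + 1


def select_users(entries, search_bases, group_filters) -> dict[str, str]:
    """Return {sAMAccountName: 'active'|'disabled'} for entries that would sync."""
    selected = {}
    for e in entries:
        attrs = e["attrs"]
        if search_bases and not any(in_scope(e["dn"], b) for b in search_bases):
            continue                      # outside every SearchBase
        if group_filters and not any(g in e["groups"] for g in group_filters):
            continue                      # must be in at least one filtered group
        if any(not attrs.get(a) for a in MANDATORY_ATTRS):
            continue                      # empty mandatory attribute: not synchronized
        state = "disabled" if attrs.get(STATE_ATTR) == STATE_VALUE else "active"
        selected[attrs["sAMAccountName"]] = state
    return selected


def groups_common_to_all(entries, group_filters) -> set[str]:
    """Groups shared by every user the filter admits; with OWN group access an
    administrator in such a group can administer all synchronized users."""
    common = None
    for e in entries:
        if group_filters and not any(g in e["groups"] for g in group_filters):
            continue
        common = set(e["groups"]) if common is None else common & set(e["groups"])
    return common or set()


# Constructed sample directory (not real accounts).
ENTRIES = [
    {"dn": "CN=alice,OU=Sales,OU=Department,DC=AnyCorp,DC=biz",
     "groups": ["Sales", "Domain Users"],
     "attrs": {"sAMAccountName": "alice", "mail": "alice@anycorp.biz"}},
    {"dn": "CN=bob,OU=Marketing,OU=Department,DC=AnyCorp,DC=biz",
     "groups": ["Marketing", "Domain Users"],
     "attrs": {"sAMAccountName": "bob", "mail": "bob@anycorp.biz"}},
    {"dn": "CN=carol,OU=Department,DC=AnyCorp,DC=biz",
     "groups": ["Sales", "Domain Users"],
     "attrs": {"sAMAccountName": "carol", "mail": "carol@anycorp.biz",
               "msDS-UserAccountDisabled": "True"}},
    {"dn": "CN=dave,OU=Sales,OU=Department,DC=AnyCorp,DC=biz",
     "groups": ["Sales", "Domain Users"],
     "attrs": {"sAMAccountName": "dave", "mail": ""}},          # mandatory attr empty
    {"dn": "CN=svc-backup,OU=Service,DC=AnyCorp,DC=biz",
     "groups": ["Domain Users"],
     "attrs": {"sAMAccountName": "svc-backup", "mail": "svc@anycorp.biz"}},
]

if __name__ == "__main__":
    print("no scoping:", select_users(ENTRIES, [], []))
    print("OU=Department + Sales:", select_users(ENTRIES, [SearchBase("OU=Department")], ["Sales"]))
    print("Exclude Subtree:", select_users(ENTRIES, [SearchBase("OU=Department", False)], []))
    print("groups shared by all:", groups_common_to_all(ENTRIES, []))
```

Running it shows that with no SearchBases and no Group Filters every entry except dave (empty mandatory attribute) is synchronized and that Domain Users is common to all of them, which is the situation the administrator-scope caveat above warns about; narrowing to SearchBase OU=Department with a Sales filter yields only alice and the disabled carol.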
Set the synchronization settings.
In the Synchronization section, do the following:
From the Synchronization Agent drop-down list, select the Gateway Agent used to connect to the directory and sync users.
In the Page Size field, enter the number of results on a page. The minimum is 10 and the maximum is 1000.
In the Crawl Frequency field, enter the rate at which Active Directory (AD) is queried. The maximum is 24 hours (86400000 ms).
Note: To disable crawling, set the Crawl Frequency to 0. This feature is available with Gateways 5.4 or later. For Gateways prior to 5.4, the default setting of 1 hour is used.
Tip: Click the time unit (for example, hr) to choose whether to enter the Crawl Frequency in milliseconds, seconds, minutes, or hours.
In the User Object Class field, enter the object class names that define your users in your on-premise directory. For Active Directory users, the User Object Class is usually user, which is the Identity as a Service default value.
Depending on the type of directory you are configuring, valid values can include
user
userProxy
user,userProxy
user, userProxy
From the Group Synchronization drop-down list, select the groups that you want to add to Identity as a Service. Only groups with users synced to Identity as a Service are created. The group synchronization options include:
All groups—All groups from users synced to Identity as a Service are added.
Groups Matching Group Filter—Only groups matching the filter are added to Identity as a Service.
No Groups—No groups are added to Identity as a Service.
The Group Name Attribute is cn by default. This is the name of the attribute from which Identity as a Service obtains the group name.
Select the User Desynchronization Policy from the drop-down list. This policy determines what happens to user accounts in Identity as a Service that are no longer found in the directory or no longer match the filters. Options include:
Group removed from Identity as a Service to remove the group from IDaaS.
Group becomes a directory-localized Identity as a Service group to keep the group but change it to an unsynchronized group.
Click Add.
When synchronization completes, the new directory appears on the Directories List page.