Domains | Active Directory & SSO Settings

This section is common to all editions of IT360 - Professional Edition, Enterprise Edition [Central Server only], MSP Edition [Central Server only]

IT360 integrates with your Active Directory environment. As a first step, IT360 discovers all the Windows domains that are reachable. You may enable AD Authentication for logging into IT360, and you may additionally enable the Single Sign On [SSO] option. With SSO enabled, the user's logon to the Windows system is authenticated by AD, and that same logon automatically authorises the user to log into IT360 with the Read-Write permissions allocated to them. Thus, if you have logged into the Windows system using your domain account, you need not separately sign in to IT360.

Note:

  1. As the first step, the applicable Domain User Accounts should have been added.

  2. A prerequisite to enabling SSO is that you should have enabled AD Authentication.

Importing Users from AD into IT360 helps you in automatically configuring Requesters for the servicedesk module.


This section discusses the following:

  1. Windows Domain Configuration

  2. AD & SSO Settings

    1. Active Directory Authentication

    2. Single Sign on

    3. Importing Users from Active Directory

  3. AD Single Sign-On - Video

Windows Domain Configuration

Active Directory Authentication, Single Sign On and importing users from Active Directory all require Windows domains to be added first; IT360 discovers all the Windows domains that are reachable. The domains added here are listed throughout the configuration of AD & SSO settings, wherever a domain has to be chosen.

Steps to Add a Domain

  1. Login to IT360 console with the Username and Password of an Admin user.

  2. Click the Admin tab in the header pane.

  3. Click AD & SSO Settings under User Management.

  4. In the Domains wizard displayed, click the Add button. In the Add Domain wizard displayed, configure the below details:

    1. Specify the Domain Name in the given field. For example, Acme. This is a mandatory field, which uniquely identifies the domain in the network.

    2. Specify the Domain Controller Name. This is the host name of the domain controller; the organizational units are listed only if the domain controller name is provided. For example, winkmaster.

    3. Specify the User name. This is the login name of the account IT360 uses to read the domain. For example, Administrator. Discovering the domain and listing its OUs and users only needs read access to the directory, so a dedicated, least-privileged domain account is preferable to a Domain Admin account, since IT360 keeps these credentials for later use.

    4. Specify the Password for the user.

  5. Click Add. You can see the domain getting listed in the Domain View List. Also, the new domain gets added to all the Domain Name fields throughout the configuration process of AD & SSO settings, wherever applicable.

In the Domain View List, the Status of only those domains whose users have been imported from Active Directory is displayed as "IMPORTED". The Status of the other domains is displayed as "NOT IMPORTED".

 


AD & SSO Settings

Active Directory Authentication

Using AD Authentication allows users to log in to IT360 with their AD domain password. Note that this is different from Single Sign On. With SSO, you use the AD domain password to log in to the Windows system, and that logon also lets you into IT360. When only AD Authentication is enabled and SSO is not, you log in twice: once to the Windows system, and again to IT360 using the AD domain password.

Enabling Active Directory Authentication

  1. Login to IT360 console with the Username and Password of an Admin user.

  2. Click the Admin tab in the header pane.

  3. Click AD & SSO Settings under User Management.

  4. Click the AD & SSO tab. The AD & SSO wizard is displayed.

  5. Check the Enable Active Directory Authentication checkbox.

  6. Also check the Select Default Domain checkbox if you want one of the added domains to be the default domain for AD Authentication, and select that domain from the dropdown. (In this dropdown, only those domains whose users have already been imported are listed.)

  7. Click Save.


Single Sign on [SSO]

Using SSO helps you log in once [to the windows system] and gain access to IT360 without a need to give username / password separately. You can configure the SSO details by choosing the Domain, for which SSO should be enabled.

IT360 also requires a Computer Account in the domain to perform the authentication, so you need to create one in the Domain Controller. The Computer Account must be created with a specific password; IT360 uses it as a service account to connect to the NETLOGON service on an Active Directory Domain Controller.

Important:

  1. The SSO will work for a Single AD Forest alone.

  2. A Computer Account must be available / created, and a regular User account will not work.

  3. The IT360 server should reside in the same domain for which SSO has to be enabled. For example, if you would like to configure SSO for a domain 'ORGANIZATION', then the IT360 host server should be a member of that domain, and the firewall on the domain controller has to allow the IT360 server through. Otherwise, the Computer Account might not be created properly. However, you can create the Computer Account manually too.

  4. Make sure that ports 53 (DNS) and 445 (SMB/CIFS) on the Domain Controller are reachable from the IT360 server, to enable AD-SSO.

Enabling Single Sign On [SSO]

  1. Login to IT360 console with the Username and Password of an Admin user.

  2. Click the Admin tab in the header pane.

  3. Click AD & SSO Settings under User Management.

  4. Click the AD & SSO tab. The AD & SSO wizard is displayed.

  5. Check the Enable Active Directory Authentication check box.

  6. Check the Enable Single Sign On check box.

  7. In the SSO Details section that appears, choose the Domain Name. (In this dropdown, only those domains whose users have already been imported are listed.)

  8. Provide the Bind String.

  9. Provide the Computer Account name and its Password.

  10. If the Computer Account has already been created in the domain controller, enter that name and its correct Password. If you want IT360 to create a fresh Computer Account with these details instead, check the Create this computer account in the domain check box. (Jespa also contains a script to set the password on a Computer Account; see Steps to create the computer account below.)

  11. Click Save.

Steps to create the computer account

If IT360 has any problem in creating the Computer Account, it can be created manually too, by following the steps below:

  1. Copy the scripts available under '<IT360>/scripts/*.vbs' to the Domain Controller machine.

  2. If a Computer Account is already present and you wish to change its password, simply reset the password. However, these scripts work only for accounts present under the container 'Computers'. If the account is under a different OU, the scripts will not work.

    1. Creating a Computer Account:

    This task can be done by the script 'ManuallyCreateComputerAccount.vbs', available in '<IT360>/scripts'. Copy this script to the AD server. Open a command prompt on the AD server, browse to the location where the script is saved, and then execute the command mentioned below:

    'cscript ManuallyCreateComputerAccount.vbs ComputerAcctName /p password /d DomainName'

    Example: 'cscript ManuallyCreateComputerAccount.vbs accountname /p pass /d ORGANIZATION'

    2. Resetting the password:

    This task can be done by the script 'SetComputerPass.vbs', available in '<IT360>/scripts'. Copy this script to the AD server. Open a command prompt on the AD server, browse to the location where the script is saved, and then execute the command mentioned below:

    'cscript SetComputerPass.vbs ComputerAcctName /p password /d DomainName'

    Example: 'cscript SetComputerPass.vbs accountname /p pass /d ORGANIZATION'

    Note that both scripts take the password as a command-line argument (/p), so it is visible to other local users in the process list while the script runs and may be kept in shell history. Use a strong, unique password, and enter the same password in the SSO Details section of IT360.

For SSO, IT360 makes use of a third party library named 'Java Enterprise Security Provider Authority' (Jespa), which provides advanced integration between the Microsoft Active Directory and Java applications. Jespa NTLM security provider validates credentials using the NETLOGON service, just as a Windows server. To facilitate this, a Computer Account must be created.
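The requirements above (a real computer object rather than a user account, ports 53 and 445 on the domain controller reachable from the IT360 server, and the bundled .vbs scripts only handling the 'Computers' container) can be checked and satisfied from PowerShell. The script below is an added example written for this page; it is not an IT360 or Jespa script. It uses the Microsoft ActiveDirectory module (run it on the domain controller, or on a domain-joined host with RSAT, as an account allowed to create computer objects in the target OU). The domain controller name, account name and OU path are assumptions for illustration; it goes beyond the page's scripts in that it can place the account in any OU and prompts for the password instead of taking it on the command line.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example for this page; not an IT360 or Jespa script.
  Creates (or resets the password of) the Computer Account that IT360/Jespa uses
  for AD-SSO, after checking that the domain controller is reachable on the ports
  the page lists. Assumptions (not from the page): the default DC name, account
  name and OU path below.
#>
param(
    [string]$DomainController = 'winkmaster.organization.local',               # assumed DC FQDN
    [string]$AccountName      = 'it360sso',                                     # computer name, without the trailing '$'
    [string]$TargetOU         = 'OU=Service Accounts,DC=organization,DC=local'  # assumed OU
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. DNS (53) and CIFS/SMB (445) on the domain controller must be reachable from the IT360 server.
foreach ($port in 53, 445) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP port $port on $DomainController is not reachable; open it on the DC firewall before enabling SSO."
    }
}

# 2. Take the password interactively so it never appears on a command line or in process listings
#    (the page's cscript examples pass it as the /p argument).
$samAccountName = $AccountName + '$'
$password = Read-Host -Prompt "Password for computer account $samAccountName" -AsSecureString

# 3. Create the computer object if it does not exist (in $TargetOU, not only the 'Computers' container);
#    otherwise reset its password so it matches what is entered in IT360's SSO Details.
$existing = Get-ADComputer -LDAPFilter "(sAMAccountName=$samAccountName)" -Server $DomainController
if ($null -eq $existing) {
    New-ADComputer -Name $AccountName -SamAccountName $samAccountName -Path $TargetOU `
        -AccountPassword $password -Enabled $true -Server $DomainController `
        -Description 'IT360 AD-SSO service account (Jespa, NETLOGON)'
} else {
    Set-ADAccountPassword -Identity $existing -NewPassword $password -Reset -Server $DomainController
}

# 4. Show the result so the name, location and password timestamp can be checked against the IT360 settings.
Get-ADComputer -Identity $samAccountName -Server $DomainController -Properties PasswordLastSet |
    Select-Object Name, SamAccountName, DistinguishedName, Enabled, PasswordLastSet
```

Save it as a .ps1 file and run it once per domain for which SSO is enabled; the name you enter in the IT360 Computer Account field is the value of $AccountName, and the password is the one typed at the prompt. Keep the account's description and OU documented, since a computer account that can validate credentials through NETLOGON is a credential of its own and should be treated like any other service account.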

Browsers and SSO

The IE browser supports SSO by default. For SSO in Firefox, do the following:

    1. Open a Firefox browser, enter the URL 'about:config' and hit 'Enter'. You see a big list of settings.

    2. In the filter, type 'ntlm' to find the setting 'network.automatic-ntlm-auth.trusted-uris'. Double click that entry and enter the IT360 Console server URL in the text field (<protocol>://<IT360Console>:<port>). Firefox performs automatic NTLM authentication with the logged-on user's credentials only against the sites listed here, so list just the IT360 console, not a whole domain.

      • To find the port, open the conf file <IT360>/conf/port.properties

      • Note the value against the parameter 'Console' (by default 8100)

      • Construct the URL based on this, e.g. http://it360-server:8100 or https://it360-server:8100

    3. Look for the setting 'network.ntlm.send-lm-response'. Double click the entry to change it from its default setting of 'False' to 'True'. The LM response is a legacy, weak form of the NTLM challenge response (it is derived from the LM hash, which is case-insensitive, limited to 14 characters and can be cracked offline from a captured exchange), so enable it only if SSO does not work without it, and prefer reaching the console over HTTPS so the exchange is not exposed on the network.
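Editing about:config on every workstation by hand does not scale and leaves the trusted list editable by the user. As an added example (not from the IT360 documentation or product), the following PowerShell script generates a Firefox enterprise policy file that applies the same trusted-URI setting from the steps above and locks it. It is meant to run on the IT360 server, where the console port can be read from port.properties as the page describes; the resulting file is then copied to <Firefox install directory>\distribution\policies.json on the workstations. The IT360 install path and console host name are assumptions. It deliberately leaves network.ntlm.send-lm-response at its default.

```powershell
<#
  Added example for this page; not part of the IT360 documentation or product.
  Builds a Firefox policies.json that trusts only the IT360 console for automatic
  NTLM authentication. Assumptions (not from the page): the IT360 install path
  and the console host name below.
#>
param(
    [string]$It360Home   = 'C:\ManageEngine\IT360',             # assumed <IT360> directory
    [string]$ConsoleHost = 'it360-server.organization.local',   # assumed; use the name users type in the browser
    [string]$OutFile     = (Join-Path $PWD 'policies.json')     # copy this to <Firefox>\distribution\policies.json
)

# Read the 'Console' port from <IT360>/conf/port.properties; the page gives 8100 as the default.
$port = 8100
$propsFile = Join-Path $It360Home 'conf\port.properties'
if (Test-Path $propsFile) {
    $line = Get-Content $propsFile | Where-Object { $_ -match '^\s*Console\s*=' } | Select-Object -First 1
    if ($line -and $line -match '=\s*(\d+)\s*$') { $port = [int]$Matches[1] }
}

# Trust exactly the console URLs in the form the page uses, <protocol>://<IT360Console>:<port>.
# A bare domain entry would make Firefox send the user's NTLM credentials to every host in it.
$consoleUrls = @("http://${ConsoleHost}:${port}", "https://${ConsoleHost}:${port}")

$policy = @{
    policies = @{
        Authentication = @{
            NTLM   = $consoleUrls
            Locked = $true   # users cannot widen the trusted list from about:config
        }
    }
}

# Write UTF-8 without a byte-order mark, as a JSON file should be.
$json = $policy | ConvertTo-Json -Depth 5
[System.IO.File]::WriteAllText($OutFile, $json, [System.Text.UTF8Encoding]::new($false))
Write-Host "Wrote ${OutFile}:`n$json"
```

After the file is in place and Firefox is restarted, the applied policy is visible under about:policies, and network.automatic-ntlm-auth.trusted-uris shows as locked in about:config. IE needs no such step, as the page notes.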

Scheduling AD User import

  1. In the AD & SSO wizard, enable the check box Schedule AD Import every xxx days.

  2. Enter the frequency of AD User import in Days in the appropriate column.

  3. Click Save.


Importing Users from Active Directory

A simpler way of adding users to IT360 is to import them from Active Directory. Users from the selected Domain are added to the IT360 Database. Subsequent syncs with AD add new users and update existing users with any changes. The IT360 user database is automatically synchronized with AD, if configured appropriately.

Enabling AD User import

You can enable user import from active directory in two ways; from the User Management wizard or from the Active Directory Configuration wizard.

1. From User Management wizard:

  1. Login to IT360 console with the Username and Password of an Admin user.

  2. Click the Admin tab in the header pane.

  3. Click Users under User Management.

  4. In the wizard displayed, click the Import from AD link. The Import Users from Active Directory window pops up.

2. From Active Directory Configuration wizard:

  1. Login to IT360 console with the Username and Password of an Admin user.

  2. Click the Admin tab in the header pane.

  3. Click AD & SSO Settings under User Management.

  4. Click the AD & SSO tab. The AD & SSO wizard is displayed.

  5. Click the Import Users from Active Directory link. The Import Users from Active Directory window pops up.

3. Now, in the Import Users from Active Directory pop up window, enter the following details:

    1. Choose the Domain Name from the drop down that lists all the available IT360 domains, which were already created. The Domain Name corresponds to the place, where the Active Directory, from which the users are to be imported is installed. In addition, you may also add a new domain manually [by clicking on the + sign, present adjacent to the Domain Name field]

    2. Enter the name of the Domain Controller, Login Name and the exact Password, in the respective text boxes. You have the option to reset the password if required.

    3. You may optionally select other fields to import

    4. Click on Import. This leads you to the next wizard that displays the available OUs.

    5. Select the OUs from which the Users need to be imported. [If you want to get the latest OUs from the AD, you may use the option Fetch OUs from Active Directory again]

    6. You can enable the checkbox 'Notify users with login credentials' to send E-mail notification, along with the relevant Login Credentials, to all the newly imported users. You can disable the checkbox, if no e-mail notification is required.

    7. Click Import.

Note: You need to Configure Mail Server Settings, before synchronizing users from the Active Directory to send E-mail notifications.

Changing the default Role of the imported AD Users

All users imported through Active Directory are imported as 'HelpDeskRequesters' only. You need to assign Roles to them later. To assign a different role, do the following:

    1. Login to IT360 console with the Username and Password of an Admin user.

    2. Click the Admin tab in the header pane.

    3. Click Users under User Management.

    4. Choose HelpDesk Requestors from the Filter dropdown. All the HelpDesk Requestors are listed.

    5. Enable the checkbox(es) against the required Requestor(s).

    6. Select the Role for this user from the Assign Role dropdown menu on the top of the Requesters List.

Now, the chosen Role is assigned to the HelpDesk Requestor and a success message is displayed as "Successfully assigned user(s) to role".

Unscheduled AD User import [Sync Now option]

If you do not want to schedule a periodic AD sync, or you want to disable the periodic AD sync already configured and would rather sync with the AD users only when needed, you can do so as per the steps given below:

  1. Login to IT360 console with the Username and Password of an Admin user.

  2. Click the Admin tab in the header pane.

  3. Click AD & SSO Settings under User Management.

  4. Click the AD & SSO tab. The AD & SSO wizard is displayed.

  5. Click the link Import Users from Active Directory. A window pops up.

  6. Do not change any values in the pop up. Click Import.

AD User sync is done.

AD Single Sign-On - Video

 



Copyright © 2014, ZOHO Corp. All Rights Reserved.