Active Directory Configuration

This section is common to all editions of IT360: Professional Edition, Enterprise Edition [Central Server only] and MSP Edition [Central Server only].

IT360 integrates with your Active Directory environment. As a first step, IT360 discovers all the Windows domains that are reachable.

This section discusses the following:

  1. Active Directory Authentication

  2. Single Sign on

  3. Importing Users from Active Directory

You may enable AD Authentication for logging into IT360. You may also enable the Single Sign On [SSO] option. With SSO enabled, the login to the Windows system is authenticated by AD, and that login automatically authorises the user to log into IT360 with the Read-Write permissions allocated to them. Thus, if you have logged into the Windows system using your Domain Account, you need not separately sign in to IT360.

Note: A prerequisite to enabling SSO is that you should have enabled AD Authentication. Also, the applicable Domain User Accounts should have been imported into IT360.

Importing Users from AD into IT360 automatically configures them as Requesters for the servicedesk module.

Active Directory Authentication

Using AD Authentication allows the Users to use their AD Domain Password to log in to IT360. Note that this is different from Single Sign On. With SSO, you use the AD Domain password to log in to the Windows system, and that login also lets you into IT360. When SSO is not enabled and only AD Authentication is enabled, you need to log in twice: once to the Windows system and once to IT360 using the AD Domain password.

Note 1: AD Authentication works only for those Users who have been imported from the AD into the local database of IT360. For new users, AD Authentication takes effect once they are imported during the next AD sync. You can schedule the AD sync frequency in IT360.

Note 2: Ensure that at least one of the users imported from AD has the "Administrator" role.

Enabling Active Directory Authentication

1. Go to Admin - General - Active Directory [in the case of Professional Edition] and to Admin - Active Directory [in the case of Central Server of Enterprise Edition and Central Server of MSP Edition]

2. Enable the Active Directory Authentication check box

3. Click "Save"

Single Sign on [SSO]

Using SSO lets you log in once [to the Windows system] and gain access to IT360 without giving a username / password separately. You configure the SSO details by choosing the Domain for which SSO should be enabled.

IT360 also requires a Computer Account in the Domain Controller to perform the authentication. The Computer Account must be created with a specific Password; IT360 uses this account as a Service Account to connect to the NETLOGON service on an Active Directory Domain Controller.

Note: A prerequisite to enabling SSO is that you should have enabled AD Authentication. Also, the applicable Domain User Accounts should have been imported into IT360.

Important:

1. SSO works for a single AD Forest only.

2. A Computer Account must be available or created; a regular User account will not work.

3. The IT360 server should reside in the domain for which SSO is to be enabled. For example, to configure SSO for the domain 'ORGANIZATION', the IT360 host server should be a member of that domain, and the firewall on the domain controller has to be configured accordingly. Otherwise, the Computer Account might not be created properly. However, you can also create the Computer Account manually.

4. Make sure that ports 53 (DNS) and 445 (CIFS) on the Domain Controller are open and not blocked, to enable AD-SSO.

Enabling Single Sign On [SSO]

  1. Go to Admin - General - Active Directory [in the case of Professional Edition] and to Admin - Active Directory [in the case of Central Server of Enterprise Edition and Central Server of MSP Edition]
  2. Enable the Active Directory Authentication check box
  3. Enable the Single Sign On check box
  4. In the pop up that appears, select the Domain Name
  5. Provide the Bind String
  6. Provide the Computer Account and Password details
  7. If the Computer Account already exists in the domain controller, enter its Computer Account Name and specify the correct Password. If you want IT360 to create a fresh Computer Account, enable the 'Create this computer account in the domain' check box. Jespa also contains a script to set the password on a Computer Account
  8. Click Save

Steps to create the computer account

If IT360 has any problem in creating the Computer Account, it can be created manually too, by following the steps below:

  1. Copy the scripts available under '<IT360_HOME>/scripts/*.vbs' to the Domain Controller machine.

  2. If a Computer Account is already present and you wish to change its password, simply reset the password. However, this works only for Accounts present under the container 'Computers'. If the account is under a different OU, the script will not work.

    1. Creating a Computer Account:

    This task can be done by the script 'ManuallyCreateComputerAccount.vbs', available in '<IT360>/scripts'. Copy this script to the AD server. Open a command prompt on the AD server, change to the directory where the script is saved, and execute the following command:

    'cscript ManuallyCreateComputerAccount.vbs ComputerAcctName /p password /d DomainName'

    Example: 'cscript ManuallyCreateComputerAccount.vbs accountname /p pass /d ORGANIZATION'

    2. Resetting the password:

    This task can be done by the script 'SetComputerPass.vbs', available in '<IT360>/scripts'. Copy this script to the AD server. Open a command prompt on the AD server, change to the directory where the script is saved, and execute the following command:

    'cscript SetComputerPass.vbs ComputerAcctName /p password /d DomainName'

    Example: 'cscript SetComputerPass.vbs accountname /p pass /d ORGANIZATION'

For SSO, IT360 makes use of a third party library named 'Java Enterprise Security Provider Authority' (Jespa), which provides advanced integration between Microsoft Active Directory and Java applications. The Jespa NTLM security provider validates credentials using the NETLOGON service, just as a Windows server does. To facilitate this, a Computer Account must be created.

Browsers and SSO

Internet Explorer supports SSO by default. For SSO in Firefox, do the following:

    1. Open a Firefox browser, enter the URL 'about:config' and press Enter. A long list of settings appears.
    2. In the filter, type 'ntlm' to find the setting 'network.automatic-ntlm-auth.trusted-uris'. Double click that entry and enter the 'IT360 Console server' URL in the text field (<protocol>://<IT360Console>:<port>).
      • To find the port, open the conf file <IT360>/conf/port.properties
      • Note the value against the parameter 'Console' (by default 8100)
      • Construct the URL based on this, e.g. http://it360-server:8100 or https://it360-server:8100
    3. Look for the setting 'network.ntlm.send-lm-response'.
    4. Double click the entry to change it from its default setting of 'False' to 'True'.
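As an added example (not part of the IT360 documentation or product), the following Python script carries out the Firefox procedure above from a constructed port.properties sample: it reads the Console port, builds the console URL and emits the two about:config settings as user.js lines, which can be placed in a Firefox profile instead of editing about:config by hand. The host name it360-server and the sample file contents are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of <IT360>/conf/port.properties (not the real file);
# only the 'Console' parameter matters for the Firefox SSO setup.
SAMPLE_PORT_PROPERTIES = """\
# IT360 port settings (constructed sample)
Console=8100
Agent=8300
"""

def console_port(properties_text, default=8100):
    """Return the 'Console' port from port.properties text, or the documented default."""
    for line in properties_text.splitlines():
        if line.lstrip().startswith(("#", "!")):   # .properties comment lines
            continue
        m = re.match(r"^\s*Console\s*[=:]\s*(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return default

def console_url(host, port, use_https=False):
    """Build <protocol>://<IT360Console>:<port> as the page describes."""
    scheme = "https" if use_https else "http"
    return f"{scheme}://{host}:{port}"

def firefox_sso_prefs(url):
    """Return user.js lines for the two about:config settings the page lists."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        raise ValueError(f"not a bare console URL: {url!r}")
    return [
        # Only the IT360 console host is trusted for automatic NTLM auth; a broader
        # value would let other sites trigger NTLM logons, so keep it to this URL.
        f'user_pref("network.automatic-ntlm-auth.trusted-uris", "{url}");',
        # Required by the page; LM responses are a legacy, weaker response format,
        # which is why the trusted-uris value above should stay as narrow as possible.
        'user_pref("network.ntlm.send-lm-response", true);',
    ]

if __name__ == "__main__":
    port = console_port(SAMPLE_PORT_PROPERTIES)   # 8100 from the constructed sample
    url = console_url("it360-server", port)       # host name is an assumption
    print("\n".join(firefox_sso_prefs(url)))
```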

Scheduling AD User import

  1. Enable the check box related to Schedule AD Import every xxx days
  2. Enter the frequency of AD User import in Days in the appropriate column
  3. Click Save

Importing Users from Active Directory

A simpler way of adding users to IT360 is to import them through Active Directory. Users from the selected Domain are added to the IT360 Database. Subsequent AD syncs add new users and update existing users with any changes. If configured appropriately, the IT360 user database is automatically kept synchronized with the AD.

Enabling AD User import

  1. Go to Admin - General - Active Directory [in the case of Professional Edition] and to Admin - Active Directory [in the case of Central Server of Enterprise Edition and Central Server of MSP Edition]
  2. Click on the link Import Users from Active Directory.
  3. Enter the following details in the pop-up window:
    1. Choose the Domain Name from the drop down that lists all the available IT360 domains. The Domain Name identifies the Active Directory from which the users are to be imported. In addition, you may also add a new domain manually [by clicking on the + sign adjacent to the Domain Name field]
    2. Enter the name of the Domain Controller, Login Name and the exact Password, in the respective text boxes. You have the option to reset the password if required.
    3. You may optionally select other fields to import
    4. Click on Import. This leads you to the next wizard that displays the available OUs.
    5. Select the OUs from which the Users need to be imported. [If you want to get the latest OUs from the AD, you may use the option Fetch OUs from Active Directory again]
    6. You can enable the checkbox 'Notify users with login credentials' to send E-mail notification, along with the relevant Login Credentials, to all the newly imported users. You can disable the checkbox, if no e-mail notification is required.
    7. Click Start Importing
Note: To send E-mail notifications, you need to configure the Mail Server Settings before synchronizing users from the Active Directory. For more information, refer to Configuring Mail Server Settings.

Changing the default Role of the imported AD Users

All users imported through Active Directory are imported as 'HelpDeskRequesters' only. You need to assign Roles to them later. To assign a different role, do the following:

    1. Navigate to 'Admin - General - User Management', in case of Professional Edition, and to 'Admin - User Management', in case of Central Server (Enterprise and MSP Editions).

    2. Click the 'Requestor' tab

    3. Enable the checkbox against the User Name.

    4. Select the Role for this user from the dropdown menu on the top of Requesters List and click 'Apply'

Unscheduled AD User import [Sync Now option]

If you do not want to schedule a periodic AD sync, or want to disable an already configured periodic AD sync and sync up with the AD users only on a need basis, follow the steps below:

  1. Go to Admin - General - Active Directory [in the case of Professional Edition] and to Admin - Active Directory [in the case of Central Server of Enterprise Edition and Central Server of MSP Edition]
  2. Click on the link Import Users from Active Directory. [Do not change any values in the pop up]
  3. Click Import

AD User sync is done.

 



Copyright © 2013, ZOHO Corp. All Rights Reserved.