Importing Users from Active Directory

Password Manager Pro provides the option to integrate with Active Directory in your environment and import users from there. Users who have logged into the Windows system using their domain account can be allowed to log in to Password Manager Pro directly.

There are four steps involved in completing the process of importing users from Active Directory. Follow the four steps detailed below:

Step 1 - Importing users

The first step is to provide credential details and import users from Active Directory. Password Manager Pro automatically gets the list of the domains present under the "Microsoft Windows Network" folder of the server on which Password Manager Pro is running. You need to select the required domain from the list and provide the necessary domain controller credentials.

To do this,

  • Navigate to "Admin" >> "Authentication" >> "Active Directory".
  • Go to Step 1 and click the button "Import Now".
  • Alternatively, you can also access this from Users >> Add user >> Import from Active Directory.
  • In the pop-up form that appears, select the required Domain Name, which is part of the AD, from the drop-down.
  • Specify the DNS name of the domain controller. This domain controller will be the primary domain controller.
  • In case the primary domain controller is down, secondary domain controllers can be used. If you have secondary domain controllers, specify their DNS names in comma separated form. One of the available secondary domain controllers will be used. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) specified in the SSL certificate for the domain controller.
  • Supply Credentials: Enter a valid user credential (user name and password) having read permission in the domain controller. (If you want to import users from multiple domains, you may enter the username as <DomainName>\<username>. For example, if you want to import DOMAIN A users by giving DOMAIN B username/password, you need to enter the username as <DOMAIN B>\username.)
  • Connection Mode: For each domain, you can configure if the connection should be over an encrypted channel for all communication. To enable the SSL mode, the domain controller should be serving over SSL in port 636 and you will have to import the domain controller's root certificate into the Password Manager Pro server machine's certificate store.
  • Users to Import: By default, Password Manager Pro will populate all the organizational units (OUs) and groups from Active Directory. If you want to import only a particular user, enter the required user name(s) in comma separated form.
  • User Groups to Import / OU(s) to Import: Similarly, you can choose to import only specific user groups or organizational units (OUs) from the domain. You can specify the names in the respective text fields in comma separated form.
  • Synchronization Interval: Whenever new users get added to the Active Directory, there is provision to automatically add them to Password Manager Pro and keep the user database in sync. Enter the time interval at which Password Manager Pro has to query the Active Directory to keep the user database in sync. The time interval could be as low as a minute or it can be in the range of hours/days.
  • Click "Save". Soon after hitting this "Save" button, Password Manager Pro will save the domain details. During subsequent imports, only the new user entries in AD are added to the local database.
  • In case of importing organizational units (OUs) and Active Directory groups, user groups are automatically created with the name of the corresponding OU / AD group.

Note: As mentioned above, to enable SSL mode, the domain controller should be serving over SSL on port 636. If the certificate of the domain controller is not signed by a certified CA, you will have to manually import the certificate into the Password Manager Pro server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain, that is, the certificate of the Password Manager Pro server machine and the intermediate certificates, if any.

To import the domain controller's certificate into the Password Manager Pro machine's certificate store, you can use any procedure that you normally use to import SSL certificates into the machine's certificate store. One example is given below:
  • In the machine where Password Manager Pro is installed, launch Internet Explorer and navigate to Tools >> Internet Options >> Content >> Certificates.
  • Click "Import".
  • Browse and locate the root certificate issued by your CA.
  • Click "Next" and choose the option "Automatically select the certificate store based on the type of certificate" and install.
  • Click "Import" again.
  • Browse and locate the domain controller certificate.
  • Click "Next" and choose the option "Automatically select the certificate store based on the type of certificate" and install.
  • Apply the changes and close the wizard.
  • Repeat the procedure to install other certificates in the root chain.
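Before switching a domain to SSL mode, it is worth confirming that the domain controller actually serves TLS on port 636, that its chain is anchored by the root (and intermediate) certificates you imported, and that the DNS name you will type into the form matches the CN or SAN in the certificate. The following pre-flight check is an added example, not ManageEngine's own code; the host name, CA bundle path and the certificate dictionary in the comments are constructed placeholders.

```python
"""Pre-flight check for Password Manager Pro's SSL connection mode (added example, not
ManageEngine code). Confirms that <dc>:636 answers TLS with a chain that validates
against the root/intermediate CA bundle you imported, and that the DNS name entered
in the import form matches the DC certificate's CN or DNS SAN entries."""
import socket
import ssl

LDAPS_PORT = 636  # the port the page requires for SSL mode


def cert_names(cert: dict) -> set[str]:
    """Collect the DNS names a certificate asserts: the subject CN plus DNS SANs.
    `cert` has the layout returned by ssl.SSLSocket.getpeercert()."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(dc_dns_name: str, cert: dict) -> bool:
    """True if the DNS name typed into the PMP form matches the DC certificate.
    Accepts exact matches and single-label wildcards such as *.corp.example."""
    host = dc_dns_name.lower().rstrip(".")
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_domain_controller(dc_dns_name: str, ca_bundle_path: str) -> dict:
    """Connect to <dc>:636 and verify the chain against ca_bundle_path (root CA plus
    intermediates). Reports the name match instead of raising on a mismatch."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = False  # chain is still verified; name is reported below
    try:
        with socket.create_connection((dc_dns_name, LDAPS_PORT), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=dc_dns_name) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # the DC's chain is not anchored by the supplied root/intermediates
        return {"chain_ok": False, "name_ok": False, "error": str(exc)}
    return {"chain_ok": True, "name_ok": name_matches(dc_dns_name, cert),
            "cert_names": sorted(cert_names(cert))}
```

Run `check_domain_controller("dc01.corp.example", "/path/to/dc-root-chain.pem")` (placeholder values) from the Password Manager Pro server; `chain_ok` False means the store is missing a certificate from the chain, and `name_ok` False means the DNS name you plan to enter will not match the certificate's CN/SAN.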

Step 2 - Specify appropriate user roles

All the users imported from AD will be assigned the 'Password User' role by default. To assign specific roles to specific users,

  • Go to Step 2 in the UI (Admin >> Authentication >> Active Directory) and click the button "Assign Roles Now".
  • In the pop-up form that opens, all the Users imported from AD are listed.
  • Click the "Change role" button against the users whose role you wish to change and select the appropriate role from the drop-down.
  • Click "Save" and the required roles are set for the users.

Step 3 - Enabling AD authentication

The third step is to enable AD authentication. This will allow your users to use their AD domain password to login to Password Manager Pro. Note that this scheme will work only for users who have been already imported to the local database from Active Directory.

Step 4 - Enabling Single Sign-On

Users who have logged into the Windows system using their domain account need not separately sign in to Password Manager Pro, if this setting is enabled. For this to work, AD authentication should be enabled and the corresponding domain user account should have been imported into Password Manager Pro.

For Single Sign-On, Password Manager Pro makes use of a third party library named 'Java Enterprise Security Provider Authority' (Jespa), which provides advanced integration between Microsoft Active Directory and Java applications. The Jespa NTLM security provider validates credentials using the NETLOGON service, just as a Windows server does.

To facilitate this, a Computer account must be created with a specific password, which will be used as a service account to connect to the NETLOGON service on an Active Directory domain controller.

That means Password Manager Pro requires a computer account in the domain controller to perform the authentication (a computer account must be available or created; a regular user account will not work).

To enable single sign-on,

  • Go to Step 4 in the UI (Admin >> Authentication >> Active Directory) and click the button "Enable Single Sign-On".
  • In the UI that opens, select the domain.
  • Enter the fully qualified DNS domain name in the text field against "Fully qualified DNS Domain Name" (For example, zohocorpin.com)
  • Enter the Computer Account name created in the domain controller and specify the password.
  • If you want to create a computer account afresh, select the checkbox "Create this computer account in the domain". Jespa contains a script to set the password on a computer account.
  • Click "Save".

Note: The IE browser supports NTLM authentication by default. Follow the instructions below to get this working in Firefox:

  • Open a Firefox browser and enter the URL about:config and hit "Enter".
  • You will see a big list of settings.
  • In the filter, type "ntlm" to look for the setting "network.automatic-ntlm-auth.trusted-uris". Double-click that entry and enter the PMP server URL in the text field (https://<PMP Server Host Name>:<port>).
  • Then, look for the setting "network.ntlm.send-lm-response".
  • Double-click the entry to change it from its default setting of "False" to "True".

In MSP Edition, Single Sign-On can be enabled only for one client organization at a time. This can be enabled/disabled by the MSP Administrator.

Troubleshooting tip

The browser will keep on asking for domain user credentials on the login page if the computer account credentials are incorrect. In that case, cancel the pop-up to access the Password Manager Pro login page.

©2014, ZOHO Corp. All Rights Reserved.