Integrating Active Directory & Importing Users

PMP provides the option to integrate with Active Directory in your environment and import users from there. Users who have logged into the Windows system using their domain account can be allowed to log in to PMP directly, without a separate PMP login.

There are four steps involved in importing users from AD and assigning them the necessary roles and permissions in PMP. Follow the steps detailed below:

Step 1 - Importing Users

The first step is to provide credential details and import users from AD. PMP automatically gets the list of domains present under the "Microsoft Windows Network" folder of the server on which PMP is running. You need to select the required domain and provide domain controller credentials.

To do this,

In the UI that pops-up,

    As mentioned above, to enable SSL mode, the domain controller should be serving over SSL on port 636. If the certificate of the domain controller is not signed by a trusted CA, you will have to manually import the certificate into the PMP server machine's certificate store. You need to import all the certificates in the domain controller certificate's chain of trust, that is, the root CA certificate, any intermediate certificates and the domain controller's own certificate (as listed in the procedure below).

    To import the domain controller's certificate into the PMP machine's certificate store, you can use any procedure that you normally use to import SSL certificates into the machine's certificate store. One example is given below:

    • In the machine where PMP is installed, launch Internet Explorer and navigate to Tools >> Internet Options >> Content >> Certificates

    • Click "Import"

    • Browse and locate the root certificate issued by your CA

    • Click "Next" and choose the option "Automatically select the certificate store based on the type of certificate" and install

    • Again click "Import"

    • Browse and locate the domain controller certificate

    • Click "Next" and choose the option "Automatically select the certificate store based on the type of certificate" and install

    • Apply the changes and close the wizard

    • Repeat the procedure to install other certificates in the root chain

    The PMP server can now communicate with this particular domain controller over SSL. Repeat these steps for every domain controller with which you want PMP to communicate over SSL. Note that the DNS name you specify for the domain controller should match the CN (common name) in the SSL certificate of the domain controller.

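As an added check that is not part of the PMP documentation, the following PowerShell script, run on the PMP server after the certificates have been imported, connects to a domain controller on port 636, reports the subject CN of the certificate it presents so it can be compared with the DNS name you intend to enter in PMP, and shows whether the chain validates against the local machine's certificate store (so you can see which CA certificates still need to be imported). The domain controller's DNS name is passed through the -DcDnsName parameter, a name chosen for this example.

```powershell
# Added example, not from the PMP documentation. Run on the PMP server after
# importing the certificates: it connects to the domain controller over SSL on
# port 636, shows the certificate's subject CN so it can be compared with the
# DNS name entered in PMP, and checks the chain against the machine store.
# -DcDnsName is a parameter name chosen for this example.
param(
    [Parameter(Mandatory = $true)][string]$DcDnsName,
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DcDnsName, $Port)
} catch {
    Write-Error "Cannot reach ${DcDnsName}:${Port}; is the domain controller serving LDAP over SSL?"
    return
}

# The callback accepts the certificate so the handshake completes; the real
# checks are done explicitly below, against the machine's certificate store.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($DcDnsName)
    $dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

# The DNS name specified in PMP must match the CN of the server certificate.
$cn = $dcCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
"Subject CN : $cn"
if ($cn -ne $DcDnsName) {
    Write-Warning "CN '$cn' does not match '$DcDnsName'; use the name from the certificate in PMP."
}

# Build the chain against the machine's store. Any CA certificate that has not
# been imported shows up as a status such as UntrustedRoot or PartialChain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($dcCert)) {
    "Chain validates against the local certificate store."
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain does not validate ($status). Certificates presented by the server:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
}
```

Save the script to a file and invoke it with -DcDnsName set to the same name you will type into PMP; a chain status other than success lists the subjects in the presented chain, which tells you which CA certificate is still missing from the store.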

  • What will be the role of the users imported from AD in PMP?

The users added to the PMP database will have the role as "Password Users". If you want to assign specific roles to specific users, proceed with Step 2 below.

  • Can I use both AD and non-AD credentials to log in to PMP?

Yes. You can use both your AD and local (non-AD) passwords to log in to the application. The choice is made in the GUI login screen itself.

  • How do I verify that user/user group synchronization with AD has taken place?

The synchronization happens as a scheduled task. You can check Audit >> Task Audit for details. You can also choose to receive notifications whenever the synchronization happens; refer to the 'Task Audit' section for details. Alternatively, you can click the "View Synchronization Schedules" button in Step 1, where the status of synchronization is displayed.

Step 2 - Assigning Roles

All the users imported from AD will be assigned the 'Password User' role by default. To assign specific roles to specific users,

Step 3 - Enabling Authentication

The third step is to enable AD authentication. This will allow your users to use their AD domain password to log in to PMP. Note that this scheme will work only for users who have already been imported from AD into the local database.

Note: Make sure you have at least one user with the 'Administrator' role, among the users imported from AD.

Step 4 - Enabling Single SignOn

Users who have logged into the Windows system using their domain account need not separately sign in to Password Manager Pro, if this setting is enabled. For this to work, AD authentication should be enabled and the corresponding domain user account should have been imported into PMP.

For Single SignOn, PMP makes use of a third party library named 'Java Enterprise Security Provider Authority' (Jespa), which provides advanced integration between Microsoft Active Directory and Java applications. The Jespa NTLM security provider validates credentials using the NETLOGON service, just as a Windows server does.

To facilitate this, a Computer account must be created with a specific password, which will be used as a service account to connect to the NETLOGON service on an Active Directory domain controller.

That means PMP requires a computer account in the domain controller to perform the authentication (a computer account must be available or created; a regular user account will not work).

To Enable Single SignOn,

Note:

The IE browser supports NTLM authentication by default. Follow the instructions below to get this working in Firefox:

In MSP Edition, Single SignOn can be enabled only for one client organization at a time. This can be enabled/disabled by the MSP Administrator.


©2014, ZOHO Corp. All Rights Reserved.