PMP provides the option to integrate with Active Directory in your environment and import users from there. Users who have logged into the Windows system using their domain account can be allowed to login to PMP directly (without separate PMP login).
There are four steps involved in completing the process of importing users from AD and assigning them necessary roles and permissions in PMP. Follow the three steps detailed below:
The first step is to provide credential details and importing users from AD. PMP automatically gets the list of the domains present under the "Microsoft Windows Network" folder of the server of which the running PMP is part of. You need to select the required domain and provide domain controller credentials.
To do this,
Go to "Admin" tab and click "Active Directory"
Go to Step 1 and click the button "Import Now"
Alternatively, you can also access this from "Admin >> Users >> Import from AD" button
In the UI that pops-up,
Select the required Domain Name, which forms part of the AD from the drop-down
Specify the DNS name of the domain controller.
This domain controller will be the primary domain controller
In case, the primary domain controller is down, secondary domain controllers can be used. If you have secondary domain controllers, specify their DNS names in comma separated form. One of the available secondary domain controllers will be used. When you use SSL mode make sure the DNS name specified here matches the CN (common name) specified in the SSL certificate for the domain controller
Enter a valid user credential (user name and password) having read permission in the domain controller. (If you want to import users from multiple domains, you may enter the username as <DomainName>\<username>. For example, if you want to import DOMAIN A users by giving DOMAIN B username/password, you need to enter the username as <DOMAIN B>\username))
For each domain, you can configure if the connection should be over an encrypted channel for all communication. To enable the SSL mode, the domain controller should be serving over SSL in port 636 and you will have to import the domain controller's root certificate into the PMP server machine's certificate.
As mentioned above, to enable SSL mode, the domain controller should be serving over SSL in port 636. If the certificate of the domain controller is not signed by a certified CA, you will have to manually import the certificate into the PMP server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PMP server machine and intermediate certificates, if any.
To import domain controller's certificate into PMP machine's certificate store: (you can use any procedure that you normally use to import the SSL certificates to the machine's certificate store. One example is given below)
PMP server can now communicate with this particular domain controller over SSL. Repeat these steps for all domain controllers to which you want PMP to communicate over SSL. Note that the DNS name you specify for the domain controller should match the CN (common name) specified in the SSL certificate for the domain controller.
By default, PMP will populate all the OUs and groups from AD. If you want to import only a particular user, enter the required user name(s) in comma separated form
Similarly, you can choose to import only specific user groups or OUs from the domain. You can specify the names in the respective text fields in comma separated form
Whenever new users get added to the AD, there is provision to automatically add them to PMP and keep the user database in sync. Enter the time interval at which PMP has to query the AD to keep the user database in sync. The time interval could be as low as a minute or it can be in the range of hours/days.
Click "Save". Soon after hitting this "Save" button, PMP will start adding all users from the selected domain. During subsequent imports, only the new users entries in AD are added to the local database
In the case of importing organizational units (OUs) and AD groups, user groups are automatically created with the name of the corresponding OU / AD group.
During import, every user will be notified through
email about their account, along with a password that will be used to
login to PMP when AD authentication is disabled. If you do not want to
send emails, select the option 'No'.
can also disable email notification, from General
Settings. But, the option entered here ('YES' or 'NO' for email notification)
will override the option chosen in 'General Settings'.
"Groups/OUs too large to display"
When you have a large number of groups or OUs in the domain controller, specifically when the number exceeds 2500, PMP will not display them in the GUI. In such cases, you will see the message "Groups too large to display" / "Organizational Units too large to display". When this happens, you have the following options:
Option 1: Specify only the specific groups / OUs to be imported
You may just specify the groups or OUs that are to be imported alone, instead of getting all the groups / OUs in the display.
Option 2: Increase the limit on the number of groups / OUs to be imported
The maximum number of groups / OUs to be displayed in the PMP GUI is indicated in system_properties.conf file present under <PMP_Installation_Folder>. You can increase the number through the following entries:
Navigate to <PMP_Installation_Folder>/conf directory and edit the following entries in system_properties.conf
Replace the above entries with the required values.
The users added to the PMP database will have the role as "Password Users". If you want to assign specific roles to specific users, proceed with Step 2 below.
Yes. You can use both your AD and local (non-AD) passwords to login to the application. The choice can be made in the GUI login screen itself.
The synchronization happens as a scheduled task. You can check Audit >> Task Audit for details. You can also choose to receive notifications whenever the synchronization happens. Refer to 'Task Audit' section for details. Alternatively, you can also click the button "View Synchronization Schedules" present in Step 1. The status of synchronization will be displayed there.
All the users imported from AD will be assigned the 'Password User' role by default. To assign specific roles to specific users,
Go to Step 2 in the UI (Admin >> Active Directory) and click the button "Assign Roles Now"
In the UI that opens, all the Users imported from AD are shown in the LHS under the column "Password Users"
Select the users for whom you wish to change the role and use the appropriate arrow button to assign them the role of "Password Administrator" or "Password User"
Click "Save" and the required roles are set for the users
The third step is to enable AD authentication. This will allow your users to use their AD domain password to login to PMP. Note that this scheme will work only for users who have been already imported to the local database from AD.
Note: Make sure you have at least one user with the 'Administrator' role, among the users imported from AD.
Users who have logged into the Windows system using their domain account need not separately sign in to Password Manager Pro, if this setting is enabled. For this to work, AD authentication should be enabled and the corresponding domain user account should have been imported into PMP.
For Single SignOn, PMP makes use of a third party library named 'Java Enterprise Security Provider Authority' (Jespa), which provides advanced integration between Microsoft Active Directory and Java applications. Jespa NTLM security provider validates credentials using the NETLOGON service just as a Windows server.
To facilitate this, a Computer account must be created with a specific password, which will be used as a service account to connect to the NETLOGON service on an Active Directory domain controller.
That means, PMP requires a computer account in the domain controller to perform the authentication (a computer account must be available/created - a regular User account will not work.
To Enable Single SignOn,
Go to Step 4 in the UI (Admin >> Active Directory) and click the button "Enable Single SignOn"
In the UI that opens, select the domain
Enter the fully qualified DNS domain name in the text field against "Fully qualified DNS Domain Name" (For example, zohocorpin.com)
Enter the Computer Account name created in the domain controller and specify the password
If you want to create computer account afresh, select the checkbox "create this computer account in the domain". Jespa contains a script to set the password on a Computer account.
The IE browser supports NTLM authentication by default. Follow the instructions below to get this working in Firefox:
Open a Firefox browser and enter the URL about:config and hit "Enter".
You will see a big list of settings
In the filter, type "ntlm" to look for the setting "network.automatic-ntlm-auth.trusted-uris". Double click that entry and enter PMP server url in the text field (https://<PMP Server Host Name>:<port>)
Then look for the setting "network.ntlm.send-lm-response"
Double click the entry to change it from its default setting of "False" to "True"
In MSP Edition, Single SignOn can be enabled only for one client organization at a time. This can be enabled/disabled by the MSP Administrator.
©2014, ZOHO Corp. All Rights Reserved.