Importing Users from Active Directory
PAM360 integrates with Active Directory in your environment and allows import of users from there. Users logged into the Windows system using their domain account can log into PAM360 directly.
There are four steps involved in importing users from Active Directory:
- Importing Users
- Specifying Appropriate User Roles
- Enabling AD Authentication
- Enabling Single Sign-On
To begin, navigate to Admin >> Authentication >> Active Directory. The Active Directory Configuration page is displayed.
1. Importing Users
The first step is to provide credential details and import users from Active Directory. PAM360 automatically gets the list of the domains present under the "Microsoft Windows Network" folder of the server of which the running PAM360 is part of. You need to select the required domain from the list and provide necessary domain controller credentials.
To do this:
- Click the Import Now button. Alternatively, you can also access this from Users >> Add user >> Import from Active Directory.
- In the pop-up form that appears, select the required Domain Name, which forms part of the AD from the drop-down.
- Specify the DNS name of the domain controller. This domain controller will be the primary domain controller.
- In case, the Primary Domain Controller is down, Secondary Domain Controllers can be used. If you have secondary domain controllers, specify their DNS names in comma separated form. One of the available secondary domain controllers will be used. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) specified in the SSL certificate for the domain controller.
- Supply Credentials: Enter a valid user credential (user name and password) having read permission in the domain controller. (If you want to import users from multiple domains, you may enter the username as <DomainName>\<username>. For example, if you want to import DOMAIN A users by giving DOMAIN B username/password, you need to enter the username as <DOMAIN B>\username)).
- Connection Mode: For each domain, you can configure if the connection should be over an encrypted channel for all communication. To enable the SSL mode, the domain controller should be serving over SSL in port 636 and you will have to import the domain controller's root certificate into the PAM360 server machine's certificate store.
- Users to Import: By default, PAM360 will populate all the organizational units (OUs) and groups from Active Directory. If you want to import only a particular user, enter the required user name(s) in comma separated form.
- User Groups to Import / OU(s) to Import: Similarly, you can choose to import only specific user groups or organizational units (OUs) from the domain. You can specify the names in the respective text fields in comma separated form.
- Synchronization Interval: Whenever new users get added to the Active Directory, there is provision to automatically add them to PAM360 and keep the user database in sync. Enter the time interval at which PAM360 has to query the Active Directory to keep the user database in sync. The time interval could be as low as a minute or it can be in the range of hours/days.
- Click Save. Soon after hitting this "Save" button, PAM360 will save the domain details. During subsequent imports, only the new users entries in AD are added to the local database.
- In case of importing organizational units (OUs) and Active Directory groups, user groups are automatically created with the name of the corresponding OU / AD group.
Note: As mentioned above, to enable SSL mode, the domain controller should be serving over SSL in port 636. If the certificate of the domain controller is not signed by a certified CA, you will have to manually import the certificate into the PAM360 server machine's certificate store. You need to import all the certificates that are present in the respective root certificate chain - that is the certificate of the PAM360 server machine and intermediate certificates, if any.
To import domain controller's certificate into PAM360 machine's certificate store: (you can use any procedure that you normally use to import the SSL certificates to the machine's certificate store. One example is given below)
- In the machine where PAM360 is installed, launch Internet Explorer and navigate to Tools >> Internet Options >> Content >> Certificates.
- Click Import.
- Browse and locate the root certificate issue by your CA.
- Click Next and choose the option Automatically select the certificate store based on the type of certificate and install.
- Click Import again.
- Browse and locate the domain controller certificate.
- Click Next and choose the option "Automatically select the certificate store based on the type of certificate" and install.
- Apply the changes and close the wizard.
- Repeat the procedure to install other certificates in the root chain.
2. Specifying Appropriate User Roles
All the users imported from AD will be assigned the Password User role by default. To assign specific roles to specific users,
- Click the button Assign Roles Now.
- In the pop-up form that opens, all the Users imported from AD are listed.
- Click Change role button against desired users for whom you wish to change the role and select the appropriate role from the drop down.
- Click Save and the required roles are set for the users.
3. Enabling AD Authentication
The third step is to enable AD authentication. This will allow your users to use their AD domain password to login to PAM360. Note that this scheme will work only for users who have been already imported to the local database from Active Directory.
4. Enabling Single Sign-On
Users who have logged into the Windows system using their domain account need not separately sign in to PAM360, if this setting is enabled. For this to work, AD authentication should be enabled and the corresponding domain user account should have been imported into PAM360.
For Single Sign-On, PAM360 makes use of a third party Java software library which provides advanced integration between Microsoft Active Directory and Java applications. The third party software package also includes a complete NTLM security service provider which validates the credentials using the NETLOGON service just as a Windows server.
To facilitate this, a Computer account must be created with a specific password, which will be used as a service account to connect to the NETLOGON service on an Active Directory domain controller.
That means, PAM360 requires a computer account in the domain controller to perform the authentication (a computer account must be available/created - a regular User account will not work.)
To enable single sign-on:
- Click the Enable Single Sign-On button.
- In the wizard that opens, select the domain.
- Enter the fully qualified DNS domain name in the text field against Fully qualified DNS Domain Name (For example, zohocorpin.com)
- Enter the Computer Account name created in the domain controller and specify the password.
- If you want to create computer account afresh, select the checkbox Create this computer account in the domain. The third party software package contains a script to set the password on a Computer account.
- Click Save.
Note: The IE browser supports NTLM authentication by default. Follow the instructions below to get this working in Firefox:
- Open a Firefox browser and enter the URL about:config and hit Enter.
- You will see a big list of settings.
- In the filter, type ntlm to look for the setting network.automatic-ntlm-auth.trusted-uris. Double click that entry and enter PAM360 server URL in the text field (https://<Host-Name-of-PAM360-Server OR IP address>:<Port>)
- Then, look for the setting network.ntlm.send-lm-response.
- Double click the entry to change it from its default setting of False to True.
In MSP Edition, Single Sign-On can be enabled only for one client organization at a time. This can be enabled/disabled by the MSP Administrator.
The browser will keep on asking for Domain User credentials on the login page if computer account credentials are incorrect. In that case, cancel the pop-up to access PAM360 login page.