Importing Users from Active Directory

Access Manager Plus allows you to import and synchronize users directly from the Active Directory. You can also schedule your synchronizations so that new users added to the Active Directory will automatically be imported into Access Manager Plus. This document provides information on how to import users from Active Directory. Users logged into the Windows system using their domain account can log into Access Manager Plus directly.

Summary of Steps

Navigate to Admin >> Authentication >> Active Directory. The Active Directory Configuration page is displayed. The following are the sections to be set up:

  1. Importing Users
  2. Specifying Appropriate User Roles
  3. Enabling AD Authentication
  4. Enabling Single Sign-On

1. Importing Users

Provide credential details and import users from Active Directory. Access Manager Plus automatically retrieves the list of domains present under the Microsoft Windows Network folder of the server on which Access Manager Plus is running. Select the required domain and provide the necessary domain controller credentials.

To do this,

  1. Click the Import Now button. You can also access this from Users >> Add user >> Import from Active Directory.

  2. In the pop-up form that appears,
    1. Select the required Domain Name, which forms part of the AD from the drop-down.
    2. Specify the DNS name of the domain controller. This domain controller will be the Primary Domain Controller.
    3. If the Primary Domain Controller is down, Secondary Domain Controllers can be used. If you have secondary domain controllers, specify their DNS names in comma-separated form. One of the available secondary domain controllers will be used. When you use SSL mode, make sure the DNS name specified here matches the CN (common name) specified in the SSL certificate for the domain controller.
    4. Connection Mode: For each domain, you can configure if the connection should be over an encrypted channel for all communication. To enable the SSL mode, the domain controller should be serving over SSL in port 636 and you will have to import the domain controller's root certificate into the Access Manager Plus server machine's certificate store.
    5. Supply Credentials: If you choose Specify Username and Password Manually, enter a valid user credential having read permission in the domain controller. If you choose Use an account stored in Access Manager Plus, enter a valid session name.
    6. Note: If you want to import users from multiple domains, you may enter the username as <DomainName>\<username>. For example, if you want to import DOMAIN A users by giving a DOMAIN B username/password, you need to enter the username as <DOMAIN B>\<username>.

    7. Users to Import: By default, Access Manager Plus will populate all the organizational units (OUs) and groups from Active Directory. If you want to import only particular users, enter the required user name(s) in comma-separated form.
    8. User Groups to Import / OU(s) to Import: Similarly, you can choose to import only specific user groups or organizational units (OUs) from the domain. Specify the names in the respective text fields in comma-separated form.
    9. Synchronization Interval: Whenever new users get added to the Active Directory, there is provision to automatically add them to Access Manager Plus and keep the user database in sync. Enter the time interval at which Access Manager Plus has to query the Active Directory to keep the user database in sync. The time interval could be as low as a minute or it can be in the range of hours/days.
    10. Click Save. Access Manager Plus will save the domain details. During subsequent imports, only the new user entries in AD are added to the local database.

  3. When organizational units (OUs) or Active Directory groups are imported, user groups are automatically created with the name of the corresponding OU / AD group.

1.2 Importing Domain Controller's Certificate into Access Manager Plus

To import the domain controller's certificate into the certificate store of the Access Manager Plus machine, you can use any procedure that imports SSL certificates into the machine's certificate store. One example is given below:

  1. In the machine where Access Manager Plus is installed, launch Internet Explorer and navigate to Tools >> Internet Options >> Content >> Certificates.
  2. Click Import.
  3. Browse and locate the root certificate issued by your CA.
  4. Tap Next and choose the option Automatically select the certificate store based on the type of certificate and install.
  5. Click Import again.
  6. Browse and locate the domain controller certificate.
  7. Tap Next and choose the option Automatically select the certificate store based on the type of certificate and install.
  8. Apply the changes and close the wizard.
  9. Repeat the procedure to install other certificates in the root chain.
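Before switching a domain to SSL mode (step 2.4 above) it is worth confirming, from the Access Manager Plus machine, that each domain controller you named answers on port 636, presents a certificate whose CN or SAN matches the DNS name you typed into the form, and chains to the root certificate you imported. The script below is an added example, not part of Access Manager Plus; the host names, certificate fields and root CA path are constructed values.

```python
"""Pre-flight check for the LDAPS (port 636) connection mode described above.
Added example, not Access Manager Plus code; all names below are constructed."""
import socket
import ssl
from fnmatch import fnmatchcase

LDAPS_PORT = 636  # the page requires the domain controller to serve SSL here


def cert_names(cert):
    """DNS names a getpeercert()-style dict is valid for: every dNSName
    SAN entry followed by the subject CN (the field the page tells you to match)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(dns_name, cert):
    """True if dns_name matches a SAN or CN entry, case-insensitively.
    A wildcard (*.corp.example) may only stand in for a single label."""
    host = dns_name.lower()
    for pattern in cert_names(cert):
        pattern = pattern.lower()
        if pattern.startswith("*.") and host.count(".") != pattern.count("."):
            continue
        if fnmatchcase(host, pattern):
            return True
    return False


def dc_names(primary, secondaries=""):
    """The primary DC plus each comma-separated secondary from the form fields;
    in SSL mode every one of them must match its own certificate."""
    return [n.strip() for n in [primary, *secondaries.split(",")] if n.strip()]


def check_ldaps(dns_name, root_ca_pem, port=LDAPS_PORT, timeout=5.0):
    """Open a TLS connection to one DC, verifying the chain against the
    imported root CA and the host name; returns the peer certificate dict
    or raises ssl.SSLError / OSError with the reason the import would fail."""
    ctx = ssl.create_default_context(cafile=root_ca_pem)  # assumed path to root CA
    ctx.check_hostname = True
    with socket.create_connection((dns_name, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=dns_name) as tls:
            return tls.getpeercert()
```

Run `check_ldaps(name, "root-ca.pem")` for each entry in `dc_names(primary, secondaries)`; an `ssl.CertificateError` points at a CN/SAN mismatch, while a chain error means the root certificate still has to be imported as in section 1.2.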

2. Specifying Appropriate User Roles

All the users imported from AD will be assigned the User role by default. To assign specific roles to specific users,

  1. Click Assign Roles Now.
  2. In the pop-up form that opens, all the Users imported from AD are listed.
  3. Click the Change role button against each user whose role you wish to change and select the appropriate role from the drop-down.

3. Enabling AD Authentication

The third step is to enable AD authentication. This allows your users to use their AD domain password to log in to Access Manager Plus. Note that this scheme works only for users who have already been imported into the local database from Active Directory.

4. Enabling Single Sign-On

  1. Users who have logged into the Windows system using their domain account need not separately sign in to Access Manager Plus, if this setting is enabled. For this to work, AD authentication should be enabled and the corresponding domain user account should have been imported into Access Manager Plus.
  2. For Single Sign-On, Access Manager Plus uses a third-party Java software library which provides advanced integration between Microsoft Active Directory and Java applications. The third-party software package also includes a complete NTLM security service provider which validates the credentials using the NETLOGON service, just as a Windows server does.
  3. To facilitate this, a Computer account must be created with a specific password; it is used as a service account to connect to the NETLOGON service on an Active Directory domain controller.
  4. This means that Access Manager Plus requires a computer account in the domain controller to perform the authentication (a computer account must be available or created; a regular User account will not work).

To enable Single Sign-On,

  1. Click the Enable Single Sign-On button.
  2. In the pop-up that appears,
    1. Select the Domain Name.
    2. Mention the Fully qualified DNS Domain Name in the text field (For example, zohocorpin.com).
    3. Enter the Computer Account name created in the domain controller and specify the Password.
    4. Specify the DNS Servers.
    5. To create the computer account afresh, select the checkbox Create this computer account in the domain. The third-party software package contains a script to set the password on a Computer account.
    6. Click Save.

  3. Open a Firefox browser and enter the URL about:config and hit Enter.
  4. List of settings appears.
  5. In the filter, type ntlm to look for the setting network.automatic-ntlm-auth.trusted-uris. Double-click it and enter the Access Manager Plus server URL in the text field (https://<AMP Server Host Name>:<port>).
  6. Then, look for the setting: network.ntlm.send-lm-response.
  7. Double click the entry to change it from its default setting of False to True.

Troubleshooting Tip

Access Manager Plus will repeatedly prompt you, through a dialog box, to enter the computer account credentials until they are correct. If the user wants to log in without these credentials, closing the dialog box redirects them to the Access Manager Plus login screen, where they can use a local login.
