Integrating Active Directory with the ServiceDesk Plus MSP application lets you import user information from the Active Directory server into ServiceDesk Plus MSP. It also lets you import requesters from Active Directory, schedule user imports from AD, sync deleted requesters/technicians from AD, and configure Active Directory authentication.
- Importing Requesters
- Scheduling import for Requesters
- Sync deleted users from Active Directory
- Configuring AD authentication
- Configuring pass through authentication
If you have not yet imported requesters from any of the domains, you can import them by clicking the Import Requesters from Active Directory link. The Import From Active Directory window pops up.
Select the Account name and, from the domains listed in the Domain Name combo box, select the domain in which the Active Directory you wish to import from is installed. If the other details such as domain controller name, user name, and password have already been entered in the Domain Scan page, they are populated automatically. Otherwise, enter the name of the domain controller in the Domain Controller Name field, and the login name and password in the corresponding fields.
You also have an option to select the fields to be imported from Active Directory. To do this, enable the check box beside the default fields namely, Phone, Department, Job Title, Mobile, Site Name and E-mail. Specify the field name configured in Active Directory for the selected fields.
For example, if "Phone" is configured as "telephoneNumber" in Active Directory, enter telephoneNumber in the text field provided. Unselected fields are not imported; this prevents new values in the application from being overridden by old values from the directory.
Apart from the default fields, you can also import Requester Additional Field details from Active Directory. If you have not configured any requester additional fields, select the Click here to configure link. This takes you to the Requester - Additional Field page, where you configure the additional fields to be imported from Active Directory. The configured requester additional fields (Text and Numeric) appear in the Import from Active Directory window, indicated in blue and green respectively. Enable the check box beside each requester additional field to import, and specify the field name configured in Active Directory beside the selected field. Unselected fields are not imported.
- Distinguished Name (DN) in Active Directory
- Email Address of the requester
- Country Code of the requester
1. Numeric additional fields hold up to 19 digits. If your numeric value exceeds 19 digits, configure the value in a text field instead.
2. On every import, the existing requester data is overwritten.
If the site associated with the user/department is changed in Active Directory, the assets belonging to the user/department should be moved to the new site. To update this information on every import, enable the Move associated assets check box. If this check box is cleared, the assets are not moved to the new site.
Click Import Now. The import wizard displays the various Organizational Units (OUs) available in that domain. Choose the specific Organizational Unit from which you wish to import users by selecting the check box beside it.
Click Start Importing. Once the import is complete, the data on how many records were added, how many overwritten, and how many failed to import will be displayed.
You can schedule the Active Directory import to run every specified number of days. When you schedule an Active Directory import, data from all the domains available in the application is imported at the specified interval.
- Select the Schedule AD import check box and specify the number of days in the text box. The requester details are then imported automatically as scheduled.
- Click the saveADSync button to stay in sync with Active Directory.
Criterion for User Account overwrite in Active Directory User Imports:
While performing a user import from Active Directory,
Criteria 1: ObjectGUID - If the ObjectGUID of a user account in ServiceDesk Plus MSP matches the user account in Active Directory, the record in ServiceDesk Plus MSP is overwritten.
Criteria 2: Login name and Domain - If the login name and domain of a user account in ServiceDesk Plus MSP match the user account in Active Directory, the record in ServiceDesk Plus MSP is overwritten.
Criteria 3: Email address - If the 'Override based on EmailId' option is enabled under Admin >> Self-Service Portal settings and the email address of the user account in ServiceDesk Plus MSP matches the Active Directory user account, the record in ServiceDesk Plus MSP is overwritten.
Criteria 4: Login name and domain is '-' (not associated) - If a user account in ServiceDesk Plus MSP contains only a login name with an email address and no domain association, and the login name matches the Active Directory user account, the record in ServiceDesk Plus MSP is overwritten.
When a user is imported from AD, the ObjectGUID of the user is used as the unique identifier to update the user details in ServiceDesk Plus MSP. If the ObjectGUID does not match any user in ServiceDesk Plus MSP, the checks fall through in this order:
- The 'loginname+domainname' of the user is used as the unique identifier to update the user details in ServiceDesk Plus MSP.
- If the 'loginname+domainname' does not match any user in ServiceDesk Plus MSP, the 'email address' of the user is used as the unique identifier.
- If the email address does not match, the 'loginname + domain=NULL' combination (for example, loginname is Howard and the domain name is NULL) is used as the unique identifier to update the user details.
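The matching order described above, written out as an added example (not ServiceDesk Plus MSP code). The record shapes, the sample directory, and case-insensitive comparison of login names, domains and email addresses are assumptions; the point it makes visible is that enabling 'Override based on EmailId' can cause an AD account to overwrite an existing record that shares only an email address.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SdpUser:
    """Existing ServiceDesk Plus MSP account (assumed shape)."""
    object_guid: Optional[str]
    login_name: str
    domain: Optional[str]   # None or "-" means not associated with a domain
    email: Optional[str]

@dataclass
class AdUser:
    """User record read from Active Directory (assumed shape)."""
    object_guid: str
    login_name: str
    domain: str
    email: Optional[str]

def _same(a: Optional[str], b: Optional[str]) -> bool:
    # Assumption: AD names and addresses are compared case-insensitively.
    return a is not None and b is not None and a.lower() == b.lower()

def find_overwrite_target(ad: AdUser, existing: List[SdpUser],
                          override_on_email: bool = False) -> Optional[SdpUser]:
    """Return the existing record the import would overwrite, or None (new user).
    Criteria are tried in the documented order and the first hit wins."""
    # Criteria 1: ObjectGUID is the primary unique identifier.
    for u in existing:
        if u.object_guid and u.object_guid == ad.object_guid:
            return u
    # Criteria 2: login name + domain.
    for u in existing:
        if u.domain not in (None, "-") and _same(u.login_name, ad.login_name) \
                and _same(u.domain, ad.domain):
            return u
    # Criteria 3: email address, only when 'Override based on EmailId' is on.
    if override_on_email:
        for u in existing:
            if _same(u.email, ad.email):
                return u
    # Criteria 4: login name of a record with no domain association.
    for u in existing:
        if u.domain in (None, "-") and _same(u.login_name, ad.login_name):
            return u
    return None

def sample_directory() -> List[SdpUser]:
    """Constructed sample records, not real data."""
    return [SdpUser("guid-1", "howard", "corp", "howard@example.com"),
            SdpUser(None, "alice", "-", "alice@example.com")]
```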
This option lets you sync deleted requesters/technicians from Active Directory into the application. Syncing of deleted users happens after an import. Once the sync is done, the list of users deleted from AD is shown, and you can delete the requesters and technicians from that list. For requesters, you can enable automatic deletion so that when a requester is deleted from Active Directory, the user is removed from the application as well. This option is not available for technicians; delete them by choosing them from the list and deleting manually.
- Mouse over the "Sync deleted users from Active Directory" fields. An Edit option appears; click the edit button and enable "Sync deleted User(s) from AD".
- Select the mode of deletion. To sync the deleted users automatically, select "Delete Automatically...".
- To stop the automatic sync of deleted users and delete them manually, select "Delete Manually...". You can then delete the users by clicking the deleted users link that appears in the import results page and at the top of the configuration wizard. The link opens the list of deleted users, which you can verify before deleting users from the list.
Note: If you disable the "Sync deleted User(s) from AD" option, deleted users are not synced, and the list of deleted requester(s) and technician(s) is not displayed either. If you import users manually from AD, deleted users are not synced. If the sync of deleted users is running on a schedule, the SDAdmins are notified about the deleted users through the bell notification.
You can authenticate requester logins against Active Directory (AD) by following the steps below. Once AD authentication is configured, any password change made in AD is reflected in ServiceDesk Plus MSP, so requesters can log in to the application with the login name and password of their system account.
Note: Ensure that you have already imported the requesters before you configure AD authentication. The password for a user account is authenticated against Active Directory only if that user account exists in the ServiceDesk Plus MSP application. Hence, if no users have been imported from Active Directory, no user account can be authenticated.
To configure the Active Directory Authentication,
Log in to the ServiceDesk Plus MSP application using the user name and password of a ServiceDesk Plus MSP administrator.
Click the Admin tab in the header pane.
In the Users block, click Active Directory Authentication. Here you can enable or disable Active Directory authentication. By default, AD authentication is disabled.
If you have already imported requesters from any of the domains in your network, click the Enable button.
Even after enabling Active Directory (AD) authentication, you can bypass it: in the application login screen, select Local Authentication from the Domain list box after entering the login name and password, and then click the Login button to enter ServiceDesk Plus MSP.
Setting Local Authentication Password
You can set a random or predefined Local Authentication password for users imported through AD/LDAP. If you select Random Password, the imported users receive a random password. If you select Predefined Password, you set a password and save it so that it is sent to the users. The predefined password can be reset.
- Hover the mouse over the Local Authentication Password section.
- An Edit icon appears; click it.
- Select either Random Password or Predefined Password. Selecting Random Password sends random passwords to users imported from AD/LDAP. Selecting Predefined Password prompts you to enter a new password, which is then sent to the users imported from AD/LDAP.
On enabling single sign-on, ServiceDesk Plus MSP directly authenticates your Windows system user name and password, so you need not log in again to enter ServiceDesk Plus.
ServiceDesk Plus MSP pass-through authentication uses NTLMv2, which provides better security and validates the credentials using the NETLOGON service.
Enabling Active Directory activates the Pass-through Authentication (Single Sign-On) option.
To activate single sign-on, select the Enable Pass-through Authentication (Single Sign-On) option.
You can enable pass-through authentication for users from a particular domain. To do so, select the Domain Name from the drop-down list. The enabled domain must have a two-way trust.
Specify the DNS Server IP of the domain in the provided field.
To use the NTLM security provider as an authentication service, a computer account must be created in Active Directory with a specific password. Specify a unique name for the Computer Account and the Password for this account.
The Bind String parameter must be a fully qualified DNS domain name or the fully qualified DNS hostname of a particular AD server.
Save the authentication settings. A confirmation message is displayed.