ServiceDesk Plus

    Active Directory

     The integration of Active Directory with the ServiceDesk Plus application enables you to import user information from the Active Directory server into the ServiceDesk Plus application. It also lets you to import requesters from the active directory, schedule user import from AD, sync deleted requester/ technician from AD, and configure active directory authentication.

    Quick Links

    Importing Requesters from Active Directory

    If you have not yet imported requesters from any of the domains, you can import them by clicking Import Requesters from Active Directory link. The Import From Active Directory window pops up.

    1. From the list of domains that are listed in the Domain Name drop-down box, select the domain name in which the active directory you wish to import is installed. If the other details such as domain controller name, user name, and password have already been entered in the Domain scan page, then that will be populated automatically. Else, enter the name of the domain controller in the Domain Controller Name field, login name and password in the corresponding fields.

    2. You also have an option to select the fields to be imported from Active Directory. To do this, enable the check box beside the default fields namely, Phone, Department, Job Title, Mobile, Site Name and E-mail. Specify the field name configured in Active Directory for the selected fields.

      Say, if "Phone" is configured as "telephoneNumber" in active directory, then enter telephoneNumber in the text field provided. The unselected fields are not imported. This is to avoid over ridding of the new values by the old values from the directory.

    3. Apart from the default fields, you can also Import Requester Additional Field details from the active directory. If you have not configured any requester additional fields, then select Click here to configure link. This takes you to Requester - Additional Field page, from where you need to configure the additional fields to be imported from Active Directory. The configured requester additional fields - Text and Numeric fields, appear in Import from Active Directory window indicated in the colors Blue and Green respectively. Enable the check box beside the requester additional fields to import, and specify the field name configured in active directory beside the selected field. The unselected fields are not imported.
       

      Field Name

      Field Type

      Distinguished Name (DN) in Active Directory

      Description

      Email Address

      Text

      mail

      Email Address of the requester

      Country Code

      Numeric

      countryCode

      Country Code of the requester

    Note:

    note

    1. The numeric additional fields hold up to 19 digits. If your numeric value exceeds 19 digits, then configure the value in text field.

    2. On every import, the existing requester data will be overwritten.

    1. If the site associated to the user/department is changed in Active Directory, then the assets belonging to the user/department should be moved to the new site. To update this information on every import, enable Move associated assets check box. De-selecting this check box will not move the asset to the new site.

    2. Click Import Now. The import wizard displays the various Organizational Units (OUs) available in that domain. Choose the specific Organizational Unit from which you wish to import users by selecting the check box beside it.

    3. Click Start Importing. Once the import is complete, the data on how many records were added, how many overwritten, and how many failed to import will be displayed.

    Schedule AD import

    You have an option to schedule Active Directory import in specified number of days. When you schedule an Active Directory Import, data from all the domains available in the application is imported at the specified number of days.

    1. Select the Schedule AD import check box. Specify the number of days in the text box.  The requester details gets imported automatically as scheduled.
    2. Click saveADSync button to be in sync with the active directory.

    Criterion for User Account overwrite in Active Directory User Imports:

    While performing a user import from Active Directory,  

    Criteria 1: ObjectGUID - If the ObjectGUID of a user account in ServiceDesk Plus matches with the user account in Active Directory, then the record in ServiceDesk Plus will be overwritten.

     

    Criteria 2: Login name and Domain - If the login name and domain of a user account in ServiceDesk Plus matches with the user account in Active Directory, then the record in ServiceDesk Plus will be overwritten.

     

    Criteria 3: Email address - If the 'Override based on EmailId' option is enabled under Admin>> Self-Service Portal settings and if the email address of the user account in ServiceDesk Plus matches with the Active Directory user account, then the record in ServiceDesk Plus will be overwritten.

     

    Criteria 4: Login name and domain is '-' (not associated) - If a user account in ServiceDesk Plus contains only a login name with an email address without a domain association and if the login name matches with the Active Directory user account, then the record in ServiceDesk Plus will be overwritten.


    When a user is imported from AD, the ObjectGUID of the user is used as a unique identifier to update the user details in ServiceDesk Plus. If the 'ObjectGUID' does not match for any user in ServiceDesk Plus,

    • The 'loginname+domainname' of the user is used as an unique identifier to update the user details in ServiceDesk Plus.

    • If the 'loginname+domainname' does not match for any user in ServiceDesk, the 'email address' of the user will be used as a unique identifier.

    • If the email address does not match, then the 'loginname + domain=NULL'  ( where loginname is Howard (example) and domain name is NULL) is used as a unique identifier to update user details. 

    In cases where none of the specified conditions like 'ObjectGUID' , 'loginname+domainname', 'email address','loginname + domain=NULL' are absent in ServiceDesk Plus , a new user will be added.
     

    Sync deleted users from Active Directory



     

    This option lets you to sync the deleted requesters/technicians from the Active Directory into the application. Syncing of deleted users happens after an import. Once the sync is done, it shows you the list of deleted users from AD. You can delete the requesters and technicians from the list. For requesters, you can enable automatic deletion so that when an requester is deleted from the active directory, the user will be removed from the application as well. However for technicians, this option is not available. You can delete the technicians by choosing from the list and manually deleting them.

    • Mouseover "Sync deleted users from Active Directory" fields . Edit option will appear. Click on the edit button . Enable "Sync deleted User(s) from AD".
    • Select the mode of deletion of users. To sync the deleted users automatically, select "Delete Automatically...".

    • To stop the automatic sync of deleted users and delete the users manually, select "Delete Manually...". You can manually delete the users, by clicking on the deleted users link that appears in the import results page and at the top of the configuration wizard. The link opens up the list of deleted users, you can verify and delete the users from the list.


    Note: If you disable "Sync deleted User(s) from AD" option, the deleted users will not be synced. The list of deleted requester(s), technician(s) will not be displayed as well. If you import users manually from AD, the deleted users will not get synced. If the sync deleted users in running on a schedule, the SDAdmins will be notified about the deleted users through the bell notification.

    Active Directory Authentication

    You can authenticate the Requester login with active directory (AD) by following the steps mentioned below. On configuring AD authentication, any changes made in the password in AD will be reflected in ServiceDesk Plus. This facilitates the Requesters to login to the application using the login name and password of the system.

     

    note

    Note: Please ensure that you have already imported the requesters, before you start configuring the AD Authentication. Only if a user account is available in ServiceDesk Plus application, it will authenticate the password for that user account from the active directory. Hence, when none of the users have been imported from the active directory, the authentication cannot be done for the user account.

     

    To configure the Active Directory Authentication,

    1. Log in to the ServiceDesk Plus application using the user name and password of a ServiceDesk Plus administrator.

    2. Click the Admin tab in the header pane.

    3. In the Users block, click Active Directory Authentication. Here you can enable or disable active directory authentication. By default the AD authentication will be disabled.

    4. If you have already imported requesters from the any of the domains in your network, then click Enable button.

    Even after enabling Active Directory (AD) Authentication, if you would like to bypass the AD Authentication, then in the application login screen, you need to select Local Authentication from the Domain list box after entering the login name and password, and then click Login button to enter ServiceDesk Plus.

    Configure Pass - through Authentication

    On enabling single sign-on, ServiceDesk plus directly authenticates your windows system user name and password. Hence you need not login again to enter into ServiceDesk Plus.

    ServiceDesk Plus Pass through Authentication uses NTMLV2 which provides better security and validates the credentials using NETLOGON service.

    1. Enabling Active Directory, activates the Pass-through authentication (Single Sign-on) option.

    2. If you like to activate single sign - on, select the Enable Pass-through Authentication (Single Sign-On) option.

    3. You can enable Pass-through authentication for users from a particular domain. To do so, select the Domain Name from the drop down list. Enabled domain should be two way trusted. 

    4. Specify the DNS Server IP of the domain in the provided field.

    5. To use the NTLM security provider as an authentication service a computer account needs to be created in the Active Directory with a specific password. Specify a unique name for the Computer Account and Password for this account.

    6. The Bind String parameter must be a fully qualified DNS domain name or the fully qualified DNS hostname of a particular AD server.

    7. Save the authentication. You will get a confirmation message on the authentication.

    Upon saving the details, a new computer account will be created on the Active Directory (with the help of VB Script). If the user specifies existing computer accountname, the password specified here will be reset on the Active Directory for the computer account. User can choose to reset the password of computer account by clicking on the Reset Password link as well.

    If there is a problem in creating a Computer Account or resetting a password of the existing Computer Account using VB script from SDP server(upon save, the script will be called automatically) , the details specified here will be saved and user can execute the script locally on the AD server specifying the same details to create computer account / reset password.

    If there is an issue with computer account creation, user can specify an already created computer account name and reset password of that computer account with the help of reset password script.

     

     

    Copyright © 2017, ZOHO Corp. All Rights Reserved.