Active Directory

Central Server® User Management can be used in conjunction with the Active Directory® (AD) service. This service allows user names and passwords to be verified at login against those stored in the Active Directory®. Other user data, such as email addresses and telephone numbers, can also be copied from the directory to Central Server®. This approach can also be used to ensure that corporate security requirements are complied with.
Use the Active Directory menu option in the SystemAdministration application to configure directory services for use with Central Server®. Once this is configured, the users associated with the chosen directory services can be selected as Central Server® users in User Management.
A separate Active Directory configuration can be set up for every Customer contained in the Customers system. Active Directory users can be set up in User Management for each of these Customers. The login name for each user must already be set up in the directory service. The properties associated with the user, such as name and email address, will be copied from the directory service to Central Server® User Management and can be updated manually there. Unlike all the other user data, the login name and password are not stored in Central Server® and cannot be changed. When an Active Directory user logs in to Central Server®, the login credentials that are provided are verified against those stored in the directory service. If the service is unavailable, then it will not be possible to log in. A Customer can include both Active Directory and Local users.

The Active Directory screen provides an overview of the directory service configurations for all Customers.

Active Directory settings overview

The left pane of the Active Directory screen shows the sub-menus of the SystemAdministration application. The current screen is highlighted.
The center of the screen shows a table listing all Active Directory services that have been configured, along with a selection of their properties. The table allows multiple selections. The status bar at the bottom edge of the table shows the number of Active Directory configurations selected, as well as the total number of configurations. The last time the screen was refreshed is also shown.

Menu

The toolbar above the Active Directory table supports the following operations:

Create Active Directory Configuration wizard

The Create Active Directory Configuration wizard guides you through the process of setting up a new Active Directory configuration for use by Central Server®.

An Active Directory can be allocated to every Customer. Choose the Customer of interest on the Select Customer page. This shows only Customers that do not yet have an associated configuration. This is because only one Active Directory can be allocated to each Customer.

Wizard Active Directory - Create Active Directory Configuration - Select Customer

In the next step (Create New Configuration), enter a name and description for the new configuration.

Wizard Active Directory - Create Active Directory Configuration - Create New Configuration

The Active Directory Configuration page contains all the information that is needed to communicate with the Active Directory.

Wizard Active Directory - Create Active Directory Configuration - Configuration

Type
    AD-DS (Domain Services): Select this option if you want to use Active Directory® Domain Services (AD DS).
    AD-LDS (Lightweight Directory Services): Select this option if you want to use Active Directory® Lightweight Directory Services (AD LDS).
Hostname: Host name or IP address of the server where the directory service is installed.
Port: LDAP server port (default 389).
Use SSL (StartTLS): Select this checkbox to use SSL for transmission of data.
User: Name of the user that will log in to the directory service.
Password: Password for the user that will log in to the directory service.
Confirm Password: Confirmation of the password for the user that will log in to the directory service.
Container: Node in the directory service tree structure that is used as the starting point for user searches in Central Server® User Management. The path uses the following notation: CN=users,DC=my,DC=organization,DC=domain. This value can be copied from the Active Directory Users and Computers application: find the relevant organizational unit, right-click its folder symbol and select Properties from the context menu. In the window that opens, select the Attribute Editor tab, select the distinguishedName attribute and click the View button. Copy the complete text from the Value text field of the String Attribute Editor window and paste it into the Container text field. The Attribute Editor tab is only displayed if the Advanced Features option in the View menu is active.
Context Options
    Negotiate: The client is authenticated by using either Kerberos or NTLM. When the user name and password are not provided, the Account Management API binds to the object by using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread represents.
    Signing: The integrity of the data is verified. This flag can only be used with the Negotiate context option and is not available with the simple bind option.
    ServerBind: Specify this flag when you use the domain context type if the application is binding to a specific server name.
    SimpleBind: The client is authenticated by using Basic authentication.
    Sealing: The data is encrypted by using Kerberos.

The descriptions for the ContextOptions are taken from the Microsoft Developer Network®.
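The following is an added example, not part of the product or of the original documentation. It is an offline pre-flight check for the values entered on the Configuration page above: it parses the Container distinguished name in the CN=...,DC=... notation the page describes and checks the Context Options against the rules the page states (Signing only together with Negotiate and not with SimpleBind; Negotiate may omit credentials, SimpleBind may not). Two rules are assumptions and are marked as such in the code: that Sealing is Negotiate-only in the same way as Signing, and the defender's caveat that a simple bind without Use SSL sends the service-account password unprotected. The field and option names are taken from the page; the `AdConfig` class and the function names are invented for this example and the script never contacts a directory service.

```python
"""Pre-flight checks for an Active Directory configuration as entered in the
Create Active Directory Configuration wizard (added example, not product code).
Standard library only: it validates the entered values and does not talk to
the directory service."""
from dataclasses import dataclass, field
from typing import List, Tuple

KNOWN_TYPES = {"AD-DS", "AD-LDS"}
KNOWN_OPTIONS = {"Negotiate", "Signing", "ServerBind", "SimpleBind", "Sealing"}
# Signing is Negotiate-only per the page. Assumption: Sealing follows the same
# rule (as in Microsoft's ContextOptions documentation).
NEGOTIATE_ONLY = {"Signing", "Sealing"}


@dataclass
class AdConfig:
    """Hypothetical container mirroring the wizard's Configuration page."""
    type: str
    hostname: str
    port: int = 389
    use_ssl: bool = False
    user: str = ""
    password: str = ""
    confirm_password: str = ""
    container: str = ""
    context_options: List[str] = field(default_factory=list)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split CN=users,DC=my,DC=organization,DC=domain into (attr, value) pairs.
    Backslash-escaped commas inside a value are kept verbatim; anything that is
    not attr=value raises ValueError."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep as-is
            current += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip().isalpha() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_config(cfg: AdConfig) -> List[str]:
    """Return a list of problems; an empty list means the values are
    consistent with the rules stated on the Configuration page."""
    problems = []
    if cfg.type not in KNOWN_TYPES:
        problems.append(f"Type must be one of {sorted(KNOWN_TYPES)}")
    if not cfg.hostname.strip():
        problems.append("Hostname is required")
    if not 1 <= cfg.port <= 65535:
        problems.append("Port must be between 1 and 65535")
    if cfg.password != cfg.confirm_password:
        problems.append("Password and Confirm Password differ")

    opts = set(cfg.context_options)
    unknown = opts - KNOWN_OPTIONS
    if unknown:
        problems.append(f"unknown context options: {sorted(unknown)}")
    for opt in sorted(NEGOTIATE_ONLY & opts):
        if "Negotiate" not in opts or "SimpleBind" in opts:
            problems.append(f"{opt} can only be used with Negotiate, not with SimpleBind")
    # Negotiate may fall back to the calling thread's security context when no
    # credentials are given; a simple bind has no such fallback.
    if "SimpleBind" in opts and not (cfg.user and cfg.password):
        problems.append("SimpleBind requires User and Password")
    # Assumption (defender's caveat, not stated on the page): without SSL/StartTLS
    # a simple bind transmits the service-account password in clear text.
    if "SimpleBind" in opts and not cfg.use_ssl:
        problems.append("SimpleBind without Use SSL transmits the password unprotected")

    try:
        parse_dn(cfg.container)
    except ValueError as exc:
        problems.append(f"Container: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the hostname is a placeholder, not a real server.
    sample = AdConfig(type="AD-DS", hostname="dc01.example.test", use_ssl=True,
                      user="svc-centralserver", password="s3cret", confirm_password="s3cret",
                      container="CN=users,DC=my,DC=organization,DC=domain",
                      context_options=["Negotiate", "Signing"])
    for line in check_config(sample) or ["configuration looks consistent"]:
        print(line)
```

Run the script with the values you intend to enter in the wizard; each reported line maps to one field on the Configuration page, so a malformed Container or an unsupported option combination is caught before the configuration is saved and the first login attempt fails.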

The Summary page provides an overview of the configuration.

Wizard Active Directory - Create Active Directory Configuration - Summary