Active Directory basic settings for Cloud or DMZ secure installations
Active Directory basic settings
- SSL certificate installation for LDAPS
- Active Directory service account
- Configure Active Directory integration
- Write access
- Automatic user creation
Active Directory intranet users group
SSL certificate installation for LDAPS
Secure and encrypted communication between ThoughtFarmer and your internal Domain can be achieved by installing and configuring LDAPS with a valid SSL certificate. This is required for ThoughtFarmer AD integrations from the Cloud. For DMZ configurations where the web server is NOT a part of the domain this is only a recommendation.
For details on setting up and configuring your domain controller to use LDAPS with a verified 3rd party certificate please see the Microsoft documentation at http://support.microsoft.com/kb/321051.
Once the certificate is installed onto the web server, you will need to export it from the Personal Certificates store, including the private key. This exported *.pfx file will need to be added to the Trusted Root Certification Authority on the web server. For ThoughtFarmer Cloud clients, this file will need to be sent to ThoughtFarmer Support so we can install this onto the Cloud server.
Active Directory service accountIn order for ThoughtFarmer to access Active Directory it needs to use the credentials of an AD account that has the appropriate permissions. This is a service account that should NOT have a password expiry set. If there is a password expiry set, ThoughtFarmer authentication and other components may fail.
In order to utilize write access for ThoughtFarmer profile to AD field mapping this account needs to have both read and write access. For permission information please see AD security permissions.
If you do not intend to use this feature, or if your security protocols restrict this usage, then read-only access to AD is sufficient.
Configure Active Directory integration
- Go to the ThoughtFarmer Administration panel > Users & Security section > Active Directory page (if you do not see the link add /Administration/Security/ActiveDirectory/Default.aspx to your site root URL).
- Click enable beside Active Directory basic settings. If already enabled, click change.
- Enter the Fully Qualified Domain name in the AD domain field (e.g. dc01.domain.com)
- Enter the AD service account name in the AD user login name field.
- Enter the AD service account password in the Password field.
- Click Save settings at the bottom. (If the account is valid you are brought back out to the main Active Directory page. If the account is invalid you see an error message and need to correct the error before proceeding.)
- Click change again in the Active Directory basic settings section.
- (Optional) Enable write access by clicking "Yes" in the Write access section.
- (Optional) Enable automatic user creation by clicking "Yes" in the User creation section.
- (Required only if automatic user creation is enabled) Enter the AD group that ThoughtFarmer is to sync with and click Validate.
- Click Save settings at the bottom.
Write accessSet the write access radio button to the appropriate value for your desired feature set. Whatever the AD user permissions and ThoughtFarmer configuration, disabling write access here will ensure that no information in your Active Directory will ever be altered.
Automatic user creationSet the radio button in the User creation section to "Yes" to enable the automatic user creation features. With this value set to "No" all users will need to be created manually by an Administrator. Please see Create Active Directory users for more information on the automatic user creation features.
Active Directory intranet users groupTo use the Active Directory automatic user management features you need to use a single AD distribution or security group to manage all users. This AD group can contain nested groups. This group must be a specifically created group and not an AD default group such as "Domain users". It is important to verify the members of this group before syncing to avoid creating unwanted profiles in ThoughtFarmer (eg. service accounts, or other generic accounts).
If you have just created a custom group in AD you may need to refresh the Active Directory configuration page in order for the changes to be picked up.