About Active Directory Authentication and SynchronizationLast Updated: 12/03/2015 Introduced in Verision: 2.0
Active Directory Requirements
AD authentication in general requires that the IIS server have the IIS Authentication modules for Basic, Digest, and Integrated Windows authentication installed. (This is only an AD authentication requirement; it is not required for the Decisions Portal to function.) This is found under Control Panel > Programs and Features, by selecting Turn Windows Features on or off. Expand IIS > World Wide Web Services > Security, and select the following checkboxes:
The Decisions Portal supports Mixed Mode authentication; therefore, the complete site has Anonymous Authentication Enabled, except a single page called “WindowsLogin.aspx.” The installer takes care of setting up the authentication.
Single Sign-On Requirements
If using AD as a source for users, when an AD user logs in to his/her client machine and launches the Decisions portal, Decisions will not prompt for a login as long as the following conditions are met in the environment:
- The machine the user is logging in to is a part of the domain.
- Windows Authentication has been enabled in IIS.
- User is accessing the Portal using Internet Explorer.
- The pre-Windows domain name is configured correctly in the Active Directory Settings in the Portal, found under System > Settings > Active Directory. The domain name must match exactly to the domain name in Active Directory. If users do not sync, check the Decisions log file and look to see the syntax of the user names attempting to sync to confirm the domain name is correct.
- The Windows User user name matches the User Identifier in the Decisions database. This is found under System > Security > Accounts, in the User Identifier field. Active Directory synced users will have a user identifier in the format of [domain name]\[user name].
- The IP address of the server on which Decisions is hosted must be in the Intranet zone list on the client. (In Internet Explorer, open Tools > Options. From the Security tab, click on Local Intranet and select the Sites button. Click on Advanced and add the IP to the web sites list.) Also, ensure the Automatic Logon Only in Intranet Zone setting is enabled.
Summary of Active Directory Synchronization
- Active Directory Sync only fetches users & groups from Active Directory. This is a one way sync where account/user/group information from Active Directory is stored in Decisions.
- If you select Sync Only Users, groups from Active Directory will not be synced.
- The Synchronization options allow you to specify what do you want to Sync from AD. For example, Entire Domain will get all the users and groups on the AD server. Selected Groups will get only users and groups from the selection. Select Org Units will get only users and groups from the selected organization units.
- Information about organization units is not synced into Decisions.
- AD sync replicates what is presently there on the AD Server. For example, if user John Smith is moved from group Managers to group Supervisors, the AD sync will replicate the change in Decisions by removing John Smith from group Managers and include him the group Supervisors.
- For users, Decisions retrieves all the personal information (First Name, Last Name, etc) and also all the contact information (Address, Phone Numbers, Emails, etc) from Active Directory to Decisions.
- When permissions are set up in Decisions for a synced user, those permissions are Decisions-specific and are retained across syncs.
- When a user is deactivated in AD, he/she will be deactivated in Decisions.
- When a user is deleted from AD, he/she will never be able to log in to Decisions. Users are never deleted from Decisions for data integrity purposes, such as having history of who completed a task, audited an entity, etc.
- The domain name entered under System > Settings > Active Directory must match exactly to the domain name in Active Directory. If users do not sync, check the Decisions log file and look to see the syntax of the user names attempting to sync to confirm the domain name is correct.
Need more help with:
About Active Directory Authentication and Synchronization?