The 探花大神 Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between 探花大神 and on-premises or off-premises AD. As covered in Get Started: Active Directory Integration, the ADI uses two agents, an Import Agent and a Sync Agent, which can be installed in three (3) configurations depending on where you want to manage users, groups, and passwords:
- Manage users, groups, and passwords in AD.
- Manage users and passwords in AD, 探花大神, or both.
- Manage users, groups, and passwords in 探花大神.
This article provides a step-by-step guide for configuring ADI to manage users, security groups, and passwords in AD. This configuration is typically used when you want to extend AD to the cloud for additional functionality, plan to keep AD as your primary user, group, and password authority, and want minimal changes to your existing AD environment.
Deployment Configuration Overview
- Use ADI import agent only.
- Install import agent on all domain controllers (DCs) or on at least 2 member servers.
- Add users and security groups under the ADI security group in AD.
To explore the use cases and benefits of this configuration, see Manage users, groups, and passwords in AD in the Configure Active Directory Integration (ADI) help center article.
Workflows
AD Import Agent Only - Single Domain Workflow
AD Import Agent Only - Multiple Domain Workflow
To learn more about the general user identity workflow and expected behavior for any user, group, and password change in AD and in 探花大神 read Use and Manage the Active Directory Integration (ADI) .
System Requirements
- 64-bit Windows Server (versions 2012, 2016, 2019, 2022)
- Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022. You will need to include the /msiexec parameter when running the agent installer.
- 15MB disk space
- 10MB RAM
New Installation Overview
The main steps you will take to install and configure ADI for a one-way sync from AD to 探花大神 are:
- Determine on which servers the AD import agents will be installed: member servers or domain controllers (DCs).
- Complete the prerequisite checklist.
- Determine the Root User Container in AD.
- Create the 探花大神 ADI Integration Security Group in AD.
- Create the AD Import Service Account.
- Delegate read-only control for the 探花大神 import account.
- Create an ADI domain instance in 探花大神.
- Select your configuration, follow the installation steps, and download the import agent.
- Run the AD Import Agent installation wizard.
- Reboot the servers on which the agent was installed.
- Verify the Import Agent Service started on each AD server.
- Complete post-installation AD import agent configuration on each AD server.
- Verify the AD import.
Considerations
Agent Version Considerations
- As of import agent v2.2.1, the following changes were made:
  - The default location for all agent related installation, configuration, and log files is C:\Program Files\探花大神\AD Integration.
  - All references to AD Bridge changed to AD Import.
  - The jcimport username & password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted, and the values in the registry are replaced with the encrypted value when the import agent starts.
- Import agent v3.0.0 and higher supports delegated user authentication to AD.
Delegated Authentication Considerations
Review ADI: Use AD Delegated Authentication for specific considerations and more information about delegated authentication to AD.
When the delegated authentication setting, Delegated Password Validation, is enabled and Pending for the ADI configuration and the user's Delegated Authority is Active Directory, the user will not be able to log in. An AD import agent, version 3.0 or higher, must be installed and active to change the status of Delegated Password Validation from Pending to Active.
- When upgrading from AD import agent v2.6.0 or lower, you must select Install New Agent from the Downloads dropdown menu in the ADI Details page to get the connect key, which is required to complete the upgrade of the agent on the AD server.
- When upgrading the AD import agent to version 3.0, existing users connected to the domain will not have their log in delegated to AD unless the Delegated Authority is manually set to Active Directory for those existing users.
- The delegated authentication setting, Delegated Password Validation, is enabled by default for this ADI configuration and cannot be disabled.
- When the delegated authentication setting, Delegated Password Validation, is enabled and active:
  - All users imported by import agent v3.0.0 or higher will have their Delegated Authority automatically set to Active Directory and their login to the 探花大神 User Portal and SSO login delegated to AD for validation.
  - Existing AD users imported from AD to 探花大神 no longer have to reset their password in AD to log in to 探花大神 managed resources when delegation is enabled for them.
General Installation Considerations
All installed import agents should be the same version to avoid unexpected behavior or the potential for users not being able to log in if the primary agent is switched.
- Non-standard ASCII characters are not supported in the Root User DN.
- When upgrading an import agent, the installation wizard prompts for minimal information:
  - Agent connect key, when upgrading from import agent v2.6.0 or lower.
  - Directory where the installation should occur.
  - Finish screen.
The Connect Key will expire in 7 days if it is not used.
- Demoting a DC installation to a member server and promoting a member server installation to a DC aren't supported. The agent(s) must be uninstalled first and then installed on the other type of server.
- A reinstall of the same ADI import agent is treated as an update.
- User passwords must be managed in AD.
- Users who are imported from AD to 探花大神 will automatically have their Password Authority set to Active Directory by default, and the attributes that sync will be read-only in both the Admin Portal and the User Portal. These fields become restrictedFields.
Member Server Installation Considerations
The following are considerations only if you choose to install the import agents on member servers:
- The AD password does NOT sync from AD to 探花大神. Users imported and synced from AD will not have a password in 探花大神.
Domain Controller (DC) Installation Considerations
The following are considerations only if you choose to install the import agents on DCs:
- An import agent must be installed on all Domain Controllers.
- Downtime should be scheduled. The installation requires a server reboot.
- AD passwords will sync from AD to 探花大神. This means that the password will be managed in AD and stored in both AD and 探花大神.
Security Considerations
- We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.
- We recommend periodically rotating the password for the server account used by the integration (e.g., jcimport) for security reasons.
- API tokens are specific to each Admin account. Use a separate, dedicated account for this integration to prevent the possibility of breaking the ADI connectivity to your 探花大神 organization when an Admin account is deleted.
If the 探花大神 Administrator Account associated with the import is deleted or the API key is rotated, the import will stop working. All imports will fail until a valid API key is generated and updated in the registry on the AD servers.
Password Considerations
- Users imported and synced from AD to 探花大神 will have their Password Authority set to Active Directory, which means a password cannot be created or changed in 探花大神 by either a 探花大神 Admin or an end-user. The password can only be created and updated in AD.
- When the 探花大神 AD import agent is installed on member servers, the AD password does NOT sync to 探花大神. The password will only be in AD.
- In this configuration, the user's Password Authority should also be set to Active Directory to prevent a password from being entered in 探花大神 by either a 探花大神 Admin or the end user.
- When the 探花大神 AD import agent is installed on all DCs, the AD password does sync from AD to 探花大神. This means that the password will be saved in both AD and 探花大神.
- When passwords are imported and synced from AD to 探花大神:
  - Passwords are still managed in AD.
  - Password complexity requirements in AD and 探花大神 should be as closely aligned as possible to avoid passwords being rejected and failing to sync because they do not meet the complexity requirements.
  - If you set a password expiration policy in 探花大神, these users will not receive password expiration notifications automatically.
  - Sending password expiration notifications from 探花大神 is not recommended. You can send notifications manually by going to Users > select expiring users > resend email.
  - Users whose Password Authority is set to Active Directory are restricted from changing their password in 探花大神, with the exception of the link in the password expiration notification.
- When passwords are imported and synced from AD to 探花大神:
  - If the import agent is installed on DCs, the password is stored in 探花大神 after the initial log in. The stored password continues to be synced from AD to 探花大神 and from 探花大神 to other resources. The password can be used to log in to resources that don't support delegated authentication to AD, such as Cloud RADIUS, Cloud LDAP, and devices.
  - If the import agent is installed on AD member servers, the password is never stored in 探花大神.
Import Considerations
- We recommend that all users you plan to import from AD into 探花大神 live in a single OU or are nested underneath a chosen OU (Root user container) in AD. This can be the default CN=Users container in AD or an alternate custom OU in the directory.
- If you relocate users in AD outside of the Root User Container, you could disrupt password synchronization, or remove users and groups from your 探花大神 instance, along with any associated data and resource associations.
- The 探花大神 ADI import agent services use TLS for all communication. If no network connectivity exists to 探花大神, the ADI will fail to sync and will not work properly.
- Users must have values for <First Name> and <Last Name>, i.e., the first name and last name fields cannot be empty, otherwise the users will fail to sync from AD to 探花大神.
- When multiple AD import agents are installed, one is designated as the primary agent by the ADI service for all user, group, delegated authentication, and password related actions (directives) performed by the import agent. If the primary import agent becomes unavailable, another active import agent is automatically designated as the primary.
- Users who are imported from AD to 探花大神 will automatically have their Password Authority set to Active Directory by default, and the attributes that sync will be read-only in both the Admin Portal and the User Portal. These fields become restrictedFields.
- The Password Authority setting can be changed for a specific user from their user record directly or for multiple users from Users > Actions > Set External Password Authority.
- To enable successful AD user imports, you must ensure that User Settings > Default Password Authority is set to None (探花大神).
- You can manage users in 2 ways:
  - Individually, by adding them to the security group created for this integration, located in the designated OU.
  - Using groups located in or nested in the designated Root user container, by adding those groups as members of the 探花大神 Integration Security Group.
- ADI Import Agent settings in the jcadimportagent.config.json file control the behaviors that occur in 探花大神 when certain actions are taken on the user in AD.
- Removing users from the 探花大神 integration Security Group within AD will either delete those users in 探花大神 and deprovision them from all bound resources or disconnect them from the AD integration, leaving them active in 探花大神 and allowing them to be managed in 探花大神 directly. The behavior is controlled by the UserDissociationAction setting in AD Import Agent configuration file.
- Importing privileged accounts, such as Domain Admins and accounts with "adminCount=1", into 探花大神 from AD, or managing them in AD from 探花大神, isn't supported.
Attributes
The user attributes that sync from AD to 探花大神 are:
- First Name
- Last Name
- Username
If the SyncAdditionalAttributes setting is true in the jcadimportagent.config.json file, the following attributes are also updated:
- displayname
- description
- JobTitle
- department
- company
- location
- employeeType
- phoneNumbers
- addresses
- manager
These attributes become read-only (restrictedFields) in 探花大神 when a user's Password Authority is set to Active Directory. The Password Authority setting can be changed for a specific user from their user record directly or for multiple users from Users > Actions > Set External Password Authority.
Prerequisite Checklist for New Installations
Before installing the ADI import agents for the first time, complete the following checklist:
- Know your AD Domain Admin credentials.
- Decide whether you want to install the sync agents on your AD domain's non-DC Domain Member Servers (member servers) or Domain Controllers (DCs).
  - When installing the import agent on DCs, schedule downtime. Installation requires a server reboot!
- Verify you have access to all Domain Controllers (DCs) in the AD domain or to the member servers on which you plan to install the import agents.
- Ensure the servers on which you are installing the import agent are running on a 探花大神 supported 64-bit Windows Server version (2012, 2016, 2019, 2022).
- Confirm the servers on which you are installing the import agent have networking access to the internet and are able to communicate outbound to console.jumpcloud.com over HTTPS port 443.
- If installing the import agents on DCs, schedule downtime; installation requires a server reboot!
- Create a dedicated Administrator account in 探花大神 that is specifically for the ADI.
API tokens are specific to each Admin account. Create a dedicated account for this integration to prevent the possibility of breaking the ADI connectivity to your 探花大神 organization when an Admin account is deleted.
- Generate and securely store the API key for the ADI dedicated Administration account.
- Verify all users to be synced from AD to 探花大神 have a value for first name and last name in AD.
- If you install the import agents on DCs, align password complexity requirements between AD and 探花大神 as closely as possible. Otherwise, passwords may not replicate if they're rejected by the destination directory's complexity requirements.
- [Recommended] Verify all users you plan to import into 探花大神 live in a single OU or are nested underneath a chosen OU (Root user container) in AD. This can be the default CN=Users container in AD or an alternate custom OU in the directory.
- Review Advanced Configurations for the Active Directory Import Agent to understand the configuration settings available for the import agent and note any default values that need to be changed as part of the installation.
- [STRONGLY recommended] Install LDAPS.
We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.
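The checklist above can be run as a script before touching any server. The following PowerShell is an added example, not code from the original article or from the ADI project; it assumes the RSAT ActiveDirectory module is installed on the machine running it, and the Root User Container DN and domain controller name are placeholders to replace with your own. It checks the OS and outbound HTTPS requirements, whether LDAPS is reachable on the DC, and then lists users under the Root User Container that would fail to sync (empty first or last name) or are unsupported for import (adminCount=1).

```powershell
# Added example, not part of the original article: pre-installation checks for a
# server that will host the ADI import agent. Assumes the RSAT ActiveDirectory
# module is installed. The DN and DC name below are placeholders.
Import-Module ActiveDirectory

# The AD cmdlets take the comma-separated LDAP DN form; the article writes the
# same container as CN=Users;DC=example;DC=com.
$RootUserContainer = 'CN=Users,DC=example,DC=com'
$DomainController  = 'dc01.example.com'   # placeholder: DC the agent will bind to

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on every supported Server version.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdiHostPrerequisites {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        OperatingSystem  = $os.Caption
        Is64Bit          = ($os.OSArchitecture -like '64*')
        # Outbound HTTPS to console.jumpcloud.com is required for the agent to sync.
        OutboundHttps443 = Test-TcpPort -ComputerName 'console.jumpcloud.com' -Port 443
        # LDAPS on the DC is strongly recommended so directory traffic is encrypted.
        DcLdaps636       = Test-TcpPort -ComputerName $DomainController -Port 636
        FreeDiskMB       = [int]((Get-PSDrive -Name C).Free / 1MB)
    }
}

function Get-AdiUsersMissingNames {
    # Users with an empty first or last name fail to sync, so find them first.
    param([string]$SearchBase = $RootUserContainer)
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties GivenName, Surname |
        Where-Object {
            [string]::IsNullOrWhiteSpace($_.GivenName) -or
            [string]::IsNullOrWhiteSpace($_.Surname)
        } |
        Select-Object SamAccountName, DistinguishedName, GivenName, Surname
}

function Get-AdiPrivilegedUsersInScope {
    # Domain Admins and adminCount=1 accounts are not supported for import; list any
    # that live under the Root User Container so they can be moved or excluded.
    param([string]$SearchBase = $RootUserContainer)
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' |
        Select-Object SamAccountName, DistinguishedName
}

Test-AdiHostPrerequisites     | Format-List
Get-AdiUsersMissingNames      | Format-Table -AutoSize
Get-AdiPrivilegedUsersInScope | Format-Table -AutoSize
```

Run it on each intended agent host (member server or DC). A `$false` for DcLdaps636 means the DC is not yet listening for LDAPS, which is the strongly recommended transport; any rows from the last two functions need to be fixed in AD before the first import.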
Prepare AD for the Import Agent Installations
To import and update user identities, attributes, and user groups from AD into 探花大神, you'll need to install a 探花大神 AD import agent on your non-DC Domain Member Servers (member servers) or all Domain Controllers (DCs) within your domain. Complete the steps below to prepare for installing the agents on your servers.
Passwords can only be synced from AD to 探花大神 if the import agent is installed on a DC. When installing on DCs, an import agent must be installed on all DCs.
Prepare for the AD Import Agent Installation in AD
The steps outlined below must be done on a DC, even if you plan to install the import agents on member servers. A server reboot is NOT required after completing these changes.
Determine the Root User Container in AD
The 探花大神 AD Import agent is designed to integrate with AD's default 'Users' container (CN=Users), which is pre-populated in the AD Users and Computers (ADUC) interface and labeled as "Users" as shown in the following image. (This is a default domain with no custom containers. In this use case the Root Container is CN=Users;DC=example;DC=com.)
The import agent installation wizard assumes that this is the Root User container and uses this path in your AD Import agent configuration file. During installation, you're prompted for the domain components (DC) used in your AD Domain (i.e., DC=example;DC=com). The installation wizard uses this base-level domain information to construct the following Root user container DN (Distinguished Name).
EXAMPLE: CN=Users;DC=example;DC=com
If CN=Users isn't the Root User Container you want to use in your AD instance, you can update the path in the agent configuration file, 'jcadimportagent.config.json', after the AD Import agent install completes. This is covered after the installation section of this document.
Create the 探花大神 ADI Integration Security Group in AD
A Security Group for the integration must be created within the Root User Container you've defined in the previous step. This Security Group is required. Any member of this group will be exported to your 探花大神 tenant.
If you do not create this group or give it a unique name across domains, the ADI will fail to function properly.
- Open the ADUC Menu by clicking Start, typing dsa, and clicking the Active Directory Users and Computers icon.
- Find your Root User Container.
- Right-click the Root User Container's folder and select New > Group.
- Ensure the Security Group is a Global Security Group.
- Give the Security Group a name that helps identify it as the group used by the ADI (e.g., "探花大神" for single domain environments, "探花大神 (Domain)" for multi-domain environments).
- Click OK.
In multi-domain environments, the security group must have a unique name within each domain (e.g., "探花大神 (mydomain1)" and "探花大神 (mydomain2)").
Create the AD Import Service Account
- Open the ADUC Menu by clicking Start, typing dsa, and clicking the Active Directory Users and Computers icon.
- Find your Root User Container.
- Right-click the Root User Container's folder and select New > User.
This user cannot:
  - Be a Domain Administrator
  - Be a member of the 探花大神 integration security group
  - Have the username "探花大神"
- Enter the following values for the 探花大神 Import Service Account user:
  - First Name: 探花大神
  - Last Name: Import
  - User logon name: jcimport
Use jcimport to distinguish what this user is for and to which agent it is attached.
The user logon name cannot be "探花大神".
- Enter a password for the jcimport user and ensure that it is set to Never Expire since this will be a service account for the Import Agent.
This password should still be rotated periodically for security reasons.
- Click Save.
Delegate read-only control for the 探花大神 import account
If you plan to modify your Root user container DN, you need to do this step on that chosen container in your AD.
- Navigate to the Root User Container in ADUC that you have selected, right-click the container and select Delegate Control. This launches the Delegation of Control Wizard.
- Click Next.
- Add the 探花大神 Import Agent account to the Delegation of Control Wizard.
- Click Next, then select Read all user information.
- Click Next, then click Finish at the final screen.
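The three preparation steps above (integration security group, jcimport service account, read-only delegation) can be scripted and, more importantly, verified. The following PowerShell is an added example, not code from the original article or from the ADI project. It assumes the RSAT ActiveDirectory module and a Domain Admin session on a DC; the Root User Container DN and the group name are placeholders to replace. It creates the Global Security group and the service account with the values given above, then checks the "this user cannot" rules and inspects the ACEs on the Root User Container so you can confirm the account holds read rights only.

```powershell
# Added example, not part of the original article: creates the ADI integration group
# and the jcimport service account in the Root User Container, then verifies the
# account's constraints and that its delegation on the container is read-only.
# Assumes RSAT ActiveDirectory and a Domain Admin session. DN/group name are placeholders.
Import-Module ActiveDirectory

$RootUserContainer = 'CN=Users,DC=example,DC=com'   # article form: CN=Users;DC=example;DC=com
$IntegrationGroup  = '探花大神 (example.com)'         # must be unique per domain
$ServiceAccount    = 'jcimport'
$Domain            = Get-ADDomain

function New-AdiIntegrationGroup {
    # Must be a Global Security group inside the Root User Container.
    if (-not (Get-ADGroup -Filter "Name -eq '$IntegrationGroup'" -SearchBase $RootUserContainer)) {
        New-ADGroup -Name $IntegrationGroup -GroupScope Global -GroupCategory Security `
            -Path $RootUserContainer -Description 'Members are imported by the ADI import agent'
    }
}

function New-AdiServiceAccount {
    # First name / last name / logon name as specified above; the password never
    # expires because this is a service account (still rotate it on a schedule).
    param([Parameter(Mandatory)][securestring]$Password)
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'")) {
        New-ADUser -Name '探花大神 Import' -GivenName '探花大神' -Surname 'Import' `
            -SamAccountName $ServiceAccount -UserPrincipalName "$ServiceAccount@$($Domain.DNSRoot)" `
            -Path $RootUserContainer -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
    }
}

function Test-AdiServiceAccount {
    # The "this user cannot" rules: not a Domain Admin (directly or nested), not a
    # member of the integration group, and not named like the integration group.
    $user         = Get-ADUser $ServiceAccount -Properties adminCount, PasswordNeverExpires
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
    $groupMembers = Get-ADGroupMember -Identity $IntegrationGroup -Recursive | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        NotDomainAdmin        = ($domainAdmins -notcontains $user.SamAccountName) -and ($user.adminCount -ne 1)
        NotInIntegrationGroup = ($groupMembers -notcontains $user.SamAccountName)
        NotNamedLikeGroup     = ($user.SamAccountName -ne $IntegrationGroup)
        PasswordNeverExpires  = $user.PasswordNeverExpires
    }
}

function Get-AdiDelegatedRights {
    # ACEs on the Root User Container granted to the service account. The wizard's
    # "Read all user information" task yields read rights scoped to user objects;
    # InheritedObjectType is the GUID of the object class each ACE applies to.
    $identity = "$($Domain.NetBIOSName)\$ServiceAccount"
    (Get-Acl -Path "AD:\$RootUserContainer").Access |
        Where-Object { $_.IdentityReference.Value -eq $identity } |
        Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
                      ObjectType, InheritedObjectType
}

function Test-AdiReadOnlyDelegation {
    # $true when no Allow ACE for the account carries a write-class right, i.e. the
    # delegation is the least privilege the import needs.
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree, Self, ExtendedRight'
    $excess = Get-AdiDelegatedRights | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
    }
    return (-not $excess)
}

New-AdiIntegrationGroup
New-AdiServiceAccount -Password (Read-Host -AsSecureString -Prompt 'Password for jcimport')
Test-AdiServiceAccount   | Format-List
Get-AdiDelegatedRights   | Format-Table -AutoSize
Test-AdiReadOnlyDelegation
```

Run Test-AdiReadOnlyDelegation again after the Delegation of Control Wizard: every property should be `True`, and the rights listed by Get-AdiDelegatedRights should be read-type only. Any write or extended right on the jcimport account is more than the import needs and should be removed before the agent is installed.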
Install the AD Import Agent
Create an ADI domain instance in 探花大神
Create a new ADI domain instance in 探花大神 if one does not already exist.
- Log in to the .
- Go to Directory Integrations > Active Directory.
- Click (+ Add ADI Domain).
- Select Manage users and passwords in Active Directory.
- Enter the name of an Active Directory domain that you want to integrate with your 探花大神 tenant. For example, "DC=example;DC=com".