Configuring Active Directory Authentication


To facilitate user access to the Login Enterprise virtual appliance, you need to configure Active Directory (AD) integration. The appliance offers two permission levels to choose from:

  • Login Enterprise Administrator - this role grants full and unrestricted access to the appliance, enabling users to modify settings and configurations as needed.
  • Login Enterprise Read-Only - this role allows users to view the Dashboard, Charting, Events, and Export Data functionalities, but does not permit them to make any modifications or changes.

If you are assigned to both permission groups, the highest level of permission takes precedence. For instance, Administrator permissions override Read-Only permissions.

Configuring Active Directory

To set up Active Directory integration, follow these steps:

1. In the Login Enterprise sidebar menu, scroll down and find Other > Access Control.

For simplified access control, we recommend establishing distinct 'Administrators' and 'Read-Only' groups.

2. In Access Control, provide the following information:

AD Domain FQDN

The fully qualified domain name (FQDN) of the domain used for authentication.

Domain controller

The domain controller responsible for processing the requests. As of Login Enterprise 5.10, you can configure up to 5 Domain Controllers for LDAP authentication.

Port

The port utilized for LDAP.

SSL/TLS Settings

  • Select Enable SSL for Login Enterprise to use SSL/TLS encryption when establishing a connection with the AD server. This is the recommended choice, as it protects credentials and other sensitive information in transit during authentication.
  • Select Ignore SSL errors to instruct Login Enterprise to bypass SSL certificate validation errors that occur during the connection. While this option can be useful in certain situations, e.g. when dealing with self-signed certificates, it introduces a security risk: the connection proceeds even when the server's certificate cannot be validated.

AD Timeout

The time to wait for the Active Directory controller's response. As of Login Enterprise 5.6, you can extend the default 60-second AD timeout up to 180 seconds.

Admin Group

The group name for users granted administrator access to Login Enterprise.

Read-Only Group

The group names of users granted read-only permissions to Login Enterprise.

3. Click Save Changes to apply your AD authentication integration. Following this, you can log out and log back in using your domain account.

Multi-domain controller in LDAP

The support for multiple domain controllers allows the configuration of up to five domain controllers for LDAP authentication. This ensures that if the primary domain controller becomes unavailable, the system will automatically attempt to connect with the next available controller in the list. The feature enhances the system’s availability and reliability by enabling a fail-over mechanism across multiple domain controllers (DC).

To configure and use this feature, you need administrative access to Login Enterprise.

Configuring multi-domain controllers

1. Access the Access Control panel: Navigate to the LDAP settings in your system’s administration console.

2. Update Domain Controllers list: Enter the domain controllers in the Domain controller field as a semicolon-separated list, in order of priority (for example, `dc1;dc2;dc3`, where each entry is a placeholder for a domain controller hostname).

a. All DCs must be reachable and the configured port (389) must be open on each of them.

b. Otherwise, the application displays an error message listing the incorrect DCs.

3. Save and apply changes: Confirm the settings and apply them to enable the feature.

4. Log off and log in again.

Using multi-domain controllers

Once configured, the system will handle authentication requests across the specified domain controllers without further user intervention.

1. In case one of the DCs is unavailable (stopped), the corresponding information is logged to the IdentityServer container log:

[19:34:28 INF] Attempting to connect to LDAP server
[19:34:28 INF] Connecting to (ssl: False)
[19:34:28 ERR] Connection failed to ldap:// Connect Error (Ldap result #91 Connect Error)
LdapException: Unable to connect to server (91) Connect Error
System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (00000005, 0xFFFDFFFF): Name or service not known
[19:34:28 INF] Connecting to (ssl: False)
[19:34:28 INF] Connected to LDAP server
[19:34:28 INF] Attempting to bind to LDAP server with username:
[19:34:28 INF] Binding user credentials
[19:34:28 INF] Bind succeeded, authentication DN:

2. The same applies if the port is closed:

[09:50:45 INF] Connecting to (ssl: False)
[09:50:45 INF] Checking if port 389 is open
[09:50:45 INF] Connecting to
[09:50:50 ERR] Connection failed to ldap:// due to configured timeout of 5 sec for port open check.
[09:50:50 INF] Connecting to (ssl: False)
[09:50:50 INF] Checking if port 389 is open
[09:50:50 INF] Connecting to
[09:50:50 INF] Port 389 is open
[09:50:50 INF] Connected to LDAP server
[09:50:50 INF] Attempting to bind to LDAP server with username:
[09:50:50 INF] Binding user credentials
[09:50:50 INF] Bind succeeded, authentication DN:
[09:50:50 INF] Successfully bound to LDAP server
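As an added example (not Login Enterprise's own code), the following Python models the fail-over behaviour described above: it splits the Domain controller field on semicolons, enforces the five-controller limit, and tries each DC in priority order with a port-open check and a timeout, producing log lines in the same style as the IdentityServer output. The function names, the log wording and the 5-second default are assumptions taken from the log excerpts, not from the product.

```python
import socket
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DOMAIN_CONTROLLERS = 5   # limit for the Domain controller field (Login Enterprise 5.10)
PORT_OPEN_TIMEOUT = 5.0      # seconds; assumed from the "port open check" log line


def parse_domain_controllers(value: str) -> List[str]:
    """Split the semicolon-separated Domain controller field, keeping priority order."""
    dcs = [dc.strip() for dc in value.split(";") if dc.strip()]
    if not dcs:
        raise ValueError("at least one domain controller is required")
    if len(dcs) > MAX_DOMAIN_CONTROLLERS:
        raise ValueError(f"at most {MAX_DOMAIN_CONTROLLERS} domain controllers are supported")
    return dcs


@dataclass
class FailoverResult:
    connected: Optional[str]            # DC that accepted the connection, or None
    log: List[str] = field(default_factory=list)


def connect_first_available(dcs: List[str], port: int = 389,
                            timeout: float = PORT_OPEN_TIMEOUT) -> FailoverResult:
    """Try each DC in order; return the first whose LDAP port accepts a TCP connection.

    Mirrors the fail-over semantics on the page: an unreachable host (DNS or connect
    error) or a closed port moves on to the next DC instead of failing the login.
    """
    result = FailoverResult(connected=None)
    for dc in dcs:
        result.log.append(f"Connecting to {dc} (ssl: False)")
        result.log.append(f"Checking if port {port} is open")
        try:
            with socket.create_connection((dc, port), timeout=timeout):
                result.log.append(f"Port {port} is open")
                result.log.append("Connected to LDAP server")
                result.connected = dc
                return result
        except socket.timeout:   # caught before OSError, of which it is a subclass
            result.log.append(f"Connection failed to ldap://{dc} due to configured "
                              f"timeout of {timeout:g} sec for port open check.")
        except OSError as exc:   # name resolution failure, connection refused, etc.
            result.log.append(f"Connection failed to ldap://{dc} {exc}")
    result.log.append("No configured domain controller is reachable")
    return result
```

Run it against a constructed list such as `"unreachable-dc;reachable-dc"` to watch the first entry fail and the second one connect.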

Security requirements

The minimum requirements for secure AD Authentication / LDAPS (port 636) are:

  • Protocol TLS 1.2
  • 2048-bit certificate
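An added example (not the product's code) that makes the SSL/TLS settings above and the TLS 1.2 minimum concrete: a client context for LDAPS on port 636 that refuses anything older than TLS 1.2, with the "Ignore SSL errors" option mapped to what it amounts to in practice (no certificate or hostname validation), plus a probe that reports the negotiated protocol. Function names are assumptions; the 2048-bit key-size check is not performed here because the standard library does not expose the peer key size.

```python
import socket
import ssl
from typing import Dict, Optional


def build_ldaps_context(ignore_ssl_errors: bool = False) -> ssl.SSLContext:
    """TLS client context for LDAPS with TLS 1.2 as the floor.

    ignore_ssl_errors=False -> 'Enable SSL' with full validation (recommended)
    ignore_ssl_errors=True  -> 'Ignore SSL errors': the session is encrypted, but any
                                certificate is accepted, so an impersonating server
                                cannot be told apart from the real domain controller.
    """
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject TLS 1.0/1.1 and SSLv3
    if ignore_ssl_errors:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_ldaps(host: str, port: int = 636, ignore_ssl_errors: bool = False,
                timeout: float = 5.0) -> Dict[str, Optional[object]]:
    """Open a TLS session to host:port and report what was negotiated.

    Raises ssl.SSLError when validation is enabled and the DC presents an untrusted
    or mismatched certificate, which is exactly the failure 'Ignore SSL errors' hides.
    """
    ctx = build_ldaps_context(ignore_ssl_errors)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()              # empty dict when not validated
            return {
                "protocol": tls.version(),        # e.g. "TLSv1.2" or "TLSv1.3"
                "cipher": tls.cipher()[0],
                "validated": not ignore_ssl_errors,
                "subject": cert.get("subject") if cert else None,
            }
```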

Additional resources

  • For troubleshooting login problems with LDAP/Active Directory, see Login problems with LDAP/Active Directory (note that this is a workaround/temporary solution if you’re using Login Enterprise 5.6 or higher).