Configuring Active Directory Authentication

AD integration for Login Enterprise gives users easy access to the Login Enterprise web interface. There are two permission levels within Login Enterprise.

  • Login Enterprise Administrator
  • Login Enterprise Read-Only

The Login Enterprise Administrator has full and unrestricted access to the Login Enterprise web interface and can change settings and configurations.

Login Enterprise Read-Only accounts can only view the Dashboard, Charting and Events, and export data from the web interface.

If you are a member of both permission groups, the highest permission applies, i.e. Administrator permissions win over Read-Only permissions.

To configure Active Directory integration, select "AD AUTHENTICATION" from the home page of the virtual appliance. We recommend creating separate Login Enterprise Administrators and Login Enterprise Read-Only groups for easy access control.


The AD Authentication page accepts the following inputs:

  • AD Domain FQDN - FQDN of the domain to authenticate against (e.g., contoso.com)
  • Domain controller - The DC that handles the authentication requests
  • Port - Port used for LDAP
  • Login Enterprise Admin Group - Name of the group whose members will have administrator access to the Login Enterprise web interface
  • Login Enterprise Read-Only Group - Name of the group whose members will have read-only permissions to the Login Enterprise web interface
  • Username - Username of the account used to make the connection (will not be saved)
  • Password - Password of the account used to make the connection (will not be saved)


After the configuration has been saved, you can log out and log in with your domain account.

Multi Domain Support

Multi-domain configurations are supported from version 4.4.X upwards.

Note: We've tested and support a single parent domain with 2 direct subdomains of that parent domain. Resources from any domain can be used in this configuration, so users can reside in a subdomain while the domain controller and groups are taken from the top-level domain.

This requires a different configuration. Instead of the group name (which isn't unique across multiple domains), the group distinguished name is required in the Admin Group and Read-Only Group fields.

For instructions on finding the distinguished name, please see this external link.

When logging in, use the UPN, e.g. testuser@subdomain.contoso.com.

Minimum requirements for secure AD Authentication / LDAPS (port 636):

  • Protocol TLS 1.2
  • 2048-bit certificate
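Before filling in the AD AUTHENTICATION page, an administrator can check the values from a domain-joined Windows host. The following PowerShell is an added example, not part of the Login Enterprise product: it resolves the distinguished names of both groups (needed for the multi-domain configuration above) and verifies that the domain controller's LDAPS endpoint meets the minimum requirements listed (TLS 1.2, 2048-bit key). The DC hostname and group names are assumptions; replace them with your own.

```powershell
# Added example (not Login Enterprise code): pre-flight check of AD AUTHENTICATION inputs.
Import-Module ActiveDirectory

$DomainController = 'dc01.contoso.com'               # assumed DC FQDN
$AdminGroup       = 'Login Enterprise Administrators' # assumed group names
$ReadOnlyGroup    = 'Login Enterprise Read-Only'

# 1. Resolve the distinguished names. Multi-domain configurations need the DN, not the
#    plain group name, because group names are not unique across domains.
foreach ($name in $AdminGroup, $ReadOnlyGroup) {
    $group = Get-ADGroup -Identity $name -Server $DomainController
    "{0,-32} -> {1}" -f $name, $group.DistinguishedName
}

# 2. Verify the LDAPS endpoint: the handshake is forced to TLS 1.2 (it throws if the DC
#    does not offer it) and the server certificate's RSA key size is compared to 2048.
function Test-LdapsRequirements {
    param([string]$Server, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    $ssl = $null
    try {
        # The callback accepts the certificate only so it can be inspected here;
        # chain trust is evaluated separately below with X509Chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $keyBits = 0                                   # 0 means the key is not RSA
        if ($rsa) { $keyBits = $rsa.KeySize }

        [pscustomobject]@{
            Server       = $Server
            Protocol     = $ssl.SslProtocol            # Tls12 when the handshake succeeded
            KeyBits      = $keyBits
            KeyMeetsMin  = ($keyBits -ge 2048)
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            ChainTrusted = $chain.Build($cert)         # $false: this host does not trust the issuer
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

Test-LdapsRequirements -Server $DomainController
```

A KeyMeetsMin of False, an AuthenticationException from the handshake, or ChainTrusted False on the appliance's trust store all indicate the DC will not pass the secure LDAPS requirements before any credentials are entered.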