Configuring an AD Authentication Provider

Prerequisite

You have permissions to access the administrator portal.

Setting Up an AD Server

Windows Server 2012 R2 is used as an example to describe how to set up a domain server.

1. In Server Manager, choose Manage > Add Roles and Features in the upper right.
2. In the Add Roles and Features Wizard dialog box, click Next until the Select server roles page is displayed. Select Active Directory Domain Services and click Add Features in the displayed box.
3. Click Next until the Confirm installation selections page is displayed. Click Install to start the role installation process.
4. After the installation is complete, click the yellow triangle icon displayed in the upper right, and click Promote this server to a domain controller. The Active Directory Domain Services Configuration Wizard window is displayed.
5. On the Deployment Configuration page, select Add a new forest and set a domain name, such as oneaccess.com.
6. Click Next. On the displayed page, enter the DSRM password of a non-domain user.
7. Click Next until the Prerequisites Check page is displayed. Click Install. After the installation is complete, the server is automatically restarted.

Creating a Domain Account

1. Choose Tools > Active Directory Users and Computers in the upper right corner.
2. Right-click the target domain, choose New > User, enter a username, and click Next.
3. Set Full name and User logon name and click Next. For example, john@oneaccess.com.
4. Enter a password for the domain account and enter the password again. Deselect all check boxes. (You do not need to change the password at the first login.)

Configuring LDAP to Connect to AD

1. Download and install ApacheDirectoryStudio, an LDAP client.
2. Choose LDAP > New Connection and set the connection parameters. If the connection is successful, user and organization information in the AD is displayed.
   Figure 1 Creating a connection
   
   Figure 2 Setting parameters
   

Adding an AD Authentication Provider

1. Log in to the administrator portal.
2. On the top navigation bar, choose Authentication > Authentication Providers.
3. Choose Enterprise Authentication Providers > AD.
4. On the AD Authentication Providers page, click Add Authentication Provider in the upper right corner and set the parameters required.
   Figure 3 Setting parameters
   

   Table 1 Configuration parameters

   Parameter	Description
   Display Name	Mandatory. Display name of the authentication provider, for example, AD.
   Connection Mode	You can choose Directly connect (default) or Connect by CloudBridge agent.
   AD Address	Mandatory. Connection address of AD in the format "ldap://{hostname}:{port}/", where {hostname} indicates the AD server address and {port} indicates the port. The default port is 389. For details, see Configuring LDAP to Connect to AD.
   rootDN	Mandatory. A node of AD used to authenticate users. The format of the value is "dc=,dc=". For details, see Configuring LDAP to Connect to AD.
   Domain Name	Optional. Domain name set when the AD server is set up. If this parameter is set, the query condition consists of the "login name + @ + domain name". If this parameter is left blank, the query condition contains only the login name. For details, see 5.
   Query Conditions	Mandatory. Consists of the object class and user login name. Adjust userPrincipalName to meet service requirements. If the placeholder is {0}, query is performed based on the username entered by a user during login and the domain name, for example, mike@companya.cn. If no domain name exists, the domain name of the authentication provider is used. If the placeholder is {1}, query is performed only based on the username entered by a user, for example, mike.
   Source Attribute	Mandatory. Attribute of the AD user associated with the user login name. For example, userPrincipalName. Obtain the attribute from Configuring LDAP to Connect to AD.
   Related User Attribute	Mandatory. User attribute mapped by AD in the system. The user attribute must be a unique text.
   No User Associated	Mandatory. Operation that will be performed if a user logs in successfully but fails to be associated with a system user.

   

   Define more user attributes if needed. The attributes must be unique texts. For details, see Adding an Extended Attribute.

Enabling AD Authentication

1. On the top navigation bar, choose Resources > Applications.
2. On the Applications page, click User Portal.
3. Click the user portal icon to go to the general information page.

4. Choose Login Settings > Web Applications, click in the Operation column of AD to enable AD authentication, and select the authentication provider added in Adding an AD Authentication Provider.
   

   When AD authentication is enabled, the password login mode text box is used. You need to click in the Operation column of Password to disable the database authentication mode. If LDAP authentication is enabled, click in the Operation column of LDAP to disable LDAP authentication.

FAQs

1. When creating a domain account, why am I prompted that the AD cannot be opened because the domain does not exist or cannot be connected?
   1. Check whether the Netlogon and DFS services have been started.
   2. Run the net share command to check whether the sharing is normal.

      If the sharing is abnormal, change the value of SysvolReady in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters to 1. Run the net share command again. The sharing should become normal.

   3. For the AD domain, check the logs in the event viewer and use the Dcdiag tool to locate the error.
2. Why is [LDAP: error code 49-80090308:LdapErr:……AcceptSecurityContext error.data.52e.vece] displayed during LDAP configuration for AD connection?

   The password or credential is invalid. The correct username format is "{Username}@{Domain name}".