One way to pull users into the intranet is to synchronize with Active Directory. This article walks through setting up the synchronization with Active Directory and performing the first synchronization to pull the users into the intranet.
Preparing AD for Synchronization
Advanced preparation will give you cleaner data in your intranet.
- Clean up your Active Directory structure
- Ensure user profiles are populated with the data you need
- AD sync account and password will be required
- The password should not contain special characters such as @, \ or #; they can cause issues with LDAP(S) connections from Lucee
- Ensure Domain Controller and Web Server are on the same domain
Accessing Active Directory Settings
To access the AD settings, go to the Admin area, click the Security tab, and under the Logins section click the Active Directory Synchronization option. To edit an existing connection, click Edit beside the desired connection; to add a new connection, click Add Connection.
Delegate Rights for AD Sync Account
The AD sync account requires the following permissions on the Domain Controller:
- Read object
- Read object properties (only for objects pulling into the Intranet)
- List Content and Read Property rights to the Deleted Objects Container (Required to have the Intranet automatically disable disabled/deleted users in AD)
Delegating Read Object and Read All Object Properties Rights
- Open Active Directory Users and Computers from Administrative Tools
- Right-click the appropriate domain
- Click Delegate Control
- Click Next to skip the introduction
- Click Add
- Specify the desired user object(s) and click OK
- Click Next
- Select the Create a custom task to delegate option
Use a separate connection for each domain to synchronize.
- If you have more than one domain to synchronize, ensure there is a two-way trust set up between the domains.
For each connection, enter the domain name, domain controller name, Admin username and password.
- The domain controller name must be the short host name only. Using the fully qualified host name causes errors, because the domain is appended where required, which would produce an incorrect domain name.
Select whether you need to use Secure LDAP.
- If you select Secure LDAP, the port changes automatically, and you may need to import the SSL certificate of the Domain Controller into Lucee, as well as the Trusted Root Certificate Authority certificate (MMC Certificates snap-in).
- Refer to our Enable SSL (HTTPS) article for how to import the SSL certificate.
Learn more about the upcoming changes from Microsoft in March 2020: the LDAP channel binding and LDAP signing requirement.
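Before switching a connection to Secure LDAP, it helps to see which certificate the Domain Controller actually presents on the LDAPS port and whether its issuing CA is already trusted. The following PowerShell check is an added example, not part of the Intranet Connections documentation; it assumes a placeholder Domain Controller named dc01 listening on the default LDAPS port 636.

```powershell
# Added example (not from the Intranet Connections documentation): confirm the DC answers on
# LDAPS and show the certificate it presents, so the right certificate and issuing CA can be
# imported for Lucee. Assumptions: DC short host name 'dc01' (placeholder), default port 636.
$DomainController = 'dc01'
$Port = 636

$client = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
try {
    # Accept whatever the DC sends so the chain can be inspected even before it is trusted.
    # This callback is for inspection only; a real client must validate the certificate.
    $ssl = [System.Net.Security.SslStream]::new(
        $client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($DomainController)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Protocol   : $($ssl.SslProtocol)"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)   <- the CA that must be trusted by Lucee and Windows"
    "Expires    : $($cert.NotAfter)"
    "Thumbprint : $($cert.Thumbprint)"
    # The name Lucee ends up connecting with has to be one of these, or the handshake fails.
    "DNS names  : $($cert.DnsNameList.Unicode -join ', ')"

    # Does this Windows machine already trust the chain? Lucee keeps its own trust store,
    # so a 'trusted' result here still means the import into Lucee must be done separately.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    if ($chain.Build($cert)) {
        'Chain      : trusted by this machine'
    } else {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        "Chain      : NOT trusted by this machine ($reasons); import the issuing CA first"
    }
}
finally {
    $client.Dispose()
}
```

Run it from the web server, since that is the machine whose trust (and whose Lucee instance) the sync connection depends on.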
Select your sync interval.
- This scheduled synchronization will sync changes only.
Test the connection and ensure it is successful before clicking Save & Continue.
If there are multiple connections, make sure no two users share the same username. Duplicate usernames may affect user login and user profiles.
Select your Object Type
- Employees - individuals who will have access to the intranet and will have a profile.
- Logins - reserved for individuals who need access to the intranet but don't have a profile such as vendors or volunteers.
- Groups - security groups in AD (note: if you select Groups as an Object Type, you can't use the Group Filter)
Select your Organizational Unit
- Select the top level of your domain or an OU present in your domain.
- The sync does not look into built-in containers such as ‘Users’. If all of your users reside in the Users container, select the top-level domain and filter by group membership.
- Use the Object Preview to see what will be synchronized.
- Use the Group Filter to filter the OU by group membership. This is a useful way of reducing the number of objects from the OU to be synchronized.
- Save a target by clicking Add Target in the upper right corner; targets are added one at a time. You can add as many targets as required.
- Verify the target(s) in the Sync Target List.
- Delete an incorrect target using the garbage can at the end of the target in the Sync Target List.
Having trouble syncing users over? Check out our AD troubleshooting article.
- If you list the users' manager(s) in AD, you can select to synchronize this as the Supervisor for the individual in the Intranet. This is useful when creating workflows and for the simple organizational chart.
- You can have Intranet Connections automatically disable any account that is disabled or deleted in AD. This is a one-way synchronization only; Intranet Connections will never update AD. This will only work if the user is not moved out of the synchronized OU in AD.
Disabled Users: If a user is disabled, the sync will not bring the user into the Intranet. If an account is disabled after being synchronized, the account will be disabled in the Intranet. If that account is re-enabled in future, and is still in the target OU, the account will be re-enabled in the Intranet in AD Sync v2.0 only.
To ensure disabled users are removed from Global Search, the site must be reindexed by going to Admin > Site Search > Reindex my site data.
Deleted Users: Disabling deleted users in the Intranet is limited by the 1000-object cap on what is read from the AD Tombstone (Deleted Objects). If you find deleted users are not being disabled in the Intranet, this limit is the likely cause. In that case, disable the user manually and force a sync before deleting the user in AD.
- Domain administrators can automatically be made intranet admins with this selected. If not selected, you will need to manually elevate permissions for individuals to be admins in the intranet.
- Once satisfied with your selections, click Save & Continue.
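The Object Preview shows what a target will pull in, but it is often useful to run the same question against AD directly, including how many accounts drop out because they are disabled or outside the Group Filter, and how close the Deleted Objects container is to the 1000-object limit described above. This PowerShell script is an added example, not part of the Intranet Connections product; the OU and group names are placeholders, and it tests direct group membership only.

```powershell
# Added example (not part of the Intranet Connections product): preview which accounts a sync
# target (OU + Group Filter) would pull, mirroring the rules in this article, and count the
# tombstones behind the 1000-object limit on automatic disabling of deleted users.
# Assumptions (placeholders): OU 'OU=Staff,DC=corp,DC=example', filter group 'Intranet Users'.
Import-Module ActiveDirectory

$TargetOU    = 'OU=Staff,DC=corp,DC=example'
$FilterGroup = 'Intranet Users'

# memberOf holds distinguished names, so compare against the group's DN.
# Only direct membership is checked here; nested groups are not expanded.
$groupDN = (Get-ADGroup -Identity $FilterGroup).DistinguishedName

# Everything below the OU, including disabled accounts, so the sets can be compared.
$all = Get-ADUser -SearchBase $TargetOU -SearchScope Subtree -Filter * `
                  -Properties memberOf, manager, Enabled

# The sync skips disabled users, and with a Group Filter anything outside the group.
$disabled  = $all | Where-Object { -not $_.Enabled }
$outside   = $all | Where-Object { $_.Enabled -and ($_.memberOf -notcontains $groupDN) }
$inScope   = $all | Where-Object { $_.Enabled -and ($_.memberOf -contains $groupDN) }

"Users under OU        : $($all.Count)"
"Disabled (not synced) : $($disabled.Count)"
"Outside group filter  : $($outside.Count)"
"Would be synchronized : $($inScope.Count)"

# Accounts with an empty manager attribute get no Supervisor when that option is enabled.
'In-scope users without a manager set in AD:'
$inScope | Where-Object { -not $_.manager } |
    Select-Object SamAccountName, Name | Format-Table -AutoSize

# Deleted users are only disabled in the Intranet while the tombstone read stays under
# 1000 objects; count the deleted user objects present right now.
$deletedDN  = 'CN=Deleted Objects,' + (Get-ADDomain).DistinguishedName
$tombstones = Get-ADObject -SearchBase $deletedDN -IncludeDeletedObjects `
                  -Filter { isDeleted -eq $true -and objectClass -eq 'user' }
"Tombstoned user objects: $(@($tombstones).Count) (limit for automatic disabling: 1000)"
```

Reading the Deleted Objects container needs the same List Contents and Read Property rights the article requires for the sync account, so run this as an account that has them.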
- The intranet field is on the left and is headed ‘Employee Field’.
- The Active Directory Field is a drop-down selection allowing you to select the field in AD that corresponds to the information you want to have showing in this field in the intranet.
- You can use the Preview to see what information will be synchronized for the corresponding field. The preview is only displayed once an ‘employee’ target has been saved with at least one employee object.
- It's advantageous to have an AD profile open when creating these mappings to ensure you're targeting the correct AD field.
- If a required intranet field does not appear, it may be hidden. Click Admin > Directory and select Manage Fields to ensure the fields you need are checked under the ‘Display’ column so they appear in the Field Mappings area.
- These values are populated from the ADField table in the database. If you need to add an AD field, you can insert the field to the table in the database. The FieldName must match the Attribute LDAP Name, and Common Name must match Attribute Display Name. The field from AD must be a text value; date values, etc., will not be accepted.
- If you map a field that is empty in AD, the intranet will sync the empty field. If a user fills in that data in the intranet, that data will be deleted during the next sync.
From the Intranet Connections Blog
- The ‘sync interval’ setting in the AD Synchronization settings will synchronize changes only and is managed by the scheduled task created during installation.
- The ‘sync now’ button under the AD Synchronization settings will force a full sync.
Login Authentication Types
There are three different authentication modes to choose from in the intranet:
- Form Authentication - Users must enter valid login credentials via the login form and are authenticated against credentials stored by Intranet Connections.
- Windows Authentication - Network credentials (how you log into your workstation) are passed by the browser and authenticated by the server.
- Mixed Mode Authentication - Users have a choice of either form or Windows login on the same login page. AD users can check the 'Windows Authentication' checkbox on the login form and, provided they do not explicitly click logout, will automatically be signed in using their domain credentials. Users with form accounts can log in normally. Both Anonymous and Windows Authentication need to be enabled in IIS for this site to use this mode.
When first configuring AD Synchronization, it's recommended to use Mixed Mode Authentication until everybody has tested their ability to log into the intranet with Windows Authentication. If no problems arise, switch to Windows Authentication at that time.
Pass-Through Windows Authentication
It’s possible to have browsers log users into the intranet automatically. This requires a change to the browser security settings that marks the intranet site as one with which it is safe to exchange the user's current Windows credentials on request. The change can be made via GPO for the entire domain or individually on each workstation.
Microsoft Internet Explorer and Google Chrome
Chrome inherits its settings from IE's Local Intranet Zone. Even if a user never plans to log in with IE, the following changes must be made to ensure pass-through works in Chrome.
- Start the Internet Explorer browser
- Select Tools > Internet Options
- Click on Security Tab
- Click on Local Intranet Zone so that it is highlighted
- Click on Sites then click on Advanced
- Type in the local Intranet Site (http://ipaddressofserver) and click Add
Mozilla Firefox
- Start Firefox. In the address bar type ‘About:Config’
- Once past the agreement prompt, type NTLM into the filter box
- Double click on network.automatic-ntlm-auth.trusted-uris entry
- Type in the local Intranet Site (http://ipaddressofserver) and click OK
Environments that are limited to Kerberos authentication and do not accept NTLM will also need to set network.negotiate-auth.delegation-uris.
To manage this via GPO, please see Microsoft's KB article: Configuring Internet Explorer for Automatic Logon.
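After rolling the browser changes out, whether by GPO or by hand, it is worth checking on a workstation that the settings actually landed. The following PowerShell check is an added example, not part of the Intranet Connections documentation; it assumes the intranet is reached by the placeholder host name intranet, reads the zone assignment that IE and Chrome share, and reads the Firefox prefs named above.

```powershell
# Added example (not from the Intranet Connections documentation): verify on a workstation that
# the pass-through settings are in place. Assumption: the intranet is reached as http://intranet
# (placeholder host name). Sites added by IP address live under ZoneMap\Ranges, not checked here.
$IntranetHost = 'intranet'

# IE (and Chrome, which inherits it) keeps zone assignments under ZoneMap\Domains. A name
# without dots is a single key; a dotted name is Domains\<domain>\<host>. Zone 1 = Local Intranet.
$zoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    # Populated by the "Site to Zone Assignment List" group policy.
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
$labels  = $IntranetHost.Split('.')
$relPath = if ($labels.Count -gt 1) {
    ($labels[1..($labels.Count - 1)] -join '.') + '\' + $labels[0]
} else { $IntranetHost }

foreach ($root in $zoneRoots) {
    $key = Join-Path $root $relPath
    if (-not (Test-Path $key)) { "$key : not present"; continue }
    $zone = (Get-ItemProperty -Path $key).http
    $verdict = if ($zone -eq 1) { 'Local Intranet, pass-through allowed' } else { 'not Local Intranet' }
    "$key : http = $zone ($verdict)"
}

# Firefox writes about:config changes to prefs.js in each profile (flushed when Firefox closes).
$prefNames = 'network.automatic-ntlm-auth.trusted-uris', 'network.negotiate-auth.delegation-uris'
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $content = Get-Content -Path $_.FullName -Raw
        foreach ($pref in $prefNames) {
            $pattern = 'user_pref\("' + [regex]::Escape($pref) + '",\s*"([^"]*)"\);'
            $m = [regex]::Match($content, $pattern)
            $value = if ($m.Success) { $m.Groups[1].Value } else { '(not set)' }
            $flag  = if ($value -like "*$IntranetHost*") { 'includes intranet' } else { 'does NOT include intranet' }
            "$($_.Directory.Name): $pref = $value [$flag]"
        }
    }
```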
Active Directory Synchronization Versions
Intranet Connections Version 13.5 and higher can run Active Directory Synchronization v1.0 or v2.0.
Intranet Connections Version 13.0 and prior is only capable of running Active Directory Synchronization v1.0.
Setup for Versions
Active Directory Synchronization v2.0 setup: