Associating an AD Server with a Cloud Administration Group
If you want to add AD users and groups to the permissions lists for your Windows Access Control Policies, you need to associate at least one AD server with each Cloud Administration group in which you plan to create these policies. After you have associated the AD server with the Cloud Administration group, Cloud Admins can select the appropriate AD domain for each user from a drop-down list.
If you want to use the same AD server for multiple groups, you need to associate the server with each one of the groups individually. There is no default AD server association.
- Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
- In the top menu bar, click Workloads.
- Navigate to the Active Directory tab.
- Select Actions > Add Active Directory.
- In the Add Active Directory Server dialog box, specify the options you want to use.
  The dialog box contains the following fields:

  - Cloud Admin Group: Select the Cloud Administration group with which this AD server should be associated.
    Note: You cannot change the group name after you save the AD server.
  - Server URL: The AD domain controller IP address or hostname. Select LDAP:// or LDAPS:// from the drop-down list and enter the controller's URL in the text field. To include a port number, specify :port after the name. For example, 10.238.66.33:389.
    KeyControl does not support multiple AD domain controllers defined in the same Server URL field. If you want to use multiple domain controllers, you need to add a separate entry for each controller.
    Important: Enter the URL of your AD domain controller, not the URL of a specific AD domain. If you use a specific AD domain, you may encounter authorization issues the next time you upgrade KeyControl.
  - STARTTLS: Enable this option if you want KeyControl to use the Transport Layer Security (TLS) protocol when communicating with the AD server. If you select this option, you must upload a CA certificate for the AD server.
    Note: This option is only available if the Server URL starts with LDAP://.
  - Service Account: The AD account that KeyControl should use when logging into the AD server. Specify the account using one of the following formats:
    - Distinguished Name (DN). For example, CN=Administrator,CN=users,DC=hytrust,DC=com
    - User Principal Name (UPN). For example, administrator@hytrust.com
    - Account username. For example, administrator
    The AD account is usually an administrative user, but read-only permissions on the AD server are sufficient.
  - Service Account Password: The password for the Service Account.
  - CA Certificate: If you are using LDAPS://, or have selected the STARTTLS option for LDAP://, click Load File and select the CA certificate for the AD server.
- When you are done, click Add.
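The following Python script is an added example and not part of the KeyControl documentation or product. It checks a planned Add Active Directory Server entry against the field rules above before the values are typed into the dialog: the Server URL must name a single controller as LDAP://host[:port] or LDAPS://host[:port], STARTTLS is only valid with LDAP://, a CA certificate is required for LDAPS:// or STARTTLS, and the Service Account must be a DN, a UPN or a plain username. The AdServerEntry and validate_entry names, the 389/636 default ports used when no :port is given, and the warning for an unencrypted LDAP:// bind are assumptions of this example, not documented KeyControl behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not KeyControl code): a pre-flight validator for the values entered
# in the Add Active Directory Server dialog. Names and defaults here are assumptions.

# Standard LDAP/LDAPS ports, assumed to apply when the Server URL carries no :port suffix.
DEFAULT_PORTS = {"LDAP": 389, "LDAPS": 636}

# Scheme, one host (no spaces, commas or semicolons, so a second controller is rejected), optional port.
_URL_RE = re.compile(r"^(LDAPS?)://([^/:\s,;]+)(?::(\d{1,5}))?$", re.IGNORECASE)


@dataclass
class AdServerEntry:
    """The dialog fields as a Cloud Admin would fill them in (inputs below are constructed)."""
    server_url: str
    service_account: str
    starttls: bool = False
    ca_certificate: Optional[str] = None  # PEM text chosen via Load File, or None if nothing was uploaded


@dataclass
class ValidationResult:
    scheme: Optional[str] = None
    host: Optional[str] = None
    port: Optional[int] = None
    account_format: Optional[str] = None
    tls_in_use: bool = False
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def classify_account(account: str) -> str:
    """Return 'DN', 'UPN' or 'username' for the three formats the Service Account field accepts."""
    s = account.strip()
    if not s:
        return "invalid"
    # A DN is a comma-separated list of attr=value pairs, e.g. CN=Administrator,CN=users,DC=hytrust,DC=com
    if all("=" in part for part in s.split(",")):
        return "DN"
    # A UPN looks like administrator@hytrust.com
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", s):
        return "UPN"
    # A bare account name such as administrator
    if re.fullmatch(r"[^\s@=,]+", s):
        return "username"
    return "invalid"


def validate_entry(entry: AdServerEntry) -> ValidationResult:
    """Apply the dialog's rules and report everything that would be rejected or is risky."""
    r = ValidationResult()
    url = entry.server_url.strip()

    # Only one domain controller per Server URL field; several controllers need separate entries.
    if re.search(r"[\s,;]", url):
        r.errors.append("Server URL must name a single domain controller; add one entry per controller")
        return r
    m = _URL_RE.match(url)
    if not m:
        r.errors.append("Server URL must be LDAP://host[:port] or LDAPS://host[:port]")
        return r
    r.scheme = m.group(1).upper()
    r.host = m.group(2)
    r.port = int(m.group(3)) if m.group(3) else DEFAULT_PORTS[r.scheme]
    if not 1 <= r.port <= 65535:
        r.errors.append(f"port {r.port} is out of range")

    # STARTTLS is only offered for LDAP://; LDAPS:// is TLS from the first byte.
    if entry.starttls and r.scheme != "LDAP":
        r.errors.append("STARTTLS is only available when the Server URL starts with LDAP://")
    r.tls_in_use = r.scheme == "LDAPS" or (r.scheme == "LDAP" and entry.starttls)

    # Either TLS mode requires the AD server's CA certificate so the controller can be verified.
    if r.tls_in_use and not entry.ca_certificate:
        r.errors.append("a CA certificate for the AD server is required with LDAPS:// or STARTTLS")
    if not r.tls_in_use:
        # Assumption: a simple bind is used, so the password would cross the network in the clear.
        r.warnings.append("LDAP:// without STARTTLS sends the Service Account password unencrypted")

    r.account_format = classify_account(entry.service_account)
    if r.account_format == "invalid":
        r.errors.append("Service Account must be a DN, a UPN or an account username")
    return r


if __name__ == "__main__":
    # Constructed sample entry built from the documentation's own example values.
    sample = AdServerEntry("LDAP://10.238.66.33:389", "CN=Administrator,CN=users,DC=hytrust,DC=com",
                           starttls=True, ca_certificate="-----BEGIN CERTIFICATE-----\n...")
    print(validate_entry(sample))
```

Run it once per controller you intend to add; an entry with a non-empty errors list would be rejected by (or misbehave in) the dialog, and a warnings entry flags a configuration that the dialog accepts but that leaves the service-account bind unprotected.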