Configuring Active Directory

If you want to specify AD-managed Security groups whose members will have access to KeyControl Compliance Manager, you must specify a Windows Active Directory (AD) server.

KeyControl Compliance Manager uses the same settings for both local account authentication and AD Security group authentication. You can specify up to two AD domain controllers for failover, but both controllers must manage the same AD domain.

Note: Configuring Active Directory will disable Local Authentication.

Procedure

  1. Log into the KeyControl Compliance Manager webGUI with your standard account credentials.

  2. In the side menu bar, select Settings.

  3. Click the Authentication tab.
  4. In the Active Directory section, click Configure.
  5. In the Disable Local Authentication dialog box, click Continue.
  6. In the Details section, enter the following:

     Field                     Description
     Configuration Method      Choose whether to use Automatic or Manual configuration.
     Domain Name               The domain name to use for account authentication.
     Service Account           The AD account that the tenant should use when logging into the AD server.
     Service Account Password  The password for the Service Account.

  7. Click Next.
  8. If you selected Automatic configuration, do the following:

    1. In the Domains section, verify the domain that you want to use. The default domain is displayed with a star icon.

      Important: KeyControl Compliance Manager automatically adds all of the discovered domain controllers and global catalogs, starting with the closest. If you have a large number, then this will be done in the background. If the domain that you want to use is not visible, and you do not want to wait, then we recommend that you complete the configuration process, then edit your AD configuration later.

    2. Click Next and proceed to step 10.

  9. If you selected Manual configuration, do the following:

    1. In the Domains section, click the Edit icon to add at least one domain controller and global catalog.

    2. Click Add Domain Controller in the Edit Domain bar.

    3. In the Add Domain Controller section, complete the following:

       Field                           Description
       Name                            Enter the name of the domain controller.
       Port                            Enter the port number for the domain controller.
       User Search Context (Base DN)   Enter the Distinguished Name (DN) of the node where the search for
                                       users should start. For performance reasons, the base DN should be
                                       as specific as possible. For example, dc=ldapserver,dc=com.
       Group Search Context (Base DN)  The Distinguished Name (DN) of the node where the search for
                                       Security groups should start. This option applies to AD Security
                                       groups being associated with a Cloud Admin Group.

    4. Click Add Global Catalog in the Edit Domain bar.

    5. In the Add Global Catalog section, complete the following:

       Field                           Description
       Name                            Enter the name of the global catalog.
       Port                            Enter the port number for the global catalog.
       User Search Context (Base DN)   Enter the Distinguished Name (DN) of the node where the search for
                                       users should start. For performance reasons, the base DN should be
                                       as specific as possible. For example, dc=ldapserver,dc=com.
       Group Search Context (Base DN)  The Distinguished Name (DN) of the node where the search for
                                       Security groups should start. This option applies to AD Security
                                       groups being associated with a Cloud Admin Group.

    6. Click Update.

    7. Click Next.

  10. In the Administrator section, enter the following:

     Field   Description
     Name    Enter the name of the domain.
     User    Enter the name of the Active Directory user.

  11. Click Complete.

You are logged out of the KeyControl Compliance Manager webGUI and can log back in with your AD credentials.
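The manual configuration in step 9 asks for a port and two base DNs per domain controller and global catalog, and a wrong port or an over-broad base DN is only discovered after the UI has already disabled local authentication. The following pre-flight check is an added example, not part of this documentation or of the KeyControl product: it derives the domain's root DN, parses each base DN, and flags ports that do not match the server role and base DNs that sit outside the domain or at its root. The standard port numbers are well-known Active Directory defaults, not values taken from this page; the ServerEntry fields, the sample server names and the DNs are constructed for the example. DN values are lowercased for comparison, and escaped or quoted RDN values are not handled.

```python
import re
from dataclasses import dataclass

# Well-known Active Directory LDAP ports (standard AD defaults, not values from the page).
DC_PORTS = {389, 636}        # LDAP / LDAPS on a domain controller
GC_PORTS = {3268, 3269}      # Global catalog / global catalog over SSL

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def domain_to_base_dn(domain: str) -> str:
    """Derive the root DN of a DNS domain: 'corp.example.com' -> 'dc=corp,dc=example,dc=com'."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, lowercased; raise on malformed input."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not _RDN.match(part):
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.lower(), value.strip().lower()))
    return rdns


@dataclass
class ServerEntry:          # hypothetical record mirroring the Add Domain Controller / Global Catalog fields
    role: str               # "dc" for a domain controller, "gc" for a global catalog
    name: str
    port: int
    user_base_dn: str
    group_base_dn: str


def check_entry(entry: ServerEntry, domain: str) -> list[str]:
    """Return findings for one server entry; an empty list means it looks consistent."""
    findings = []
    expected = DC_PORTS if entry.role == "dc" else GC_PORTS
    if entry.port not in expected:
        findings.append(f"{entry.name}: port {entry.port} is not a standard {entry.role.upper()} port {sorted(expected)}")
    root = parse_dn(domain_to_base_dn(domain))
    for label, dn in (("user", entry.user_base_dn), ("group", entry.group_base_dn)):
        rdns = parse_dn(dn)
        if rdns[-len(root):] != root:          # suffix must be the domain's own dc= components
            findings.append(f"{entry.name}: {label} base DN {dn!r} is not under domain {domain}")
        elif len(rdns) == len(root):           # root-level search: works, but slow on large directories
            findings.append(f"{entry.name}: {label} base DN is the domain root; narrow it to an OU")
    return findings
```

Run check_entry over every domain controller and global catalog you intend to enter in step 9 before clicking Configure, so that any correction happens before local authentication is disabled.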