In the administration console, specify the information required to connect to your Active Directory and select users and groups to sync with the VMware Identity Manager directory.

About this task

The Active Directory connection options are Active Directory over LDAP or Active Directory Integrated Windows Authentication. An Active Directory over LDAP connection supports DNS Service Location lookup.

Prerequisites

  • (SaaS) Connector installed and activated.

  • Select which attributes are required and add additional attributes, if necessary, on the User Attributes page. See Select Attributes to Sync with Directory.

    Important:

    If you plan to sync XenApp resources with VMware Identity Manager, you must make distinguishedName a required attribute. You must make this selection before creating a directory as attributes cannot be changed from optional to required after a directory is created.

  • List of the Active Directory groups and users to sync from Active Directory.

  • For Active Directory over LDAP, the information required includes the Base DN, Bind DN, and Bind DN password.

    Note:

    Using a Bind DN user account with a non-expiring password is recommended.

  • For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.

    Note:

    Using a Bind DN user account with a non-expiring password is recommended.

  • If the Active Directory requires access over SSL or STARTTLS, the Root CA certificate of the Active Directory domain controller is required.

  • For Active Directory Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.

Procedure

  1. In the administration console, click the Identity & Access Management tab.
  2. On the Directories page, click Add Directory.
  3. Enter a name for this VMware Identity Manager directory.
  4. Select the type of Active Directory in your environment and configure the connection information.

    Option: Active Directory over LDAP

    1. In the Sync Connector field, select the connector to use to sync with Active Directory.

    2. In the Authentication field, if this Active Directory is used to authenticate users, click Yes.

      If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

    3. In the Directory Search Attribute field, select the account attribute that contains the username.

    4. If the Active Directory uses DNS Service Location lookup, make the following selections.

      • In the Server Location section, select the This Directory supports DNS Service Location checkbox.

        A domain_krb.properties file, auto-populated with a list of domain controllers, will be created when the directory is created. See About Domain Controller Selection (domain_krb.properties file).

      • If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use SSL checkbox in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

        Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

        Note:

        If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.

    5. If the Active Directory does not use DNS Service Location lookup, make the following selections.

      • In the Server Location section, verify that the This Directory supports DNS Service Location checkbox is not selected and enter the Active Directory server host name and port number.

        To configure the directory as a global catalog, see the Multi-Domain, Single Forest Active Directory Environment section in Active Directory Environments.

      • If the Active Directory requires access over SSL, select the This Directory requires all connections to use SSL checkbox in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

        Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

        Note:

        If the Active Directory requires SSL and you do not provide the certificate, you cannot create the directory.

    6. In the Base DN field, enter the DN from which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com.

    7. In the Bind DN field, enter the account that can search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.

      Note:

      Using a Bind DN user account with a non-expiring password is recommended.

    8. After you enter the Bind password, click Test Connection to verify that the directory can connect to your Active Directory.

    Option: Active Directory (Integrated Windows Authentication)

    1. In the Sync Connector field, select the connector to use to sync with Active Directory.

    2. In the Authentication field, if this Active Directory is used to authenticate users, click Yes.

      If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

    3. In the Directory Search Attribute field, select the account attribute that contains the username.

    4. If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use STARTTLS checkbox in the Certificates section and copy and paste the Active Directory Root CA certificate into the SSL Certificate field.

      Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

      If the directory has multiple domains, add the Root CA certificates for all domains, one at a time.

      Note:

      If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.

    5. In the Bind User UPN field, enter the User Principal Name of the user who can authenticate with the domain. For example, username@example.com.

      Note:

      Using a Bind DN user account with a non-expiring password is recommended.

    6. Enter the Bind User password.

  5. Click Save & Next.

    The page with the list of domains appears.

  6. For Active Directory over LDAP, the domains are listed with a check mark.

    For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.

    Note:

    If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.

    Click Next.

  7. Verify that the VMware Identity Manager directory attribute names are mapped to the correct Active Directory attributes and make changes, if necessary, then click Next.
  8. Select the groups you want to sync from Active Directory to the VMware Identity Manager directory.

    Option: Specify the group DNs

    To select groups, you specify one or more group DNs and select the groups under them.

    1. Click + and specify the group DN. For example, CN=users,DC=example,DC=company,DC=com.

      Important:

      Specify group DNs that are under the Base DN that you entered. If a group DN is outside the Base DN, users from that DN will be synced but will not be able to log in.

    2. Click Find Groups.

      The Groups to Sync column lists the number of groups found in the DN.

    3. To select all the groups in the DN, click Select All, otherwise click Select and select the specific groups to sync.

    Note:

    When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.

    Option: Sync nested group members

    The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will be members of the parent group that you selected for sync.

    If the Sync nested group members option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

  9. Click Next.
  10. Specify additional users to sync, if required.
    1. Click + and enter the user DNs. For example, CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

      Important:

      Specify user DNs that are under the Base DN that you entered. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in.

    2. (Optional) To exclude users, create a filter to exclude some types of users.

      You select the user attribute to filter by, the query rule, and the value.

  11. Click Next.
  12. Review the page to see how many users and groups are syncing to the directory and to view the sync schedule.

    To make changes to users and groups, or to the sync frequency, click the Edit links.

  13. Click Sync Directory to start the sync to the directory.
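As an added pre-flight check (example code, not VMware's), this Python models two pitfalls the procedure above calls out: group and user DNs outside the Base DN sync but cannot log in, and nested-group sync flattens users into the selected parent group while skipping users whose primary group is not Domain Users. The sample DNs, group tree and certificate body are constructed, and the PEM check only tests the BEGIN/END framing and base64 body the page requires, not the certificate chain.

```python
import base64
import re

# Constructed sample input (not from the page): Base DN and candidate group DNs.
BASE_DN = "OU=myUnit,DC=myCorp,DC=com"
GROUP_DNS = ["CN=Users,OU=myUnit,DC=myCorp,DC=com",
             "CN=users,DC=example,DC=company,DC=com"]

def split_dn(dn):
    """Split a DN into (attribute, value) RDNs, normalised for comparison."""
    parts = re.split(r"(?<!\\),", dn)          # commas inside values are escaped
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def is_under_base_dn(dn, base_dn):
    """True when dn equals base_dn or sits below it in the directory tree."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    return len(rdns) >= len(base) and rdns[len(rdns) - len(base):] == base

def dns_outside_base(dns, base_dn=BASE_DN):
    """DNs whose users would be synced but would not be able to log in."""
    return [dn for dn in dns if not is_under_base_dn(dn, base_dn)]

def pem_looks_valid(pem):
    """Require BEGIN/END CERTIFICATE lines around a decodable, non-empty body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return False
    try:
        return len(base64.b64decode("".join(m.group(1).split()), validate=True)) > 0
    except ValueError:                          # binascii.Error is a ValueError
        return False

# Constructed AD fragment: group -> (direct users, nested groups); user -> primary group.
GROUPS = {"Staff": (["alice", "bob"], ["Contractors"]),
          "Contractors": (["carol", "dave"], [])}
PRIMARY = {"alice": "Domain Users", "bob": "Domain Users",
           "carol": "Domain Users", "dave": "Vendors"}

def users_to_sync(selected, nested=True, groups=GROUPS, primary=PRIMARY):
    """Users the sync places in 'selected'. Nested groups are walked but not synced
    themselves, and users whose primary group is not Domain Users are skipped."""
    result, queue, seen = set(), [selected], set()
    while queue:
        g = queue.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        users, subgroups = groups[g]
        result.update(u for u in users if primary.get(u) == "Domain Users")
        if nested:
            queue.extend(subgroups)
    return result
```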

Results

The connection to Active Directory is established and users and groups are synced from the Active Directory to the VMware Identity Manager directory. The Bind DN user has an administrator role in VMware Identity Manager by default.

What to do next

  • If you created a directory that supports DNS Service Location, a domain_krb.properties file was created and auto-populated with a list of domain controllers. View the file to verify or edit the list of domain controllers. See About Domain Controller Selection (domain_krb.properties file).

  • Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.

  • Review the default access policy. The default access policy is configured to allow all appliances in all network ranges to access the Web portal, with a session timeout set to eight hours, or to access a client app with a session timeout of 2160 hours (90 days). You can change the default access policy and, when you add Web applications to the catalog, you can create new ones.

  • (On premises) Apply custom branding to the administration console, user portal pages and the sign-in screen.