In the VMware Identity Manager console, enter the information required to connect to your Active Directory and select users and groups to sync with the VMware Identity Manager directory.

The Active Directory connection options are Active Directory over LDAP or Active Directory over Integrated Windows Authentication. Active Directory over LDAP connection supports DNS Service Location lookup.

Prerequisites

  • (SaaS) Connector installed and activated.
  • Select which attributes are required and add additional attributes, on the User Attributes page. See Select Attributes to Sync with Directory.
  • Make a list of the Active Directory users and groups to sync from Active Directory. Group names are synced to the directory immediately. Members of a group do not sync until the group is entitled to resources or added to a policy rule. Users who need to authenticate before group entitlements are configured should be added during the initial configuration.
    Note: VMware Identity Manager connector version 19.03 and older versions do not support the / and $ characters in a group's name or distinguishedName attribute. This limitation applies to groups that you add to the group DN as well as to groups that are not directly added to the group DN but are synced as part of a parent group when nested group memberships are enabled.

    Do not use the / or $ character in a group's name or distinguishedName attribute if you plan to sync the group to VMware Identity Manager and you are using connector version 19.03 or older versions.

  • For Active Directory over LDAP, you need the Base DN, Bind DN, and Bind DN password.

    The Bind DN user must have the following permissions in Active Directory to grant access to users and groups objects:

    • Read
    • Read All Properties
    • Read Permissions
    Note: Using a Bind DN user account with a non-expiring password is recommended.
  • For Active Directory over Integrated Windows Authentication, you need the user name and password of the Bind user who has permission to query users and groups for the required domains.

    The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

    • Read
    • Read All Properties
    • Read Permissions
    Note: Using a Bind user account with a non-expiring password is recommended.
  • If the Active Directory requires access over SSL or STARTTLS, the Root CA certificates of the domain controllers for all the relevant Active Directory domains are required.
  • For Active Directory over Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.
  • For Active Directory over Integrated Windows Authentication:
    • For all domain controllers listed in SRV records and hidden RODCs, nslookup of hostname and IP address should work.
    • All the domain controllers must be reachable over the network.
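The inputs listed above can be sanity-checked before they are pasted into the console. The following is an added Python example, not VMware code and not part of the original page: it splits a pasted Root CA bundle into certificates and checks each for the BEGIN/END lines, flags / and $ in group names for connector 19.03 and older, and returns the port and encryption the procedure notes say are used for each Server Location setting. The certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(bundle: str) -> list:
    """Split the text pasted into the SSL Certificate box (one Root CA per domain,
    one after the other) into DER byte strings; ValueError if a block is incomplete."""
    blocks = PEM_BLOCK.findall(bundle)
    if not blocks:
        raise ValueError("no complete BEGIN CERTIFICATE / END CERTIFICATE block")
    # ssl.PEM_cert_to_DER_cert enforces the header/footer lines and decodes the body.
    return [ssl.PEM_cert_to_DER_cert(block) for block in blocks]


def pem_bundle_ok(bundle: str) -> bool:
    """True when every pasted certificate has its BEGIN/END lines and decodes."""
    try:
        return len(split_pem_bundle(bundle)) > 0
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False


def group_name_ok(name_or_dn: str, connector_version: str) -> bool:
    """Connector 19.03 and older cannot sync a group whose name or distinguishedName
    contains / or $ (also when the group is only reached through nesting)."""
    version = tuple(int(part) for part in connector_version.split("."))
    return version > (19, 3) or not any(ch in name_or_dn for ch in "/$")


def ldap_transport(ssl_required: bool, dns_srv_lookup: bool) -> tuple:
    """Port and encryption used for AD over LDAP, per the procedure notes:
    STARTTLS on 389 with DNS Service Location, LDAPS on 636 without it."""
    if not ssl_required:
        return ("plaintext", 389)
    return ("STARTTLS", 389) if dns_srv_lookup else ("LDAPS", 636)


def _placeholder_pem(label: str) -> str:
    # Constructed: the body is base64 of a label, NOT a real certificate.
    body = base64.b64encode(f"placeholder-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample paste for a two-domain directory, and a copy that lost its END line.
SAMPLE_BUNDLE = _placeholder_pem("corp.example") + _placeholder_pem("child.corp.example")
TRUNCATED_BUNDLE = SAMPLE_BUNDLE.split("-----END")[0]
```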

Procedure

  1. In the VMware Identity Manager console, click the Identity & Access Management tab.
  2. On the Directories page, click Add Directory.
  3. Enter a name for this VMware Identity Manager directory.
  4. Select the type of Active Directory in your environment and configure the connection information.
    Option Description
    Active Directory over LDAP
    1. In the Sync Connector text box, select the connector to use to sync with Active Directory.

      In an on premises deployment, a connector component is always available with the VMware Identity Manager service by default. This connector appears in the drop-down menu. If you install multiple VMware Identity Manager instances for high availability, the connector component of each appears in the list. Additional, standalone connectors are also listed.

    2. In the Authentication text box, if this Active Directory is used to authenticate users, click Yes.

      If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

    3. In the Directory Search Attribute text box, select the account attribute that contains username.
    4. If you want to use DNS Service Location lookup for Active Directory, make the following selections.
      • In the Server Location section, select the This Directory supports DNS Service Location check box.

        VMware Identity Manager finds and uses optimal domain controllers. If you don't want to use optimized domain controller selection, follow step 5 instead.

      • If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use SSL check box in the Certificates section.
        Note: If the This Directory supports DNS Service Location option is selected, STARTTLS is used for encryption over port 389. If the This Directory supports DNS Service Location option is not selected, LDAPS is used for encryption over port 636.

        Also copy and paste the Active Directory Root CA certificate into the SSL Certificate text box. Ensure that the certificate is in the PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

        Note: If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot create the directory.
    5. If you do not want to use DNS Service Location lookup for Active Directory, make the following selections.
      • In the Server Location section, verify that the This Directory supports DNS Service Location check box is not selected and enter the Active Directory server host name and port number.

        To configure the directory as a global catalog, see the Multi-Domain, Single Forest Active Directory Environment section in Active Directory Environments.

      • If the Active Directory requires access over SSL, select the This Directory requires all connections to use SSL check box in the Certificates section.
        Note: If the This Directory supports DNS Service Location option is selected, STARTTLS is used for encryption over port 389. If the This Directory supports DNS Service Location option is not selected, LDAPS is used for encryption over port 636.

        Also copy and paste the Active Directory Root CA certificate into the SSL Certificate field. Ensure that the certificate is in the PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.

        If the directory has multiple domains, add the Root CA certificates of all the domains, one after the other.

        Note: If the Active Directory requires SSL and you do not provide the certificate, you cannot create the directory.
    6. In the Base DN field, enter the DN from which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com.
    7. In the Bind DN field, enter the account that can search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.
      Note: Using a Bind DN user account with a non-expiring password is recommended.
    8. After you enter the Bind password, click Test Connection to verify that the directory can connect to your Active Directory.
    Active Directory (Integrated Windows Authentication)
    1. In the Sync Connector text box, select the connector to use to sync with Active Directory.
    2. In the Authentication text box, if this Active Directory is used to authenticate users, click Yes.

      If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

    3. In the Directory Search Attribute text box, select the account attribute that contains username.
    4. In the Certificates section, do not enable the This Directory requires all connections to use STARTTLS option. Directories of type Active Directory over Integrated Windows Authentication use SASL Kerberos binding automatically and do not need LDAPS or STARTTLS to be enabled.
    5. (Linux only) Enter the name of the Active Directory domain to join. Enter a user name and password that has the rights to join the domain. See Permissions Required for Joining a Domain (Linux Virtual Appliance Only) for more information.
    6. In the Bind User Details section, enter the user name and password of the bind user who has permission to query users and groups for the required domains. For the user name, enter the sAMAccountName, for example, jdoe. If the bind user's domain is different from the Join Domain entered above, enter the user name as sAMAccountName@domain, where domain is the fully-qualified domain name. For example, [email protected].
      Note: Using a Bind user account with a non-expiring password is recommended.
  5. Click Save & Next.
    The page with the list of domains appears.
  6. For Active Directory over LDAP, the domains are listed with a check mark.
    For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.
    Note: If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.

    Click Next.

  7. Verify that the VMware Identity Manager directory attribute names are mapped to the correct Active Directory attributes and make changes, if necessary, then click Next.
  8. Select the groups you want to sync from Active Directory to the VMware Identity Manager directory.
    When groups are added here, group names are synced to the directory. Users that are members of the group are not synced to the directory until the group is entitled to an application or the group name is added to an access policy rule. Any subsequent scheduled syncs bring updated information from Active Directory for these group names.
    Option Description
    Specify the group DNs To select groups, you specify one or more group DNs and select the groups under them.
    1. Click + and specify the group DN. For example, CN=users,DC=example,DC=company,DC=com.
      Important: Specify group DNs that are under the Base DN that you entered. If a group DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    2. Click Find Groups.

      The Groups to Sync column lists the number of groups found in the DN.

    3. To select all the groups in the DN, click Select All, otherwise click Select and select the specific groups to sync.
    Note: When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
    Sync nested group members

    The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select as well as all the users that belong to nested groups under it are synced when the group is entitled. Note that the nested groups are not synced; only the users that belong to the nested groups are synced. In the VMware Identity Manager directory, these users will be members of the parent group that you selected for sync.

    If the Sync nested group members option is disabled, when you specify a group to sync, all the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.

  9. Click Next.
  10. Specify the users to sync.
    Because members in groups do not sync to the directory until the group is entitled to applications or added to an access policy rule, add all users who need to authenticate before group entitlements are configured.
    1. Click + and enter the user DNs. For example, CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
      Important: Specify user DNs that are under the Base DN that you entered. If a user DN is outside the Base DN, users from that DN will be synced but will not be able to log in.
    2. (Optional) To exclude users, create filters to exclude users based on the attribute chosen. You can create multiple exclude filters.
      You select the user attribute to filter by and the query filter to apply to the value you define.
      Option Description
      Contains Excludes all users who match the attribute and value set. For example, name contains Jane excludes users named "Jane".
      Does not contain Excludes all users except for those who match the attribute and value set. For example, telephoneNumber does not contain 800 includes only users with a telephone number that includes "800".
      Begins with Excludes all users where the attribute value begins with <xxx>. For example, employeeID begins with ACME0 excludes all users whose employee ID starts with "ACME0".
      Ends with Excludes all users where the attribute value ends with <yyy>. For example, mail ends with example1.com excludes all users whose email address ends in "example1.com".
    The value is case-insensitive. The following symbols cannot be in the value string.
    • Asterisk *
    • Caret ^
    • Parentheses ( )
    • Question mark ?
    • Exclamation point !
    • Dollar sign $
  11. Click Next.
  12. Review the page to see how many users and groups are syncing to the directory and to view the sync schedule.

    To make changes to users and groups, or to the sync frequency, click the Edit links.

  13. Click Sync Directory to start the sync to the directory.
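The two rules from the group and user sync steps above that most often surprise administrators are the Base DN condition (a DN outside the Base DN syncs, but its users cannot log in) and the inverted meaning of "Does not contain". The following is an added Python example, not part of the original documentation, that works them through over constructed user entries; combining several exclude filters so that a user is dropped when any one of them matches is an assumption, since the page does not say how multiple filters combine.

```python
# Constructed sample user entries as they might be read from Active Directory.
USERS = [
    {"dn": "CN=jane,CN=Users,OU=myUnit,DC=myCorp,DC=com", "name": "Jane Doe",
     "telephoneNumber": "+1 800 555 0100", "employeeID": "ACME0123", "mail": "jane@example1.com"},
    {"dn": "CN=bob,CN=Users,OU=myUnit,DC=myCorp,DC=com", "name": "Bob Smith",
     "telephoneNumber": "+1 415 555 0199", "employeeID": "ACME0456", "mail": "bob@example.com"},
    {"dn": "CN=svc-backup,OU=Service,DC=myCorp,DC=com", "name": "svc-backup",
     "telephoneNumber": "", "employeeID": "CONTRACT9", "mail": "svc@example1.com"},
]
BASE_DN = "OU=myUnit,DC=myCorp,DC=com"   # the Base DN example used on the page
FORBIDDEN = set("*^()?!$")               # characters the console rejects in a filter value


def _rdns(dn: str) -> list:
    """Lower-cased RDN list; simple comma split, escaped commas are not handled."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under_base_dn(dn: str, base_dn: str = BASE_DN) -> bool:
    """A user or group DN outside the Base DN is synced, but its users cannot log in."""
    d, b = _rdns(dn), _rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def filter_value_ok(value: str) -> bool:
    return not (FORBIDDEN & set(value))


def excluded_by(user: dict, attribute: str, rule: str, value: str) -> bool:
    """One exclude filter, case-insensitive. Note the inversion: 'does not contain'
    drops everyone whose attribute lacks the value, keeping only the matches."""
    if not filter_value_ok(value):
        raise ValueError(f"value {value!r} contains a forbidden character")
    attr, needle = str(user.get(attribute, "")).lower(), value.lower()
    rules = {
        "contains": needle in attr,
        "does not contain": needle not in attr,
        "begins with": attr.startswith(needle),
        "ends with": attr.endswith(needle),
    }
    return rules[rule]


def apply_exclude_filters(users: list, filters: list) -> list:
    """Assumption: with several filters a user is dropped when any one matches.
    Returns the names of the users that would still be synced."""
    kept = [u for u in users if not any(excluded_by(u, *f) for f in filters)]
    return [u["name"] for u in kept]
```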

Results

The connection to Active Directory is established and users and group names are synced from Active Directory to the VMware Identity Manager directory. The Bind user has an administrator role in VMware Identity Manager by default.

For more information about how groups are synced, see "Managing Users and Groups" in VMware Identity Manager Administration.

What to do next

  • Set up authentication methods. After users and group names sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.
  • Review the default access policy. The default access policy is configured to allow all appliances in all network ranges to access the Web portal, with a session time out set to eight hours or to access a client app with a session time out of 2160 hours (90 days). You can change the default access policy and when you add Web applications to the catalog, you can create new ones.
  • (On premises) Apply custom branding to the VMware Identity Manager console, user portal pages and the sign-in screen, if necessary.