You can integrate the Workspace ONE Access service with an Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.

Single Active Directory Domain Environment

With a single Active Directory domain deployment, you can sync users and groups from a single Active Directory domain.

For this environment, you can create a directory either of type Active Directory over LDAP or type Active Directory over Integrated Windows Authentication in the Workspace ONE Access service.

For more information, see:

Multi-Domain, Single Forest Active Directory Environment

In a multi-domain, single forest Active Directory deployment, you can sync users and groups from multiple Active Directory domains within a single forest.

For this environment, in the Workspace ONE Access service you can create either a single Active Directory over Integrated Windows Authentication directory, or an Active Directory over LDAP directory configured with the global catalog option.
  • The recommended option is to create a single Active Directory over Integrated Windows Authentication directory.

    When you add a directory for this environment, select the Active Directory over Integrated Windows Authentication option. Make sure that a direct (non-transitive) two-way trust is set up between domains in the directory and the domain that the Directory Bind user is a member of.

    For more information, see:

  • If Integrated Windows Authentication does not work in your Active Directory environment, create an Active Directory over LDAP directory and select the global catalog option.

    Some of the limitations with selecting the global catalog option include:

    • The Active Directory object attributes that are replicated to the global catalog are identified in the Active Directory schema as the partial attribute set (PAS). Only these attributes are available for attribute mapping by the service. If necessary, edit the schema to add or remove attributes that are stored in the global catalog.
    • The global catalog stores the group membership (the member attribute) of universal groups only, so only universal groups are synced to the service. If necessary, change the scope of a group from domain local or global to universal.
    • The bind DN account that you define when configuring a directory in the service must have permissions to read the Token-Groups-Global-And-Universal (TGGAU) attribute.
    • When Workspace ONE UEM is integrated with Workspace ONE Access and multiple Workspace ONE UEM organization groups are configured, the Active Directory Global Catalog option cannot be used.

    Active Directory uses ports 389 and 636 for standard LDAP queries. For global catalog queries, ports 3268 and 3269 are used.

    When you add a directory for the global catalog environment, specify the following during the configuration.

    • Select the Active Directory over LDAP option.
    • Deselect the check box for the option This Directory supports DNS Service Location.
    • Select the option This Directory has a Global Catalog. When you select this option, the server port number is automatically changed to 3268. Also, because a Base DN is not needed when the global catalog option is used, the Base DN text box is not displayed.
    • Add the Active Directory server host name.
    • If your Active Directory requires access over SSL, select the option This Directory requires all connections to use SSL and paste the certificate in the text box provided. When you select this option, the server port number is automatically changed to 3269.
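The global catalog limitations above are easy to verify before you add the directory. The following PowerShell pre-flight check is an added example, not part of the Workspace ONE Access documentation or product; it assumes the RSAT ActiveDirectory module is installed, and the host name, attribute list, group names, and probe user are placeholders you replace with your own values.

```powershell
# Added example: pre-flight checks for the "This Directory has a Global Catalog" option.
# Assumes the RSAT ActiveDirectory module; $GcHost, $MappedAttributes, $GroupsToSync and
# $ProbeUser are placeholders for your environment.
Import-Module ActiveDirectory

$GcHost           = 'gc.example.com'                                   # placeholder: a global catalog server
$MappedAttributes = @('sAMAccountName','userPrincipalName','mail','givenName','sn','employeeID')
$GroupsToSync     = @('WS1-Users','WS1-Admins')                        # placeholder group names
$ProbeUser        = 'jdoe'                                             # placeholder sAMAccountName

# 1. Global catalog queries use 3268 (plain) and 3269 (SSL), not the standard LDAP ports 389/636.
foreach ($port in 3268, 3269) {
    $ok = (Test-NetConnection -ComputerName $GcHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Output ("Port {0} on {1}: {2}" -f $port, $GcHost, $(if ($ok) { 'reachable' } else { 'NOT reachable' }))
}

# 2. Only attributes in the partial attribute set (PAS) replicate to the global catalog and can be
#    mapped. isMemberOfPartialAttributeSet on the attributeSchema object records PAS membership.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
foreach ($attr in $MappedAttributes) {
    $def = Get-ADObject -SearchBase $schemaNC -Properties isMemberOfPartialAttributeSet `
                        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    if (-not $def) {
        Write-Output "Attribute '$attr': not found in schema"
    } elseif ($def.isMemberOfPartialAttributeSet) {
        Write-Output "Attribute '$attr': in PAS (available through the global catalog)"
    } else {
        Write-Output "Attribute '$attr': NOT in PAS (not available for attribute mapping)"
    }
}

# 3. The global catalog holds membership for universal groups only; domain local and global
#    groups in the sync list would not be synced.
foreach ($name in $GroupsToSync) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Properties GroupScope
    if (-not $g) { Write-Output "Group '$name': not found"; continue }
    if ($g.GroupScope -ne 'Universal') {
        Write-Output "Group '$name': scope is $($g.GroupScope) (change to Universal to sync)"
    } else {
        Write-Output "Group '$name': scope is Universal"
    }
}

# 4. The bind DN account must be able to read Token-Groups-Global-And-Universal (TGGAU).
#    Reading it as that account against the global catalog is the simplest permission test.
$bindCred = Get-Credential -Message 'Workspace ONE Access bind account'
$probe = Get-ADUser -Identity $ProbeUser -Server "$($GcHost):3268" -Credential $bindCred `
                    -Properties tokenGroupsGlobalAndUniversal
if ($probe.tokenGroupsGlobalAndUniversal) { Write-Output 'TGGAU readable by bind account' }
else { Write-Output 'TGGAU NOT readable by bind account (or user has no universal/global groups)' }
```

An empty TGGAU result in step 4 is ambiguous for a user with no global or universal memberships, so choose a probe user that is known to belong to at least one universal group.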

Multi-Forest Active Directory Environment with Trust Relationships

In a multi-forest Active Directory deployment with trust relationships, you can sync users and groups from multiple Active Directory domains across forests where a two-way trust exists between the domains. For this environment, create a single Active Directory over Integrated Windows Authentication directory in the Workspace ONE Access service.

When you add a directory for this environment, select the Active Directory over Integrated Windows Authentication option. Make sure that a direct (non-transitive) two-way trust is set up between domains in the directory and the domain that the Directory Bind user is a member of.

For more information, see:

Multi-Forest Active Directory Environment Without Trust Relationships

In a multi-forest Active Directory deployment without trust relationships, you can sync users and groups from multiple Active Directory domains across forests even though no trust relationship exists between the domains. In this environment, you create multiple directories in the Workspace ONE Access service, one directory for each forest.

For more information, see: