You can convert a directory of type Other, which stores users and groups synced from Workspace ONE UEM, to a directory of type Active Directory over LDAP or Active Directory over Integrated Windows Authentication, both of which are associated with the Workspace ONE Access connector. After you convert the directory, the Directory Sync service of the Workspace ONE Access connector is used instead of the AirWatch Cloud Connector (ACC) to sync users and groups from your enterprise directory to the Workspace ONE Access service.

Prerequisites

  • Install the Directory Sync service and the User Auth service components of the Workspace ONE Access connector, version 20.01.0.0 or later. See Installing and Configuring VMware Workspace ONE Access Connector for information.
  • The following Active Directory information is required:
    • If you are converting to Active Directory over LDAP, the Base DN and the Bind user DN and password are required.

      The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

      • Read
      • Read All Properties
      • Read Permissions

      Using a Bind user account with a non-expiring password is recommended.

    • If you are converting to Active Directory over Integrated Windows Authentication, the user name and password of a Bind user who has permission to query users and groups in all the required domains are required.

      The Bind user must have the following permissions in Active Directory to grant access to users and groups objects:

      • Read
      • Read All Properties
      • Read Permissions

      Using a Bind user account with a non-expiring password is recommended.

    • If your Active Directory requires access over SSL/TLS, the Intermediate (if used) and Root CA certificates of the domain controllers for all relevant Active Directory domains are required. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, all the Intermediate and Root CA certificates are required.
    • For Active Directory over Integrated Windows Authentication, when you have multi-forest Active Directory configured and a Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. Otherwise, those cross-forest members are missing from the synced Domain Local group.
    • For Active Directory over Integrated Windows Authentication:
      • For all domain controllers listed in the SRV records, and for any hidden RODCs, both the forward lookup (nslookup of the host name) and the reverse lookup (nslookup of the IP address) must succeed.
      • All the domain controllers must be reachable in terms of network connectivity.
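The following PowerShell script is an added example; it is not part of the VMware documentation or the Workspace ONE Access product. It performs pre-flight checks for two of the prerequisites above, run from the Windows host that carries the connector: `Test-DomainControllerDns` resolves every domain controller advertised in the `_ldap._tcp.dc._msdcs` SRV record (plus any hidden RODCs you list, since those are deliberately absent from SRV records) forward and reverse and checks that TCP/389 is reachable; `Test-BindUserRead` binds as the Bind user and reads a small sample of user and group objects with the attributes a directory sync needs, which fails when the Read, Read All Properties or Read Permissions rights are missing. The function names, parameter names and sample values are assumptions for this example; only built-in cmdlets and the .NET `System.DirectoryServices` classes are used.

```powershell
# Added example (not VMware code). Pre-flight checks for the AD prerequisites.
# Assumed inputs: domain name, Bind user DN/password, hidden RODC host names.

function Test-DomainControllerDns {
    # Forward (name -> IP) and reverse (IP -> name) lookups plus TCP/389 reachability
    # for every DC in the SRV record and every hidden RODC supplied by the admin.
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [string[]] $HiddenRodcs = @()     # hidden RODCs are not in SRV records; list them here
    )
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $dcs = @($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget) + $HiddenRodcs
    foreach ($dc in ($dcs | Sort-Object -Unique)) {
        $r = [ordered]@{ DomainController = $dc; Forward = $null; Reverse = $null; Ldap389 = $false; Error = $null }
        try {
            # "nslookup hostname" check
            $a = Resolve-DnsName -Name $dc -Type A -ErrorAction Stop |
                 Where-Object Type -eq 'A' | Select-Object -First 1
            $r.Forward = $a.IPAddress
            # "nslookup IP address" check
            $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction Stop | Select-Object -First 1
            $r.Reverse = $ptr.NameHost
            # network reachability on the LDAP port
            $r.Ldap389 = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        } catch {
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

function Test-BindUserRead {
    # Simple bind with the Bind user DN (what Active Directory over LDAP does) and a
    # bounded read of user and group objects. Without -UseSsl the simple-bind password
    # travels in the clear, so use -UseSsl whenever the domain controllers offer LDAPS.
    param(
        [Parameter(Mandatory)] [string]       $Server,     # a domain controller host name
        [Parameter(Mandatory)] [string]       $BaseDn,
        [Parameter(Mandatory)] [string]       $BindDn,
        [Parameter(Mandatory)] [securestring] $Password,
        [switch] $UseSsl
    )
    $auth = if ($UseSsl) { [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
            else         { [System.DirectoryServices.AuthenticationTypes]::None }
    $port  = if ($UseSsl) { 636 } else { 389 }
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $root  = [System.DirectoryServices.DirectoryEntry]::new("LDAP://${Server}:${port}/$BaseDn", $BindDn, $plain, $auth)
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root)
    $searcher.Filter    = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))'
    $searcher.SizeLimit = 20   # a sample is enough to prove the rights are in place
    'sAMAccountName', 'objectClass', 'memberOf', 'userAccountControl' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $results = $searcher.FindAll()   # throws on a failed bind or a denied search
    foreach ($res in $results) {
        [pscustomobject]@{
            Path           = $res.Path
            sAMAccountName = ($res.Properties['samaccountname'] -join '')
            IsGroup        = ($res.Properties['objectclass'] -contains 'group')
            # zero memberOf values on every object suggests Read All Properties is missing
            MemberOfCount  = $res.Properties['memberof'].Count
        }
    }
    $results.Dispose(); $root.Dispose()
}
```

Typical calls, with constructed sample values: `Test-DomainControllerDns -Domain example.com -HiddenRodcs rodc1.example.com` lists one row per domain controller with the resolved address, reverse name and port result; `Test-BindUserRead -Server dc1.example.com -BaseDn 'DC=example,DC=com' -BindDn 'CN=svc-ws1access,OU=Service Accounts,DC=example,DC=com' -Password (Read-Host -AsSecureString) -UseSsl` should return a mix of user and group objects, and any bind or access error surfaces as an exception from `FindAll()`.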

Procedure

  1. In the Workspace ONE Access console, navigate to Identity & Access Management > Manage > Directories.
  2. Click the directory that you want to convert.
  3. In the directory page, click the Convert button.
  4. In the Add Directory page, change the name of the directory if required, then select the type of directory to which you want to convert the Other directory: Active Directory over LDAP or Active Directory over Integrated Windows Authentication.
  5. Enter the Active Directory connection information and continue with the wizard to set up the directory.
    The process is the same as creating a new directory. See Configuring Active Directory Connection to the Workspace ONE Access Service for detailed information.

    Follow these guidelines while setting up the directory.

    • In the Directory Sync and Authentication section, for Directory Sync Hosts, select the Directory Sync service that you installed.

      All connector instances that have the Directory Sync service installed are listed. You can select multiple instances. Workspace ONE Access uses the first selected instance in the list to sync the directory. If the first instance is unavailable, it uses the next selected instance, and so on. You can reorder the list from the directory's Sync Settings page after creating the directory.

    • For Authentication, select Yes. Also select the User Auth service instances to use for authentication.
    • Ensure that you set up the converted directory identically to the Workspace ONE UEM directory so that it has the same directory structure. Select the same domains. When you specify users and groups to sync, make the same selections as the Workspace ONE UEM directory so that the same users and groups are synced to the converted directory.
  6. On the last page of the wizard, click Sync Directory.
    The directory is converted and set up to use the Directory Sync service to sync users and groups. If you set the Authentication option to Yes, an identity provider named IDP for directoryname and a Password (cloud deployment) authentication method are automatically created for the directory.
  7. (Optional) To enable other authentication methods for the directory, navigate to the Identity & Access Management > Manage > Enterprise Authentication Methods page and create authentication methods for the directory.
    See <Auth guide> for information.
  8. Edit the default_access_policy_set and any custom policies to replace the Password (AirWatch Connector) authentication method with Password (cloud deployment).
    1. In the Identity & Access Management tab, click the Policies tab.
    2. Click Edit Default Policy, then click Configuration in the Edit Policy wizard.
    3. Edit each policy rule and replace the Password (AirWatch Connector) authentication method with Password (cloud deployment).
    4. Click the Policies tab again and edit custom policies, if any, to replace the Password (AirWatch Connector) authentication method with Password (cloud deployment).
    5. (Optional) Modify policies to use additional authentication methods, as needed.
    Important: If you do not change Password (AirWatch Connector) to Password (cloud deployment) or another User Auth service authentication method, users of the converted directory will not be able to log in.

What to do next

Stop directory sync from Workspace ONE UEM to the converted directory.