
ADSI Connector Questions

Jordan
New Contributor II

We have multiple forest / domains that need to be integrated into Saviynt and we are trying to determine if using the ADSI connector is the right approach or if we should use separate AD connectors. Below are a few of my initial questions.

  1. Does the ADSI connector require that all Forests / Domains have two-way trusts?
  2. When you create the integration in Saviynt, does it represent each Domain as a separate endpoint under the security system, or is it only one endpoint?
  3. Are there any limitations between using the ADSI connector vs the AD connector?
  4. We are currently using the AD connector for the primary domain we are integrated with for ILM, would we switch to using the ADSI connector for everything?
  5. The solution requires an IIS server with Saviynt's ADSI agent running on it. Is this one IIS server running in the primary domain that reaches out to all other Forests / Domains?
  6. How does the Saviynt connector authenticate to the IIS Server to run commands through ADSI agent?
  7. In the Connector, how do I deal with multiple accounts that are joined to the same user for something like a termination where there is a termination OU in each forest and I have to move that AD object to the termed OU in each forest?

sudeshjaiswal
Saviynt Employee

Hello @Jordan,

Please refer to the following documentation which may help you in finding answers to your questions:

https://docs.saviyntcloud.com/bundle/Saviynt-for-AD-v2020x/page/Content/Saviynt-for-Microsoft-Activ...
https://docs.saviyntcloud.com/bundle/ADSI-v23x/page/Content/Preparing-for-Integration.htm

Thanks,

If you find the above response useful, kindly mark it as "Accept As Solution".

Hello @sudeshjaiswal,

Thank you for your reply. I have reviewed the available documentation from the Saviynt Docs site. While the articles you provided touch on some of my questions, I don't believe they provide explicit answers. I was directed by our TAM to post these questions in the Forum.

Kind Regards

timchengappa
Saviynt Employee

Hello @Jordan 

Considering you have reviewed the documents set by @sudeshjaiswal, please let us know the specific questions for which you may not find your answer. Thanks 

Jordan
New Contributor II

Hello @timchengappa,

We met with our TAM today and were able to get a few questions answered. Below are the follow-up questions from reviewing the documentation and meeting with the TAM.

  1. Does the ADSI connector require that all Forests / Domains have two-way trusts?
    1. We believe the answer is yes, it does require a two-way trust, but we want to confirm.
  2. The solution requires an IIS server with Saviynt's ADSI agent running on it. Is this one IIS server running in the primary domain that reaches out to all other Forests / Domains?
  3. How does the Saviynt ADSI connector using REST authenticate to the IIS Server?
  4. In the Connector, how do I deal with multiple accounts that are joined to the same user for something like a termination where there is a termination OU in each forest and I have to move that AD object to the termed OU in each forest?
    1. Looking for Use Case / Configuration Samples
  5. If we have a Forest with a Parent Domain and one Child Domain, can we use the AD Connector to manage both or would we use the ADSI connector to manage both?

sudeshjaiswal
Saviynt Employee

Hello @Jordan 

Please find the answers to the questions above provided below:

Question:-Does the ADSI connector require that all Forests / Domains have two-way trusts?

Answer:
The trusts between domains in a forest are transitive and two-way. You must create trust between domains of different forests if you want to allow users from one domain to access resources in another domain in a different forest.

Forest-level trust is configured when objects belong to different forests.

For Ref: https://docs.saviyntcloud.com/bundle/ADSI-v55x/page/Content/Preparing-for-Integration.htm


Question:- The solution requires an IIS server with Saviynt's ADSI agent running on it. Is this one IIS server running in the primary domain that reaches out to all other Forests / Domains?

Answer:
When IIS is installed on a member server of a primary domain, the trust evaluation performance is better than when it is installed on a member server of the child domain. Saviynt recommends that you install IIS on a member server of a primary domain for the following reasons:

1. Transitive trusts for all child domains in a forest are evaluated from the primary or root domain of a forest.

2. The forest level trust of all forests in a cross-forest integration is evaluated from the primary or root domain of a forest.

3. If a child domain is down due to a maintenance activity, you cannot connect to other domains to perform your operations.

For Ref: https://docs.saviyntcloud.com/bundle/ADSI-v23x/page/Content/Preparing-for-Integration.htm 


Question:- How does the Saviynt ADSI connector using REST authenticate to the IIS Server?

Answer:
The Saviynt ADSI connector using REST authenticates to the IIS server using a service account. This service account must be configured with the necessary permissions to run commands through the ADSI agent on the IIS server.
These permissions are required for the service account to be able to run commands through the ADSI agent on the IIS server. Once the service account is configured, the Saviynt ADSI connector will use it to authenticate to the IIS server and perform the necessary operations on Active Directory.

https://docs.saviyntcloud.com/bundle/ADSI-v2022x/page/Content/Connection-Architecture.htm

Question:- In the Connector, how do I deal with multiple accounts that are joined to the same user for something like a termination where there is a termination OU in each forest and I have to move that AD object to the termed OU in each forest?

Answer:
You can use moveObjectToOU: Specify the Active Directory container where you want to move the user object.
For Ref: https://docs.saviyntcloud.com/bundle/ADSI-v23x/page/Content/Configuring-the-Integration-for-Provisio...  


Question:- If we have a Forest with a Parent Domain and one Child Domain, can we use the AD Connector to manage both or would we use the ADSI connector to manage both?

Answer: 
AD Connector is to be used with Single Domain whereas ADSI connector is to be used for multiple domains and/or forests.

For Ref:- 
https://docs.saviyntcloud.com/bundle/Saviynt-for-AD-v23x/page/Content/Saviynt-for-Microsoft-Active-D... 

Thanks,

If you find the above response useful, kindly mark it as "Accept As Solution".
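The answers above state three prerequisites for a multi-forest ADSI integration: a two-way, forest-level trust to every remote forest, the IIS / ADSI agent host placed in the forest root domain, and a service account that can reach each domain (including the termination OU that moveObjectToOU targets in each forest). The following PowerShell pre-flight check is an added example written for this thread; it is not Saviynt's code and is not from the documentation linked above. It assumes the RSAT ActiveDirectory module is installed on the intended agent host and that it is run under the connector's service account. The forest names and OU paths in $Forests are constructed placeholders to replace with your own.

```powershell
# Added example (not Saviynt's code): pre-flight checks for a multi-forest ADSI
# integration. Run on the member server that will host the IIS / ADSI agent,
# logged on as the service account the Saviynt connector will use.
# Assumes the RSAT ActiveDirectory module is available.

Import-Module ActiveDirectory

# Constructed placeholder values: one entry per forest the connector must manage,
# mapped to the termination OU that moveObjectToOU will target in that forest.
$Forests = @{
    'corp.example'    = 'OU=Terminated,DC=corp,DC=example'
    'partner.example' = 'OU=Terminated,DC=partner,DC=example'
}

$localForest = Get-ADForest
$localDomain = Get-ADDomain

# 1. The agent host should sit in the forest root domain, where transitive and
#    forest-level trusts are evaluated (see the answer above).
if ($localDomain.DNSRoot -ne $localForest.RootDomain) {
    Write-Warning "Host is in child domain $($localDomain.DNSRoot); Saviynt recommends the root domain $($localForest.RootDomain)."
} else {
    Write-Host "OK: host is in the forest root domain $($localDomain.DNSRoot)"
}

# 2. Every remote forest needs a two-way, forest-transitive trust from here.
$forestTrusts = Get-ADTrust -Filter * | Where-Object { $_.ForestTransitive }
foreach ($forest in $Forests.Keys) {
    # Domains inside the local forest are covered by the implicit transitive trusts.
    if ($forest -eq $localForest.Name) { continue }

    $trust = $forestTrusts | Where-Object { $_.Target -eq $forest }
    if (-not $trust) {
        Write-Warning "No forest-level trust to $forest found on this domain."
    } elseif ($trust.Direction -ne 'BiDirectional') {
        Write-Warning "Trust to $forest is $($trust.Direction); a two-way trust is required."
    } else {
        Write-Host "OK: two-way forest trust to $forest"
    }
}

# 3. Confirm the service account can locate a DC in each forest and read the
#    termination OU the connector will move terminated objects into.
foreach ($forest in $Forests.Keys) {
    try {
        $dc = (Get-ADDomainController -DomainName $forest -Discover -ForceDiscover).HostName |
              Select-Object -First 1
        $ou = Get-ADOrganizationalUnit -Identity $Forests[$forest] -Server $dc -ErrorAction Stop
        Write-Host "OK: $forest reachable via $dc; termination OU $($ou.DistinguishedName) is readable"
    } catch {
        Write-Warning "Cannot reach $forest or its termination OU: $($_.Exception.Message)"
    }
}
```

Run it once per planned agent host before configuring the connector; any warning it prints corresponds directly to one of the prerequisites in the answers above (host placement, trust direction, or service-account reach), which narrows down a failing provisioning or moveObjectToOU operation to a domain-level cause rather than a connector misconfiguration.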