01/16/2024 10:46 PM - last edited on 01/17/2024 03:02 AM by Sunil
Hi - As per the Saviynt connector documentation for ADSI, one of the prerequisites is to install ".NET Framework 4.5 and ASP.NET 4.5 are installed on the server where IIS is installed."
The question is, can we use any other version available on our server for both .NET and ASP.NET, or do we have to use version 4.5 only?
Another query is: how / from where can we export the public key certificate required for a secure AD connection? Any document to guide on this, or steps you can share, would be helpful.
Regards
Gaurav
[This message has been edited by moderator to merge reply comment]
01/17/2024 08:07 PM
4.5 and later should work.
To export a public key certificate for secure Active Directory (AD) connection, you typically follow these steps:
Using Microsoft Management Console (MMC):
Using PowerShell:
Make sure to replace CertificateThumbprint with the actual thumbprint of your certificate, and set a strong password for the exported PFX file.
Using Certificate MMC Snap-in:
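As an added example (not from the original post or from Saviynt's documentation), the following PowerShell exports only the public part of the DC's Server Authentication certificate in DER format, which is what an LDAPS client needs in order to trust the DC; the private key never leaves the domain controller. It also checks the Server Authentication EKU, the DC's FQDN in Subject/SAN and the expiry date before exporting, and exports the issuing root CA as well. The thumbprint and output paths are placeholders you must replace.

```powershell
# Added example: export the DC's public LDAPS certificate and its root CA (no private key).
# Run on the domain controller (or any machine whose LocalMachine\My store holds the cert).
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'     # placeholder: thumbprint from the Personal store
$CertOut    = 'C:\temp\dc-ldaps-public.cer'      # placeholder output path
$RootOut    = 'C:\temp\root-ca.cer'              # placeholder output path

# Load the certificate object from the local computer's Personal store
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Check 1: the certificate must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw "Certificate $Thumbprint lacks the Server Authentication EKU" }

# Check 2: the DC's FQDN must appear in the Subject CN or in the SAN DNS names,
# otherwise LDAPS clients will fail hostname validation
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$inSubject = $cert.Subject -match [regex]::Escape("CN=$dcFqdn")
$inSan     = $cert.DnsNameList.Unicode -contains $dcFqdn
if (-not ($inSubject -or $inSan)) {
    Write-Warning "Neither Subject nor SAN contains $dcFqdn; LDAPS clients will reject this certificate"
}

# Check 3: warn when the certificate is close to expiry
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before distributing"
}

# -Type CERT writes the DER-encoded public certificate only, so no PFX password is involved
Export-Certificate -Cert $cert -FilePath $CertOut -Type CERT | Out-Null

# Build the chain and export the root CA (last element of the chain) for the client's trust store
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath $RootOut -Type CERT | Out-Null

Write-Host "Exported public cert to $CertOut and root CA to $RootOut"
```

Exporting the public certificate (or the root CA) rather than a PFX means there is no private key to protect in transit; a PFX export is only needed when the certificate itself has to be moved to another server.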
01/18/2024 09:10 AM
Hi @GauravJain,
How to set up LDAPS at the AD server:
1. Create a Server Authentication certificate with the Subject set to the FQDN of the DC, e.g. Subject = "CN=<DC fqdn>".
2. Start Microsoft Management Console (MMC).
3. Add the Certificates snap-in that manages certificates on the local computer.
Expand Certificates (Local Computer), expand Personal, and then expand Certificates. A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.
4. Restart the domain controller.
How to verify an LDAPS connection:
1. After a certificate is installed, please restart the domain controller.
2. Start the Active Directory Administration Tool (Ldp.exe).
3. On the Connection menu, click Connect.
4. Type the name of the domain controller to which you want to connect.
5. Type 636 as the port number.
6. Click OK.
[Note: RootDSE information should print in the right pane, indicating a successful connection.]
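The Ldp.exe steps above can be scripted for repeatable checks. The following PowerShell is an added example (not part of the original post) that opens a TLS session to port 636, records any certificate validation errors instead of silently accepting them, confirms the presented certificate names the DC, and then reads RootDSE anonymously over LDAPS with System.DirectoryServices.Protocols, which corresponds to what Ldp.exe shows in its right pane. The DC FQDN is a placeholder.

```powershell
# Added example: verify an LDAPS listener and its certificate, then read RootDSE over port 636.
$DcFqdn = 'dc01.example.com'   # placeholder: FQDN of the domain controller to test

# --- Step 1: TLS handshake on 636, capturing validation errors for reporting ---
$state = @{ Errors = $null }
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.Errors = $sslPolicyErrors   # remember the result; return $true so we can inspect the cert
    return $true
}.GetNewClosure()

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
$ssl.AuthenticateAsClient($DcFqdn)

$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host "TLS protocol : $($ssl.SslProtocol)"
Write-Host "Subject      : $($serverCert.Subject)"
Write-Host "Issuer       : $($serverCert.Issuer)"
Write-Host "Valid until  : $($serverCert.NotAfter)"
Write-Host "Validation   : $($state.Errors)"   # 'None' means chain and hostname checks passed

# Hostname check independent of the OS validation: Subject CN or SAN must name the DC
$namesDc = ($serverCert.Subject -match [regex]::Escape("CN=$DcFqdn")) -or
           ($serverCert.DnsNameList.Unicode -contains $DcFqdn)
if (-not $namesDc) { Write-Warning "Certificate does not name $DcFqdn; clients will fail hostname validation" }

$ssl.Dispose(); $tcp.Dispose()

# --- Step 2: anonymous RootDSE read over LDAPS (what Ldp.exe prints on Connect) ---
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 636, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

# Base-scope search on the empty DN returns the RootDSE entry
$request  = New-Object System.DirectoryServices.Protocols.SearchRequest(
    '', '(objectClass=*)', 'Base', @('defaultNamingContext', 'dnsHostName', 'supportedLDAPVersion'))
$response = $conn.SendRequest($request)

foreach ($attr in $response.Entries[0].Attributes.AttributeNames) {
    $values = $response.Entries[0].Attributes[$attr].GetValues([string]) -join ', '
    Write-Host ("{0,-22}: {1}" -f $attr, $values)
}
$conn.Dispose()
```

If step 1 reports anything other than None in Validation, the connector will most likely fail as well: RemoteCertificateChainErrors usually means the issuing CA is not trusted on the client, and RemoteCertificateNameMismatch means the certificate's Subject/SAN does not match the name used in the connection URL.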
01/25/2024 03:35 AM
Hi @rushikeshvartak @DixshantValecha
Another query I have w.r.t. the ADSI connector prerequisites is on service account permissions. The following are the permissions listed in the document Preparing for Integration (saviyntcloud.com):
"Provide the Least Privilege to the Service Account if the domain administrator rights are not granted to it:
Directory replication permissions across domains in a forest. This is only required for import.
Permissions to create, update, move, or delete an object and add or remove access from resources in a cross-domain environment. The account must also be a member of the Enterprise Admins group. This is only required for provisioning.
"
Is it necessary to have "Enterprise Admins" access on the service account for provisioning purposes? As we know, this is one of the highest privileges in AD and we may not want to take that much risk. Do we have any alternative to this, or is it a must requirement from an AD provisioning perspective?
Please let me know if any questions.
Regards
Gaurav
01/25/2024 05:27 AM
Access to "Enterprise Admins" for a service account in ADSI is not a must. It's recommended to avoid assigning such high privileges. Explore alternative approaches like delegating specific permissions using RBAC or customizing permissions to meet AD provisioning needs with reduced security risks.
01/25/2024 05:40 AM
Then why does the Saviynt documentation say "The account must also be a member of the Enterprise Admins group"?
01/28/2024 10:48 PM
Hi @rushikeshvartak, I have raised feedback on the documentation for this change. Will close this post considering it's not a "must" requirement.
01/28/2024 11:02 PM
Hi @rushikeshvartak, while configuring a high availability connection, is it possible to configure multiple comma-separated domain URLs instead of configuring multiple comma-separated domain controllers?
01/29/2024 05:32 AM
Elaborate with an example, please.
01/31/2024 12:21 AM
Hi @rushikeshvartak, as per the Saviynt documentation Preparing for Integration (saviyntcloud.com),
under the heading "Configuring a High-Availability Connection": "To support high-availability, the connector uses the domain controller (DC) locator process to locate an active domain controller."
This is a dynamic way of finding an active domain controller, where we have to configure an active AD domain. One domain can have multiple domain controllers. So, the DC locator feature used by the connector will find an active domain controller and use it for establishing the connection.
So my question is, can we define multiple domain URLs as comma-separated, so that if the connector can't find an active domain controller in one domain, it will go and fetch from another domain?
Secondly, another way of doing this is to configure multiple comma-separated domain controller URLs as a static list in the connector. But we don't want to do this because it's a static list, and in future if a domain controller gets decommissioned we will have to manually update this configuration. So, ideally it's not good for setting up an HA connection.
This is an important aspect and we need clarification on it.
Let me know if you require any further inputs.
01/31/2024 08:24 PM
You can define URL as LDAP://100.100.100.10:389,LDAP://200.100.36.31:389,LDAP://145.100.36.32:389,LDAPS://abc.me.com:636
This is currently supported.
02/05/2024 11:01 PM
Thanks @rushikeshvartak @DixshantValecha, I will try out the given suggestions and get back.
Can you also confirm on the AD certificate: can we use a root CA (certificate authority) to establish secure connectivity with our AD server (LDAPS)?
02/06/2024 08:59 PM
Yes, you can use a root certificate authority (CA) to establish secure connectivity with your Active Directory (AD) server using LDAPS (LDAP over SSL/TLS). LDAPS provides secure communication between LDAP clients and servers by encrypting the data exchanged between them.
04/08/2024 10:15 AM
Do we know from which version onwards the comma-separated format is supported?
04/08/2024 11:46 AM
5.5x
04/08/2024 11:50 AM
Oh ok. So the AD connector URL parameter supports comma-separated DC URLs from 5.5 onwards!? Didn't know. Thanks for that info.