Active Directory

The integration of Active Directory (AD) with SupportCenter Plus enables you to import user information from the Active Directory server into SupportCenter Plus. It also lets you schedule user import from AD, sync deleted users from AD, and configure AD authentication.
 
Role Required: SDOrgAdmin 

To configure AD related settings in ESM setups, go to ESM Directory > Users > Active Directory.

Set local authentication password for imported users

You can set a default local authentication password for users imported through AD. Users can change this password after their first login.

You can require users to update the default password after their first login from Security Settings.
  1. Hover over the Local Authentication Password fields and click Edit.
  2. Choose whether to generate a random password for every user or to set a predefined password for all users.
  3. Click Save.

Ensure that the predefined password meets all requirements of the password policy.

Users will be notified about their password via their login emails. You can configure email notifications for users from ESM > General Settings > Notification Rules > Send Self-Service Login details.

The local authentication password set for AD imported users is also applicable for users imported via LDAP as well as CSV files.

Import Users from Active Directory

You can import users from any of the domains and their subsequent organizational units (OUs) present in the Active Directory. By default, AD users are imported using the LDAP protocol over port 389.
Click Import User(s) on the Active Directory configuration page. Use the following pointers to configure the Import From Active Directory pop-up window.

Field Name

Description

Domain Name*

Select the domain to import users from.

If you have already provided the domain controller and login credentials for the domain in Windows Domain Scan, the Domain Controller and Login details will be auto-populated on selecting the domain.

Domain Controller*

Specify the domain controller that provides access to resources in that domain.

Login Name*

Enter the login name of your user account in the selected domain.

Password*

Enter the password of the above user account.

LDAP SSL

Toggle the LDAP SSL option ON to enable secure communication between SupportCenter Plus and Active Directory over port 636.
Ensure that your Active Directory supports SSL before enabling this option.

Select fields for import

Select the default user fields to be imported from the Active Directory. Beside each selected field, specify the attribute name configured in the Active Directory so that the fields map accurately.

If the user already exists in SupportCenter Plus MSP, their default field values will be overwritten with the values present in AD. To avoid overwriting of values, unselect the relevant fields during import.

If a field value is null in AD, the corresponding field will not be updated in SupportCenter Plus MSP.

Select UDF for import

If you have configured user additional fields in SupportCenter Plus, you can select the UDF fields. Specify the field name configured in the Active Directory beside the selected field to map them.

If you have not configured any user additional fields, use the Click here to configure link. You will be redirected to the User - Additional Field page, where you can configure the additional fields to be imported from Active Directory.

Numeric additional fields hold up to 19 digits. If your numeric value exceeds 19 digits, configure the value in a text field instead.

Move associated assets

If the site associated with the user/department is changed in the Active Directory, the assets belonging to the user/department should also be moved to the new site. To update this information on every import, select Move associated assets.

Update empty values

Enable this option to import <empty> values from Active Directory and update the corresponding fields. For example, with this option enabled, a user whose First Name changed from Admin to <empty> in Active Directory is updated to First Name: <empty> in the application. If this option is disabled, the First Name: <empty> value is not imported and the old value is retained.

* Indicates mandatory fields

Click Next.

In the import wizard, you can select the various OUs or enter the group names available in that domain to import users. You can also add users manually.
  1. To select OUs, enable the OU check box. Choose the OUs from which you wish to import users by selecting the checkbox beside them.
  2. To select AD groups, enable the Group check box. Enter the sAMAccountName of each group in the text box as comma-separated values.

If both OUs and groups are selected, the users present in both the OUs and groups will be imported.
You can import up to 5000 groups from the AD.

Click Import Now. If scheduled AD import is enabled, you can import the users later by selecting Save and Import in Schedule. 
The imported users are listed in the users list view under Admin > Users. You can perform further actions on the imported users such as editing the details or associating workstations from the users list view.

Import results are notified to SDAdmins via bell notifications:
  1. If the user information is imported immediately, a summary of how many records were added, overwritten, or failed to import is sent.
  2. If the import is scheduled for later, the notification will be sent after the schedule is completed.
  3. Invalid group names will be notified along with the results of the current import and also as a banner during the subsequent import.
  4. If the users are imported by selecting both OUs and groups, the imported users' count will be tracked separately for OUs and groups. For users present in both OU and group, the count will be added twice.
  5. The total user count for both the selected OU and group will be notified.
For scheduled import, the user information imported depends on the type of import schedule configured under Import Schedule.
Domain failures during import will be notified to SDAdmins via bell notifications.

Schedule AD import

You can schedule Active Directory import at regular intervals to keep your user repository in sync with the Active Directory. When you schedule an AD import, data from all domains in the application is imported once every specified number of days. Users and user details from all the domains in the application are synced to SupportCenter Plus in two ways:

  • Full Sync - Syncs all user data.
  • Delta Sync - Syncs only updated user details and newly added user accounts, once every 30 minutes.

Delta sync is auto-initiated when full sync is enabled. Ensure that you perform a full sync once every 30 days to keep your user details completely updated.

To configure an import schedule,
  1. Hover over the Import Schedule fields and click Edit.
  2. Enable the Schedule AD import once in every option and specify the import period.
  3. Specify the date and time to begin the schedule.
  4. Click Save.

User details from domains will be imported periodically as per the number of days specified after the start date and time. The differences in the data will be updated every 30 minutes. You can view the last import time and the next schedule time in the Import Schedule section.

During delta sync, only the user details that failed during import will be notified to the SDOrgAdmins via bell notification.

Criteria for user account overwrite during Active Directory user imports:

While performing a user import from Active Directory, an existing record is overwritten when one of the following criteria matches, checked in this order:

Criteria 1: ObjectGUID - If the ObjectGUID of a user account in SupportCenter Plus matches the user account in Active Directory, the record in SupportCenter Plus will be overwritten.

Criteria 2: Login name and Domain - If the login name and domain of a user account in SupportCenter Plus match the user account in Active Directory, the record in SupportCenter Plus will be overwritten.

Criteria 3: Email address - If the 'Override based on EmailId' option is enabled under ESM Directory > Application Settings and the email address of the user account in SupportCenter Plus matches the Active Directory user account, the record in SupportCenter Plus will be overwritten.

Criteria 4: Login name and domain is '-' (not associated) - If a user account in SupportCenter Plus contains only a login name with an email address and no domain association, and the login name matches the Active Directory user account, the record in SupportCenter Plus will be overwritten.

When a user is imported from AD, the ObjectGUID of the user is used as the unique identifier to update the user details in SupportCenter Plus. If the ObjectGUID does not match any user in SupportCenter Plus:
  1. The 'loginname+domainname' of the user is used as the unique identifier to update the user details in SupportCenter Plus.
  2. If the 'loginname+domainname' does not match any user in SupportCenter Plus, the 'email address' of the user is used as the unique identifier (when 'Override based on EmailId' is enabled).
  3. If the email address does not match, 'loginname + domain=NULL' (for example, loginname Howard with a NULL domain name) is used as the unique identifier to update the user details.
If none of the identifiers ('ObjectGUID', 'loginname+domainname', 'email address', 'loginname + domain=NULL') match an existing user in SupportCenter Plus, a new user will be added.
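The matching cascade above, as an added Python example that is not SupportCenter Plus code: it models the four criteria in order on constructed records and shows how enabling 'Override based on EmailId' changes which existing record an incoming AD account overwrites. The record layouts, the function names and the sample users are assumptions made for this illustration.

```python
"""Added example (not SupportCenter Plus code): model of the four overwrite
criteria applied in the order the help page states. Records and sample
values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    """A user record already present in SupportCenter Plus."""
    objectguid: Optional[str]   # None for users created via CSV/LDAP/locally
    loginname: str
    domain: Optional[str]       # None models the '-' (not associated) domain
    email: Optional[str]


@dataclass
class AdUser:
    """A user as read from Active Directory during import."""
    objectguid: str
    loginname: str              # sAMAccountName
    domain: str
    email: Optional[str]


def _norm(value):
    """Case-insensitive comparison helper; AD names and e-mail addresses are not case-sensitive."""
    return value.strip().lower() if value else None


def match_user(existing, ad_user, override_by_email=False):
    """Return (index, criterion) of the existing record the AD user overwrites,
    or None when no criterion matches and a new user would be added."""
    # Criteria 1: ObjectGUID
    for i, u in enumerate(existing):
        if u.objectguid and _norm(u.objectguid) == _norm(ad_user.objectguid):
            return i, "ObjectGUID"
    # Criteria 2: login name and domain
    for i, u in enumerate(existing):
        if (u.domain is not None
                and _norm(u.loginname) == _norm(ad_user.loginname)
                and _norm(u.domain) == _norm(ad_user.domain)):
            return i, "loginname+domainname"
    # Criteria 3: e-mail address, only when 'Override based on EmailId' is enabled
    if override_by_email and ad_user.email:
        for i, u in enumerate(existing):
            if u.email and _norm(u.email) == _norm(ad_user.email):
                return i, "email address"
    # Criteria 4: login name with an e-mail address but no domain association
    for i, u in enumerate(existing):
        if (u.domain is None and u.email
                and _norm(u.loginname) == _norm(ad_user.loginname)):
            return i, "loginname+domain=NULL"
    return None


def plan_import(existing, ad_users, override_by_email=False):
    """Summarise a batch the way the import notification does: how many records
    would be added or overwritten, and which criterion decided each one.
    Each AD user is matched against the pre-import state independently."""
    summary = {"added": 0, "overwritten": 0, "decisions": []}
    for ad_user in ad_users:
        hit = match_user(existing, ad_user, override_by_email)
        if hit is None:
            summary["added"] += 1
            summary["decisions"].append((ad_user.loginname, None, "new user"))
        else:
            idx, criterion = hit
            summary["overwritten"] += 1
            summary["decisions"].append((ad_user.loginname, existing[idx].loginname, criterion))
    return summary


# Constructed sample data.
EXISTING = [
    LocalUser("guid-1", "alice", "CORP", "alice@example.com"),   # earlier AD import
    LocalUser(None, "bob", "CORP", "bob@example.com"),           # LDAP import, no GUID
    LocalUser(None, "carol", None, "carol@example.com"),         # CSV import, domain '-'
    LocalUser(None, "dave", None, "d.ops@example.com"),          # local account, domain '-'
]
INCOMING = [
    AdUser("guid-1", "alice.m", "CORP", "alice@example.com"),   # renamed login, same GUID
    AdUser("guid-2", "bob", "corp", "robert@example.com"),       # domain case differs
    AdUser("guid-3", "carol", "CORP", "carol@example.com"),
    AdUser("guid-4", "dops", "CORP", "d.ops@example.com"),       # shares only an e-mail with 'dave'
]

if __name__ == "__main__":
    for flag in (False, True):
        result = plan_import(EXISTING, INCOMING, override_by_email=flag)
        print(f"Override based on EmailId={flag}: "
              f"{result['added']} added, {result['overwritten']} overwritten")
        for row in result["decisions"]:
            print("  ", row)
```

The last sample user ('dops') matches nothing without the e-mail override and would be created as a new user; with the override enabled it overwrites the local account 'dave' on the e-mail address alone, even though the login names differ. That is the case to review before enabling the option for a scheduled import against a directory where local and AD accounts share addresses.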

Sync deleted users from Active Directory

This option lets you sync the deleted users from Active Directory into SupportCenter Plus. Syncing of deleted users can be scheduled after a manual user import.

After the sync is completed, a list of deleted users is displayed. Based on the type of user, you can remove the deleted users from the list as mentioned below:

  • Requesters - You can enable automatic deletion for non-technicians from the deleted users list. When a requester is deleted from Active Directory, the user is removed from SupportCenter Plus as well.
  • Technicians - You can review the deleted technicians from the deleted users list and remove them manually. Automatic deletion is not available for technicians.

To configure syncing of deleted users,

  1. Hover over the Sync Deleted User(s) from Active Directory checkbox and click Edit.
  2. Choose your deletion method - automatic or manual. Note that even if you select automatic deletion, deleted technicians will not be removed automatically.
  3. You can schedule syncing of deleted users periodically by enabling Schedule delete sync once in every option.
  4. Specify the sync periodicity.
  5. Enter the date and time to begin the syncing of deleted users.
  6. Click Save.

After the syncing of deleted users is scheduled, you can view the last imported time and the upcoming schedule time in the Sync Deleted Users section.

If manual delete is enabled, the link to the deleted users list will be displayed as a note on the top of the Active Directory configuration page. Use the links in the note to access and verify the deleted users before removing the deleted users from SupportCenter Plus.


If sync is disabled for deleted users, the deleted user details from AD will not be synced with SupportCenter Plus during manual or scheduled import.
Deleted user details will be notified to the SDOrgAdmins through bell notification.

Active Directory Authentication

You can authenticate user logins to ServiceDesk Plus via Active Directory. AD-based authentication can be configured in two ways:

Login using AD Credentials:
Allow users to log in to ServiceDesk Plus using the login name and password of their system (AD) account.
  1. Hover over Active Directory Authentication fields and click Edit.
  2. Select Enable Active Directory Authentication checkbox.
  3. Click Save.
In the Login screen, the users can specify their system/AD login credentials and select the Domain to log into ServiceDesk Plus. They can also bypass AD authentication during login by selecting Local Authentication from the Domain drop-down and specifying their local authentication credentials.

If a user account is not imported before configuring AD Authentication, the user will be added to SupportCenter Plus via dynamic user addition if proper login details are entered during authentication. Click here to learn how to enable dynamic addition of users.
If LDAP SSL is enabled for a domain in AD import page, AD authentication will also occur through LDAP SSL.

Allow Single-Sign On (SSO) using AD Credentials:

SSO allows users to instantly access SupportCenter Plus without providing any login credentials. During login, users are automatically authenticated via an Identity Provider (IdP). You can enable SSO for AD users from SAML by configuring ADFS as the IdP. To learn more, click here.


You can also configure other identity providers such as Okta or OneLogin to enable SSO. 
Ensure that the AD users are imported to the IdP before configuring SSO.

Prerequisites for configuring LDAP SSL

By default, LDAP communications between client and server applications are not encrypted. This leaves the communication between the LDAP client and server computers vulnerable to eavesdropping by network monitoring devices or software. SupportCenter Plus employs LDAP SSL to secure the communication between the AD server and the SupportCenter Plus MSP server.

Follow the prerequisites mentioned below to configure LDAP SSL for your AD server:

  • Ensure that the server FQDN (Fully Qualified Domain Name) is accessible from the client. Otherwise, add a host entry in the hosts file on the client machine.
  • The Active Directory Certificate Services must be installed to use LDAP SSL certificate as explained in this documentation.
  • Enable your AD server to support LDAP over SSL. Click here to learn how.
  • The LDAPS certificate imported to the AD server in the previous step must be fetched and imported into the client machine (the SupportCenter Plus server) under the Personal folder as explained below:
    • Click Start, type mmc, and then click OK.
    • Click File and then click Add/Remove Snap-in.
    • Click Certificates and then click Add.
    • In Certificates snap-in select Computer account and then click Next.
    • On the Certificate Store page, right-click Personal > Import certificate, import the LDAP certificate from the copied folder, and provide the password set while creating the certificate.
  • Import the Root CA certificate into Trusted Root Certificate Authority so that your client machine trusts the imported LDAP certificate. This is required because, by default, an LDAP certificate issued in another domain is not trusted.

    • Access the CA web console: https://<CA Server>/certsrv and provide Administrator credentials. If the URL is not accessible, install Certificate Enrollment Web Service as explained in this guide.
    • In the console, click Download a CA certificate, certificate chain, or CRL.
    • On next page click Download CA certificate and save the certificate.
    • Import the downloaded CA certificate into the Trusted Root Certificate Authority as explained in the steps below:

      • Click Start, type mmc, and then click OK.
      • Click File and then click Add/Remove Snap-in.
      • Click Certificates and then click Add.
      • In Certificates snap-in select Computer account and then click Next.
      • On the Certificate Store page, right-click Trusted Root Certificate Authority and import the above certificate.
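As an added example (Python standard library only, not part of the product), the following check exercises the prerequisites listed above from the SupportCenter Plus server: it resolves the DC FQDN, opens a TLS session on port 636 with chain and hostname verification enabled, and maps each failure to the prerequisite that is missing. The DC name dc01.example.local, the function names and the optional cafile parameter are assumptions made here.

```python
"""Added example (stdlib only, not SupportCenter Plus code): verify that a domain
controller's LDAPS endpoint presents a certificate the client trusts and whose
name matches the FQDN, and map common failures to the missing prerequisite.
The DC name used at the bottom is a placeholder."""
import socket
import ssl

LDAPS_PORT = 636   # port used when LDAP SSL is ON (plain LDAP uses 389)


def san_matches(peer_cert, fqdn):
    """True if fqdn is covered by the certificate's DNS SANs (falling back to
    the subject CN when the certificate carries no DNS SAN). Accepts the dict
    shape returned by ssl.SSLSocket.getpeercert()."""
    fqdn = fqdn.lower().rstrip(".")
    names = [v.lower() for t, v in peer_cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in peer_cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    for name in names:
        if name == fqdn:
            return True
        # single-label wildcard: *.example.local covers dc01.example.local only
        if (name.startswith("*.") and name.count(".") == fqdn.count(".")
                and fqdn.endswith(name[1:])):
            return True
    return False


def diagnose(exc):
    """Translate a connection or handshake error into the prerequisite to fix."""
    if isinstance(exc, socket.gaierror):
        return "FQDN does not resolve: add a hosts entry on the client machine"
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "mismatch" in str(exc).lower():
            return "FQDN not in the certificate SAN/CN: connect by the DC's FQDN, not its IP or short name"
        return "certificate chain not trusted: import the issuing root CA into Trusted Root Certification Authorities"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: the DC may not be offering LDAP over SSL on this port"
    if isinstance(exc, OSError):   # refused, timed out, unreachable
        return "port 636 not reachable: enable LDAP over SSL on the DC or open the port"
    return "unexpected error: " + repr(exc)


def check_ldaps(fqdn, cafile=None, timeout=5.0):
    """Open a TLS session to fqdn:636 with chain and hostname verification on
    (the ssl module defaults). cafile may point at the exported root CA
    certificate; without it the system trust store is used, which is where the
    mmc steps above place the certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((fqdn, LDAPS_PORT), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": cert.get("subject"),
                        "san_matches": san_matches(cert, fqdn)}
    except Exception as exc:   # broad on purpose: every failure is reported, not raised
        return {"ok": False, "error": repr(exc), "fix": diagnose(exc)}


if __name__ == "__main__":
    # Placeholder DC name; replace with the value used in the Domain Controller field.
    print(check_ldaps("dc01.example.local"))
```

Run it on the SupportCenter Plus server before toggling LDAP SSL on: an "ok" result with san_matches True means the Domain Controller field can carry that FQDN with port 636; a "not trusted" result means the root CA import step has not taken effect for the account running the check.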
