7.5. Active Directory

This chapter describes how an Active Directory can be set up as the user authentication service for users logging into PxM. The following topics are covered:

7.5.1. Active Directory Integration in PxM

You can use Active Directory services to authenticate Active Directory users into the PxM Client. You can also create and manage the passwords of Active Directory accounts, which can then be used during outbound device connections and tasks, or to manage Active Directory devices.

To add Active Directory users to PxM, you can either:

  • Manually create individual Active Directory users in your PxM Client; they are validated externally against Active Directory.

  • Automatically synchronise users on your Active Directory account with PxM using Active Directory user group synchronisation. All users in your Active Directory global security group are imported to your PxM Virtual Appliance user group and vice versa.

    Note

    For more information, see Manage user groups.

7.5.1.1. Prerequisites

The PxM Platform uses LDAPS (Lightweight Directory Access Protocol over SSL) for Active Directory integration.

7.5.2. Adding an Active Directory

An Active Directory Service must be added before the following functionality can be used:

  • Active Directory user group synchronisation.
  • Active Directory authentication into the PxM Client.
  • Management of Active Directory accounts.
  • Provisioning Active Directory devices.

To add an Active Directory Service:

  1. On the left-hand menu, under MANAGE, either:

    • Click the Plus icon to the right of Active Directory.
    • Click Active Directory > New Active Directory.

    The New active directory window appears.

    [Screenshot: WebUI New Active Directory]

  2. In the Create Active Directory window, fill in the configuration information for your Active Directory service.

    Note

    Bold headings are required fields.

    Fields:

    Name: The Name will be used internally to reference the Active Directory.
    Domain (FQDN):

    Enter the fully qualified domain name of your Active Directory.

    The domain name will be used with a valid username/password to authenticate and provision the Active Directory.

    Domain Controller IP/Hostname(s):

    Enter the IP / hostname of the Domain Controller with Active Directory configured.

    Multiple Domain Controller IP / hostname(s) can be entered by comma separating them within the field.

    Container:

    For deployments where the PxM Virtual Appliance should be able to create, delete, and manage the passwords and permissions of Active Directory accounts, the Active Directory should be provisioned using a set of Domain Admin credentials. In this type of deployment, the PxM Virtual Appliance will create an Organizational Unit (OU) in which to do this account and group management.

    If the container input field is given a name, for example Management Accounts, then the OU that gets created will be called Management Accounts and will be placed in the root of the Active Directory.

    By default, the container name is OU=Osirium. The container is created in the root of the Active Directory.

    If the container needs to be placed inside another (or multiple) parent OUs then a DN can be specified to define where to add the PxM OU. For example, for PxM to create an OU called Management Accounts inside a parent OU called Management Tools then use the following:

    OU=Management Accounts, OU=Management Tools

    For deployments where the PxM Virtual Appliance does not need to manage accounts in this way, the Active Directory can be provisioned with Domain User permissions. In this case, no OU will be created and any data in this field will be ignored.

    Note

    Note the reverse order of the OUs in the DN (the child OU comes first). Do not include any Domain Component (DC) attributes. All parent OUs must already exist; PxM does not create any parent OUs.

    Groups of interest:

    The Active Directory group(s) that should be audited by PxM. This field is useful to narrow down the auditing of accounts to those that have high levels of privileges and may pose a security risk.

    Note

    If this field is left blank, all users from the Domain Users group will be audited.

    To add a group of interest, click the Popup editor icon to add the values.

    In the Edit value window, click the New drop-down and select Add entry (Plus icon). A new value field will appear in the table. Add the name of the group you want to be audited. The group name entered must match the name of the group on the Active Directory server.

    [Screenshot: WebUI Create AD service Group of Interest]

    Multiple groups can be added by selecting New > Add entry (Plus icon) again.

    Groups of interest can be removed from the Active Directory, but doing so will make any accounts that are only members of the removed group invisible to the PxM Appliance after the next Active Directory audit. The records for these accounts will no longer be visible in the Active Directory accounts view. If any of these accounts were in a Known or Managed state, you will lose the ability to:

    • Use these accounts as control accounts.
    • Use them as access levels in a profile.
    • Reveal/manage the credentials of the accounts.
    • View their credentials in a new Breakglass report.

    For this reason we do not recommend removing a group of interest until all accounts in that group are set to either an approved or unapproved state.

    Control account:

    Select one of the following control accounts depending on how you want your Active Directory to be managed by PxM:

    • Fully managed

      PxM uses the credentials provided and creates a PxM management account (osirium_authenticationservice_account). This account will be used to authenticate onto the Active Directory and manage it.

    • Managed

      Warning: Selecting this option changes the password of the Active Directory authentication account used to provision the Active Directory. You will no longer know the password, as it will be managed by PxM.

      To recover direct access to the Active Directory account you can either:

      • Use the reveal credentials tool.
      • Generate a Breakglass PDF.
      • Change the control account to Known on the Manage accounts > Active Directory accounts tab.

      The selected Active Directory account will be used to authenticate and manage the Active Directory.

    • Known

      PxM makes no changes to the Active Directory authentication account used to add the Active Directory, and will never delete this account.

      The selected Active Directory account will be used to authenticate and manage the Active Directory.

    Create control account:

    If the checkbox is ticked, PxM will create a device access account to manage any member servers provisioned as Fully managed.

    The device access account is named osirium_deviceaccess_account. It is located in the Osirium OU, Users OU.

    Alternatively, if you want to switch a Known or Managed member server to Fully managed, select this account as the device's control account.

    If you don’t create the PxM control account at this time then it can be created another time through the Manage accounts > Active Directory accounts tab > Create account button.

    User Authentication Service:

    Select whether this Active Directory should be used for inbound Active Directory user authentication.

    Note

    Only one Active Directory service can be selected as the user authentication service.

    Before clicking Yes take note of the following. If you already have another Active Directory service selected as the User Authentication Service, choosing a new User Authentication Service may affect existing Active Directory user authentication into the PxM Client.

    [Screenshot: WebUI change user auth service question window]

  3. Click Save.

  4. Within the Authentication details window enter a valid Username/Password.

    [Screenshot: WebUI Authentication details window]

  5. Click Proceed.

    A number of tasks are run by PxM to provision and audit the Active Directory.

    Depending on which control account has been selected, the following happens:

    Fully managed

    Runs the Authentication service Provision task:

    • PxM uses the Authentication details provided earlier to log on to the Active Directory Domain Controller and creates the PxM OU specified in the Container field, with two Organisational Units (OUs), Admins and Users, inside it.
    • The provisioning credentials need the privilege to:
      • Create the Organizational Unit (OU) specified in the container field.
      • Create new Active Directory user accounts in the provided OU.
      • Manage the passwords of Active Directory user accounts inside the provided OU.
      • Delete Active Directory user accounts from the provided OU.
    • Within the Admins OU the osirium_authenticationservice_account is created and added to the Administrators and Domain Users groups. This account is used by PxM when managing the Active Directory Service.
    • The osirium_authenticationservice_account will be marked as the control account on the Manage accounts > Active Directory accounts tab. The account State will be Fully managed and linked to the user: Osirium Server.

    Runs the Audit Authentication Service task:

    • PxM audits the accounts that exist on the Active Directory. This information is saved in the PxM database. The accounts found will be listed in the Manage accounts > Active Directory accounts tab.

    Managed

    Runs the Authentication service Provision task:

    • PxM uses the Authentication details provided earlier to log on to the Active Directory Domain Controller and, if the supplied account has sufficient privilege, creates a PxM Organizational Unit (OU) with a Users OU inside it. The provided credentials will also be changed and managed by the PxM Virtual Appliance.

    • Creates a PxM OU with two Organisational Units (OUs), Admins and Users, inside it.

      [Screenshot: AD Osirium groups]

    • The authentication account provided will be marked as the Control account on the Manage accounts > Device accounts tab. The account State will be Managed and linked to the user: Osirium Server. This account is used by PxM when talking with the Active Directory. The password will be managed by PxM.

      [Screenshot: WebUI Manage accounts showing Password managed]

    Runs the Audit Authentication Service task:

    • PxM audits the accounts that exist on the Active Directory. This information is saved in the PxM database. The accounts found will be listed in the Manage accounts > Active Directory accounts tab.

    Known

    Runs the Authentication Service Provision task:

    • PxM uses the Authentication details provided earlier to log on to the Active Directory Domain Controller and, if the supplied account has sufficient privilege, creates an Osirium Organisational Unit (OU) with a Users OU inside it. The provided credentials are not changed.

      [Screenshot: AD Osirium password known groups]

    • The authentication account provided will be marked as the control account on the Manage accounts > Active Directory accounts tab. The account State will be Known and linked to the user: Osirium Server. This account is used by PxM when talking with the Active Directory.

      [Screenshot: WebUI Manage accounts showing Password known]

    Runs the Audit Authentication Service task:

    • PxM audits the accounts that exist on the Active Directory. This information is saved in the PxM database. The accounts found will be listed in the Manage accounts > Active Directory accounts tab.

    Note

    If the Create device control account checkbox was ticked for any of the above control account options, the Create device control account task will be run to create the osirium_deviceaccess_account. This account is created in Osirium > Admins OU in Active Directory.

    The osirium_deviceaccess_account will be seen on the Manage accounts > Authentication Service accounts tab and will be linked to the Osirium Server.
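The Container and Domain (FQDN) fields in step 2 together determine where PxM creates its OU, and the Note on that field warns that DC attributes must be left out and that every parent OU must already exist. The following helper, added here as an example and not part of PxM or the Osirium documentation, builds the full DN from those two field values, rejects DC components, and checks the parent chain against a constructed set of existing OU DNs. It assumes the full DN is the container's OU components followed by the DC components derived from the FQDN.

```python
# Added example; not Osirium/PxM code. Builds the DN of the OU that the
# "Container" field and "Domain (FQDN)" field together describe, rejects
# DC attributes in the container value, and checks that every parent OU
# already exists, since PxM only creates the leaf OU.
# Assumptions: the full DN is the container RDNs followed by the DC
# components of the FQDN; the set of existing OUs is constructed here.

def domain_to_dc(fqdn: str) -> str:
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com'."""
    labels = [l for l in fqdn.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty FQDN")
    return ",".join(f"DC={l}" for l in labels)


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas and trim whitespace around each RDN."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def container_dn(container: str, fqdn: str) -> tuple:
    """Return (leaf_dn, parent_dn) for a Container field value.

    The value may be blank (PxM default OU=Osirium), a bare name such as
    'Management Accounts', or an OU chain with the child OU first, e.g.
    'OU=Management Accounts, OU=Management Tools'.
    """
    container = (container or "").strip() or "OU=Osirium"  # PxM default
    rdns = split_rdns(container)
    if not any("=" in r for r in rdns):           # bare name -> one OU
        rdns = [f"OU={container}"]
    ous = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        if attr == "DC":
            raise ValueError(f"DC attributes are not allowed here: {rdn}")
        if attr != "OU":
            raise ValueError(f"only OU components are supported: {rdn}")
        ous.append(f"OU={value.strip()}")
    dc = domain_to_dc(fqdn)
    return ",".join(ous + [dc]), ",".join(ous[1:] + [dc])


def missing_parent_ous(container: str, fqdn: str, existing_ous: set) -> list:
    """Walk from the leaf's parent up to the domain root and report any
    OU DN that is absent from existing_ous (a constructed set of DNs)."""
    _, parent = container_dn(container, fqdn)
    dc = domain_to_dc(fqdn)
    missing, cur = [], parent
    while cur != dc:
        if cur not in existing_ous:
            missing.append(cur)
        cur = cur.partition(",")[2]          # strip the leading RDN
    return missing


if __name__ == "__main__":
    # Constructed directory: only the Management Tools parent OU exists.
    existing = {"OU=Management Tools,DC=corp,DC=example,DC=com"}
    value = "OU=Management Accounts, OU=Management Tools"
    leaf, parent = container_dn(value, "corp.example.com")
    print("PxM will create:", leaf)
    print("inside:", parent)
    print("missing parents:",
          missing_parent_ous(value, "corp.example.com", existing))
```

Running the check before clicking Save avoids a failed provisioning run caused by a missing parent OU or by a DC component pasted in from a full DN; the returned list names exactly which ancestor OUs an administrator must create first.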

7.5.3. Active Directory detail page

The Active Directory detail page provides information relating to the Active Directory service, and allows you to administer it.

To view the Active Directory detail page, click on its name in the table. Alternatively, highlight an Active Directory name, right-click to open the context menu and select Show; you will be navigated to the page.

[Screenshot: WebUI AD detail window]

The following administrative tasks can be carried out for an Active Directory on the details page:

Actions:

Name: Change the name by which you reference your Active Directory within PxM.
Domain Controller IP/hostname(s): Change or add Active Directory Domain Controller IP/hostname(s). Separate multiple entries with commas.
Groups of interest: Add further groups of interest, that is, Active Directory groups with high levels of privilege that may therefore pose a greater security risk.
User Authentication Service: Enable to use the Active Directory for inbound user authentication to the PxM Client.

Note

Only one Active Directory service can be selected as the user authentication service.

Trigger audit: See Trigger audit button.

The accounts section displays all the accounts that exist on the Active Directory.

The information presented in the table includes:

Headings:

Service control account

The account marked as the service control account (Checked box icon) is the account (username/password) that PxM uses to manage the Active Directory authentication service.

PxM will use the account to perform the following:

  • Create and delete PxM accounts/groups on the Active Directory.
  • Update Active Directory users account information if they already exist in PxM.
  • Create Active Directory users in PxM if they don’t already exist.
  • Audit user accounts.

Note

Only accounts with a state of Known or higher can be made a Service control account.

Device control account

The Device control account will be marked with a Checked box icon. The Device control account will be used by PxM to:

  • Manage the member servers provisioned in PxM.
  • Run tasks on the member servers.
  • Audit the member servers.

Note

Only accounts with a state of Known or higher can be made a Service control account.

State

A State is set for each of the accounts discovered on the Active Directory Service by PxM when a DeviceAudit task is run.

See Manage accounts.

Account: Name of the user account that exists on the Authentication service.
Display name: Display name that exists on the Active Directory.
User logon name: Prefix of the User Principal Name (UPN) that exists on the Active Directory.
sAMAccountName: Pre-Windows 2000 logon name that exists on the Active Directory.
Credential(s) changed: Timestamp of when PxM last changed the account credentials.
Failed logon: Timestamp of when PxM last failed to logon with this account.
Linked to users: The PxM user(s) to which the account is linked.
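The Groups of interest field (see Adding an Active Directory) narrows which accounts the audit task records and therefore which accounts appear in this table with a State. The example below is added here and is not PxM code. It models that field's scope rule (a blank list audits the members of Domain Users; otherwise any member of a listed group is audited) over constructed account records, and shows which accounts would disappear from the accounts table if a group of interest were removed, the situation the field description warns about. Group names are compared as exact strings, as the field requires them to match the directory; real directory lookups are case-insensitive.

```python
# Added example; not Osirium/PxM code. Models which Active Directory accounts
# fall inside PxM's audit scope for a given "Groups of interest" setting, and
# which accounts would drop out of view if a group is removed from that list.
# The account records are constructed sample data; the scope rule follows
# the field description (blank -> everyone in Domain Users, otherwise the
# members of any listed group).

# constructed sample: sAMAccountName -> groups the account is a member of
ACCOUNTS = {
    "alice":   {"Domain Users", "Domain Admins"},
    "bob":     {"Domain Users", "Backup Operators"},
    "carol":   {"Domain Users"},
    "svc_sql": {"Domain Users", "Backup Operators", "Server Operators"},
    "guest_x": set(),            # not in Domain Users at all
}


def audit_scope(accounts: dict, groups_of_interest) -> set:
    """Return the set of account names PxM would audit."""
    if not groups_of_interest:
        # blank field: every member of Domain Users is audited
        return {name for name, groups in accounts.items()
                if "Domain Users" in groups}
    wanted = set(groups_of_interest)       # exact-string match, as entered
    return {name for name, groups in accounts.items() if groups & wanted}


def removal_impact(accounts: dict, groups_of_interest, group_to_remove: str) -> list:
    """Accounts that are in scope only through group_to_remove. These become
    invisible to PxM after the next audit if that group is removed, which is
    when Known/Managed accounts lose reveal, control-account and Breakglass
    use. Removing the last group blanks the field, which widens scope to
    Domain Users instead, so the result is then empty."""
    before = audit_scope(accounts, groups_of_interest)
    remaining = [g for g in groups_of_interest if g != group_to_remove]
    after = audit_scope(accounts, remaining)
    return sorted(before - after)


if __name__ == "__main__":
    groups = ["Domain Admins", "Backup Operators", "Server Operators"]
    print("audited:", sorted(audit_scope(ACCOUNTS, groups)))
    print("lost if Backup Operators is removed:",
          removal_impact(ACCOUNTS, groups, "Backup Operators"))
    print("lost if the only group is removed:",
          removal_impact(ACCOUNTS, ["Domain Admins"], "Domain Admins"))
```

Run removal_impact against an export of group memberships before removing a group of interest; anything it lists should first be moved to an approved or unapproved state, as the field description recommends.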

7.5.3.1. Deleting an Active Directory

An Active Directory service cannot be removed if it is being used by member servers. All member servers will need to be unprovisioned before deleting the Active Directory.

To delete an Active Directory:

  1. In the left-hand menu, click on Active Directory.

  2. On the Manage Active Directory page, right-click on the Active Directory to be removed from PxM and select Delete from the context menu.

  3. If the Active Directory control account is Managed, PxM will prompt you for a new password for this account. PxM then sets this password on the Active Directory for the control account used, handing control of the account back to you.

    Otherwise, skip to step 4.

    [Screenshot: WebUI Auth service unprovision account passwords]

  4. Within the Question window, click Yes, if you are sure you want to delete the Active Directory from PxM.

    [Screenshot: WebUI Confirm delete service question]

    During the deletion of the Active Directory Service from PxM, the following occurs:

    Fully managed

    Runs the Authentication Service Unprovision task:

    • The following are removed from the Active Directory:
      • From the Admins OU the osirium_authenticationservice_account is deleted.
      • From the Users OU the osirium_deviceaccess_account is deleted if it was created.
    • Removes the Active Directory Service from PxM.

    Managed

    Runs the Authentication Service Unprovision task:

    • Resets the Active Directory administrator account password to the one provided.
    • Removes the Active Directory Service from PxM.
    • Within the Users OU on the Active Directory server the osirium_deviceaccess_account is deleted if it was created.

    Known

    Runs the Authentication Service Unprovision task:

    • Removes the Active Directory from PxM.
    • The Active Directory username/password are not changed or deleted.
    • Within the Users OU on the Active Directory the osirium_deviceaccess_account is deleted if it was created.
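The provisioning tasks in Adding an Active Directory (step 5) and the Unprovision task above describe, per control account option, which objects PxM creates in the directory and which it later deletes. The following script is added here as an example and is not PxM code: it lists the expected objects for each option, reconciles them against a snapshot of the directory (missing objects, wrong classes, group memberships beyond the documented Administrators and Domain Users, and stray objects inside the PxM OU), and after deletion reports any account that should have been removed but is still present. It assumes the PxM OU DN has already been resolved, that the device access account sits in the Users OU as the Create control account field states, that Managed and Known create only a Users OU, and that the snapshot is a constructed dict of DN to attributes.

```python
# Added example; not Osirium/PxM code. Lists the directory objects the
# provisioning tasks (Adding an Active Directory, step 5) are expected to
# create for each control account option, reconciles that list against a
# snapshot of the directory, and lists what the Unprovision task should
# have removed, so an AD administrator can check both ends of the lifecycle.
# Assumptions: container_dn is the already-resolved DN of the PxM OU; the
# device access account lives in the Users OU, as the "Create control
# account" field states; Managed and Known create only a Users OU; the
# snapshot is a constructed dict of DN -> attributes.

AUTH_ACCOUNT = "osirium_authenticationservice_account"
DEVICE_ACCOUNT = "osirium_deviceaccess_account"
MODES = ("Fully managed", "Managed", "Known")


def expected_objects(mode, container_dn, create_device_account=False):
    """Return {dn: {"class": ..., "memberOf": {...}}} created by provisioning."""
    if mode not in MODES:
        raise ValueError(f"unknown control account option: {mode}")
    users_ou = f"OU=Users,{container_dn}"
    objs = {container_dn: {"class": "organizationalUnit"},
            users_ou: {"class": "organizationalUnit"}}
    if mode == "Fully managed":
        admins_ou = f"OU=Admins,{container_dn}"
        objs[admins_ou] = {"class": "organizationalUnit"}
        objs[f"CN={AUTH_ACCOUNT},{admins_ou}"] = {
            "class": "user", "memberOf": {"Administrators", "Domain Users"}}
    if create_device_account:
        objs[f"CN={DEVICE_ACCOUNT},{users_ou}"] = {"class": "user"}
    return objs


def credentials_rotated(mode):
    """True when PxM takes over the password of the credentials you supplied."""
    return mode == "Managed"


def reconcile(expected, snapshot, container_dn):
    """Compare expected objects with the PxM subtree of a directory snapshot.
    Documented group memberships must be present; any group beyond them is
    reported under extra_membership rather than silently accepted."""
    missing, mismatched, extra_membership, unexpected = [], [], [], []
    for dn, want in expected.items():
        have = snapshot.get(dn)
        if have is None:
            missing.append(dn)
            continue
        have_groups = set(have.get("memberOf", ()))
        want_groups = set(want.get("memberOf", ()))
        if have.get("class") != want["class"] or not want_groups <= have_groups:
            mismatched.append(dn)
        elif have_groups - want_groups:
            extra_membership.append(dn)
    suffix = "," + container_dn
    for dn in snapshot:
        if (dn == container_dn or dn.endswith(suffix)) and dn not in expected:
            unexpected.append(dn)
    return {"missing": sorted(missing), "mismatched": sorted(mismatched),
            "extra_membership": sorted(extra_membership),
            "unexpected": sorted(unexpected)}


def removed_on_unprovision(mode, container_dn, create_device_account=False):
    """Account DNs the Unprovision task deletes. The documentation lists no
    OU removal, so OUs are not included."""
    gone = []
    if mode == "Fully managed":
        gone.append(f"CN={AUTH_ACCOUNT},OU=Admins,{container_dn}")
    if create_device_account:
        gone.append(f"CN={DEVICE_ACCOUNT},OU=Users,{container_dn}")
    return gone


def leftovers_after_unprovision(mode, container_dn, snapshot,
                                create_device_account=False):
    """DNs that should be gone after deletion but are still in the snapshot."""
    return [dn for dn in removed_on_unprovision(mode, container_dn,
                                                create_device_account)
            if dn in snapshot]


if __name__ == "__main__":
    pxm_ou = "OU=Osirium,DC=corp,DC=example,DC=com"   # constructed
    want = expected_objects("Fully managed", pxm_ou, create_device_account=True)
    # Constructed snapshot: device account missing, a stray user present,
    # and the service account in one group more than documented.
    snap = {dn: dict(attrs) for dn, attrs in want.items()}
    del snap[f"CN={DEVICE_ACCOUNT},OU=Users,{pxm_ou}"]
    snap[f"CN={AUTH_ACCOUNT},OU=Admins,{pxm_ou}"]["memberOf"] = {
        "Administrators", "Domain Users", "Domain Admins"}
    snap[f"CN=stray,OU=Users,{pxm_ou}"] = {"class": "user"}
    print(reconcile(want, snap, pxm_ou))
    print("still present after unprovision:",
          leftovers_after_unprovision("Fully managed", pxm_ou, snap, True))
```

The extra_membership check is the one worth automating: the service account is documented as a member of Administrators and Domain Users only, so any further group on it after provisioning, or any unexpected object under the PxM OU, should be investigated before the directory is handed to PxM for account management.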