Add Active Directory with integrated Windows authentication
You can use VMware Aria Suite Lifecycle to create an Active Directory with integrated Windows authentication directory type when you plan to connect to a multi-domain Active Directory environment. The connector binds to Active Directory by using Integrated Windows Authentication. Verify that you have the required user credentials to add a directory.
- Click Identity and Tenant Management on the My Services dashboard.
- Navigate to the Directory Management tab and click Directories.
- Click + Add Directory and click Add Active Directory Over IWA.
- On the Directory Detail tab, complete the following fields:
  - Directory Information: Enter a valid Directory Name.
  - Directory Sync and Authentication: Select the connector to sync with Active Directory. The connector is a VMware Workspace ONE Access service component that synchronizes user and group data between Active Directory and the VMware Workspace ONE Access service, and it authenticates users. Each VMware Workspace ONE Access appliance node contains a default connector component. If necessary, a dedicated connector can also be deployed through a global environment scale-out.
  - Authentication Enabled: Indicate whether the selected connector also performs authentication. If you are using a third-party identity provider to authenticate users, click No.
  - Directory Search Attribute: Select a search attribute from the drop-down menu.
  - Certificates: If your Active Directory requires access over SSL/TLS, select the Directory requires all connections to use STARTTLS check box in the Certificates section, and copy and paste the domain controllers' Intermediate (if used) and Root CA certificates into the SSL Certificate text box. Enter the Intermediate CA certificate first, then the Root CA certificate. Ensure that each certificate is in PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines. If the domain controllers have certificates from multiple Intermediate and Root Certificate Authorities, enter all the Intermediate-Root CA certificate chains, one after the other. If your Active Directory requires access over SSL/TLS and you do not provide the certificates, you cannot create the directory.
  - Join Domain Details: Enter the Domain Name, Domain Admin user name, and Domain Password.
  - Bind User Details: Enter the Bind Username and Bind Password of the bind user who has permission to query users and groups for the required domains. Enter the user name as sAMAccountName@domain, where domain is the fully qualified domain name. Use a bind user account with a non-expiring password.
- Click Create and Next. You can select the domains that should be associated with the Active Directory connection.
- On the Domain Selection Detail tab, select the domain and click Submit and Next. The Active Directory with IWA populates the list of domains, and you can select or edit the domains as required.
- To verify that the VMware Workspace ONE Access directory attribute names are mapped to the correct Active Directory attributes, on the Map Attribute tab, select the required attribute and click Submit and Next.
- On the Group Selection tab, specify the Group DN details and click Next. To select groups, click Add Group Distinguished Name, specify one or more group DNs, and select the groups under them. Specify group DNs that are under the Base DN that you entered in the Base DN text box in the Add Directory section. If a group DN is outside the Base DN, users from that DN are synced but cannot log in. When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
- Select the Sync Nested Group Members option as required. When this option is enabled, all the users that belong directly to the group you select and all the users that belong to nested groups under it are synced when the group is entitled. Note that the nested groups themselves are not synced; only the users that belong to the nested groups are synced. In the VMware Workspace ONE Access directory, these users are members of the parent group that you selected for sync. If the Sync Nested Group Members option is disabled, when you specify a group to sync, only the users that belong directly to that group are synced; users that belong to nested groups under it are not synced. Disabling this option is useful for large Active Directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.
- On the User Selection tab, enter the User DN details and click Next.
- On the Dry Run Check tab, read the Summary.
- Click Sync and Complete to start the sync to the directory. The connection to Active Directory is established, and users and group names are synced from Active Directory to the VMware Workspace ONE Access directory.
- Click Submit.
- To edit, click the Edit icon on the specific Active Directory in the list of Active Directories. New information is appended to the configuration on VMware Workspace ONE Access. However, if you remove settings by editing, the removal applies only to the VMware Aria Suite Lifecycle inventory and not to VMware Workspace ONE Access.
- To delete, click the Delete icon on the specific Active Directory in the list of Active Directories. You can delete the Active Directory only from the VMware Aria Suite Lifecycle inventory and not from VMware Workspace ONE Access.
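As an added pre-flight check (example code, not part of VMware Aria Suite Lifecycle or of the original page), the following Python validates the three free-text inputs this procedure depends on before you paste them into the UI: the PEM chain for the Certificates field, the sAMAccountName@domain bind user name, and whether each group DN from the Group Selection tab sits under the Base DN. The certificate bodies and DNs are constructed placeholders.

```python
"""Pre-flight checks for values entered on the Directory Detail and Group
Selection tabs: the pasted PEM certificate chain, the bind user name, and
the group DNs relative to the Base DN. Sample values are constructed."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of each complete PEM certificate block in text.
    Raises ValueError for a block that is not base64 or not a DER SEQUENCE,
    or for a BEGIN CERTIFICATE line with no matching END CERTIFICATE line."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 certificate is a SEQUENCE
            raise ValueError("PEM block does not decode to an X.509 SEQUENCE")
        ders.append(der)
    if text.count("BEGIN CERTIFICATE") != len(ders):
        raise ValueError("PEM block is missing its END CERTIFICATE line")
    return ders

def valid_bind_user(name):
    """sAMAccountName@domain, where domain is a fully qualified (dotted) name."""
    return re.fullmatch(r"[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", name, re.I) is not None

def split_dn(dn):
    """Split a DN on unescaped commas into trimmed, case-folded RDNs."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]

def dn_under_base(dn, base_dn):
    """True if dn equals base_dn or lies below it (suffix match on whole RDNs,
    so DC=xcorp does not pass for a Base DN of DC=corp)."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base

def groups_outside_base(group_dns, base_dn):
    """Group DNs whose members would be synced but could not log in."""
    return [g for g in group_dns if not dn_under_base(g, base_dn)]

# Constructed sample: two tiny DER SEQUENCE stand-ins, not real certificates.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")
SAMPLE_BASE_DN = "DC=corp,DC=example,DC=com"
SAMPLE_GROUPS = ["CN=App Users, OU=Groups,DC=corp,DC=example,DC=com",
                 "CN=Admins,OU=Groups,DC=other,DC=example,DC=com"]
```

Run `pem_blocks` on the text you intend to paste and `groups_outside_base` on your group DN list; any returned DN is one whose users would sync but be unable to log in.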