Issue
Understand methods for integrating Security Expert with Active Directory for creation and management of Operators and Users.
Product Line
EcoStruxure Security Expert
Environment
- Security Expert
- Active Directory
- SX-AD-OPR
- SX-AD-USR
- SX-DB-SYNC
Cause
Security Expert Active Directory Integration provides synchronization and authentication for Active Directory users, enabling organizations to leverage the user management and security policies that Active Directory already provides. This article looks at the details of each integration option.
Resolution
There are four options for Active Directory Integration.
1. Default Windows Authentication option.
- This allows logging in to Security Expert with Windows user account credentials, which can include AD users if the machine is joined to a domain.
- An Operator object must be created in Security Expert, and the Windows Authentication option has some specific configuration steps that must be followed for it to work (see Unable to login to Security Expert using Windows Authentication).
- Use the syntax "<domain>\<username>" for the user name when configuring the Operator for a Windows user that IS on a domain.
- Use the syntax "<computername>\<username>" for the user name when configuring the Operator for a Windows user that is NOT on a domain.
- No extra license is required for this option.
2. SX-AD-OPR : License for adding Security Expert Operators from AD.
- Security Expert Operators will need to be added manually using the following steps:
- Navigate to Operators and click Add.
- Check the Windows Authentication box.
- Click the ellipsis adjacent to the User Name.
- Use the Active Directory Users window to search for the AD credentials you wish to use.
- Once the Operator has been added, you may check the Windows Authentication option when logging in.
3. SX-AD-USR : License for adding Security Expert Users from AD.
- This allows an Active Directory domain Windows group to be polled periodically for updates, which in turn update the Users in Security Expert.
- Individual options are available for importing users, disabling a user if the AD user is disabled, and disabling a user if the AD user is deleted.
- Only user names are imported; the only other action is disabling users in Security Expert. No other details can be updated or added.
- See application note AN-141 Security Expert LDAP User Import Configuration.
4. SX-DB-SYNC : Data Sync Service with Powershell script.
- A PowerShell script pulls user details out of AD and writes them to a CSV file, which the Data Sync Service then imports into Security Expert.
- Can do more than SX-AD-USR, as any attribute of an AD user can be mapped to any attribute of a Security Expert user.
- Requires PowerShell experience, as the sample script will likely need to be tweaked for the site.
- The video Using Data Sync to Transfer Information from Active Directory to ProtegeGX shows Windows Active Directory being used as a source of Users/Operators for the Data Sync Service. It gives a good overview of how this is accomplished and how straightforward it is to set up.
- See Security Expert Data Sync Service and sample Powershell script SXFetchADUsers.zip attached
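The following script is an added example of the option 4 workflow (export AD users from a group to a CSV for the Data Sync Service to pick up). It is not the SXFetchADUsers.zip sample shipped with Security Expert and is not Schneider Electric code. The AD group name, the output path and the CSV column names (ExternalId, UserName, FirstName, LastName, CardNumber, Department, Disabled) are assumptions: map the columns to whatever Security Expert user attributes your Data Sync Service import definition expects.

```powershell
# Added example, not the vendor sample script. Requires the RSAT ActiveDirectory module.
# Assumed values: the AD group name, the output folder and the CSV column names.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName = 'SecurityExpert-Users',   # assumed AD group that holds cardholders
    [string]$OutFile   = 'C:\DataSync\Users.csv'   # assumed folder watched by Data Sync Service
)

Import-Module ActiveDirectory

# Resolve membership recursively so users in nested groups are included,
# and drop anything that is not a user object (computers, nested groups).
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$rows = foreach ($m in $members) {
    # Fetch only the attributes that are mapped. Enabled and
    # AccountExpirationDate drive the "disable in Security Expert" logic.
    $u = Get-ADUser -Identity $m.DistinguishedName `
        -Properties GivenName, Surname, EmployeeID, Department, Enabled, AccountExpirationDate

    # Treat an expired account the same as a disabled one: the card must stop working.
    $expired  = $u.AccountExpirationDate -and ($u.AccountExpirationDate -lt (Get-Date))
    $disabled = if ($u.Enabled -and -not $expired) { 0 } else { 1 }

    [pscustomobject]@{
        # Key on objectGUID, not sAMAccountName, so a rename updates the existing
        # Security Expert user instead of creating a duplicate with its own access.
        ExternalId = $u.ObjectGUID.ToString()
        UserName   = $u.SamAccountName
        FirstName  = $u.GivenName
        LastName   = $u.Surname
        CardNumber = $u.EmployeeID      # assumed source of the card number
        Department = $u.Department
        Disabled   = $disabled
    }
}

# Write to a temp file and then move it into place so the Data Sync Service
# never imports a half-written CSV if it polls mid-export.
$tmp = "$OutFile.tmp"
$rows | Sort-Object UserName | Export-Csv -Path $tmp -NoTypeInformation -Encoding UTF8
Move-Item -Path $tmp -Destination $OutFile -Force
```

Run it under a scheduled task using a dedicated domain account that has read-only rights to the group and its members, and restrict NTFS permissions on the output folder to that account and the Data Sync Service account: anyone who can edit the CSV can grant or revoke physical access.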