This is an example of setting up an AD server.
Note: A functional IT Advisor web client is required.
To illustrate what an authentication server looks like, Apache Directory Studio is used to connect to the server and browse its contents.
The following two illustrations show what the Authentication Server settings look like when you are connecting to an AD server (image 1) and the same connection without groups (image 2).
(image 1: Authentication Server settings when connecting to an AD server)
(image 2: Authentication Server settings, connection without groups)
When configuring group info, you have two options, depending on your type of authentication server. Your authentication server may support neither (skip this step), one, or both options:
1. Parse user attribute for list of groups.
   Documentation: https://msdn.microsoft.com/en-us/library/ms677099.aspx
2. Search for groups containing users.
   Documentation: https://msdn.microsoft.com/en-us/library/ms677097.aspx
Configuration of option 1 - parse user attribute for list of groups:
(image: option 1 configuration, 1 of 2)
(image: option 1 configuration, 2 of 2)
Configuration of option 2 - search for groups containing users:
(image: option 2 configuration, 1 of 2)
(image: option 2 configuration, 2 of 2)
Now that your server is set up, check whether there are any groups available in the User Groups Browser to confirm your connection.
Configuring authentication servers in the ITA web client gives remote users access to ITA once they have been authenticated by the configured authentication server.
About remote users, certificates, and authentication methods
When a remote user attempts to log on to the ITA server, the credentials are sent to the authentication server associated with that user. It is that server, and not the ITA server, that authenticates the logon attempt.
Note
If you use SSL, ensure there’s at least one local user on the ITA server so you’ll be able to log in and accept new SSL certificates from authentication servers when the current ones expire.
This is necessary because when a certificate expires for an AD, LDAP, or DCE server used for authenticating remote users in ITA, the ITA server will no longer be able to verify that the logon attempts come from a trusted server, and therefore will not allow any of these users to log in.
Log in as a local user on the ITA server and trust the new certificate from the AD, LDAP, or DCE server to re-enable authentication.
See more about working with SSL certificates here.
Configuring remote user authentication
In Configuration > Authentication Servers, click to add an authentication server.
Enter the authentication server settings, starting with a predefined authentication method from the drop-down list. The name, email address, and password data are supplied by the authentication server.
When you are setting up a remote user, user information is stored on one of the following:
- Data Center Expert server, acting as a remote repository of user information. The IT Advisor server requires a connection to the Data Center Expert server in order to obtain the user information.
- LDAP or Active Directory server. The IT Advisor server requires a connection to the server, and logon information is required.
When a remote user attempts to log on to the IT Advisor server, the user credentials (user name and password) are sent to the authentication server associated with that user. It is that server, and not the IT Advisor server, that authenticates the logon attempt.
Indirect AD authentication (via DCE) is not recommended.
LDAP and Active Directory specifications
- Support for LDAPv3, both ldaps:// and ldap://
- ITA's Active Directory integration supports mutual trust between child and parent Domain Controllers (Active Directory servers). Mutual trust allows a user who authenticates against an Active Directory server to authenticate against a parent or child Domain Controller of that server.
- Because of mutual trust, the username of the account that reads users and groups from the authentication server can include the child domain name as part of the username. Example: username@child-domain or username@child-domain.domain
- How to set up an Active Directory server: Set up AD server
- Only read operations are performed, and only on the following fields: cn, uid, mail
You can import individual users or user groups from a remote authentication server. Users in groups are automatically added to ITA and will appear in the user interface. Users are not automatically deleted; however, permissions are removed if a user is removed from a group.
Tested and verified OS versions for Enterprise Active Directory:
- Windows OS: Windows Server 2008 R2 SP1 and 2012 SP1
- Forest functional level: Windows Server 2008 and 2012
- Domain functional level: Windows Server 2008 and 2012
LDAP and Active Directory Limitations
Active Directory has an LDAP query limit of 1000 objects, to prevent excessive load and Denial of Service attacks.
The default method to get around this limitation is to break up the query so that it returns at most 1000 objects at a time. For example, query only for objects starting with the letter a, then query for objects starting with the letter b, and so forth.
The more efficient method for large environments is to enable paging. Paging automatically splits the results into multiple result sets, so the integration does not have to split up the query into multiple requests.
A more comprehensive list of limitations and work-arounds can be found here: LDAP policy in Active Directory
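The following is an added example, not IT Advisor's own code, that ties together the two group-resolution options described under "Set up AD server" (option 1: read the user's group list from the user entry; option 2: search for groups whose member attribute contains the user) and the 1000-object limit with paging described just above. It runs against a constructed in-memory directory with a simulated server; the DNs, account names, group names and the `server_search` behaviour are assumptions, and a real integration would issue the same filters through an LDAP client library. The filter values are escaped per RFC 4515 before being interpolated, which is what keeps a login name supplied at logon from being interpreted as filter syntax.

```python
"""Added example (not IT Advisor code): the two group-resolution options
(memberOf on the user entry vs. searching groups by member) and paged
retrieval past Active Directory's 1000-object limit, run against a
constructed in-memory directory. Names, DNs and the server simulation are
assumptions; a real integration would issue the same filters through an LDAP
client library."""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.
    This keeps user-supplied text (a login name) from being parsed as filter
    syntax, i.e. it prevents LDAP filter injection."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _split_terms(s: str) -> list:
    """Split "(a=b)(c=d)" into its top-level parenthesised terms."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(s[start:i + 1])
    return terms


def matches(entry: dict, flt: str) -> bool:
    """Minimal filter evaluator: equality terms and AND conjunctions only."""
    inner = flt[1:-1]
    if inner.startswith("&"):
        return all(matches(entry, t) for t in _split_terms(inner[1:]))
    attr, _, val = inner.partition("=")
    return _unescape(val) in entry.get(attr, [])


# Constructed directory (assumption): two real users, two groups, and 2500
# bulk accounts so that a plain user search exceeds the server's page limit.
BASE = "DC=corp,DC=example"


def dn(cn: str, ou: str) -> str:
    return f"CN={cn},OU={ou},{BASE}"


DIRECTORY = {
    dn("alice", "Users"): {"objectClass": ["user"], "sAMAccountName": ["alice"],
                           "memberOf": [dn("DC-Admins", "Groups"), dn("Everyone", "Groups")]},
    dn("bob", "Users"): {"objectClass": ["user"], "sAMAccountName": ["bob"],
                         "memberOf": [dn("Everyone", "Groups")]},
    dn("DC-Admins", "Groups"): {"objectClass": ["group"], "member": [dn("alice", "Users")]},
    dn("Everyone", "Groups"): {"objectClass": ["group"],
                               "member": [dn("alice", "Users"), dn("bob", "Users")]},
}
for i in range(2500):
    DIRECTORY[dn(f"user{i:04d}", "Bulk")] = {"objectClass": ["user"],
                                            "sAMAccountName": [f"user{i:04d}"]}

MAX_PAGE_SIZE = 1000  # mirrors the Active Directory limit described above


def server_search(flt: str, page_size=None, cookie: int = 0):
    """Simulated server. Without paging the result is silently capped at
    MAX_PAGE_SIZE (a real DC also reports sizeLimitExceeded). With paging it
    returns (page, next_cookie); next_cookie is None once the set is exhausted."""
    hits = [d for d, e in DIRECTORY.items() if matches(e, flt)]
    if page_size is None:
        return hits[:MAX_PAGE_SIZE], None
    page = hits[cookie:cookie + min(page_size, MAX_PAGE_SIZE)]
    nxt = cookie + len(page)
    return page, (nxt if nxt < len(hits) else None)


def paged_search(flt: str, page_size: int = MAX_PAGE_SIZE) -> list:
    """Client side of paging: keep asking with the returned cookie until None."""
    results, cookie = [], 0
    while True:
        page, cookie = server_search(flt, page_size, cookie)
        results.extend(page)
        if cookie is None:
            return results


def _user_dns(username: str) -> list:
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"
    return paged_search(flt)


def groups_via_user_attribute(username: str) -> list:
    """Option 1: read the group list from the user's own memberOf attribute."""
    return sorted(g for d in _user_dns(username) for g in DIRECTORY[d].get("memberOf", []))


def groups_via_member_search(username: str) -> list:
    """Option 2: search for group entries whose member attribute holds the user DN."""
    return sorted(g for d in _user_dns(username)
                  for g in paged_search(f"(&(objectClass=group)(member={escape_filter_value(d)}))"))


if __name__ == "__main__":
    print("option 1:", groups_via_user_attribute("alice"))
    print("option 2:", groups_via_member_search("alice"))
    print("unpaged users returned:", len(server_search("(objectClass=user)")[0]))
    print("paged users returned:", len(paged_search("(objectClass=user)")))
    print("crafted name resolves to:", groups_via_user_attribute("alice)(objectClass=*"))
```

Both options return the same group list for a user; the difference is which side does the work, one read of the user entry versus one search over all groups, which is why option 2 benefits most from paging in large directories. The unpaged search returns only the first 1000 of 2502 user entries, while the paged loop retrieves all of them, and a login name containing filter metacharacters matches nothing rather than altering the query.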