The Active Directory feature has 2 implementation modes. Choose the mode that best meets your needs.
In Active Directory Integration mode, the following information is shared between Active Directory and Ektron:
In user authentication only mode, the following information is shared between Active Directory and Ektron:
Active Directory Integration strives to maintain consistent user and user group information between AD and Ektron. First, user information is imported from AD into Ektron. When this is complete, user group information is imported.
Ektron does not write to Active Directory; it only reads from it. This changes the way Ektron manages user and user group information.
Ektron imports the following AD user information.
Field in AD | AD Attribute | Corresponding Field in Ektron |
---|---|---|
User logon name (pre-Windows 2000) | sAMAccountName | Domain and Username |
Last Name | sn | Lastname |
First Name | givenName | Firstname |
email Address | mail | email Address |
NOTE: Users and user groups can share a name in different domains, for example, [email protected] and [email protected]. Otherwise, user names must be unique.
The following diagram illustrates the Active Directory feature's components.
The Active Directory feature uses multiple Ektron screens to edit domains, set up Active Directory, display AD status, and view and search for users and user groups.
Use the Edit Domains screen to identify each network domain you will use with Ektron's Active Directory Integration. The screen lets you add new domains, modify existing ones, or delete obsolete ones. Use this to define domains, as opposed to using auto discovery to find them.
Domains are used during sign-on. In addition to a username and password, users must select a domain. Domains are also referenced when defining the AD users and user groups that map to Ektron users and groups.
Prerequisite: To enable the Edit Domains screen, edit web.config as explained in Setting Up Active Directory via the Advanced Domains Method.
To add a new domain:
The Active Directory Setup screen lets you enable or disable AD and manage other AD settings, such as whether users and groups are automatically updated.
To enable AD and manage settings:
Active Directory Installed
Auto Add
User Property Association
The default AD property for email Address is mail, but you can change it to any AD property. The default for First Name is givenName, but you can change it to any AD property. The default for Last Name is sn, but you can change it to any AD property. For more information on user properties, see the MSDN Library: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677980%28v=vs.85%29.aspx
Ektron Administrator Group Association
Also, if any Ektron user or group names include a domain (for example, [email protected]) that is excluded by your selection, those users/groups are flagged on the Active Directory Setup and Active Directory Status screens because the names include an invalid domain.
Message | Explanation |
---|---|
Active Directory Authentication is Enabled and Requires More Configuration. | Some Ektron users are not associated with AD users. Also, if you are using full active directory integration mode, user groups and/or user group relationships may not be associated. |
Active Directory Authentication is disabled, but needs further configuration | Some Ektron users and/or groups are no longer unique. This happens because, in AD, users and groups can share a logon name as long as their domains are different. But, if AD authentication is disabled, 2 users or groups can no longer share a name—each must be unique. |
Use the Active Directory Status screen to identify and resolve discrepancies between Ektron and AD:
Any combination of these messages may be displayed depending on the issues requiring resolution. The following procedure provides steps to resolve all 3 issues.
If you are using full AD Integration mode, Username, Domain, First Name, Last Name, and email Address can only be edited in AD. You can edit all other fields on this screen.
The screen also displays the following buttons.
If you cannot easily locate specific users on the View Users screen, use the search function.
The View User Groups Screen displays all AD user groups that have been imported to Ektron.
This section explains importing AD user information when integration is first enabled and on an ongoing basis.
AD user information is initially imported to Ektron in different ways depending on whether:
For a populated Ektron database:
For an Ektron database with only a few users, go to the Search Active Directory for Users screen and select the AD users that will use Ektron. You can only select AD users that do not already exist in Ektron. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for users in that domain. When you add a user, his AD information is imported to Ektron. See Also: Viewing and Searching for Users
You can also manually add AD users to Ektron:
When AD integration has been established, new AD user information is imported to Ektron when either of these events occurs:
Maintenance tasks include:
If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user’s username and password. For more information, see Editing the Builtin Username and Password.
This section explains how a user’s group membership is imported from AD to Ektron after integration is enabled. When assigned to a group, the user automatically receives all Ektron permissions and approval process responsibilities associated with it.
NOTE: Active Directory has 2 kinds of user groups: security and distribution. Ektron does not distinguish between them. As long as a user is a member of either kind of group, group information can be imported to Ektron.
Before using AD integration, import all AD groups you will use into Ektron:
NOTE: The Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search within that domain.
Users' membership in AD groups is imported to Ektron in different ways depending on the state of existing Ektron user groups:
In the case of a discrepancy between AD and Ektron user groups:
Alternatively, if the Enable automatic addition of user to groups field is unchecked, you can add the user to groups and remove him from groups independently of his AD group memberships.
On the Active Directory Setup screen, you identify the AD group that maps to the Ektron Administrator group using the syntax AD group name@AD domain. Members of this group receive administrator privileges. See Also: Administrator Role Privileges
If such a group does not exist in AD, create it, then assign it on the Active Directory Setup screen.
Note that only one AD group can be mapped to the Ektron Administrator group. You cannot have an AD administrator group within each AD domain.
NOTE: Unlike other Ektron user groups, whose names are imported from AD, the Ektron Administrator and Everyone group names cannot be changed.
Maintenance tasks include:
When you disable AD integration, domain names are dropped, which may cause user and user group names to no longer be unique. For example, 2 users are named [email protected] and [email protected]. When AD is enabled, domain names make the users and user groups unique. However, when AD is disabled and domain names are dropped, the names are now identical. You need to make the users and user groups unique.
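As an added example (not Ektron's own code), the following Python models the default AD-to-Ektron field mapping from the import table above, the group@domain syntax of the Administrator group association, and the name collision that appears when AD integration is disabled and domain suffixes are dropped. The domains, users and the case-insensitive username comparison are constructed assumptions.

```python
from collections import defaultdict

# Default AD attribute -> Ektron field associations described on the page.
ATTRIBUTE_MAP = {
    "sAMAccountName": "Username",
    "sn": "Lastname",
    "givenName": "Firstname",
    "mail": "email Address",
}

def import_ad_user(ad_entry, domain):
    """Derive an Ektron user record from one AD entry; Ektron only reads
    AD, so every mapped field comes straight from the directory."""
    record = {"Domain": domain}
    for ad_attr, ektron_field in ATTRIBUTE_MAP.items():
        record[ektron_field] = ad_entry.get(ad_attr, "")
    # While AD is enabled, Ektron identifies the user as username@domain.
    record["EktronName"] = f"{record['Username']}@{domain}"
    return record

def collisions_when_domains_dropped(records):
    """Return {bare username: [qualified names]} for names that are unique
    only because of their domain. Assumption: Ektron compares user names
    case-insensitively, as AD does for logon names."""
    by_bare = defaultdict(list)
    for rec in records:
        by_bare[rec["Username"].lower()].append(rec["EktronName"])
    return {name: qualified for name, qualified in by_bare.items()
            if len(qualified) > 1}

def parse_admin_group(association):
    """Split the 'AD group name@AD domain' value used for the Ektron
    Administrator group association (splits on the last '@')."""
    group, sep, domain = association.rpartition("@")
    if not (sep and group and domain):
        raise ValueError(f"expected 'group@domain', got {association!r}")
    return group, domain

# Constructed sample entries: two domains that each contain a 'jjones'.
SAMPLE_RECORDS = [
    import_ad_user({"sAMAccountName": "jjones", "sn": "Jones", "givenName": "Jane",
                    "mail": "jjones@sales.example.com"}, "sales.example.com"),
    import_ad_user({"sAMAccountName": "JJones", "sn": "Jones", "givenName": "Jim",
                    "mail": "jjones@eng.example.com"}, "eng.example.com"),
    import_ad_user({"sAMAccountName": "asmith", "sn": "Smith", "givenName": "Al",
                    "mail": "asmith@eng.example.com"}, "eng.example.com"),
]
```

Running `collisions_when_domains_dropped(SAMPLE_RECORDS)` on the constructed data reports only `jjones`, the name that must be made unique before AD integration is disabled.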
To disable AD authentication or integration:
In user authentication mode, AD is only used to authenticate users logging in to Ektron. User groups are managed within Ektron, not AD.
Ektron does not write to AD; it only reads from it. This changes how usernames, domains, and passwords are handled in Ektron.
Ektron refers to the following AD authentication information during sign-in: password, user logon name, and domain. Note that the password is not stored in Ektron; Ektron only refers to the password during sign-in.
Adding user information in user authentication mode is the same as in AD integration mode.
If a user’s logon name changes in AD, it no longer matches the Ektron logon name. This discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. Go to the Associate CMS Users to Active Directory Users screen, where you can update the user information.
Alternatively, you could:
See Also: Maintaining AD User Information
Ektron does not write to AD. This means that you can only change the Username and Domain fields from AD. You can change the following fields on the Ektron Edit User screen:
WARNING! If you replace a user in user authentication-only mode, the user’s first name, last name, and email address are not overwritten with information in AD.
Because the scope of user authentication mode is limited to authentication, only some fields on AD Integration screens are used: