Implementing Active Directory

The Active Directory feature has 2 implementation modes. Choose the mode that best meets your needs.

In Active Directory Integration mode, the following information is shared between Active Directory and Ektron:

In user authentication only mode, the following information is shared between Active Directory and Ektron:

Active Directory Integration

Active Directory Integration strives to maintain consistent user and user group information between AD and Ektron. First, user information is imported from AD into Ektron. When this is complete, user group information is imported.

Impact of AD Integration on Use of Ektron

Ektron does not write to Active Directory; it only reads from it. This changes the way Ektron manages user and user group information.

  • After you enable AD integration, many changes to user and user group information must be made in AD. Several fields on the Edit User and User Group screens become view-only.
  • When adding new users or groups, you can only select from users and groups in AD. If a user or group does not exist in AD, create it there, then import it to Ektron.

Which AD Information is Imported to Ektron

Ektron imports the following AD user information.

  • Authentication (user logon name and domain) for signing in to Ektron. The AD password is not stored in Ektron; Ektron only refers to it during sign-in.
  • Group name (AD attribute cn), which corresponds to the Ektron domain and user group name.
  • User information
    —Information fields—

    Field in AD                          AD Attribute     Corresponding Field in Ektron
    User logon name (pre-Windows 2000)   sAMAccountName   Domain and Username
    Last Name                            sn               Lastname
    First Name                           givenName        Firstname
    Email                                mail             email Address

NOTE: Users and user groups can share a name in different domains, for example, [email protected] and [email protected]. Otherwise, user names must be unique.

The following diagram illustrates the Active Directory feature's components.

—Image: Active Directory components—

Configuring Active Directory Integration Mode

The Active Directory feature uses multiple Ektron screens to edit domains, set up Active Directory, display AD status, and view and search for users and user groups.

Editing Domains

Use the Edit Domains screen to identify each network domain you will use with Ektron's Active Directory Integration. The screen lets you add new domains, modify existing ones, or delete obsolete ones. Use this to define domains, as opposed to using auto discovery to find them.

Domains are used during sign-on. In addition to username and password, users must select a domain. Domains are also referenced when defining the AD users and user groups that map to the Ektron users and groups.

Prerequisite: To enable the Edit Domains screen, edit web.config as explained in Setting Up Active Directory via the Advanced Domains Method.

To add a new domain:

  1. Navigate to Workarea > Settings > Configuration > Active Directory > Domains.
  2. Click Edit. The Add New Domain and Remove Last Domain options appear.
  3. Click Add New Domain. The Edit Domains screen appears.

  4. Enter the domain’s DNS name in the Domain DNS field. Contact your server administrator for this information. For example, corp.example.com.
  5. If your NetBIOS name is the same as your domain name, leave the box checked. Otherwise, uncheck the box and enter your NetBIOS name in the NetBIOS field. Contact your server administrator for this information.
  6. Enter the name of the user with permission to sign on to the domain server in the Username field. The name is in the format username@domainDNS. For example, [email protected].
  7. Enter the password of the user in the Password field.
  8. Enter the IP address or DNS name of your domain controller in the Domain Controller IP field. If using Active Directory with LDAP across a firewall, the IP address should be that of the firewall. On the firewall, traffic on port 389 (LDAP) should be allowed. Active Directory with GC uses different ports.

Setting Up Active Directory

The Active Directory Setup screen lets you enable or disable AD and manage other AD settings, such as whether users and groups are automatically updated.

To enable AD and manage settings:

  1. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  2. Click Edit.
  3. Enable options or enter information in fields as required.
    —Active Directory Setup field descriptions—

    Active Directory Installed

    • Disable Active Directory and LDAP Authentication—Disables the use of Active Directory and LDAP Authentication. See Disabling AD Integration.
    • Enable LDAP Authentication—If enabled, you must complete the LDAP-related fields (Type, LDAP Server, Port, Organization, Domain, Attribute, Use SSL, Path). See Enabling LDAP.
    • Enable Active Directory Authentication—If enabled, user authentication is functional, and you can enable the following 3 fields. If you do not enable these fields, you are using User Authentication Only Mode. For information on LDAP, see Using LDAP with Ektron.
      • Enable Active Directory Integration—If enabled, the Active Directory Integration feature is functional and you can enable the next 2 fields.
      • Enable automatic addition of user from AD—If enabled, user information is imported from AD to Ektron when that user logs in or when the user is added to Ektron.
      • Enable automatic addition of user to groups—If enabled, a user’s group membership is first imported from AD when a user logs in or is added.

    Auto Add

    • User Type—Choose the type of user to be automatically added: Author or Member.

    User Property Association

    • EmailAddr1—Enter the Active Directory property that maps to the user’s email address in Ektron. By default, this is mail, but you can change it to any AD property.
    • FirstName—Enter the Active Directory property that maps to the user’s first name in Ektron. By default, this is givenName, but you can change it to any AD property.
    • LastName—Enter the Active Directory property that maps to the user’s last name in Ektron. By default, this is sn, but you can change it to any AD property.

      For more information on user properties, see the MSDN Library: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677980%28v=vs.85%29.aspx

    EktronAdministrator Group Association

    • AD Group Name @ AD Domain—Enter the Active Directory user group and domain name that map to the Ektron administrator group. If your AD does not have a user group that includes all Ektron administrators, you should create one then enter it here. See Mapping the Administrator Group.
    • Domain—If you want to restrict the search of new users and groups to one AD domain, select that domain. The Search Active Directory for Users and Search Active Directory for Groups screens let you search the selected domain only.

      Also, if any Ektron user or group names include a domain (for example, [email protected]) that is excluded by your selection, those users/groups are flagged on the Active Directory Setup and Active Directory Status screens because the names include an invalid domain.

  4. Messages may be displayed near the top of the Active Directory Setup screen to notify you that additional configuration steps are required. If either message appears, click it. The Active Directory Status screen appears, which helps you resolve the discrepancies.
    —Active Directory Setup screen messages—

    Message: Active Directory Authentication is Enabled and Requires More Configuration.
    Explanation: Some Ektron users are not associated with AD users. Also, if you are using full Active Directory integration mode, user groups and/or user group relationships may not be associated.

    Message: Active Directory Authentication is disabled, but needs further configuration
    Explanation: Some Ektron users and/or groups are no longer unique. This happens because, in AD, users and groups can share a logon name as long as their domains are different. But, if AD authentication is disabled, 2 users or groups can no longer share a name—each must be unique.

Displaying Active Directory Status

Use the Active Directory Status screen to identify and resolve discrepancies between Ektron and AD:

  • Ektron user needs to be associated with an AD user
  • Ektron user group needs to be associated with an AD user group
  • Ektron user’s group memberships need to be associated with the same AD user’s group memberships

Any combination of these messages may be displayed depending on the issues requiring resolution. The following procedure provides steps to resolve all 3 issues.

  1. Go to Settings > Configuration > Active Directory > Status.
  2. Click a link on the Active Directory Status screen to display a new screen that lets you resolve the discrepancy.
  3. Click CMS users need to be associated with Active Directory users on the Active Directory Status screen. The Associate CMS Users with Active Directory Users screen appears. Use this screen to associate Ektron users with AD users.

  4. Depending on the user, perform the appropriate action:
    • If a user with the same username exists in AD, that name and domain appear in the AD Username and AD Domain fields. If the user exists in more than one AD domain, select a domain from the pull-down list.
    • If there is no default and you know the AD user name to associate with an Ektron user, enter that in the AD Username and AD Domain fields. If you do not know the AD username, click Search to find the user in AD.
    • If you decide to change the username in AD to match the Ektron username, make the change in AD. Then, click Refresh () to update Ektron and resolve the discrepancy.
    • If a user should not exist in Ektron, click the Delete box.
  5. After you complete the changes, click Save.
  6. Click CMS relationships need to be associated with Active Directory relationships on the Active Directory Status screen. The Associate CMS Relationships with Active Directory Relationships screen appears. The screen displays a user’s group membership that exists in Ektron, but does not exist in AD. Use this screen to coordinate Ektron user group membership with AD user group membership.

  7. After viewing the discrepancy, perform the appropriate action:
    • To associate the user with the same user group in AD, go to AD and assign the user to the group. Then, return to this screen and click Refresh () to update user group information in Ektron. See Also: Importing a User’s AD Group Information to Ektron
    • To remove the user’s group membership in Ektron, check the Delete box and
  8. After you complete the changes, click Save ().
  9. Click CMS groups need to be associated with Active Directory groups on the Active Directory Status screen. The Associate CMS User Groups with Active Directory Groups screen appears. Use this screen to associate Ektron groups with AD groups.
  10. Depending on the group, perform the appropriate action:
    • If there is no default and you know the AD group name, enter it in the AD Group Name and AD Domain fields. If you do not know the AD group name, click Search to find the group in AD.
    • If a group should not exist in Ektron, click the box under the Delete column to delete the group.
  11. After you complete the changes, click Save.
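
The checks behind the Active Directory Status screen, as an added example that is not Ektron's code: it models the three discrepancy lists above, the default-domain choice in step 4, the User Property Association import, and the name collisions that appear when AD is disabled (see Disabling AD Integration), over a constructed AD snapshot and a constructed Ektron user list. The data layout, the helper names (import_user, ad_status, association_defaults, make_unique) and the suggested-name format are assumptions.

```python
from collections import defaultdict

# Constructed AD snapshot (not real directory data): domain -> users keyed by
# sAMAccountName with the attributes Ektron reads, and groups keyed by cn with members.
AD = {
    "eng.example.com": {
        "users": {
            "jdoe": {"givenName": "Jane", "sn": "Doe", "mail": "jdoe@eng.example.com"},
            "asmith": {"givenName": "Al", "sn": "Smith", "mail": "asmith@eng.example.com"},
        },
        "groups": {"Editors": {"jdoe", "asmith"}, "Reviewers": {"jdoe"}},
    },
    "mkt.example.com": {
        "users": {"jdoe": {"givenName": "John", "sn": "Doe", "mail": "jdoe@mkt.example.com"}},
        "groups": {"Marketing": {"jdoe"}},
    },
}

# Constructed Ektron state: (username, domain) -> Ektron groups the user belongs to.
# "bold" was deleted in AD; "asmith" is in Reviewers in Ektron but not in AD.
CMS_USERS = {
    ("jdoe", "eng.example.com"): {"Editors", "Everyone"},
    ("asmith", "eng.example.com"): {"Editors", "Reviewers", "Everyone"},
    ("bold", "eng.example.com"): {"Everyone"},
    ("jdoe", "mkt.example.com"): {"Marketing", "Everyone"},
}
# (group name, domain) pairs imported into Ektron; "Legacy" no longer exists in AD.
CMS_GROUPS = {("Editors", "eng.example.com"), ("Reviewers", "eng.example.com"),
              ("Marketing", "mkt.example.com"), ("Legacy", "eng.example.com")}
FIXED_GROUPS = {"Everyone", "Administrators"}  # names never imported from AD

# User Property Association defaults from the Setup screen (Ektron field -> AD attribute).
DEFAULT_MAPPING = {"EmailAddr1": "mail", "FirstName": "givenName", "LastName": "sn"}

def import_user(ad, username, domain, mapping=DEFAULT_MAPPING):
    """Build the Ektron user record from AD; on refresh these values overwrite Ektron's."""
    attrs = ad[domain]["users"][username]
    record = {"Username": username, "Domain": domain}
    record.update({field: attrs.get(attr, "") for field, attr in mapping.items()})
    return record

def ad_status(ad, cms_users, cms_groups):
    """The three discrepancy lists the Active Directory Status screen can show."""
    users = sorted(u for u in cms_users if u[0] not in ad.get(u[1], {}).get("users", {}))
    groups = sorted(g for g in cms_groups if g[0] not in ad.get(g[1], {}).get("groups", {}))
    memberships = []
    for (name, domain), groups_of_user in sorted(cms_users.items()):
        ad_groups = ad.get(domain, {}).get("groups", {})
        for g in sorted(groups_of_user - FIXED_GROUPS):
            # Compare only groups that exist in AD; missing groups are flagged above.
            if g in ad_groups and name not in ad_groups[g]:
                memberships.append((name, domain, g))
    return {"users": users, "groups": groups, "memberships": memberships}

def association_defaults(ad, username):
    """Domains in which an AD user with this logon name exists: one gives the default
    shown in step 4; several mean the operator must pick one from the pull-down list."""
    return sorted(d for d, data in ad.items() if username in data["users"])

def make_unique(cms_users):
    """Names that collide once AD is disabled and domains are dropped, mapped to a
    suggested rename. The name_domain format is an assumption, not Ektron's own."""
    by_name = defaultdict(list)
    for name, domain in sorted(cms_users):
        by_name[name].append(domain)
    suggestions = {}
    for name, domains in by_name.items():
        for domain in domains[1:]:  # the first occurrence keeps its name
            suggestions[(name, domain)] = f"{name}_{domain.split('.')[0]}"
    return suggestions

if __name__ == "__main__":
    for key, items in ad_status(AD, CMS_USERS, CMS_GROUPS).items():
        print(f"{key}: {items}")
    print("rename on disable:", make_unique(CMS_USERS))
```
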

Viewing and Searching for Users

  1. Click Settings > Users from the Workarea. The View Users screen appears.
  2. Click a user to display detailed information for that user. The View User Information screen appears.

  3. If you are using user authentication mode, Username and Domain can only be edited in AD. You can edit all other fields on this screen.

    If you are using full AD Integration mode, Username, Domain, First Name, Last Name, and email Address can only be edited in AD. You can edit all other fields on this screen.

    The screen also displays the following buttons.

    • Edit—Edit information on screen.
    • —Delete user.
    • —Retrieve latest information from AD into Ektron. This button is not displayed in user authentication mode.
    • —Replace CMS user with different AD User.
    • —Return to previous screen

    If you cannot easily locate specific users on the View Users screen, use the search function.

  4. Click Add User. The Search Active Directory for Users screen appears.

  5. Enter as many search criteria as you know to reduce the number of users that the search returns. For example, if you know the user’s last name is Jackson and he is in the planets domain, enter those criteria to get fewer results.
  6. Click Search. The Active Directory Users screen appears.
  7. Check the box next to each user you want to add to Ektron.
  8. Click Save to import the information.

Viewing and Searching for User Groups

The View User Groups Screen displays all AD user groups that have been imported to Ektron.

  1. Go to Settings > User Groups. The View User Groups screen appears.
  2. Click the group name to display detailed information for the group. The View Users in Group screen appears, showing the following information for each user in the group:
    • username and domain
    • first and last name
    • language
  3. To add AD groups to Ektron, click the toolbar button () that lets you add AD groups to Ektron. The Search Active Directory for Groups screen appears.
  4. If the Domain setting on the Active Directory Setup screen is set to restrict AD integration to one domain, you can only search for groups in that domain.

  5. Click Search. A new screen appears that lists all AD groups that satisfy the search criteria.
  6. Click the box next to groups you want to create in Ektron.
  7. Click Save to import their information.

Importing AD User Information to Ektron

This section explains importing AD user information when integration is first enabled and on an ongoing basis.

AD user information is initially imported to Ektron in different ways depending on whether:

  • the Ektron database has already been populated with users
  • the Ektron database has not yet been fully populated with users. (At least one user is always present because of the default admin user.)
  • users are manually added to the Ektron database

For a populated Ektron database:

  1. If Enable automatic addition of user from AD is checked on the Active Directory Setup screen, user information is imported from AD to Ektron when that user logs in or is added to Ektron. See Also: Setting Up Active Directory
  2. At that time, AD information overwrites all Ektron information.
  3. If 2 or more AD users have the same Ektron user logon name but different domains (for example, JDoe in Eng.Example.com and JDoe in Mkt.Example.com) and that username (JDoe) also exists in Ektron, the Active Directory Setup and Active Directory Status screens indicate this discrepancy via this message: CMS users need to be associated with Active Directory users.
  4. Click the message to proceed to the Associate Ektron Users to Active Directory Users screen. From there, you can link an AD user to an Ektron user. See Also: Maintaining AD User Information

For an Ektron database with only a few users, go to the Search Active Directory for Users screen and select AD users that will use Ektron. You can only select AD users that do not exist in Ektron. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for users in that domain. When you add a user, his AD information is imported to Ektron. See Also: Viewing and Searching for Users

You can also manually add AD users to Ektron:

  1. From the Workarea, click Settings > Users.
  2. Click Add Users. The Active Directory Users screen appears.
  3. From the Domain pull-down list, select the domain from which you want to add a user.
  4. Enter as much information as you know into the other fields.
  5. Click Search. A screen displays all users that satisfy the search criteria.
  6. Check the box next to each user you want to add.
  7. Click Save.

Maintaining AD User Information

When AD integration has been established, new AD user information is imported to Ektron when either of these events occurs:

  • the user logs in
  • someone clicks Refresh () on the user’s View User Information screen

Maintenance tasks include:

  • Editing—Because Ektron does not write to AD, you can only change some fields on the Edit User screen. Edit read-only fields from AD.
  • Deleting—If a user is deleted in AD, Ektron does not delete him. However, his login fails because he cannot be authenticated. To delete the user from Ektron, use the Delete User function described in Deleting a User.

    If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user’s username and password. For more information, see Editing the Builtin Username and Password.

  • Replacing—If you associate the wrong AD user with an Ektron user, you can replace the user. If you do, all Ektron permissions and approval process responsibilities transfer from the old to the new user.
  1. Go to Settings > Users.
  2. Click the user you want to replace.
  3. Click Associate CMS User with Different AD User ().
  4. Select a user to replace the previously selected user.
  5. Click Save. The first user is deleted from Ektron.

Importing AD User Group Information

This section explains how a user’s group membership is imported from AD to Ektron after integration is enabled. When assigned to a group, the user automatically receives all Ektron permissions and approval process responsibilities associated with it.

NOTE: Active Directory has 2 kinds of user groups: security and distribution. Ektron does not distinguish between them. As long as a user is a member of either kind of group, group information can be imported to Ektron.

Before using AD integration, import all AD groups you will use into Ektron:

  1. From the Workarea, choose Settings > User Groups.
  2. Click Add Groups. The Search Active Directory for Groups screen appears.
  3. From the Domain drop-down list, select the domain of the user group you want to add.

    NOTE: The Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search within that domain.

  4. Enter as much information as you know into the Active Directory Group field.
  5. Click Search. A screen displays all groups that satisfy the search criteria.
  6. Check the box to the left of each group you want to import to Ektron.
  7. Click Save.

Importing a User’s AD Group Information to Ektron

Users' membership in AD Groups are imported to Ektron in different ways depending on the state of existing Ektron user groups:

  • If CMS user groups already exist—If Enable automatic addition of user to groups is checked on the Active Directory Setup screen, a user’s group membership is imported from AD to Ektron when a user first logs in or is added. At this time, any AD group memberships overwrite Ektron group memberships except the Everyone group, to which all users belong.

    In the case of a discrepancy between AD and Ektron user groups:

    • If a user belongs to an AD user group that does not exist in Ektron, no action is taken. The AD Integration feature assumes that not all AD groups are meaningful in Ektron.
    • If a user belongs to an Ektron user group that does not exist in AD, the discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. From these screens, you can import AD group information into Ektron.
    • If the user should belong to an AD group, add the group membership within AD. Then, refresh the user on the View User Information screen to import AD group information into Ektron.
  • If only default user groups exist in the CMS—Follow the procedure described in Importing AD User Information to Ektron to import AD user groups to Ektron. Then, as users in those groups are added to Ektron, their group memberships are applied.
  • After AD integration is enabled—a user’s group memberships in Ektron are updated when all of the following are true:
    • The Enable automatic addition of user to groups field is checked on the Active Directory Setup screen
    • A user is added to Ektron or his AD group membership changes
    • The user logs in or someone clicks Refresh () on the user’s View User Information screen

Alternatively, if Enable automatic addition of user to groups field is unchecked, you can add the user to groups and remove him from groups independently of his AD group memberships.

Mapping the Administrator Group

On the Active Directory Setup screen, you identify the AD group that maps to the Ektron Administrator group using a syntax of AD group name@AD domain. Members of this group receive administrator privileges. See Also: Administrator Role Privileges

If such a group does not exist in AD, create it, then assign it on the Active Directory Setup screen.

Note that only one AD group can be mapped to the Ektron Administrator group. You cannot have an AD administrator group within each AD domain.

NOTE: Unlike other Ektron user groups, whose names are imported from AD, the Ektron Administrator and Everyone group names cannot be changed.
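
One user's membership refresh, as an added example that is not Ektron's code: it applies the rules from Importing a User's AD Group Information to Ektron (automatic group addition, the Everyone group, AD groups that were never imported, Ektron groups that no longer exist in AD) together with the single AD group mapped to the Administrator group above. The AD group data, group names, setting value and the refresh_memberships helper are constructed assumptions.

```python
EVERYONE = "Everyone"
ADMINISTRATORS = "Administrators"

# Constructed AD groups per domain (cn -> member sAMAccountNames); not real data.
AD_GROUPS = {
    "eng.example.com": {"Editors": {"jdoe", "asmith"}, "Reviewers": {"jdoe"},
                        "CMS Admins": {"jdoe"}, "Domain Users": {"jdoe", "asmith"}},
}
# Group names imported into Ektron so far ("Legacy" was since deleted in AD), and the
# "AD Group Name @ AD Domain" setting from the Active Directory Setup screen.
CMS_GROUPS = {"Editors", "Reviewers", "Legacy"}
ADMIN_GROUP_SETTING = "CMS Admins@eng.example.com"

def refresh_memberships(username, domain, current, ad_groups=AD_GROUPS,
                        cms_groups=CMS_GROUPS, admin_setting=ADMIN_GROUP_SETTING,
                        auto_add_groups=True):
    """Return (new Ektron membership, flagged groups) for one user after login or Refresh.

    current: the user's Ektron groups before the refresh.
    auto_add_groups: the Enable automatic addition of user to groups field.
    """
    current = set(current)
    if not auto_add_groups:
        # Membership is managed in Ektron independently of AD; nothing changes.
        return current, set()
    domain_groups = ad_groups.get(domain, {})
    # Keep AD memberships only in groups that were imported into Ektron; AD groups that
    # were never imported (Domain Users here) are ignored. Everyone is always kept.
    new = {g for g in cms_groups if username in domain_groups.get(g, set())} | {EVERYONE}
    # Only the single configured AD group grants the Ektron Administrator group.
    admin_cn, _, admin_domain = admin_setting.partition("@")
    if domain == admin_domain and username in domain_groups.get(admin_cn, set()):
        new.add(ADMINISTRATORS)
    # Ektron memberships AD no longer backs are dropped. Those whose group does not
    # exist in AD at all are additionally flagged on the Setup and Status screens.
    dropped = current - new - {EVERYONE, ADMINISTRATORS}
    flagged = {g for g in dropped if g not in domain_groups}
    return new, flagged

if __name__ == "__main__":
    print(refresh_memberships("jdoe", "eng.example.com", {"Editors", "Legacy", "Everyone"}))
    print(refresh_memberships("asmith", "eng.example.com", {"Editors", "Reviewers", "Everyone"}))
```
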

Maintaining AD User Group Information

Maintenance tasks include:

  • Removing users from a group—If you delete a user from an AD group, the user is removed from the associated Ektron group the next time his information is updated.
  • Adding user groups—If AD integration is enabled, you can only add user groups in AD. Then log on to Ektron and use the Search Active Directory for Groups screen to import the AD user group to Ektron as described in Importing AD User Group Information.
  • Adding a user to a group—You cannot add a user to a user group within Ektron; you must do so in Active Directory.
  • Replacing a group—If you associated the wrong AD user group with an Ektron user group, replace the user group.
    1. From the Workarea, click Settings > User Groups.
    2. Click the user group that you want to replace.
    3. Click Associate CMS Group with Different AD Group ().
    4. Select a group to replace the group you selected in Step 2.
    5. Click Save.
  • Deleting a group—You can delete a user group from AD or Ektron. When deleting user groups, consider the following behaviors:
    • If you delete a user group in AD and users are assigned to the group within Ektron, the group is not deleted in Ektron. However, any Ektron users who were members of the group are no longer members the next time their Ektron information is updated. The discrepancy is flagged on the Active Directory Setup and Active Directory Status screens.
    • If you delete a user group in Ektron and users are assigned to that group within AD, nothing happens. This is because AD Integration assumes that the Ektron administrator only maintains user groups that are meaningful to Ektron, and some AD groups are not meaningful to Ektron.

Disabling AD Integration

When you disable AD integration, domain names are dropped, which may cause user and user group names to not be unique. For example, 2 users are named [email protected] and [email protected]. When AD is enabled, domain names make the users and user groups unique. However, when AD is disabled and domain names are dropped, the names are now identical. You need to make the users and user groups unique.

To disable AD authentication or integration:

  1. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  2. Enable the Disable Active Directory and LDAP Authentication radio button. If any users or groups have the same name with different domains, the following message appears: Active Directory Authentication is disabled, but needs further configuration
  3. Click the message. The Active Directory Status screen appears.
  4. Click the CMS users need to be made unique message. The Make CMS Users Unique screen appears.

    User group names are handled in the same manner. Click the CMS user groups need to be made unique message. The Make CMS Groups Unique screen appears.

  5. Click Save to accept the suggested new names as recommended by Ektron. By accepting the suggested name, you allow the software to automatically associate AD and Ektron users or groups if you later decide to re-enable AD integration.

User Authentication Only Mode

In user authentication mode, AD is only used to authenticate users logging in to Ektron. User groups are managed within Ektron, not AD.

Transferring User Information from AD to Ektron

Ektron does not write to AD; it only reads from it. This changes how usernames, domains, and passwords are handled in Ektron.

  • Changes to user logon name, domain and password must be made in AD. You cannot update these fields in the Ektron Edit User screens.
  • When adding a new user to Ektron, you can only select AD users. If the user does not exist in AD, create the user there and then import the user into Ektron.

Ektron refers to the following AD authentication information during sign-in: password, user logon name, and domain. Note that the password is not stored in Ektron; Ektron only refers to the password during sign-in.

Adding and Maintaining User Information

Adding user information in user authentication mode is the same as in AD integration mode.

If a user’s logon name changes in AD, it no longer matches the Ektron logon name. This discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. Go to the Associate CMS Users to Active Directory Users screen, where you can update the user information.

Alternatively, you could:

  1. Go to the View User Information screen.
  2. Select the user whose AD name changed.
  3. Click Associate the CMS user with Different AD user ().
  4. Select the AD user and domain.

See Also: Maintaining AD User Information

Editing User Information in Ektron

Ektron does not write to AD. This means that the Username and Domain fields can only be changed in AD. You can change the following fields on the Ektron Edit User screen:

  • First Name
  • Last Name
  • E-Mail Address
  • User Language
  • Disable Receiving of Workflow and Task Email

WARNING! If you replace a user in user authentication-only mode, the user’s first name, last name, and email address are not overwritten with information in AD.

Using AD Integration Screens in User Authentication Mode

Because the scope of user authentication mode is limited to authentication, only some fields on AD Integration screens are used: