Active Directory Domain Prerequisites
Before installing the Cloud Access Connector, you need to create and correctly configure the Active Directory Domain. You must also create an AD service account that has permission to:
- Create Computer Objects
- Delete Computer Objects
The permissions on the Computer Objects must be set to:
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Passwords
- Reset User Passwords
- Validated write to DNS host name
- Validated write to service principal name
For information on how to create and install a self-signed certificate on a Windows 2016 AD server to test LDAP connections, see KB 1707.
For information on creating these computer objects and configuring their associated parameters, see Service Account Permissions.
Domain Controller Certificates
If all DC certificates have expired, the Cloud Access Connector will stop working. An error indicator is displayed on the Connectors page when a Cloud Access Connector has a DC with expired certificates.
A warning indicator that details the current state of the DC certificates is displayed on the same page when a Cloud Access Connector has a certificate that is less than a week away from expiring.
Service Account Permissions
The following section outlines the steps to enable permissions to create and delete computer objects, permissions on these objects, and permissions to change and reset user credentials. These permissions are the minimum level of permissions required for a service account in a Cloud Access Manager deployment.
Organisational Unit [OU] Permissions Dialog
Permissions are assigned to the service account through the OU permissions dialog.
Permissions to Create and Delete Computer Objects
The following section outlines how to add permissions to create and delete computer objects through the OU permissions dialog:
- Go to the security tab of the OU you want to give permissions to.
- Right-click the relevant OU and click Properties.
- Go to the security tab and click Advanced.
- Click Add and browse to your user account. As stated above, you need to add the user account to the OU.
- Select This object and all descendant objects and select the following permissions:
  - Create Computer Objects
  - Delete Computer Objects
- Click OK.
Permissions on the Computer Objects
The following section outlines how to select permissions on the computer objects through the OU permissions dialog:
- Go to the security tab of the OU you want to give permissions to.
- Right-click the relevant OU and click Properties.
- Go to the security tab and click Advanced.
- Click Add and browse to your user account. As stated above, you need to add the user account to the OU.
- Limit the Apply Onto scope to Descendant Computer objects and select the following settings:
  - Read All Properties
  - Write All Properties
  - Read Permissions
  - Modify Permissions
  - Validated write to DNS host name
  - Validated write to service principal name
- Click OK.
DNS and service principal name permissions
The validated write to DNS host and service principal name permissions are required so that the DNS record for a remote workstation can be created after it is domain joined.
Permissions to Change and Reset User Passwords
The following section outlines how to select permissions to change and reset user passwords applicable to the desired user OU:
- Go to the security tab of the OU you want to give permissions to.
- Right-click the relevant OU and click Properties.
- Go to the security tab and click Advanced.
- Click Add and browse to your user account. As stated above, you need to add the user account to the OU.
- Select This object and all descendant objects and select the following permissions:
  - Change Password
  - Reset Password
- Click OK.
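The three dialog procedures above can also be applied as a script, which makes the delegation repeatable and easy to audit. The following is an added example, not code from the Cloud Access Connector documentation; the OU distinguished names and the service account name are assumptions, and it requires the ActiveDirectory PowerShell module on a domain-joined machine with rights to modify the OU ACLs.

```powershell
# Added example (not from the original page): grants the documented minimum
# permissions with the same scopes the OU permissions dialog steps describe.
Import-Module ActiveDirectory

$ComputerOU = 'OU=Remote Workstations,DC=example,DC=com'   # assumption
$UserOU     = 'OU=Remote Users,DC=example,DC=com'          # assumption
$Account    = 'EXAMPLE\svc-cac'                            # assumption

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Well-known schema class and extended-right GUIDs; they are the same in every forest.
$Computer     = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ValidatedDns = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$ValidatedSpn = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to service principal name
$ChangePw     = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # Change Password
$ResetPw      = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # "This object and all descendant objects"
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # "Descendant ... objects" only

function New-AdRule {
    param([string]$Rights, [guid]$ObjectType, $Inherit, [guid]$InheritedType = [guid]::Empty)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow,
        $ObjectType, $Inherit, $InheritedType)
}

function Grant-OuRules([string]$Ou, $Rules) {
    $path = "AD:\$Ou"
    $acl  = Get-Acl -Path $path
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

Grant-OuRules $ComputerOU @(
    # Create / Delete Computer Objects on the OU and everything beneath it
    (New-AdRule 'CreateChild, DeleteChild' $Computer $All),
    # Read/Write All Properties, Read/Modify Permissions, limited to descendant computer objects
    (New-AdRule 'ReadProperty, WriteProperty, ReadControl, WriteDacl' ([guid]::Empty) $Desc $Computer),
    # The two validated writes (Self right) needed for the DNS record after domain join
    (New-AdRule 'Self' $ValidatedDns $Desc $Computer),
    (New-AdRule 'Self' $ValidatedSpn $Desc $Computer)
)
Grant-OuRules $UserOU @(
    (New-AdRule 'ExtendedRight' $ChangePw $All),
    (New-AdRule 'ExtendedRight' $ResetPw  $All)
)

# Verify: list only the ACEs that now reference the service account.
(Get-Acl -Path "AD:\$ComputerOU").Access | Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Review the verification output against the lists above before installing the Connector; an ACE scoped to the whole OU instead of descendant computer objects grants more than the documented minimum.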
Role-based access control with Active Directory
For more information on role-based access control with Active Directory accounts, see Best Practices for Securing Active Directory.
During Installation
When the Cloud Access Connector is installed, you will be prompted for the following information:
- The AD domain that the remote workstations should be joined to.
- The AD Service Account username.
- The AD Service Account password.
- AD user group for users that are permitted to log into the legacy Management Interface on the Cloud Access Connector.