If your organization uses Microsoft Active Directory (AD), you can import users, groups, organizational units (OUs) and computers from multiple AD domains into the Endpoint Security Management Server. After the objects have been imported, you can assign policies to them.
When you first log in to SmartEndpoint, the Users and Computers tree is empty. To populate the tree with users from the Active Directory, you must configure the Directory Scanner.
The Directory Scanner scans the defined Active Directory and fills the Directories node in the Users and Computers tab, copying the existing Active Directory structure to the server database.
Required Permissions to Active Directory
For the scan to succeed, the user account related to each Directory Scanner instance requires full read permissions to:
An object deleted from the Active Directory is not immediately erased but moved to the Deleted Objects container. Comparing objects in the AD with those in the Deleted Objects container gives a clear picture of the network resources (computers, servers, users, groups) that have changed since the last scan.
The Active Directory Scanner does not scan Groups of type "Distribution".
Required Configuration for Domains
On the Active Directory server, set the Groups Scope to Domain Local only.
A scanner instance defines which path of the Active Directory will be scanned and the scan frequency. One scanner instance can include the full Active Directory domain, or a part of the domain, for example an OU.
If you want to scan more than one domain or different parts of the same domain, configure in SmartEndpoint more than one scanner. For example, if you want to scan the "HOME" domain and the "OFFICE" domain, configure one scanner instance for each.
Do not create a scanner instance for an OU that is included in a different scan. If you try to create a scan that conflicts with a different scan, an error message shows.
Note - If the scanner is for a specific OU in the domain, only the groups and group members in the OU are included in the scan. If your groups contain members from different OUs we highly recommend configuring the LDAP Path of the scan to the root of the domain, to avoid inconsistencies.
If the domains use DNS servers, make sure that:
To create a scanner instance:
The scan shows in the Organization Scanner window.
Note - Scanning the Active Directory takes time. AD objects show in the sequence they are discovered.
In the Deployment tab > Organization Scanners page, you can see all configured scans and their statuses. You can also do these operations:
At the specified interval of a scanner instance, the Directory Scanner synchronizes Endpoint Security nodes in the Users and Computers tree with nodes in the Active Directory. When synchronization occurs:
You can delete these users manually using SmartEndpoint.
Issue | Solution
---|---
The account of the Directory Scanner instance does not have the required read permissions to the Active Directory or to the Deleted Objects container. | Supply the required permissions.
A corrupted object exists in the Active Directory. | Remove the object, or deny the account used by the Directory Scanner read permission to that object. If the corrupt object is a container object, permission is denied for all objects in the container.
If you use an SSL connection for the Directory Scanner communication, you might see a message that is related to SSL configuration. Find the problem and solution here.
Issue: Stronger authentication is required
Solution:
Try to connect with SSL with these steps:
Issue: Wrong SSL Port
Solution:
Change the SSL port or disable SSL. You can do this in the configuration.
Issue: Cannot connect to the domain controller
Solution:
Make sure that an LDAP server is running on the LDAP path of the configured domain controller.
Issue: SSL certificate is not installed
Solution:
or
GSSAPI, the Generic Security Service API, is an interface used to access security services. Kerberos is the GSSAPI mechanism used on Microsoft's Windows platform and is supported by Active Directory authentication protocols. During Kerberos authentication, a domain's KDC (Key Distribution Center) must be found through a DNS request.
The DNS server configured on the Endpoint Security Management Server must be able to resolve IP address by name and name by IP address for all domains that are scanned by the Directory Scanner. If DNS is not configured properly, the authentication fails.
Make sure that:
To make sure the DNS server is configured correctly for GSSAPI authentication:
nslookup
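The forward and reverse resolution requirement above can be checked for every domain controller at once rather than one nslookup at a time. The script below is an added example, not part of the Check Point documentation or product: it resolves each name, resolves each returned address back, and reports any round trip that fails or lands on a different name. The domain names and addresses in the sample records are constructed (hypothetical hosts under example.test, documentation addresses), and the resolver functions are parameters so the check can also be run offline against those records.

```python
"""Forward/reverse DNS consistency check for the domain controllers a
Directory Scanner instance will authenticate to. Added example, not
Check Point code.

Kerberos needs the Endpoint Security Management Server's resolver to map
each domain controller's name to an address and each address back to the
same name. This script performs both lookups and reports every mismatch.
The resolver functions are parameters so the check can run offline
against constructed data; the defaults use the system resolver.
"""
import socket
from typing import Callable, Dict, Iterable, List


def system_forward(name: str) -> List[str]:
    """All addresses the system resolver returns for name (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def system_reverse(addr: str) -> str:
    """The primary hostname the system resolver returns for addr (PTR)."""
    return socket.gethostbyaddr(addr)[0]


def check_round_trip(
    hosts: Iterable[str],
    forward: Callable[[str], List[str]] = system_forward,
    reverse: Callable[[str], str] = system_reverse,
) -> Dict[str, List[str]]:
    """Return {hostname: [problem, ...]}; an empty list means the host passed.

    A host fails when its forward lookup fails or is empty, when the reverse
    lookup of any of its addresses fails, or when that reverse lookup names
    a different host than the one queried.
    """
    report: Dict[str, List[str]] = {}
    for raw in hosts:
        host = raw.rstrip(".").lower()
        problems: List[str] = []
        try:
            addrs = forward(host)
        except OSError as exc:
            report[host] = [f"forward lookup failed: {exc}"]
            continue
        if not addrs:
            report[host] = ["forward lookup returned no address"]
            continue
        for addr in addrs:
            try:
                back = reverse(addr).rstrip(".").lower()
            except OSError as exc:
                problems.append(f"{addr}: reverse lookup failed: {exc}")
                continue
            if back != host:
                problems.append(f"{addr}: reverse lookup returns {back!r}, expected {host!r}")
        report[host] = problems
    return report


# Constructed sample records (hypothetical names, documentation addresses):
# dc1's PTR record still points at an old name, pdc is consistent.
SAMPLE_A = {"dc1.example.test": ["192.0.2.10"], "pdc.example.test": ["192.0.2.11"]}
SAMPLE_PTR = {"192.0.2.10": "oldname.example.test", "192.0.2.11": "pdc.example.test"}


def sample_forward(name: str) -> List[str]:
    """Offline stand-in for system_forward, backed by SAMPLE_A."""
    if name not in SAMPLE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return list(SAMPLE_A[name])


def sample_reverse(addr: str) -> str:
    """Offline stand-in for system_reverse, backed by SAMPLE_PTR."""
    if addr not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[addr]


def sample_report() -> Dict[str, List[str]]:
    """Run the check against the constructed records."""
    return check_round_trip(
        ["dc1.example.test", "pdc.example.test", "missing.example.test"],
        forward=sample_forward, reverse=sample_reverse,
    )


if __name__ == "__main__":
    import sys
    # With hostnames on the command line, query the real resolver; otherwise
    # run against the constructed sample records.
    result = check_round_trip(sys.argv[1:]) if len(sys.argv) > 1 else sample_report()
    for host, problems in result.items():
        print(f"{host}: {'OK' if not problems else '; '.join(problems)}")
```

Run it on the management server with the domain controller names of every scanned domain as arguments; a host whose reverse lookup returns a different name is exactly the case in which GSSAPI authentication fails even though the forward lookup works.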
By default Active Directory authentication uses the LDAP protocol and a simple authentication method. You can make the authentication more secure by changing the authentication protocol to LDAPS, with or without GSSAPI authentication. GSSAPI authentication is based on Kerberos v5.
To change the authentication protocol to LDAPS, GSSAPI, or the two of them:
In $UEPMDIR/engine/conf/ldap.utils.properties:
For LDAPS, change use.ssl=false to use.ssl=true
For GSSAPI, change use.gssapi=false to use.gssapi=true
You can set both use.ssl and use.gssapi to true.
For GSSAPI, no additional configuration is necessary.
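The edit above is two flag changes in a properties file, but doing it by hand on a server is where stray whitespace or a duplicate key creeps in. The following script is an added example, not Check Point's own tooling: it parses a Java-style properties file, rewrites only use.ssl and use.gssapi, keeps every other line as it was, writes a .bak copy first, and reports which of the four authentication modes the file now selects. The file content in SAMPLE is constructed; on a real server the path is $UEPMDIR/engine/conf/ldap.utils.properties and the restart with uepm_stop / uepm_start is still a separate step.

```python
"""Switch the Directory Scanner's LDAP authentication mode in
ldap.utils.properties. Added example; not Check Point's own tooling.

Assumes a Java-style properties file containing the keys use.ssl and
use.gssapi from the procedure above. Other keys, comments and blank lines
are kept unchanged, and a .bak copy is written before editing. The path is
whatever the caller passes (on the server it is
$UEPMDIR/engine/conf/ldap.utils.properties).
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# "key = value" or "key : value"; comment lines start with # or !
_KV = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")

MODES = {
    (False, False): "LDAP, simple bind (credentials sent in cleartext)",
    (True, False): "LDAPS, simple bind",
    (False, True): "LDAP with GSSAPI (Kerberos v5)",
    (True, True): "LDAPS with GSSAPI (Kerberos v5)",
}

# Constructed sample file content, not a copy of a real server's file.
SAMPLE = "# constructed sample\nuse.ssl=false\nuse.gssapi=false\nother.key=keep me\n"


def parse_properties(text: str) -> Dict[str, str]:
    """Return key/value pairs; a later duplicate wins, as in java.util.Properties."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def set_properties(text: str, updates: Dict[str, str]) -> str:
    """Rewrite the given keys in place; keys that are absent are appended."""
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) in updates:
            key = m.group(1)
            out.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def _flag(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def auth_mode(props: Dict[str, str]) -> str:
    """Describe the effective authentication mode selected by a parsed file."""
    return MODES[(_flag(props, "use.ssl"), _flag(props, "use.gssapi"))]


def configure(path: Path, use_ssl: bool, use_gssapi: bool) -> str:
    """Back up the file, set both flags, and return the resulting mode.
    Restarting the server (uepm_stop / uepm_start) is left to the operator."""
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text = set_properties(
        path.read_text(),
        {"use.ssl": str(use_ssl).lower(), "use.gssapi": str(use_gssapi).lower()},
    )
    path.write_text(new_text)
    return auth_mode(parse_properties(new_text))


def demo() -> Tuple[str, str, str]:
    """Run configure() on a temporary copy of SAMPLE.
    Returns (mode before, mode after enabling LDAPS+GSSAPI, backup content)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "ldap.utils.properties"
        path.write_text(SAMPLE)
        before = auth_mode(parse_properties(path.read_text()))
        after = configure(path, use_ssl=True, use_gssapi=True)
        backup = path.with_name(path.name + ".bak").read_text()
    return before, after, backup


if __name__ == "__main__":
    for label, value in zip(("before", "after", "backup"), demo()):
        print(f"{label}: {value!r}")
```

Keeping the parser and the rewrite separate means auth_mode() can also be pointed at an unmodified file to audit which mode a server is currently using before anything is changed.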
Additional steps for LDAPS:
To import a certificate to the keystores on the Endpoint Security Management Server:
certutil -store -v MY
The output of this command is a list of certificates. The certificates are separated by a line like this:
================ Certificate 0 ================
where 0 is the index number of the certificate.
DC.mulberry.com
This is the number which appears in the separation header before each certificate. In this example it is 0.
certutil -store MY <certificate index> <path_to>\<file name>
For example:
certutil -store MY 0 C:\certificates\DCCert.cer
cd $CPDIR/jre_64
./bin/keytool -import -keystore ./lib/security/cacert -file <cert file name> -alias <alias>
For example:
./bin/keytool -import -keystore ./lib/security/cacert -file /certif/DCCert.cer -alias DCSSLCert
uepm_stop
uepm_start
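Finding the right index in the certutil output by eye is error-prone on a domain controller with several certificates in its store. The script below is an added example, not Microsoft or Check Point tooling: it splits `certutil -store -v MY` output on the `================ Certificate N ================` separators shown above, collects each entry's Subject, Issuer, NotAfter and SHA-1 hash, picks the entry whose Subject CN or Subject Alternative Name matches the domain controller's DNS name, and builds the export command from the procedure. The sample output is constructed and only loosely modelled on real certutil output; the host name DC.mulberry.com and the hashes are placeholders.

```python
"""Pick the domain controller's certificate out of `certutil -store -v MY`
output and build the export command from the procedure above.
Added example, not Check Point or Microsoft tooling. The parser keys on the
'================ Certificate N ================' separators; the sample
below is constructed and only loosely modelled on real certutil output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_SEP = re.compile(r"^=+ Certificate (\d+) =+\s*$")
_FIELD = re.compile(r"^\s*(Subject|Issuer|NotAfter|Cert Hash\(sha1\)):\s*(.*)$")
_FIELD_ATTR = {"Subject": "subject", "Issuer": "issuer",
               "NotAfter": "not_after", "Cert Hash(sha1)": "sha1"}
_DN_PART = re.compile(r"^\s+[A-Za-z]+=")       # e.g. "    CN=DC.mulberry.com"
_SAN = re.compile(r"DNS Name=([^\s,]+)", re.I)  # SAN entries in verbose output


@dataclass
class StoreEntry:
    index: int
    subject: str = ""
    issuer: str = ""
    not_after: str = ""
    sha1: str = ""
    dns_names: List[str] = field(default_factory=list)


def parse_certutil_store(output: str) -> List[StoreEntry]:
    """Split certutil store output into one StoreEntry per certificate."""
    entries: List[StoreEntry] = []
    current: Optional[StoreEntry] = None
    pending: Optional[str] = None  # DN field continued on indented lines
    for line in output.splitlines():
        sep = _SEP.match(line)
        if sep:
            current = StoreEntry(index=int(sep.group(1)))
            entries.append(current)
            pending = None
            continue
        if current is None:
            continue  # text before the first separator (store name etc.)
        m = _FIELD.match(line)
        if m:
            attr, value = _FIELD_ATTR[m.group(1)], m.group(2).strip()
            setattr(current, attr, value)
            # Verbose output prints "Subject:" / "Issuer:" with the DN
            # components on the following indented lines.
            pending = attr if attr in ("subject", "issuer") and not value else None
            continue
        if pending and _DN_PART.match(line):
            existing = getattr(current, pending)
            part = line.strip()
            setattr(current, pending, part if not existing else f"{existing}, {part}")
            continue
        pending = None
        current.dns_names.extend(_SAN.findall(line))
    return entries


def find_dc_certificate(output: str, dc_name: str) -> Optional[StoreEntry]:
    """Return the entry whose Subject CN or SAN equals dc_name (case-insensitive)."""
    want = dc_name.lower()
    for entry in parse_certutil_store(output):
        names = {n.lower() for n in entry.dns_names}
        cn = re.search(r"CN=([^,]+)", entry.subject, re.I)
        if cn:
            names.add(cn.group(1).strip().lower())
        if want in names:
            return entry
    return None


def export_command(entry: StoreEntry, out_path: str) -> str:
    """The certutil command from the procedure, with the index filled in."""
    return f"certutil -store MY {entry.index} {out_path}"


# Constructed sample: two certificates, the second one is the current DC cert.
SAMPLE_OUTPUT = """\
MY "Personal"
================ Certificate 0 ================
Serial Number: 1a2b3c
Issuer: CN=mulberry-CA, DC=mulberry, DC=com
 NotBefore: 1/1/2024 8:00 AM
 NotAfter: 1/1/2025 8:00 AM
Subject: CN=old-dc.mulberry.com
Cert Hash(sha1): 0000000000000000000000000000000000000001
================ Certificate 1 ================
Serial Number: 4d5e6f
Issuer:
    CN=mulberry-CA
    DC=mulberry
    DC=com
 NotBefore: 1/1/2024 8:00 AM
 NotAfter: 1/1/2026 8:00 AM
Subject:
    CN=DC.mulberry.com
    DC=mulberry
    DC=com
Subject Alternative Name
    DNS Name=DC.mulberry.com
    DNS Name=mulberry.com
Cert Hash(sha1): 0000000000000000000000000000000000000002
"""

if __name__ == "__main__":
    hit = find_dc_certificate(SAMPLE_OUTPUT, "DC.mulberry.com")
    if hit is None:
        print("no certificate for that name in the store")
    else:
        print(f"index {hit.index}, expires {hit.not_after}, sha1 {hit.sha1}")
        print(export_command(hit, r"C:\certificates\DCCert.cer"))
```

In practice, pipe the real certutil output into a file on the domain controller and feed that file to parse_certutil_store(); the NotAfter value is kept as the string certutil prints (its format depends on the Windows locale), so check it before exporting rather than importing a certificate that is about to expire into the server's keystore.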