
Application Note

Active Directory integration with EntraPass

This application note explains how to integrate and configure EntraPass card holders with Active Directory users.

Requirements

You need the following components to configure EntraPass with Microsoft Active Directory:
- EntraPass v7.10 or higher:
  - Corporate edition, part number E-COR-LDAP
  - Global edition, part number E-GLO-LDAP
- EntraPass Smartlink running on your computer.

System requirements

To ensure appropriate performance, use the following component specifications:
- Intel i5 processor or equivalent
- 8 GB RAM
- 7200 RPM, 1 TB hard drive
- PCI Express graphics card with 1 GB memory and DirectX 9.0 support

Active Directory pre-requirements

To connect to the Active Directory (AD) and import AD users into EntraPass, complete the following steps:
1. Log in as a domain user, for example ktsadmin.
2. Add the domain user to the Domain Users and Domain Admins groups.
3. To isolate the AD users that you want to import, create a new domain group.
4. If the existing AD fields do not match the EntraPass fields, create custom attribute fields for CardType, AccessLevelGroup, and CardNumber. These are in addition to the AD preset attributes.

See the following table for the credentials you need before you begin to configure the two systems.

Table 1: Active Directory credentials

Active Directory credential                          Purpose
Domain user name and password                        To connect to the AD
Domain group                                         To isolate the users that you want to import to EntraPass as card holders
IP address or domain name (DN) of the controller     To connect to the controller

Registering the AD license

To register the AD license using the EntraPass workstation, complete the following steps:
1. Click the Options tab, and then click Registration from the menu.
2. From the Optional or additional system components list, select EntraPass LDAP.
3. Click the Click here to install component button.

Application Note DN2173-1909

Figure 1: Additional components list

4. In the Component registration window, enter the Option serial number. If the code is correct, the registration details within the list box become active.
5. Use one of the following options to obtain the Registration confirmation code:
   a. For North America, call the Kantech technical support line on 1 888 222 1560. For other regions, see the support details in the Support list.
   b. Log in to www.kantech.com. Click the Support tab and then click Kantech Registration.
6. From EntraPass, in the Component registration window, enter the Registration confirmation code. If you enter the correct code, the OK button becomes active. Click OK.

You should now see the LDAP component in the System Component – Features list on the Registration window.

Configuring the Active Directory

To configure the initial Active Directory connection in EntraPass, complete the following steps:
1. Click the System tab, and then click Active Directory from the menu.
2. Click the New button and name the AD connection accordingly.
3. Select one of the following communication types, and enter the appropriate value:
   - The Active Directory Domain controller IP address.
   - The Active Directory Domain name.
4. In the LDAP base DN (User) field, enter the Domain group previously created in the AD.
5. In the LDAP binding DN field, enter the Domain user created to connect to the AD as Username. Note: You may need to use the format mydomain\username.
6. In the LDAP password field, enter the LDAP binding DN password.
7. In the Sync interval (hh.mm.ss) field, enter the amount of time that you want between each sync. Click the Save button.

8. Click the Import AD/LDAP button. The number in the Imported fields changes when the import completes.

To confirm the Active directory connection, click Desktop #1 from the Desktops menu. The Active directory connection restored event appears.

Figure 2: Active directory connection restored event

Mapping EntraPass user fields with Active Directory attributes

To map EntraPass user fields using the EntraPass workstation, complete the following steps:
1. Click the System tab, and then click Active Directory from the menu.
2. Select the Active Directory integration that you want from the Active Directory list.
3. Click the User Mapping tab and use the Managed by Active Directory checkboxes to select the EntraPass fields you want.
4. Enter the corresponding Active Directory label in the Active Directory fields. Note: Different fields require different types of data: use text or a combination of text and numerical data. EntraPass manages the fields that it can or cannot map.

Figure 3: The Active Directory User Mapping tab

5. Click the Save button, and then click Sync now. Wait for EntraPass to synchronize the changes; the time varies based on the delay time set.

When the import is complete, click the Desktops tab to view the Messages list. The following event is an example of what occurs in EntraPass.

Figure 4: Event

Working examples of correct configuration in LDAP prior to EntraPass configuration

In this example, you see the properties of the Name and Active Directory Domain Services Folder. The user must be a member of the LDAP Base DN (User) group. The example uses EntraPassUsers.

Figure 5: Member Of Properties

In this example, you see the properties of a new user with a card number in the HH:00000 format and an integer Card type. Follow these conditions:
- The cardNumber attribute value must include a colon, for example ab:54321.
- The cardType attribute value is an integer. Use the component ID. To obtain the ID, see Obtaining the component ID in EntraPass in the General information section.
- If an attribute is blank in the AD, it will be blank in EntraPass.

Figure 6: Attribute Editor Properties
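The following PowerShell pre-flight check is an added example and is not part of this Kantech note. It verifies, before the first import, that the isolation group from the pre-requirements exists and that every member's cardNumber and cardType values meet the conditions above. It assumes the RSAT ActiveDirectory module is installed, that the group is named EntraPassUsers as in the example, and that the custom attributes are named cardNumber and cardType; the New-Issue helper is only for this example.

```powershell
# Added example, not part of the Kantech note: pre-flight check of the AD group that
# EntraPass will read as its LDAP base DN (User), run before the first Import/Sync.
# Assumptions: RSAT ActiveDirectory module installed; group name 'EntraPassUsers' and
# attribute names 'cardNumber' / 'cardType' match what was created in your directory.
Import-Module ActiveDirectory
$GroupName = 'EntraPassUsers'

$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
Write-Host "LDAP base DN (User) group: $($group.DistinguishedName)"

# Card holders are user objects; -Recursive expands nested groups.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties displayName, cardNumber, cardType

function New-Issue($User, $Issue) {    # helper for this example only
    [pscustomobject]@{ User = $User; Issue = $Issue }
}

$issues = foreach ($u in $members) {
    $card = [string]$u.cardNumber
    $type = [string]$u.cardType

    # Blank AD attributes import as blank card holder fields.
    if ([string]::IsNullOrWhiteSpace($card)) {
        New-Issue $u.SamAccountName 'cardNumber is blank'
    } elseif ($card -notmatch ':') {
        # Hard rule from the note: the value must include a colon (e.g. ab:54321).
        New-Issue $u.SamAccountName "cardNumber '$card' has no colon"
    } elseif ($card -notmatch '^.{2}:[0-9]{5}$') {
        # Advisory only: does not match the HH:00000 shape shown in the note's example.
        New-Issue $u.SamAccountName "cardNumber '$card' is not in HH:00000 form"
    }

    # cardType must be an integer: the EntraPass card type component ID.
    $n = 0
    if ([string]::IsNullOrWhiteSpace($type)) {
        New-Issue $u.SamAccountName 'cardType is blank'
    } elseif (-not [int]::TryParse($type, [ref]$n)) {
        New-Issue $u.SamAccountName "cardType '$type' is not an integer component ID"
    }

    # displayName becomes the EntraPass card user name and cannot be edited there.
    if ([string]::IsNullOrWhiteSpace($u.displayName)) {
        New-Issue $u.SamAccountName 'displayName is blank'
    }
}
if ($issues) { $issues | Format-Table -AutoSize }
else { "All $(@($members).Count) members of $GroupName pass the checks." }
```

Run it with an account that can read the group and the custom attributes; fix any listed user before clicking Import AD/LDAP or Sync now so the first import does not create blank or unmapped card holders.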

General information

This section includes additional information that may be useful when you integrate and configure EntraPass Card holders with Microsoft Active Directory users.

- If an AD attribute is not visible in the Active Directory list but exists in the AD, you can manually type the exact name.
- Prior to deactivating a user in LDAP, deactivate the user in EntraPass using the mapped attribute assigned for Stolen/lost or Card State.
- EntraPass only imports Card holder information from LDAP. EntraPass will not update any attribute values in LDAP.
- EntraPass automatically links the Card user name to the AD Display Name. You cannot modify this.
- If Managed by Active Directory is shown in the Card window, only LDAP can modify user fields. EntraPass operators cannot modify imported fields using the EntraPass Workstation, Web or Go.

Figure 7: Managed by Active Directory in Card window

Obtaining the component ID in EntraPass

Use the component ID needed in the LDAP configuration for importing fields like Card Type and Card Access Groups. There are two procedures for obtaining the component ID: one for an individual component and one for a complete list. To obtain the component ID, choose from the following options:

Individual component ID
1. From the EntraPass Workstation, click the Users tab and then click Card Type from the menu.
2. Select the card type you want from the Card Type list.
3. Hover over your selection to display the card type ID in the tool tip.

Figure 8: Individual component ID reference number

Complete lists
1. From the EntraPass Workstation, click the Users tab and then click Card Type from the menu.
2. Click the Printer icon.
3. Select the card types you want, and then click Preview. The component ID for each card type displays in parentheses after the category name.

Figure 9: List of card types

Figure 10: List of component ID reference numbers

© 2019 Johnson Controls. All rights reserved. JOHNSON CONTROLS, TYCO and KANTECH are trademarks and/or registered trademarks. Unauthorized use is strictly prohibited. Specifications are subject to change without prior notice. Contact telephone numbers: 1 450 444 2030. Toll free: 1 888 222 1560. www.kantech.com
