Active Directory (On-Premises)
Overview
The integration of Active Directory (On-Premises) with IPI Enterprise Server allows organizations to automatically synchronize users from their corporate Active Directory environment. This integration supports centralized user management, automated domain password updates, and enables passwordless authentication scenarios using IPI Keys and the IPI Authenticator mobile application.
Key Benefits
Centralized User Management: Synchronize users directly from Active Directory groups to IPI Enterprise Server.
Passwordless Authentication Enablement: Facilitate passwordless login to Windows domains. Users can unlock their workstations and log into Remote Desktop Protocol sessions without passwords by using either the IPI Key or the IPI Authenticator mobile application.
Support for Multiple Domains: Manage users from multiple Active Directory domains within a single IPI Enterprise Server instance.
Flexible User Management Policies: Define whether to keep, deactivate, or delete users removed from Active Directory groups.
Scheduled Synchronization: Perform automatic synchronization with Active Directory every hour to ensure user data remains current.
Prerequisites
Access to a working Active Directory (On-Premises) environment.
An Active Directory account with the following requirements:
To read users and group memberships, a regular user account is sufficient.
To change user passwords, the account must have permission to reset passwords and must be a member of the Account Operators group or the Domain Admins group.
Creation of two specific groups in Active Directory:
IPI Users Sync (used for user synchronization with IPI Enterprise Server).
Security Key Auto Password Change (optional, used to enable automatic password changes).
A secure Lightweight Directory Access Protocol over SSL (LDAPS) connection must be configured between IPI Enterprise Server and Active Directory, with port 636 open for communication.
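A prerequisite check for the requirements listed above, added here as an example that is not part of the IPI documentation. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined workstation; the domain name and service-account name are placeholders, and the group names are the ones used on this page.

```powershell
# Added example, not IPI's own code. Assumes the ActiveDirectory module (RSAT).
# DomainFqdn and ServiceAccount are placeholders; replace with your own values.
param(
    [string]$DomainFqdn     = 'corp.example.com',    # placeholder FQDN
    [string]$ServiceAccount = 'svc-ipi-sync',        # placeholder logon name
    [string]$SyncGroup      = 'IPI Users Sync',
    [string]$PwChangeGroup  = 'Security Key Auto Password Change',
    [switch]$PasswordChange                          # set when the optional group is used
)
Import-Module ActiveDirectory -ErrorAction Stop
$dc = (Get-ADDomainController -Discover -DomainName $DomainFqdn).HostName[0]

# 1. The sync group must exist; the password-change group only if that feature is wanted.
$required = @($SyncGroup) + $(if ($PasswordChange) { @($PwChangeGroup) } else { @() })
foreach ($g in $required) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -Server $dc)) {
        Write-Warning "Group '$g' not found in $DomainFqdn"
    } else { Write-Host "OK: group '$g' exists" }
}

# 2. Read-only sync needs a regular account; resetting passwords needs
#    Account Operators or Domain Admins. Flag both too little and too much privilege.
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount -Server $dc |
          Select-Object -ExpandProperty Name
$privileged = ($groups -contains 'Account Operators') -or ($groups -contains 'Domain Admins')
if ($PasswordChange -and -not $privileged) {
    Write-Warning "$ServiceAccount is in neither Account Operators nor Domain Admins; password changes will fail"
} elseif (-not $PasswordChange -and ($groups -contains 'Domain Admins')) {
    Write-Warning "$ServiceAccount is a Domain Admin but only read access is needed (least privilege)"
} else { Write-Host "OK: $ServiceAccount membership matches the requested features" }

# 3. LDAPS (TCP 636) must be reachable and present a certificate the client trusts.
if (-not (Test-NetConnection -ComputerName $dc -Port 636 -InformationLevel Quiet)) {
    Write-Warning "TCP 636 to $dc is closed; LDAPS cannot be used"
} else {
    $tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
    # Default validation: .NET checks the chain and hostname and throws on failure.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($dc)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "OK: LDAPS certificate for $($cert.Subject) valid until $($cert.NotAfter)"
    } catch {
        Write-Warning "LDAPS handshake to ${dc}:636 failed: $($_.Exception.Message)"
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}
```

Run it once without -PasswordChange for a sync-only setup and once with it when the optional group is in use; a warning on step 3 usually means the domain controller's certificate is not issued by a CA the IPI Enterprise Server host trusts.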
Active Directory (On-Premises) Connection
1. Configure Domain Settings in IPI Enterprise Server
Navigate to Settings → Parameters → Add Domain Settings in IPI Enterprise Server.

Complete the following fields:
Active Directory Domain Name: Provide the fully qualified domain name.
User Logon Name: Specify the username of the account that will be used to connect to Active Directory. This can be either:
a regular user account (if synchronization is only needed to add selected users), or
an Active Directory administrator account (if password management features, such as automatic password change, are required).
Password: Enter the password corresponding to the selected Active Directory account.

Users Sync Group Name: Provide the name of the Active Directory group for user synchronization (for example, IPI Users Sync).
Users Auto Password Change Group Name (optional): Provide the name of the Active Directory group for automatic password updates (for example, Security Key Auto Password Change).
Auto Password Change Interval (days): Specify the number of days after which user passwords should automatically change (applies only to users in the automatic password change group).

2. Behavior when Removing a User from a Sync Group
When a user is removed from the Active Directory synchronization group, IPI Enterprise Server can handle the user's status based on the selected policy:
Keep: Users remain active in IPI Enterprise Server even after being removed from the Active Directory group.
Deactivate: Users are deactivated but not deleted from IPI Enterprise Server. Their accounts remain available for reactivation if needed.
Delete: Users are completely removed from IPI Enterprise Server after removal from the Active Directory synchronization group.

Additional Configuration: Passwordless Login without User Synchronization
In cases where you do not need to import users from Active Directory, but you need to configure passwordless authentication for workstations joined to the Active Directory (On-Premises) domain, you can enable the Disable Domain Synchronization option in IPI Enterprise Server.
This setting allows you to:
Configure passwordless workstation login using the IPI Authenticator mobile application without importing user accounts from Active Directory.
Manage authentication policies for domain-joined devices independently from user synchronization.
