Requirements for creating an Active Directory connection

The Active Directory (AD) Wizard lets you create and configure Active Directory connections. For the provider to establish a connection to Active Directory, you must provide the following:

  • Active Directory service account: Account credentials that can be used for Active Directory authentications. This account must:

    • Have the required permissions to access the Active Directory forest or domain(s) that you want to include in the connection.

    • Be provided in User Principal Name (UPN) format (administrator@example.com).

  • Host: The host name must be provided as a fully qualified domain name (FQDN). The connection provider can resolve the following address types:

    • Host name for the forest, domain, or domain controller: For a forest or domain, the provider enables access to the forest or domain hosted at the address, and also discovers trusts that enable access to objects based on the search roots you select in the wizard.

      For a domain controller, the provider enables access to the domain hosted at the first resolved IP address.

    • Forest or domain name: If the provider attempts to resolve the host and discovers more than one Active Directory service, you are prompted to select the service you want to use. For example, if the provider analyzes the host and discovers both a forest and a domain, the wizard prompts you to select one of them.

      Venafi recommends not creating Active Directory connections that overlap. In some cases, the provider cannot resolve the Trust Protection Platform user's permissions assignment properly. An example of overlapping connections: Active Directory connection #1 includes domain A, which has a trust relationship with domain B, and Active Directory connection #2 includes domain C, which also has a trust relationship with domain B.

  • Active Directory connection type: The type will be either Simple or Secure (default), based on your Active Directory implementation. This configuration determines the LDAP protocol bind type that the connection provider uses to communicate with Active Directory.
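The requirements above can be checked before the wizard is run. The following pre-flight script is an added example, not part of Venafi's product or documentation: it validates the UPN and FQDN formats the wizard expects and flags overlapping connections using the domain-A/B/C scenario from the text. The connection names, domain names and trust pairs are constructed sample data, and trusts are treated as two-way for simplicity.

```python
"""Pre-flight checks for Active Directory connection settings (added example)."""
import re
from collections import defaultdict

# UPN: user@domain, where the domain part is a dotted DNS name
UPN_RE = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}$")
# FQDN: at least two DNS labels of 1-63 chars each, whole name at most 253 chars
FQDN_RE = re.compile(r"^(?=.{1,253}\.?$)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}\.?$")

def is_upn(account):
    """True when the service account is in UPN format (administrator@example.com)."""
    return bool(UPN_RE.match(account))

def is_fqdn(host):
    """True when the host is a fully qualified domain name, not a short name or an IP."""
    if re.fullmatch(r"[\d.]+", host):  # dotted-decimal IP address, not a DNS name
        return False
    return bool(FQDN_RE.match(host))

def check_connection(account, host):
    """Return the list of requirement violations for one connection (empty = OK)."""
    problems = []
    if not is_upn(account):
        problems.append("service account must be in UPN format, e.g. administrator@example.com")
    if not is_fqdn(host):
        problems.append("host must be a fully qualified domain name, not a short name or IP")
    return problems

def find_overlaps(connections, trusts):
    """Flag pairs of connections that reach a common domain through their trusts.

    connections: {connection name: set of domain names it includes}
    trusts: iterable of (domain, domain) pairs, treated here as two-way
    (a simplification; real AD trusts can be one-way).
    """
    trusted = defaultdict(set)
    for a, b in trusts:
        trusted[a].add(b)
        trusted[b].add(a)
    # A connection reaches its own domains plus every domain they trust.
    reach = {name: set(doms).union(*(trusted[d] for d in doms))
             for name, doms in connections.items()}
    names = sorted(connections)
    return [(x, y, sorted(reach[x] & reach[y]))
            for i, x in enumerate(names) for y in names[i + 1:] if reach[x] & reach[y]]

if __name__ == "__main__":
    # Constructed sample reproducing the overlap scenario from the text
    conns = {"AD connection 1": {"a.example.com"}, "AD connection 2": {"c.example.com"},
             "AD connection 3": {"d.example.com"}}
    trusts = [("a.example.com", "b.example.com"), ("c.example.com", "b.example.com")]
    print(check_connection("administrator@example.com", "dc01.a.example.com"))
    print(find_overlaps(conns, trusts))
```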

Cloud Active Directory Providers

Azure Active Directory Domain Services and AWS Managed Microsoft AD are considered compatible with Trust Protection Platform.

The same requirements listed above also apply to cloud Active Directory providers.

NOTE: In Trust Protection Platform, user directories are closed systems. This means that local users can see only local users and groups. Likewise, external users can see only external users and groups within their own directory (or, if enabled, within their own directory and the local directory). For example, if you have three LDAP connections, you must log in to LDAP1 to see its contents, LDAP2 to see its contents, and LDAP3 to see its contents.

For information about allowing external identities to see local identities, see Allowing AD and LDAP users to see teams and local users.