Active Directory User Synchronization (ADUS)
Purpose of this Guide
This guide describes the procedures and requirements for installing and configuring AuthAnvil Two Factor Auth Active Directory User Synchronization (ADUS) on Microsoft’s Windows Server 2003, Small Business Server 2003 (SBS2003), Server 2008, Small Business Server 2008 (SBS2008) and Server 2008 R2 platforms.
This guide is intended for consultants and administrators with a need to synchronize users between their Active Directory network infrastructure and their AuthAnvil Two Factor Auth strong authentication infrastructure.
Active Directory User Synchronization (ADUS) solves the problem of getting large numbers of users into AuthAnvil Two Factor Auth by allowing it to synchronize with Active Directory. The ADUS client can watch Active Directory groups for additions, modifications, and deletions, and synchronize those changes up to the ADUS Web Service on an AuthAnvil Two Factor Auth 4.0 or later server, based on policies set on the AuthAnvil Two Factor Auth server by the AuthAnvil Two Factor Auth administrator. The power of this approach is that it allows users to be automatically created and have their tokens provisioned simply by adding them to an Active Directory group with no other administrator intervention required. Similarly, a user can be removed from AuthAnvil Two Factor Auth, simply by removing them from the group, heavily reducing the administrative overhead of provisioning a new site with AuthAnvil Two Factor Auth.
ADUS Client Installation Requirements
Please review the following information to see if you meet minimum system requirements to use AuthAnvil Two Factor Auth. AuthAnvil Two Factor Auth has been tested on Windows Server 2003 Standard, Small Business Server 2003 SP1 and SBS 2003 R2, Windows Server 2008, Essential Business Server 2008, and Small Business Server 2008 for both 32 and 64 bit versions of Windows (where applicable).
Supported Operating Systems
- Windows Server 2003
- Windows Server 2008
- Small Business Server 2003
- Small Business Server 2008
- Essential Business Server 2008
- Windows Server 2008 R2
- Microsoft Installer Services (MSI) 3.0
- The server must be able to communicate with the AuthAnvil Two Factor Auth server in order to successfully synchronize users.
- ADUS is only supported in an Active Directory domain environment, and the client must be installed on an Active Directory Domain Controller.
- The AuthAnvil Two Factor Auth server that ADUS is synchronizing to must be installed on a domain-joined server. Note: The AuthAnvil Two Factor Auth server does not need to be on a domain controller or on a machine on the same domain as the computer running ADUS.
What you need to begin
To begin your deployment of ADUS, we recommend you collect and prepare the following items before installation:
- This ADUS Guide. Consider printing out this page or having it available during your installation session.
- Administrative access to a supported operating system on which you wish to install ADUS client.
Installing the ADUS Client
If AuthAnvil Two Factor Auth is installed on a domain controller, you have the option to install ADUS during the AuthAnvil Two Factor Auth install. If you do not install AuthAnvil Two Factor Auth on a domain controller, or choose not to install ADUS during the AuthAnvil Two Factor Auth install, you can install ADUS standalone:
- Get the ADUSSetup.exe file from C:\Program Files\Scorpion Software\AuthAnvil\AuthAnvilTools on the AuthAnvil Two Factor Auth Server and copy it to the server that you would like to install it on. (Or run it from here, if this *is* the server that you would like to install it on.)
- Run the Installation Wizard, and click “Next” to begin.
- Click “I Agree” to accept the License Agreement and click “Next”.
- Click “Next” to complete the installation.
- Click “Finish” to close the installer and launch the ADUS configuration tool.
NOTE: ADUSSetup is available as an MSI package in the same location for convenient silent-mode installation using your favorite RMM tool, such as Kaseya, LabTech, or LPI.
Configuring the ADUS Client
The ADUS Configuration tool allows you to configure the ADUS Client’s settings. This tool is available under Start > All Programs > Scorpion Software > AuthAnvil Two Factor Auth > ADUS Configuration Editor on any machine where the ADUS Client is installed.
The following ADUS settings are configurable:
ADUS Beacon Information - Configuration information about the AuthAnvil Two Factor Auth server that ADUS synchronizes with.
- The URL of the ADUS web service on the AuthAnvil Two Factor Auth Server.
- The Site ID of the AuthAnvil Two Factor Auth site that ADUS is synchronizing against. (If you’re not sure, this is usually 1).
- The Shared Secret between the ADUS clients and the ADUS web service. This needs to be the same on all clients that report in to the ADUS service on the same AuthAnvil Two Factor Auth site.
ADUS Service Settings – Settings for the local ADUS Windows service.
- The location of the Cache File where ADUS keeps its synchronization database.
- The time of day that ADUS performs a full synchronization of users with the ADUS Web Service on the AuthAnvil Two Factor Auth server.
- How often the ADUS Windows Service synchronizes changes with the ADUS Web Service on the AuthAnvil Two Factor Auth Server.
Active Directory Information – Information about the Active Directory groups synchronized by ADUS.
- Whether or not to synchronize hardware and software token users with AuthAnvil Two Factor Auth.
- What group should be used to synchronize each token type.
When finished, click “OK” to save the configuration changes.
Configuring the ADUS Web Service
The ADUS Web Service is the back-end web service that runs on the AuthAnvil Two Factor Auth server and receives updates from the ADUS Agents deployed in the field. If you install AuthAnvil Two Factor Auth on a domain controller, you have the option of installing the ADUS client and activating the ADUS web service at install time, otherwise ADUS starts disabled and needs to be enable through the AuthAnvil Two Factor Auth Manager. To activate and configure ADUS, complete the following steps:
- Log into the AuthAnvil Two Factor Auth Manager (http(s)://<yourserver>/AuthAnvil/Manager), and click on the “Settings” tab, then the “Active Directory User Synchronization (ADUS)” tab.
- Click “Enable ADUS” and enter a shared secret into the boxes. This shared secret is used to authenticate connections between the ADUS Web Service and the ADUS agents, and must be the same on all ADUS agents that communicate with this AuthAnvil Two Factor Auth server.
- Optionally, click “Advanced ADUS Policies” and set the policies to match the requirements of your organization.
- Click “Save Settings” when finished.
ADUS allows you to set policies to chose what actions it will take in the cases of the following scenarios:
Scenario 1: A user has been added to one of the ADUS groups in Active Directory
- Add the user to AuthAnvil Two Factor Auth and automatically provision them a token based on their group membership (Default)
- Add the user to AuthAnvil Two Factor Auth, but not provision a token
- Do nothing
Scenario 2: The user’s details, such as first name or last name, have been changed in Active Directory
- Reflect these changes to the user in AuthAnvil Two Factor Auth (Default)
- Do nothing
Scenario 3: The user has been deleted from Active Directory, or has been removed from the ADUS group.
- Disable the user and disable their token (Default)
- Delete the user’s AuthAnvil Two Factor Auth account
- Do nothing
Please refer to the Scorpion Software Knowledge Base for the most up to date ADUS troubleshooting information.