Active Directory Integration

Setting up Windows user authentication

Key Concepts

Each PlanetTogether Instance can be configured to allow users who are members of an Active Directory Group to log in with their existing credentials. This article outlines the steps required to sync an Active Directory Group to your PlanetTogether instance.

Users must be using PlanetTogether version 11.49.8 or later and Instance Manager version 12.0.61 or later.

1) APS System Service

On the server, the APS System Service must be configured with a Log On As user with permissions to read the Active Directory domain.

2) PlanetTogether System

  1. Create a User called 'AdTemplate.'
    1. This is the user that will be copied when creating and syncing AD Users.
    2. The level of permission for users will be specified in the Instance Manager (see below).
  2. In PlanetTogether, go to Settings | Users.
  3. Click the 'New' button to create a new user, then double-click on the row selector or click the 'Open' button to open the User Settings.
  4. Change the name to 'AdTemplate.'
  5. Save and Close.

3) Instance Manager

The user running Instance Manager must also have permission to view the Active Directory Groups.

Data Publish Tab

  1. In the Data Publish tab of the Instance Manager, ensure that the 'Accept Web Transmissions' option is checked.
  2. Note: You must restart the Extra Services Service after this step.

 

Clients Tab

  1. Ensure that the 'Allow Active Directory Login' option is checked.
  2. Sync Groups
    1. You should see a list of Active Directory Groups in the drop-down menu under the 'Sync Groups' section. Select the AD Group to sync to this Instance.
  3. Sync AD Group Users
    1. Choose the User Permissions you want to set for the users within the AD Group.
    2. Click 'Sync AD Group Users.'
      1. This will create users in PlanetTogether.
        • First Name and Last Name will be set from the Active Directory User
        • User Login Name will be the AD user's Principal Context Name
        • A random password will be generated for newly synced users. This prevents standard PlanetTogether user login with that account.
        • Permissions will be based on what was specified from the drop-down menu.
      2. Two UDFs will also be created for each user: one for the AD Group name and the other for the AD User GUID.
      3. Other properties, including default workspace, will be copied from the template user.
    Note: Users that do not yet exist in PlanetTogether will be created; users that already exist will not be updated.
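
A read-only pre-sync check, added here as an example (not PlanetTogether code): it shows the Log On As account of the service from section 1 and lists the AD group's members with the attributes the sync copies, so you can review who will receive a PlanetTogether account before clicking 'Sync AD Group Users.' The group name and service display name are placeholders; treating the login name as the AD user principal name and resolving nested groups with -Recursive are assumptions this article does not confirm.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not PlanetTogether code. Read-only: nothing in AD or PlanetTogether is changed.
param(
    # Placeholders (assumptions): replace with the AD group you intend to sync
    # and the display name of the APS System Service on your server.
    [string]$GroupName          = 'PLACEHOLDER-AD-GROUP',
    [string]$ServiceDisplayName = 'PLACEHOLDER-SERVICE-DISPLAY-NAME'
)

# 1) Which account does the service log on as? That account must be able to read the domain.
Get-CimInstance Win32_Service -Filter "DisplayName = '$ServiceDisplayName'" |
    Select-Object Name, DisplayName, StartName, State |
    Format-List

# 2) Enumerate user members of the group. -Recursive also returns members of nested
#    groups (assumption: the article does not say how the sync treats nested groups).
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate

    # Flag accounts worth a second look before they are given PlanetTogether permissions.
    $review = ''
    if (-not $u.Enabled) {
        $review = 'disabled in AD'
    }
    elseif (-not $u.UserPrincipalName) {
        $review = 'no user principal name'
    }

    [pscustomobject]@{
        FirstName = $u.GivenName
        LastName  = $u.Surname
        LoginName = $u.UserPrincipalName   # assumption: login name maps to the UPN
        AdGuid    = $u.ObjectGUID          # stored by the sync in a UDF
        Enabled   = $u.Enabled
        LastLogon = $u.LastLogonDate
        Review    = $review
    }
}

$report | Sort-Object LoginName | Format-Table -AutoSize
"{0} user(s) in '{1}' would be candidates for sync." -f @($report).Count, $GroupName
```

Every user listed receives the single permission level chosen in the 'Sync AD Group Users' drop-down, so review the list against that level before syncing.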

Remove AD Group Users

  • Clicking 'Remove AD Group Users' removes the PlanetTogether users found within the AD Group specified in the drop-down menu.

4) PlanetTogether APS Client Sign-In

When users log into PlanetTogether clients, they can choose from three sign-in methods:

  1. Use PlanetTogether standard user authentication. This method is available even when Active Directory login is enabled. To enable this login method, an Admin or the user may set a new password from within the PlanetTogether user settings.
  2. Use the current Windows user account. The login name will be filled automatically, and no password is required.
  3. Use a different Windows user account. With this method, the user may provide a specific Windows Active Directory user account and the password.