Active Directory domains

The Active Directory domains page allows you to view, add, edit, and delete Active Directory domains and associated credentials stored in the Authentication Server database. This area is only available if you are an administrator.

To open the Active Directory domains page, click your profile icon to open the Settings page, click Authentication settings and then click View domains.

You only need to add new Active Directory domains for multi-forest environments with one-way trust relationships. For more details, see Trust relationships between domains.

The Active Directory domains page provides you with the following information and functions:

  1. Add: Add a new Active Directory domain.
  2. Edit: Edit the details of an existing Active Directory domain. You can only edit one domain at a time.
  3. Delete: Delete one or more Active Directory domains.

Add a domain

  1. On the Active Directory domains page, click Add.

    The Add domain page displays.

  2. Enter a domain name.

    This must be the fully qualified domain name (FQDN) using the format subdomain.domain.com or domain.com.

  3. Enter the username and password for the domain. Usernames must be in the format username@domain.com or DOMAIN\username. The credentials must be requested from a system administrator beforehand.

    Active Directory domain credentials are encrypted before they are stored in the database. The credentials stored for each domain must be those of an Active Directory service account. The service account password must not expire, the service account must not be a user account, and it should follow Active Directory service account best practices.

  4. Click Add.

    The domain name and credentials are validated against the Active Directory domain controller and the added domain displays in the domains list.
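The checks below are an added example and are not part of the product documentation: they reproduce, from the administrator's side, what the Add step validates (FQDN format, username format, credentials accepted by a domain controller, and the service-account requirements stated above) so that a domain can be added with a known-good account. It assumes the RSAT ActiveDirectory PowerShell module is installed on the machine you run it from and that a domain controller of the target domain is reachable; the domain name and username are placeholders.

```powershell
# Added example, not the product's own code. Pre-flight checks before adding a domain
# on the Active Directory domains page. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$DomainFqdn = 'example.com'                 # placeholder: use the real FQDN
$Username   = 'svc-authserver@example.com'  # placeholder: DOMAIN\username also accepted
$Credential = Get-Credential -UserName $Username -Message "Service account password for $DomainFqdn"

# 1. The domain name must be an FQDN (subdomain.domain.com or domain.com), not a NetBIOS name.
if ($DomainFqdn -notmatch '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$') {
    throw "'$DomainFqdn' is not a fully qualified domain name."
}

# 2. The username must be user@domain (UPN) or DOMAIN\username (down-level) format.
$isUpn      = $Username -match '^[^\\@]+@[^\\@]+$'
$isDownLevel = $Username -match '^[^\\@]+\\[^\\@]+$'
if (-not ($isUpn -or $isDownLevel)) {
    throw "'$Username' must be username@domain.com or DOMAIN\username."
}

# 3. The credentials must be accepted by a domain controller of the target domain.
$dc     = Get-ADDomainController -DomainName $DomainFqdn -Discover -ErrorAction Stop
$server = [string]$dc.HostName[0]
$domain = Get-ADDomain -Identity $DomainFqdn -Server $server -Credential $Credential -ErrorAction Stop
Write-Host "Bound to $($domain.DNSRoot) via $server as $Username"

# 4. The account must be enabled and its password must not expire (service account requirement).
$props = 'PasswordNeverExpires', 'Enabled', 'Description'
if ($isUpn) {
    $acct = Get-ADUser -Filter "UserPrincipalName -eq '$Username'" -Server $server -Credential $Credential -Properties $props
} else {
    $sam  = $Username.Split('\')[1]
    $acct = Get-ADUser -Identity $sam -Server $server -Credential $Credential -Properties $props
}
if (-not $acct)                      { throw "Account '$Username' was not found in $DomainFqdn." }
if (-not $acct.Enabled)              { throw "Account '$Username' is disabled." }
if (-not $acct.PasswordNeverExpires) { throw "Account '$Username' has an expiring password; use a service account whose password does not expire." }

Write-Host "OK: '$Username' is enabled, has a non-expiring password, and authenticates against $server."
Write-Host "Description on the account (check it identifies a service account): $($acct.Description)"
```

Whether an account is a "service account" rather than a regular user account is an organisational convention (naming, OU, description) that AD does not encode as a single attribute, so the script prints the description for you to confirm rather than deciding it for you. Run the script once per domain you intend to add; if any step throws, fix the account before entering the credentials on the Add domain page.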

Edit a domain

  1. On the Active Directory domains page, select a domain and click Edit.

    You can only select one domain at a time.

  2. Change the information as required. If you want to edit the domain name, you must delete this domain and create a new domain.

  3. Click Save to apply your changes.

Delete domains

  1. On the Active Directory domains page, select the required domain(s) and click Delete.

    A message displays asking you to confirm the deletion.

  2. Click Yes to delete the selected domain(s) or No to cancel.

Trust relationships between domains

For multi-forest environments, trust relationships must be configured between domains. These can be two-way or one-way to the domain that should be trusted.

For example:

  • In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A.
  • In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions.

Two-way trusts do not require the user to provide domain credentials if the Authentication Server application pool user has the relevant read access to the domain that the user belongs to. In these examples, the web server hosting Authentication Server would reside in Domain B. Two-way trusts require credentials to be provided only when the user needs to query a trusted domain using an account different from the Authentication Server application pool user. One-way trusts require a domain with credentials to be created.

The following trust types are supported:

  • External
  • Parent-child
  • Tree-root
  • Forest
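The script below is an added example and is not part of the product documentation. Run from the domain that hosts Authentication Server (Domain B in the examples above), it lists that domain's trusts and, for each one, reports the direction and a classification into the trust types listed as supported, and flags the one-way trusts for which a domain with credentials must be added on the Active Directory domains page. It assumes the RSAT ActiveDirectory module; the classification is derived from the IntraForest and ForestTransitive flags that Get-ADTrust returns, since the cmdlet does not label trusts as parent-child or tree-root directly.

```powershell
# Added example, not the product's own code. Enumerates the trusts of the current domain
# and maps them onto the trust types the documentation lists as supported.
Import-Module ActiveDirectory

function Get-TrustClassification {
    param([Microsoft.ActiveDirectory.Management.ADTrust] $Trust)

    # Parent-child and tree-root trusts are both intra-forest; AD does not distinguish them
    # on the trust object itself, so they are reported together (assumption noted in lead-in).
    if ($Trust.IntraForest)      { return 'Parent-child / Tree-root (intra-forest)' }
    if ($Trust.ForestTransitive) { return 'Forest' }
    if ($Trust.TrustType -eq 'Uplevel') { return 'External' }
    return "Other ($($Trust.TrustType)), not in the supported list"
}

Get-ADTrust -Filter * | ForEach-Object {
    # Direction is Inbound, Outbound or BiDirectional relative to the current domain.
    # The documentation requires a domain with credentials for every one-way trust;
    # for two-way trusts credentials are only needed when querying with an account
    # other than the Authentication Server application pool user.
    [pscustomobject]@{
        Partner          = $_.Target
        Direction        = $_.Direction
        Classification   = Get-TrustClassification -Trust $_
        NeedsCredentials = ($_.Direction -ne 'BiDirectional')
    }
} | Sort-Object NeedsCredentials -Descending | Format-Table -AutoSize
```

Rows with NeedsCredentials set to True are the trusted domains you must add under Add a domain before users from them can authenticate; rows classified as "Other" are trust types the page does not list as supported and should be reviewed before relying on them.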