Delinea Connector Best Practices
When using the Delinea Connector, keep the following best practices in mind.
Supporting user authentication for multiple domains
If all your Delinea Platform users have their accounts on a single domain controller, you can skip this topic.
You install the Delinea Connector on a machine that is joined to Active Directory (AD) to authenticate Delinea Platform users who have accounts in that domain. If you want the Delinea Platform to authenticate users in other domains, you can configure the connector to do so. The technique you use depends on whether the accounts are in trusted domains within a single forest or in multiple forests without trust.
Configuring authentication for trusted domains
Use this technique when users' Active Directory accounts are in one or more domains that have a two-way, transitive trust relationship with the domain the connector is joined to.
In this case, you have a single connector for the entire domain tree within a single forest. After installing the first connector, it is advisable to install one or more additional connectors on separate servers for resiliency. The host server for each connector must be joined to the same Active Directory domain. For additional details, see Installing additional Delinea Connectors.
The platform communicates through this connector for all authentication requests. If the user account is in another domain, authentication requests are handled based on the trust relationships between the domains, such as tree-root, parent-child, forest, and shortcut trust settings.
By default, two-way transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are parent-child trusts and tree-root trusts. When configuring the trust relationship, be sure to select Forest Trust. This establishes a transitive trust between one forest root domain and another forest root domain. For more information about trust relationships, see How Domain and Forest Trusts Work in Microsoft TechNet.
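Before relying on a single connector for a whole forest, it is worth confirming that every trust seen from the connector's host domain is two-way and transitive, as the text above requires. The following script is an added example, not part of the Delinea documentation or product; it assumes the RSAT ActiveDirectory module is installed on the connector host and reads the Direction, IntraForest and ForestTransitive properties of the ADTrust objects that Get-ADTrust returns.

```powershell
# Added example: audit trusts from the connector's host domain and flag any that
# do not meet the two-way, transitive requirement for the single-connector model.
# Assumes the RSAT ActiveDirectory module is available on this host.
Import-Module ActiveDirectory

function Test-ConnectorTrusts {
    param(
        # Domain the connector host is joined to; defaults to this host's own domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    foreach ($t in (Get-ADTrust -Filter * -Server $Domain)) {
        $twoWay = ($t.Direction -eq 'BiDirectional')
        # Parent-child and tree-root trusts (IntraForest) are transitive by design;
        # a trust to another forest root is transitive only when it is a forest trust.
        $transitive = [bool]$t.IntraForest -or [bool]$t.ForestTransitive
        if ($twoWay -and $transitive) {
            $verdict = 'OK: reachable through this connector'
        } else {
            $verdict = 'REVIEW: convert to a two-way forest trust or deploy a separate connector'
        }
        [pscustomobject]@{
            Target          = $t.Target
            Direction       = $t.Direction
            IntraForest     = $t.IntraForest
            ForestTransitive = $t.ForestTransitive
            Verdict         = $verdict
        }
    }
}

Test-ConnectorTrusts | Format-Table -AutoSize
```

Run it on the connector host under an account that can read trust objects; any row marked REVIEW corresponds to a domain whose users the single connector cannot be assumed to authenticate.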
The Delinea Platform automatically creates a login suffix for the domain to which the host computer is joined, plus all the domains that the connector can see. The visibility of domains depends on two criteria:
- The trust relationship between domains. All domain trusts in an AD forest with two-way transitive trust meet this criterion.
- The connector’s user account permissions. By default, the connector is installed as a Local System user account on the Windows host. The permissions granted to this account can affect its ability to see other domains. For more information, see Alternate Accounts and Organizational Units permissions.
When an administrator searches Active Directory domains for users and groups in the platform portal (for example, when adding a user or group to a role), the search covers only the Active Directory Users container in the domain controllers visible to the connector.
By default, the connector does not perform cross-forest user look-up from a local forest. To enable this functionality, contact the Delinea Support team. Once it is enabled, avoid installing connectors in each of the forests where trust exists. For example, if you run connectors on machines joined to both Forest A and Forest B, the same user will appear in both forests as distinct users with conflicting IDs and UPNs. This causes considerable confusion, because the one user is treated as a separate entity in each forest, and such issues are difficult to resolve afterwards.
Configuring authentication for multiple forests without trust
Use this technique when users' Active Directory accounts are in multiple forests without trust, such as in a restricted access forest model or when you have distinct forests due to organization or administrative boundaries (such as mergers or separate business units).
In this model, a separate connector is designated for each independent domain tree or forest. The Delinea Platform determines which connector to use for the authentication request based on the login-suffix-to-domain mapping it creates and maintains. When a user account resides within the domain controller associated with a connector, the authentication requests are processed according to the tree-root, parent-child, forest, and shortcut trust relationship settings among the domain controllers within that forest or domain tree.
After installing the first connector for each independent domain tree or forest, it is recommended to install one or more additional connectors on separate servers for each domain tree or forest. Each server hosting a connector must be joined to the same Active Directory domain as the initial connector for that specific tree or forest. For detailed instructions, see Installing additional Delinea Connectors.
The Delinea Platform automatically generates a login suffix for the domain to which the host computer is joined, as well as for all the domains that are visible to the connectors for each independent domain.
When conducting a search in the platform portal for Active Directory domains for users and groups (for example, when adding a user or group to a role), the search is limited to the Active Directory Users container in the domain controllers accessible by the connectors.
By default, the connector is installed as a Local System user account on the Windows host. The permissions you grant to this account can affect its ability to see other domains. For more information, see Alternate Accounts and Organizational Units permissions.
Delinea Connector redundancy
To ensure continuous uptime for Delinea Platform services, it is advisable to implement redundant connectors by adhering to the following guidelines:
- Deploy two or more connectors for each forest to ensure redundancy.
- Isolate each connector on its own Active Directory server.
- Whenever possible, install each connector in a separate physical location to mitigate the risk of localized failures affecting all connectors.
- Ensure that each connector has its own Internet connection to avoid a single point of failure in network connectivity.
- The Delinea Platform features load balancing across all connectors that have the same services installed. When a request is received, the Delinea Platform distributes the request among the available connectors. Should one connector become unavailable, the platform automatically reroutes the request to the remaining available connectors, ensuring automatic failover.
Installing additional Delinea Connectors
Use the same procedure to download the installation wizard to the host server, then run the wizard to install and register additional connectors. After you install and register the connector, it is added to the Delinea Connector settings page.
See Download the Delinea Connector and Get a Registration Code for more information.
Additional information
- AD changes are pushed from the connector to the platform according to a schedule. You can configure how frequently Active Directory updates, such as user account information or new domain controllers (DCs), are synchronized to the platform by updating the "Setting update interval" configuration field in the Delinea Connector configuration application. The default synchronization interval is 10 minutes. Additional delays may occur as information is fully synchronized, processed, and reflected in the platform. You can force changes to AD users to be picked up earlier by using the 'reload rights' action for a user.
- The connector supports look-up for global AD security groups, universal AD security groups, and user attributes/claims named groups. It does not support distribution lists. See the Note below.
- To automate the installation process of the Delinea Connector, see the Delinea GitHub repository. It contains details on installing the connector through the command line and provides an example script for automating the entire installation procedure.
- Avoid installing the connector on an Active Directory Domain Controller.
- If you are using both the Delinea Connector and federation, the User Mapping settings in the federation configuration should be set to Required. This prevents the creation of duplicate users by disabling the ability to create local users when mapping is not possible. For more information, see Mapping Federated Users.
Note: The platform supports the following types of groups: global AD security groups, universal AD security groups, and user attributes/claims named groups. It does not support distribution lists. A distribution list, sometimes inaccurately called a distribution group, is used to send email to the users specified on the list. On any access control system, including the Delinea Platform, groups are used for access control. A distribution list cannot be used for access control because it cannot be listed in discretionary access control lists (DACLs). A distribution list has no index, so you cannot query it to determine whether a user trying to access something is or is not on the list, which makes the distribution list useless for controlling access.
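A quick way to catch the problem described in the note before a role assignment silently fails is to check the category and scope of each group you intend to use. The script below is an added example, not Delinea's code; it assumes the RSAT ActiveDirectory module, and the group names passed at the end are constructed placeholders. It treats Distribution groups as unsupported and, because this page lists only Global and Universal security groups as supported, marks any other scope for review.

```powershell
# Added example: verify that candidate groups for platform roles are security groups
# with a supported scope (Global or Universal), not distribution lists.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Test-PlatformGroup {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        try {
            # GroupCategory and GroupScope are returned by default for ADGroup objects
            $g = Get-ADGroup -Identity $n -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Name = $n; Category = $null; Scope = $null; Verdict = 'NOT FOUND' }
            continue
        }
        if ($g.GroupCategory -eq 'Distribution') {
            # Distribution lists cannot appear in DACLs, so the platform cannot use them
            $verdict = 'UNSUPPORTED: distribution list; create a security group instead'
        } elseif ($g.GroupScope -notin @('Global', 'Universal')) {
            $verdict = 'REVIEW: scope is not one of the supported scopes (Global, Universal)'
        } else {
            $verdict = 'OK: security group usable for access control'
        }
        [pscustomobject]@{
            Name     = $g.Name
            Category = $g.GroupCategory
            Scope    = $g.GroupScope
            Verdict  = $verdict
        }
    }
}

# Constructed sample group names; replace with the groups you plan to map to roles
Test-PlatformGroup -Name 'PAM-Admins', 'All-Staff-Mail', 'Finance-DomainLocal' | Format-Table -AutoSize
```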