Installing the Delinea Connector

This page describes how to install the Delinea Connector. Before you begin, make sure you meet the conditions in the next section, Requirements.

Server Requirements

The following list describes the requirements for the server or virtual machine where the Delinea Connector is installed:

  • Always running and accessible on the internal network.

  • Running Windows Server 2019 or newer.

  • Running in 64-bit mode with 8 GB of memory or more, of which 4 GB or more must be available for connector cache functions.

  • Running Microsoft .NET version 4.8 or newer. If it isn't already installed, the connector installer installs it for you, but in this situation, you must manually restart your machine to complete installation.

  • If the connector integrates with an on-premises Active Directory, the machine where it is installed must be joined to the Active Directory domain that will be used as the identity store.

  • Set up for outbound Internet access on port 443 (no Internet-facing ingress ports are required). For details on the connector’s network requirements, see Delinea Connector. Use of deep packet inspection filtering of HTTPS or SSL traffic by web proxies or security software may cause connectivity issues. In all cases, the ports and addresses discussed should be excluded from packet inspection to allow for normal service operation.

  • If your network is configured with a web proxy server that you want to use to connect to the platform, you must specify this server during the installation process, and the web proxy server must support HTTP/1.1 chunked encoding.

  • As a best practice, avoid installing the connector on a domain controller.

Account Permission Requirements

Platform permissions

To generate a connector registration code or manage the connector settings, you must belong to the Administrator group on the Delinea Platform.

Delinea Connector Permissions

You must be a local administrator on the machine where you are installing Delinea Connector, so that you can copy files to Program Files, set up a Windows service, and make registry settings.

Connector Security Permissions

The machine where the Connector is installed should have user access and other permissions assigned the same way they are assigned to an Active Directory domain controller. Access to the registry on the Connector machine should be appropriately restricted (and not available to all users).

Alternate Accounts and Organizational Units permissions

You can run the Delinea Connector service as an Active Directory service account or as a Local System account. Make sure you have set up all permissions required for the account type you choose. For example, if you run the connector service as a specific Active Directory service account, the account must:

  • be a member of the local Administrators group

  • have at least read permission to the containers that hold the platform user accounts and the Active Directory groups used as members of platform groups

  • have read permission to the root DSE to gather necessary topology information

You should not run a Windows service with an Active Directory built-in account or an Active Directory user account.

You must verify that the relevant accounts have permission to read Active Directory users and groups; otherwise authentication will not work. Each time role permissions are reassessed, the connector tries to resolve the Active Directory groups mapped to any role in which the Active Directory user is potentially a member.

The computer account of the server where the connector is installed must also have read access to the container or organizational unit (OU) that stores the user accounts. Without read access, the connector cannot authenticate the user. Domain computers have this permission by default; however, the connector machine may not. This most often occurs in multi-forest or multi-domain setups, and can occur even when two-way trust is already defined. You can tell when this occurs, because the connector log would show the error message "Unable to locate forest or user object." In this case, you need to give the Local System account read access permission to the containers or organizational units.

Set Read Access Permission to the User Account Container or Organizational Unit

  1. Open Active Directory Users and Computers.

  2. Select the user account container and open the Properties.

  3. Select the Security tab.

  4. Click Add to add the user account you are using to run the connector service.

  5. Click OK after you add the user account.

  6. Click the user account in Group or User Names and select the Allow checkbox for the Read permission.

  7. Click OK.

Any user or group with permissions to read and write the LockoutTime attribute for an OU or other container can unlock user accounts that reside in that container.

Set Read Access Permission to User Account Container with PowerShell

Requirements

  • An account with Domain Admin credentials

  • Dsacls.exe – This is installed on all Domain Controllers and can be installed on Member servers as part of the Delinea Platform

  • An Elevated PowerShell shell

Step 1: Run the test command below from an elevated PowerShell session under Domain Admin credentials. This command returns the current permissions on the container you need access to.

dsacls "CN=Deleted Objects,DC=delineacloud,DC=com" /takeownership

This example domain is delineacloud.com. Replace the delineacloud and com with the FQDN of your domain.

If the test command succeeds, the output looks similar to the screenshot below (these are the initial settings for this container on Windows Server 2022).

Step 2: At the PowerShell prompt, enter the command below:

dsacls "CN=Deleted Objects,DC=delineacloud,DC=com" /g dcloud\adsync:LCRP

This command grants the standard user account dcloud\adsync (not a Domain Admin) from the delineacloud.com domain List Contents and Read Property (LCRP) rights on the container.

Troubleshooting: If you run this command under Domain Admin credentials, and you get the error below, the default settings for this container have been altered.

The workaround is to temporarily place the account with the Domain Admin credentials in the domain Builtin\Administrators group. Once that is done, run steps 1 and 2 again.

External References

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/non-administrators-view-deleted-object-container

https://activedirectorypro.com/install-rsat-remote-server-administration-tools-windows-10/#windows-server

https://activedirectorypro.com/install-rsat-remote-server-administration-tools-windows-10/#rsat-powershell

Download the Delinea Connector and Get a Registration Code

To download the Delinea Connector, follow these steps:

  1. Log in to the Delinea Platform.

  2. Click Settings from the left navigation, then click Connectors.

  3. Click Add connector.

  4. On the Add connector page, download the connector installation package.

  5. Copy the tenant URL and save it for use during the connector installation process.

  6. Create a new registration code or copy an existing one and save it for use during the connector installation process.

The auto-generated registration code is created with default values only. It does not have an expiration time or a limit on how many times it can be used.

Installing and Configuring the Delinea Connector

  1. On the Delinea Connector machine, run the connector Installer file you downloaded in the previous section. The connector Installation Wizard launches.

  2. Click Next.

  3. Click the Connector tab.

  4. Click Register. The Connector Configuration Wizard launches.

    During the configuration process, we recommend keeping the default settings except where these instructions indicate otherwise. You can choose to configure the connector to switch to TLS 1.2 for every .NET application on the machine globally.

  5. Click Next.

  6. Select the Enable strong encryption protocols system-wide checkbox.

  7. If you are using a web proxy server to connect to the platform, select the Use a web proxy server for the Delinea Platform connection checkbox. Specify the IP Address, Port, User name, and Password to use.

  8. Click Next.

  9. In the Tenant URL field, paste the tenant URL you copied and saved earlier.

  10. Select the Temporarily add Tenant URL to [browser's] trusted sites list checkbox.

  11. Select the Use Registration Code checkbox.

  12. Paste the registration code you copied and saved earlier into the Use Registration Code field.

  13. This step is optional. To enable synchronization of user deletions in Active Directory with the Delinea Platform, you must be the domain administrator of the Active Directory domain that holds the relevant deleted objects container; if you delete users in multiple domains, make sure you are the domain administrator for all of those domains. To enable the synchronization, follow these instructions:

    • Choose the domain(s) you wish to monitor and provide the required credentials for permission assignment.

    • Essential: grant the connector read access to the deleted objects container. You can provide the necessary permission by running the following commands on each connector:

      • If you do not already have the necessary permissions to change the permissions of the deleted objects container, run this command:

        dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /takeownership

      • The following command grants the Delinea Connector permission to read the deleted objects container in Active Directory:

        dsacls "CN=Deleted Objects,DC=<EXAMPLE>,DC=<COM>" /user:administrator@<EXAMPLE.COM> /passwd:* /g <EXAMPLE>\<MACHINENAME>$:LCRP /I:T

        If this command fails, it means the default settings for this container have been altered. The workaround is to temporarily place the account with the Domain Admin credentials in the domain Builtin\Administrators group. Then run the steps again.

    • Apply read permissions to the service account for the deleted objects container in the corresponding domain.

      If you fail to perform any of the actions above, users deleted in Active Directory will still be listed on the Users page in the Delinea Platform until you manually remove them. However, these users will not have access to any platform functionality.
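The dsacls procedure in the PowerShell section above and in step 13 can be scripted and, more importantly, verified. The following PowerShell is an added example, not Delinea's own tooling: it runs the two dsacls steps for the connector's computer account and then reads the DACL back to confirm that the ACE exists and grants nothing beyond List Contents and Read Property. It assumes an elevated session under Domain Admin credentials on a host with dsacls.exe and the ActiveDirectory RSAT module; the two parameters are placeholders.

```powershell
# Added example, not Delinea's own tooling: scripts the two dsacls steps from
# this page for the connector's computer account and then verifies that the
# resulting ACE is present and carries nothing beyond List Contents/Read Property.
# Assumes an elevated PowerShell session under Domain Admin credentials on a host
# with dsacls.exe and the ActiveDirectory RSAT module; parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $DomainFqdn,     # e.g. delineacloud.com
    [Parameter(Mandatory)] [string] $ConnectorHost   # NetBIOS name of the connector machine
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain  = Get-ADDomain -Identity $DomainFqdn
$dn      = "CN=Deleted Objects,$($domain.DistinguishedName)"
# The connector service runs as Local System, which AD sees as NETBIOS\HOST$.
$account = '{0}\{1}$' -f $domain.NetBIOSName, $ConnectorHost

function Invoke-Dsacls {
    param([string[]] $DsaclsArgs)
    $out = & dsacls.exe @DsaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Matches the page's troubleshooting note: a failure here usually means
        # the container's default permissions have been altered.
        throw "dsacls $($DsaclsArgs -join ' ') failed (exit $LASTEXITCODE):`n$out"
    }
}

# Step 1: take ownership so the DACL can be modified.
Invoke-Dsacls -DsaclsArgs @($dn, '/takeownership')
# Step 2: grant List Contents + Read Property only, inherited to child objects.
Invoke-Dsacls -DsaclsArgs @($dn, '/g', "${account}:LCRP", '/I:T')

# Verification: read the DACL back and confirm a read-only Allow ACE exists.
$readOnly = [int]([System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
$aces = (Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' }
if (-not $aces) { throw "No Allow ACE for $account found on $dn" }
foreach ($ace in $aces) {
    # Any bit outside LC|RP means the account got more than the page intends.
    $extra = ([int]$ace.ActiveDirectoryRights) -band (-bnot $readOnly)
    if ($extra -ne 0) {
        Write-Warning "$account holds more than LCRP on ${dn}: $($ace.ActiveDirectoryRights)"
    }
}
Write-Output "OK: $account can list and read $dn"
```

Run it once per domain whose deletions you want synchronized, passing that domain's FQDN and the connector's NetBIOS host name.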

  14. Click Next. The wizard performs checks to validate the network environment.
    Wait for the checks to complete.

  15. Click Next. The screen displays a bar indicating the progress of the configuration. Wait for the bar to be full.

  16. Click Next. You should see a notice saying, "Connector setup is complete."

  17. Click Finish.

Enabling Auto-Update for the Delinea Connector

You can configure the connector to automatically poll the Delinea Platform for software updates and install them. If an update is available, the connector downloads and installs the update, then restarts. The connector is enabled to poll automatically by default. You can also specify the auto-update time windows as needed.

  1. Log in to the Delinea Connector server.

  2. Click the Windows Start menu and open the Delinea Connector Configuration program.

  3. Select the Enable auto-update checkbox to enable automatic updates.

  4. Click the Schedule button associated with the Enable auto-update option to configure the auto-update time window.

  5. Click Apply.

Updating the Delinea Connector

  1. Click the Windows Start menu and open the Delinea Connector Configuration program.

  2. In the lower left of the Status tab, right-click the update icon and select Update. The connector updates and displays a message indicating that the software is up to date.

Checking the Delinea Connector Status

To verify the status of the connector, click Ping connector.

If all components are functioning correctly, a success banner displays the message Ping to connector was successful. If any communication issues are detected between the platform and the connector, an error message is displayed. The timestamp for the last ping is updated to reflect the most recent successful ping check.

Supported AD Group Types on the Delinea Platform

The Delinea Platform supports the following types of Active Directory (AD) groups for access control:

  • Global AD Security Groups

  • Universal AD Security Groups

These group types are designed to manage and enforce access control effectively, leveraging their compatibility with access control systems such as the Delinea Platform.

Why Distribution Lists Are Not Supported

The Delinea Platform does not support distribution lists for access control. While distribution lists, sometimes referred to as "distribution groups," are useful for communication purposes (e.g., sending emails to a specified set of users), they are fundamentally unsuitable for managing access permissions.

Purpose of Distribution Lists:

  • A distribution list is a mechanism for sending emails to a defined group of recipients. It is optimized for messaging and not for permission management.

Limitations in Access Control:

  • Distribution lists cannot be included in Discretionary Access Control Lists (DACLs), which are essential for determining access permissions in systems like the Delinea Platform.

  • Unlike security groups, distribution lists do not have an index that can be queried to confirm whether a specific user is a member of the list.

  • This lack of searchability makes it impossible to verify if a user attempting to access a resource is part of a distribution list, rendering them ineffective for access control purposes.

Difference Between Security Groups and Distribution Lists:

  • Security Groups: Used explicitly for access control and can be referenced in DACLs to enforce permissions.

  • Distribution Lists: Only serve as a tool for communication and are not designed to interact with access control mechanisms.
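To check the groups you plan to map to platform roles against the rule above (only Global and Universal security groups are supported; distribution groups and other scopes are not), here is an added PowerShell audit that is not part of Delinea's documentation or tooling. It assumes the ActiveDirectory RSAT module; the candidate group names are placeholders.

```powershell
# Added example, not Delinea's own tooling: audit candidate AD groups and flag
# any the platform will not honour for access control (distribution groups, or
# security groups whose scope is not Global/Universal).
# Assumes the ActiveDirectory RSAT module; the group names below are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$candidateGroups = @('Platform-Admins', 'Platform-Users', 'All-Staff-DL')  # placeholders

function Test-PlatformGroupSupported {
    param([Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADGroup] $Group)
    # Only Global and Universal *security* groups can be referenced in a DACL
    # and are accepted by the platform.
    ($Group.GroupCategory -eq 'Security') -and ($Group.GroupScope -in @('Global', 'Universal'))
}

$report = foreach ($name in $candidateGroups) {
    $g = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $g) {
        [pscustomobject]@{ Group = $name; Category = 'n/a'; Scope = 'n/a'; Supported = $false; Reason = 'not found' }
        continue
    }
    $reason = if ($g.GroupCategory -ne 'Security') { 'distribution group: cannot appear in a DACL' }
              elseif ($g.GroupScope -notin @('Global', 'Universal')) { "unsupported scope $($g.GroupScope)" }
              else { '' }
    [pscustomobject]@{ Group = $g.Name; Category = $g.GroupCategory; Scope = $g.GroupScope
                       Supported = (Test-PlatformGroupSupported -Group $g); Reason = $reason }
}
$report | Format-Table -AutoSize
```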