Configuring Active Directory

To allow users to log in with their Active Directory (AD) credentials, you can configure your AD domain settings in Secret Server and then add users either individually or by group.

Step 1: Enabling Active Directory Integration

  1. Select Admin > Directory Services. The Directory Services page appears.
  2. Click the Configuration tab.
  3. If Enable Directory Services says No:

    1. Click the Edit link next to Directory Services.
    2. Click the Enable Directory Services check box.
    3. Click the Save button.

Step 2: Adding a Domain

  1. Select Admin > Directory Services. The Domains tab of the Directory Services page appears.
  2. Click the Add Domain button and select Active Directory Domain. The Active Directory popup appears.
  3. Type the FQDN and friendly name in their text boxes.
  4. If you wish to use Secure LDAP, enable the Use LDAPS check box. LDAPS encrypts the traffic between Secret Server and the domain controllers, including the synchronization account's credentials; the domain controllers must present a certificate that the Secret Server web server trusts.
  5. If you have an existing sync secret, click the No Secret Selected link next to Synchronization Secret to select the secret containing the username and password used for the connection. Otherwise, click the Create New Secret link to create one. This account needs only read access to the users and groups in the domain, so do not use a privileged account.
  6. Click the Site dropdown list to select the site for the AD location.
  7. Click the Multifactor Authentication dropdown list to select the desired MFA, if any.
  8. Click the Validate & Save button.

Now you are ready to add individual users or groups of users for access to Secret Server with AD credentials. See the relevant section below for instructions.
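Before typing the domain into the Add Domain dialog, it is worth confirming from the Secret Server web server itself that the domain controller is reachable on TCP 636, that its certificate validates, and that the synchronization account can bind and read the group you intend to synchronize. That way a failed Validate & Save can be traced to DNS, the certificate, or the credentials rather than to Secret Server. The following PowerShell script is an added example, not part of Secret Server or its documentation; the domain `corp.example.com`, the group name `SecretServer-Users` and the simple (`Basic`) bind are assumptions to replace with your own values.

```powershell
# Added pre-flight check for Step 2 (example code, not part of Secret Server).
# Assumptions (replace with your values): the domain FQDN and the name of a
# group you intend to synchronize. Run this on the Secret Server web server so
# DNS, firewall rules and certificate trust are tested from the right host.
param(
    [string]$Domain    = 'corp.example.com',      # assumed
    [string]$GroupName = 'SecretServer-Users'     # assumed
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Locate a domain controller through the SRV records AD publishes.
$dc = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, Weight | Select-Object -First 1).NameTarget
if (-not $dc) { throw "No SRV record found for $Domain; check DNS on the Secret Server host." }
Write-Host "Testing domain controller $dc"

# 2. Confirm TCP 636 is open and inspect the certificate the DC presents.
#    LDAPS fails if the chain does not validate or the certificate expires.
if (-not (Test-NetConnection -ComputerName $dc -Port 636 -InformationLevel Quiet)) {
    throw "TCP 636 to $dc is closed; LDAPS is not enabled on this DC or a firewall blocks it."
}
$tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($dc)   # throws if the chain does not validate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("Certificate: {0}, expires {1}, issued by {2}" -f $cert.Subject, $cert.NotAfter, $cert.Issuer)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "DC certificate expires within 30 days; synchronization will fail when it does."
    }
} finally { $ssl.Dispose(); $tcp.Dispose() }

# 3. Bind over LDAPS as the synchronization account and read the sync group.
#    This is the same account you store in the Synchronization Secret, so a
#    failure here points at the secret, not at Secret Server.
$cred = Get-Credential -Message "Synchronization account (DOMAIN\user or UPN)"
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Basic')
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
try {
    $ldap.Bind()   # throws LdapException on bad credentials or a disabled/locked account
    $baseDn  = 'DC=' + (($Domain -split '\.') -join ',DC=')
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $baseDn, "(&(objectClass=group)(sAMAccountName=$GroupName))", 'Subtree', @('member'))
    $result  = $ldap.SendRequest($request)
    if ($result.Entries.Count -eq 0) {
        Write-Warning "Group $GroupName not found; ask the AD administrator to create it before Step 3."
    } else {
        $members = $result.Entries[0].Attributes['member']
        $count   = if ($members) { $members.Count } else { 0 }
        Write-Host ("Group {0} has {1} direct members" -f $GroupName, $count)
    }
} finally { $ldap.Dispose() }
```

The simple bind is used deliberately so that a wrong password fails at `Bind()` rather than being masked by the logged-on user's Kerberos ticket; a `Negotiate` bind would test the connection but not the stored credentials. If step 2 throws on `AuthenticateAsClient`, import the issuing CA into the web server's trusted root store (or fix the certificate's subject/SAN) before retrying Validate & Save.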

Step 3: Setting Up Synchronization Groups

Once you have added a domain, add the applicable synchronization groups. Users from these groups are available for login, subject to the synchronization settings, and the groups can also be used to assign permissions, roles, and sharing.

If the specific group does not exist, your Active Directory administrator can create it. If you create domain users manually or want to convert local users to domain users, see the corresponding sections below before setting the synchronization group.

To add groups:
  1. Click the Domain Name link on the Domains tab. The page for that domain appears.
  2. Click the Groups tab.
  3. Click the Edit link next to Synchronized Groups. The Synchronized Groups table at the top lists the groups currently selected for synchronization (those with selected check boxes). The Select Groups list and its search box show all the groups belonging to the domain.
  4. Type the name of the desired group in the Search domain for groups search text box or scroll down the list to find a group.
  5. Click the group. The users belonging to it appear in a list below, so you can preview a group's membership before selecting it.

Step 4: Adding or Removing Groups

  1. Select or clear the check box for a group in the Select Groups list to add it to, or remove it from, the domain's synchronization.
  2. To remove a group from synchronization entirely, rather than just clearing its check box (which keeps it available for later), click the Remove link next to the group name in the Synchronized Groups table.
  3. Click the Save button.
Enabled users count towards your Secret Server user licensing.
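Because enabled users count toward licensing, and the User status mirrors Active Directory option (Step 5) enables every account that is active in AD, it helps to know how many unique, enabled accounts the chosen groups resolve to before saving them, including members of nested groups and accounts that are enabled but dormant. The following PowerShell script is an added example, not Secret Server's code; it requires the RSAT ActiveDirectory module, and the group names and the 90-day staleness threshold are assumptions.

```powershell
# Added licence-planning check for Steps 3 and 4 (example code, not part of Secret Server).
# Requires the RSAT ActiveDirectory module. The group names are assumptions;
# replace them with the groups you intend to synchronize.
Import-Module ActiveDirectory

$SyncGroups = @('SecretServer-Users', 'SecretServer-Admins')   # assumed
$StaleDays  = 90                                                # assumed threshold

$seen = @{}   # keyed by SID so a user in several sync groups is counted once
foreach ($g in $SyncGroups) {
    # -Recursive expands nested groups and returns only the leaf members,
    # which is what a synchronization of that group ends up creating.
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $sid = $_.SID.Value
            if (-not $seen.ContainsKey($sid)) {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate
                $seen[$sid] = [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Enabled        = $u.Enabled
                    LastLogonDate  = $u.LastLogonDate   # $null means never logged on
                    Groups         = @($g)
                }
            } else {
                $seen[$sid].Groups += $g
            }
        }
}

$users    = @($seen.Values)
$enabled  = @($users | Where-Object Enabled).Count
$disabled = @($users | Where-Object { -not $_.Enabled }).Count
"{0} unique accounts across {1} groups: {2} enabled (each consumes a licence in mirror mode), {3} disabled" -f $users.Count, $SyncGroups.Count, $enabled, $disabled

# Accounts that are enabled in AD but dormant would still be enabled by
# 'User status mirrors Active Directory' and consume a licence. A $null
# LastLogonDate compares as earlier than any date, so never-used accounts are listed too.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$users | Where-Object { $_.Enabled -and $_.LastLogonDate -lt $cutoff } |
    Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, @{ n = 'Groups'; e = { $_.Groups -join ', ' } } -AutoSize
```

If the stale list is long, either trim the AD groups before synchronizing or start with Users are disabled by default (Manual), as Step 5 recommends, and enable accounts individually.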

Step 5: Enabling Active Directory Synchronization

Two safeguards are built into the synchronization process to prevent the system from erroneously disabling users as a result of receiving incomplete information from the directory server. If communication with a directory server returns an error, then no membership changes are made to users from that directory. Similarly, if communication with a directory server returns zero users, no membership changes are made to users from that directory.
  1. Return to the Directory Services page.

  2. Click the Configuration tab.

  3. Click to select the Enable User Synchronization check box. Additional settings appear.

  4. Choose how often you want Secret Server to sync with AD by configuring the Synchronization Interval. The default value is one day.

  5. Click the User Account Options dropdown list to select a default status for synchronized users. We recommend Users are disabled by default (Manual) for initial testing, so that no account gains access until you enable it deliberately. The options are:

    • Users are enabled by default (Manual): Secret Server users are automatically enabled when they are synced as new users from AD. If they were disabled explicitly in Secret Server, they are not automatically re-enabled. If creating a new user would cause the user count to exceed your license limit, the user is created disabled.

    • Users are disabled by default (Manual): Secret Server users are automatically disabled when they are pulled in as new users from AD. If they were enabled explicitly in Secret Server, they are not automatically re-disabled.

    • User status mirrors Active Directory (Automatic): When new users are pulled in from AD, they are automatically enabled if active on the domain. The exception is when this will cause you to exceed your license count. For existing users, they are automatically disabled if they are removed from all synchronization groups, deleted in AD, or disabled in AD. They are automatically re-enabled when they are part of a synchronization group and are active in AD. See Understanding Active Directory Automatic User Management.

  6. Change the Days to Keep Operational Logs text box to set how long Secret Server keeps AD-related operational logs, which might contain PII. Logs older than that number of days are deleted automatically.

  7. Click the Save button.

Step 6: Running Active Directory Synchronization

From the Directory Services page, click the Sync Now button to run a sync. As the sync progresses, you can click the Refresh button to monitor the logs until you see the message Completed Domain synchronization for all domains.