Managing Domain Users

Configuring Active Directory Sync

Secret Server can integrate with Active Directory, allowing users to log in to Secret Server with their Active Directory credentials. For Common Criteria compliance, the Active Directory integration relies on the LDAPv3 protocol (RFC 2251), which is not configurable by users.

To set up Active Directory in Secret Server, you will need to:

  1. Create a Sync Secret

  2. Specify the domain to authenticate against

  3. Configure TLS with Active Directory

  4. Turn on Active Directory Sync

Secret Server relies on a primary “Sync” secret to connect to the LDAPv3 server in Active Directory. Once a connection has been made to Active Directory through this secret, Secret Server needs to know which domain within Active Directory to authenticate against, and within that domain, which specific Active Directory group(s) to synchronize with. The Active Directory Sync in Secret Server populates Secret Server user accounts from the account information held in Active Directory.

Secret Server will categorize users according to group information from Active Directory, but Secret Server does not create, delete, or alter Active Directory Group Policies.

Create a Sync Secret

Before synchronizing users, you must first create a secret to be used as the Sync Secret. This secret should contain Domain Admin credentials (or an account with appropriate permissions for Read Access to all your organization’s AD objects).

From Secret Server’s dashboard you can create this secret through the Create Secret Widget.

  1. Click Create secret, select Active Directory Account from the Choose a secret template dropdown list.

  2. Add a Secret Name and provide the Domain Name, Username, and Password for the Sync Secret that will be able to access Active Directory with Admin credentials. Save.

Specify the Domain & Enable Active Directory Integration

Specify which domains Secret Server will be able to authenticate against. Secret Server can synchronize with any number of domains.

  1. Once logged into Secret Server, navigate to Admin > Directory services.

  2. Under the Configuration tab, in the Directory services section, click Edit. Check Enable Directory Services and click Save.

  3. Under the Configuration tab, in the User Synchronization section click Edit. Check to select Enable User Synchronization and specify the following:

    • Synchronization Interval: How often the synchronization runs, in days, hours, and minutes.

    • User Account Options: Select User status mirrors Active Directory (Automatic) from the drop-down. This allows Secret Server to mirror any changes made to Active Directory automatically.

    • Automatic User Management: Enabling this option will disable inactive users after a specified number of months.

    • Days to Keep Operational Logs: Logs older than this value are removed from the system. This value is typically not modified.

    • Click Save.

  4. Under the Domains tab click Add domain and select Active Directory domain from the dropdown.

    • Provide the Fully Qualified Domain Name.

    • Provide a Friendly Name.

    • Ensure that the box next to Active is checked.

    • Select your Synchronization secret by clicking No Selected Secret and searching for the secret created earlier.

    • Select the related Site, the container in which heartbeat, RPC, and other secret activities occur.

    • Click Validate & save.

The Active Directory Sync Secret is used to synchronize users and groups, so it requires permission to search and view the attributes of those users and groups. If you plan on using Discovery (NOTE: Discovery is not under Common Criteria’s scope), the account will also need permissions to scan computers on the network for accounts.

Configuring TLS with Active Directory

To ensure that TLS is configured with Active Directory:

  • From Admin > Directory services, under the Domains tab, click Add domain and select Active Directory domain from the dropdown (continuing from the previous section). After entering the requested information, check the Use LDAPS box to enable TLS. Click Validate & save to save this domain.

If the TLS connection to Active Directory fails, the user is notified and the failure is logged. Secret Server does not automatically retry the TLS connection, but it will try again the next time a user attempts to connect to AD.

More information on setting up Active Directory with LDAPS can be found at

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/
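An added example (not Secret Server's or Microsoft's code) that exercises an LDAPS endpoint the way the Use LDAPS setting relies on it: it opens a TLS session to port 636 with full chain and hostname verification, sends a minimal LDAPv3 simple bind (RFC 2251, the protocol named above) and reads the server's result code. The host, account name and CA file are assumptions; a certificate verification error from this check is the usual cause of the TLS failure described above.

```python
import socket
import ssl

def ber_len(n):                      # BER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    size = max(1, (value.bit_length() + 8) // 8)          # two's-complement width
    return ber(0x02, value.to_bytes(size, "big", signed=True))

def ldap_simple_bind(message_id, name, password):
    """LDAPv3 BindRequest with simple auth (RFC 2251 4.2). The password is cleartext
    inside this message, which is why it must only ever travel inside TLS (LDAPS)."""
    op = ber(0x60, ber_int(3) + ber(0x04, name.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(message_id) + op)            # LDAPMessage { id, BindRequest }

def ber_read(buf, pos=0):            # decode one TLV at pos -> (tag, payload, next pos)
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_bind_result(msg):
    """Return the resultCode of a BindResponse (0 success, 49 invalidCredentials)."""
    tag, body, _ = ber_read(msg)
    _, _, pos = ber_read(body)                            # messageID, not needed here
    op_tag, op, _ = ber_read(body, pos)
    if tag != 0x30 or op_tag != 0x61:                     # [APPLICATION 1] BindResponse
        raise ValueError("not an LDAP BindResponse")
    code_tag, code, _ = ber_read(op)
    if code_tag != 0x0A:                                  # ENUMERATED resultCode
        raise ValueError("malformed BindResponse")
    return int.from_bytes(code, "big")

def ldaps_bind_result(host, name, password, cafile=None):
    """Connect to host:636 verifying chain and hostname (an untrusted or mismatched DC
    certificate raises ssl.SSLCertVerificationError), bind, and return the resultCode."""
    ctx = ssl.create_default_context(cafile=cafile)      # host must be the DC's FQDN
    with socket.create_connection((host, 636), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(ldap_simple_bind(1, name, password))
            return parse_bind_result(tls.recv(4096))
```

Call `ldaps_bind_result("dc01.example.com", "svc-sync@example.com", password)` from the Secret Server host (or a distributed engine) so the check uses the same trust store; a result code of 0 confirms both the certificate trust and the sync account's credentials.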

Managing Domain Credentials

Updating Domain Credentials

Updating Active Directory (AD) credentials and passwords happens directly in Active Directory, and the changes sync to Secret Server according to a schedule. You can synchronize your Active Directory accounts at any time by navigating to Admin > Directory services and clicking the Sync now button. You cannot add or edit Active Directory credentials through Secret Server directly.

When a user logs into Secret Server using Active Directory credentials or uses an AD account to launch a session, the credentials are sent to the Domain Controller in real time for authentication verification. Therefore, if an AD user account has been updated or removed, changes will be reflected immediately in Secret Server.

Failed Domain Authentication

If the connection between Secret Server and the AD domain breaks, domain users will fail to authenticate to Secret Server until the connection is re-established. Secret Server logs all failed authentication attempts by users.

To find these audit logs, navigate to Admin > Users, select a user, and open the Audit tab.