Install and configure the Active Directory Connector

To connect the Active Directory Connector to your Password Boss account, you will need the following:

System Requirements 

  • Windows Server 2012 R2 SP1 or later.
  • .NET Framework 4.6.1 or later
  • RAM: 512MB
  • Disk space: 100MB
  • Outbound TCP Port 443 from the server running the Active Directory Connector to api.passwordboss.com

Service Account

  • You will need the credentials for a service account in your Active Directory (AD) that will run the Active Directory Connector.  The service account will need admin privileges for the server running the Active Directory Connector. 

     

    • If the Active Directory Connector is installed on a domain controller, add your service account to the domain admins group.
    • If the Active Directory Connector will be installed on a member server, add the service account to the server's local administrator group.
    • You will also need to grant your service account permissions to see deleted users
    • See this article for instructions on creating a service account. 
  • If the Active Directory Connector is installed on a domain controller in a single domain AD you can also use the localsystem account to run the Active directory Connector.

Create an AD Group to synchronize to Password Boss

The Active Director Connector uses an AD security group to determine which users to synchronize to Password Boss.  The best practice is to create a new security group in your AD and place all of your Password Boss users in the group.  This method makes it easy to administer which users are sent to Password Boss.

User account requirements

The following attributes must be present on each user account to be synchronized to Password Boss:

  • First name
  • Last name
  • Email address.  This must be a valid, routable email address where the user can receive emails

DZM Installation Requirements

If you will be installing the Active Directory Connector in a DMZ the following ports will need to be open between the DMZ server and your domain controller:

  • TCP/UDP 53 - DNS
  • TCP/UDP 88 - Kerberos authentication
  • TCP/UDP 289 - LDAP

Additional port information can be found in this Microsoft article.

Enabling the Active Directory Connector on your account

  1. The first thing you need to do is to enable the Active Directory Connector on your account.  This is done from the Password Boss Portal. Login to the portal as an admin user and go to Account Settings->Active Directory.
  2. Click Configure AD Connector
  3. Copy the authentication token. You will need to enter this on the server running the Active Directory connector.
  4. Click Next to move to the Sync Rules tab.
  5. The Sync Rules are used to configure how changes from your Active Directory are processed in Password Boss. In most cases the default settings are recommended.  More information on the sync rules can be found at the bottom of this article.
  6. Click OK to save your settings.
  7. Your Password Boss account is now ready to start receiving user data from your Active Directory.

Installing the Active Directory Connector on your server

  1. Download the installer from the Active Directory page of the Password Boss portal.
  2. Login as an administrator on the server where the Active Directory connector will be installed.
  3. Run the installer
  4. Click the Install button to accept the license agreement start the installer.
  5. Change the installation folder if necessary and click Continue.

Configuring the Active Directory Connector

Directory-setup.png

  1. Open the Password Boss Active Directory Connector application.
  2. From the Directory Setup tab enter the credentials for the service account you will be using and select which domain(s) contain your user accounts. If the list of domain is empty it means that the service account your are using does not have the correct permissions into AD.
  3. On the Authentication tab enter the authentication token you received when you enabled the Active Directory Connector on the portal, and click Save.
  4. From the tab click the Edit button to select the the AD group that contains the the user accounts you will be syncing to Password Boss.  We strongly recommend making a dedicated AD group for this.
  5. Users are now being synchronized to Password Boss.  The following step for Group synchronization is optional.
  6. On the Groups tab you have the option to synchronize AD groups to Password Boss. See the additional information at the bottom of this article on group synchronization.

Understanding the sync process

When a user account is sent to Password Boss, the account will go through the following stages:

Creating account - this means the user information has been received by Password Boss and the account is in the process of being created.  This process generally takes just a few seconds per account.

Active - After a user account has been created, the account will show as Active in the portal.  At this point an email is sent to the user with a temporary password that they can use to login to their account. When the user logs in the first time they will also receive a verification code via email that they will need to enter into the application on their computer or mobile device. When the verification code is accepted the user will then be required to change their master password.

Pending approval - This status can occur for one of 2 reasons. 

  1. In the sync rules of the AD connector on the portal, you selected to create pending accounts in Password Boss that must be manually approved.
  2. You have synchronized more users to Password Boss than you have purchased.  You will need to either remove some user from your Password Boss account or purchase additional licenses.

Disabled - When a user account is removed from sync, either from deleting the user in AD, or by removing the user from the group that is synchronizing users to Password Boss, the default action is to disable the user account in Password Boss.

Sync Rules

Sync Rules determine how changes made in AD are reflected in Password Boss.  The Sync rules are configured from the the Password Boss Portal by editing your Active Directory Connector.

sync-rules.png

1. When a new user account is sync'd from Active Directory to Password Boss

  • Create a user account in Password Boss. This is the recommended setting and will work best for most businesses.
  • Create a pending user account in Password Boss that an admin must approve. When this setting is chosen the new accounts will remain in a pending status until an admin manually approves the accounts in the Password Boss Portal.

2. When a user account is deleted in Active directory

  • Disable the user account in Password Boss. This is the recommended setting and will work for most businesses. Note: there is no way to automatically delete accounts in Password Boss from the Active Directory connector.  This is a safety mechanism to avoid accidentally deleting Password Boss accounts if an error is made in AD.
  • Remove the user from your account and convert the user to a personal account. This setting will generally only be useful for businesses where users use their personal email addresses for their Password Boss accounts.

3. When a user account is disabled in Active Directory

  • Disable the user account in Password Boss. This is the recommended setting and will work for most businesses.
  • Remove the user from your account and convert the user to a personal account. This setting will generally only be useful for businesses where users use their personal email addresses for their Password Boss accounts.

4. When an Active Directory account is removed from syncing to Password Boss

  • Disable the user account in Password Boss. This is the recommended setting and will work for most businesses.
  • Remove the user from your account and convert the user to a personal account. This setting will generally only be useful for businesses where users use their personal email addresses for their Password Boss accounts.

Group synchronization

Groups in Password Boss are used by your users when they share passwords in the Password Boss app. If you have groups created in AD that will be useful for your users to use when they are sharing passwords, then enabling Group synchronization in the Active Directory Connector will allow you to administer groups in AD and have changes synchronized to Password Boss.

When Group synchronization is enabled, what happens is that the users who you have configured to synchronize to Password Boss (Users tab in the Active Directory Connector) will also have groups attached to their accounts in Password Boss.

Enabling Group synchronization does not add any additional users to your account in Password Boss.  The only user who will synchronize to Password Boss are the users who are in the group listed on the Users tab of the Active Directory Connector on your Windows Server.

For example if you have the following users and groups:

  • AD Users = User1, User2, User3, User4, User5
  • Group = "Password Boss Users" - User1, User2, User3
  • Group = "Marketing" - User1
  • Group = "HR" - User2, User4
  • Group = "Finance" - User3, User5

This is how the users and groups will be synchronized to Password Boss

  1. On the Users tab of the Active Directory Connector the group "Password Boss Users" is selected
  2. On the Groups tab of the Active Directory Connector "Marketing" and "HR" are selected
  3. The following users will synchronize to Password Boss: User1, User2, User3
  4. The following Groups will synchronize to Password Boss: "Marketing", "HR"
  5. In Password Boss the "Marketing" group will contain: User1
  6. In Password Boss the "HR" group will contain: User2. User4 is not synchronized since User4 is not in the group "Password Boss Users"
  7. In Password Boss the "Finance" group is not synchronized since the group is not selected on the Groups tab of the Active Directory Connector.

 

 

Was this article helpful?