This article provides the steps for setting up SDO Authentication to work with your External or On-Premise Active Directory.  Once configured, your users will be able to log into the local Active Directory by authenticating the connection through the SDO app on their mobile devices instead of entering a traditional password.


Before you Begin


Setting up SDO Authentication for External AD in the Control Panel will change the directory that SDO uses to populate users in the Control Panel.  As a result of this, any users that are already listed in the Control Panel, as well as any SDO services they have enabled, will be removed immediately once the Control Panel has been linked to your External AD.


If you plan on enabling SDO Authentication for External Active Directory, we highly recommend you configure it first before setting up SDO for any other services in the Control Panel. This will prevent complications from having two separate directories associated with your services in SDO.


Prerequisites

Prior to enabling and configuring the SDO External AD Service, you will need to collect some information from the external Active Directory environment.  You will also need to enable LDAP over SSL (LDAPS) on your domain controller, and install a certificate to secure the SSL connection.


Setting up LDAP over SSL


Enabling a secure LDAP connection to import your users for Authentication requires the installation of an SSL Certificate.  This can be done using either a Self-Signed certificate, or with the use of a certificate from a third-party Certificate Authority.  The following article provides guidance for each option:


Setting up Secure LDAP for External AD Authentication


Firewall Settings


If your LDAPS host is protected behind a firewall, the following IP Address should be whitelisted on port 636 in the firewall to allow connections from SDO to LDAP for authentication:


64.151.95.177 using TCP on port 636
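The article's whitelist requirement stated as a host-firewall rule. This is an added example, not configuration from the SDO article or vendor; it assumes the Windows Defender Firewall is active on the domain controller and that the session is elevated. The source address and port are the ones the article gives; the rule name is an assumed label.

```powershell
# Added example (not from the SDO article): scope inbound LDAPS on the domain
# controller to the single SDO address the article lists.
# Assumes Windows Defender Firewall on the DC and an elevated session.
$sdoAddress = '64.151.95.177'   # address given in the article
$ldapsPort  = 636               # port given in the article

# Confirm something is listening on 636 before opening the port at all.
$listening = Get-NetTCPConnection -LocalPort $ldapsPort -State Listen -ErrorAction SilentlyContinue
if (-not $listening) {
    Write-Warning "Nothing is listening on TCP $ldapsPort; enable LDAPS before allowing the port."
}

# Allow rule limited to one remote address, one protocol, one local port, inbound only.
$ruleName = 'SDO LDAPS inbound (assumed rule name)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ldapsPort `
        -RemoteAddress $sdoAddress -Action Allow | Out-Null
}

# Read the rule back and show its effective scope: remote address should be
# exactly the SDO address and the port exactly 636, nothing broader.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
$port = ($rule | Get-NetFirewallPortFilter).LocalPort
'{0}: remote={1} port={2} enabled={3}' -f $rule.DisplayName, $addr, $port, $rule.Enabled
```

The same scope (source 64.151.95.177, TCP 636) is what a perimeter firewall rule should carry; the read-back at the end is the check that the rule did not end up as "any remote address".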


Required Directory Information

The following information will need to be collected from the external AD environment:


  • User DN: The Distinguished Name of the administrative user account that will allow access to import content from the external directory. The User DN can be obtained by running a dsquery user search in an administrative command prompt or PowerShell session on the domain.  An example User DN could appear as follows:
CN=ExternalAdmin,CN=Users,DC=ForeignAD01,DC=Com


  • User DN Password: The password for the administrative user account.


  • NETBIOS Domain Name: The NetBIOS name of the domain. This can typically be found within the Active Directory Users and Computers configuration tool by right-clicking the domain and selecting Properties. The NetBIOS name will be listed in the "Pre-Windows 2000" field. An example NetBIOS name could appear as follows:
ExternalDC01


  • Base DN: The Distinguished Name of the directory containing the users who will authenticate via SDO.  If only a specific set of users will be configured to authenticate via SDO, they should be placed into a specific OU and the DN of that OU should be provided here. An example Base DN could appear as follows:
OU=SDOAuthOU,DC=ForeignAD01,DC=Com


  • Host Name/URL: The URL of the public LDAPS directory server.  This would be the Fully Qualified Domain Name (FQDN) of the Domain Controller, which should also match the Subject Name of the certificate installed on the LDAPS server. An example Host Name/URL could appear as follows:
ExternalDC01.ForeignAD01.Com


  • Base-64 Encoded Certificate: The LDAPS certificate that was either Self-Signed via the Certification Authority installed on your domain, or that was provided by your third-party Certificate Authority. The certificate should be saved locally as either a .cer or .pem file.
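The collection steps above, as one script. This is an added example and not part of the SDO article or the vendor's tooling; it assumes a domain-joined machine with the RSAT ActiveDirectory module, and the account name 'ExternalAdmin' and OU name 'SDOAuthOU' are constructed placeholders matching the article's samples. The User DN Password is not gathered here; it is entered by hand. Beyond listing the values, the script opens a TLS session to port 636, checks that the certificate's DNS name matches the host name the article says it must match, and writes the certificate out as a Base-64 .cer file.

```powershell
# Added example (not from the SDO article): gather the directory values the
# article asks for and export the LDAPS certificate as a Base-64 .cer file.
# Assumes RSAT's ActiveDirectory module and a domain-joined, elevated session.
Import-Module ActiveDirectory

$serviceAccount = 'ExternalAdmin'   # assumption: the account SDO will bind with
$sdoOuName      = 'SDOAuthOU'       # assumption: the OU holding SDO users

# User DN: the same value "dsquery user -samid ExternalAdmin" prints.
$userDn = (Get-ADUser -Identity $serviceAccount).DistinguishedName

# NETBIOS Domain Name: the "Pre-Windows 2000" name from the domain properties.
$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Base DN: the DN of the OU, falling back to the domain root if the OU is absent.
$ou     = Get-ADOrganizationalUnit -Filter "Name -eq '$sdoOuName'"
$baseDn = if ($ou) { $ou.DistinguishedName } else { $domain.DistinguishedName }

# Host Name/URL: FQDN of a domain controller; must match the certificate subject.
$hostFqdn = [string](Get-ADDomainController -Discover).HostName

# Open a TLS session on 636 and keep the server certificate plus any policy errors.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:tlsErrors = $errors
    $true   # accept only so the certificate can be inspected; errors are reported below
}
$tcp = New-Object System.Net.Sockets.TcpClient($hostFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($hostFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# The article requires the certificate's Subject Name to match the Host Name/URL.
$certDns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certDns -ne $hostFqdn) {
    Write-Warning "Certificate name '$certDns' does not match host '$hostFqdn'"
}
if ($script:tlsErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "TLS validation errors seen from this client: $script:tlsErrors"
}

# Base-64 Encoded Certificate: PEM-style .cer, DER body base64-encoded with line breaks.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, 'InsertLineBreaks')
$cerPath = ".\$hostFqdn.cer"
@('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----') |
    Set-Content -Path $cerPath -Encoding Ascii

# Everything the Control Panel form asks for, except the password.
[pscustomobject]@{
    UserDn      = $userDn
    NetBiosName = $netbios
    BaseDn      = $baseDn
    HostName    = $hostFqdn
    Certificate = (Resolve-Path $cerPath).Path
    Thumbprint  = $cert.Thumbprint
}
```

A mismatch warning from the name check means the Control Panel will be pointed at a host name the certificate does not cover; a policy-error warning on a self-signed certificate is expected from a client that does not trust the issuing CA, and the exported .cer is what the Control Panel form uses to trust it.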

Enabling SDO Authentication for External AD


  1. In the Control Panel, click on My Services from the left-hand menu.
  2. Click on the Secret Double Octopus vendor band to expand it.
  3. Click the Active External Active Directory cloud icon.
  4. Enter the User DN, User DN Password, NETBIOS Domain Name, Base DN, and Host Name/URL information as described in the previous section.
  5. Drag-and-drop the LDAPS certificate from your computer to the designated box, or click on the box to browse your computer for the certificate.
  6. Click the Confirm button.
  7. The User Licenses tab will clear as the Control Panel switches directories to your External AD. Wait a few minutes, and then click the Refresh User Data button to populate the User Licenses tab with the users from your External directory. Please note that you may need to click the Refresh User Data button a few times for it to finish populating.