Use the User management tool to define credentials for Active Directory groups that will have console access. These credentials only need to let Endpoint Manager enumerate the directory. You'll need to provide credentials for each Active Directory containing users you want to have console access. The authentications you provide determine which user groups you can select from to assign console group permissions.
Console authentication is based on Windows local or Active Directory group membership. When an Ivanti administrator assigns group permissions to a local or Active Directory group, users who are members of that group can log into the Windows or Web consoles and share the permissions assigned to that group.
You should be aware of the following issues when managing Active Directories for use with Endpoint Manager:
Active Directory is fully integrated with DNS and TCP/IP (DNS) is required. To be fully functional, the DNS server must support SRV resource records or service records.
Using Active Directory to add a user to a group being used in the console will not enable the user to log in to the console even though the user has Endpoint Manager permissions assigned. In order to log in to the console, a user must belong to the core server's local LANDESK groups. For more information, see Adding Endpoint Manager console users.
In order for Active Directories to work properly with role-based administration, you need to configure the COM+ server credentials on the core server. This enables the core server to use an account in one of the core server's local LANDESK groups that has the necessary permissions to enumerate Windows domain members, such as the administrator account. For instructions on how to perform the configuration, see Configuring COM+ server credentials.
If the account password for an authentication changes, you will have to log into the console and change the password in the authentication dialog box to the new password. You can do this by logging in as a local group. Users are authenticated when they log in, so any existing session will continue to work. Users in the domain that has had the password changed won't be allowed to log in until the password change has been corrected in the Users tool.
The following rules apply to when using Active Directory with RBA:
- If a user is a member of an Active Directory group, the user inherits the RBA rights for that group.
- If a user is a member of an Active Directory group, which is a member of a higher level group, the user inherits the RBA rights of the upper level group.
- Groups can be nested and inherit the appropriate rights according to the usual Active Directory rules.
- In the User management tool (Tools > Administration > User management), right-click Users and groups and click New Active Directory source.
- In the Active Directory source dialog box, enter credentials that give access to the Active Directory.
- Click OK.
A utility called Resolveusergroups.exe runs periodically (every 20 minutes) to refresh the list of Ivanti® Endpoint Manager console users.
Once the user list is resolved, it is placed in cache and used until Resolveusergroups.exe runs again. In some Active Directory environments, if the TTL values are too small, some of the resolved user accounts may have crossed the TTL threshold before all of the accounts are resolved. This causes the cache to be refreshed again and again, and the console loads very slowly.
If this happens in your environment, change the default TTL settings for Resolveusergroups.exe. You can run Resolveusergroups.exe /? to see its usage. The TTL values are in seconds. This is a specific example that sets the TTL values to the maximum:
Resolveusergroups.exe /verbose /TTL 600 /LDTTL 60
Any changes to the TTL values are written to the KeyValue table in the database (GroupResolutionTTL and LocalLDGroupResolutionTTL), so they are persistent.