You are here: Web User Interface > Using the Interface > Security > Active Directory > Creating an Active Directory Server Connection

Creating an Active Directory Server Connection

  1. On the Active Directory page, click Add. The Create New Server Connection page opens. Complete the fields:
  2. Name: Provide a name for the connection.

    Host: The host name of the Active Directory server.

    Note: If Authentication Method (below) is SASL, and Host is an IP address, you must also specify a Realm.

    Port: The port that is used to communicate with the Active Directory server. Most common Windows domain configurations use port 389 or 636.

    Domain Search User: The distinguished name of the Active Directory account, in the format DOMAIN\USERNAME.

    Domain Search Password: The password of the Active Directory account.

    Search Bases: (Optional) Specify the distinguished name of a section (sub-tree) of the Active Directory that is accessible to the connection. Any sections not specified are not accessible. If not specified, the entire directory is accessible.

    Synchronization Enabled: When checked, relationships between users and groups in FME Server are synchronized with the Active Directory at specified intervals. For example, consider User_1 who belongs to Group_1 in FME Server because of a corresponding relationship in Active Directory. If that relationship is subsequently broken in Active Directory, the relationship between User_1 and Group_1 will break in FME Server after the next synchronization interval.

    • Synchronization Interval: Specify the desired frequency of synchronization.

    Encryption Method: The encryption method to use when authenticating with Active Directory.

    Authentication Method: Specify the method of authenticating with Active Directory:

    • Basic: SASL authentication is not enabled.
    • SASL: Enables simple authentication and security level (SASL).
      • SASL Mechanism:
        • GSSAPI: Kerberos V5 authentication
        • GSS-SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
        • EXTERNAL: Context-implicit authentication
        • DIGEST-MD5: MD5 message digest
      • Use Single Sign-On: If checked, allows users imported from this connection to auto-connect to FME Server with their Windows credentials.
      • Note: To use Single Sign-On, you must also update your Windows domain and web browser configurations. For more information, see Configuring Integrated Windows Authentication.

        • SSO Username: The name of the Windows Service Account to configure for single sign on, in the format USERNAME (do not specify DOMAIN).
        • SSO Password: The Windows service account password.
      • Key Distribution Center: (Optional) If SASL Mechanism is GSSAPI, specify the host name or IP address of the Kerberos key distribution centre (KDC). If not specified, the KDC is assumed to be located on the same server as the Active Directory domain controller.
      • Realm: If SASL Mechanism is GSSAPI or DIGEST-MD5, specify the authentication realm for Kerberos V5 or MD5 message digest authentication. In terms of Active Directory, the authentication realm is the domain name. Specify the capitalized version of the domain name, in its fully-qualified domain name (FQDN) form. For example, if the FQDN is domain.net, use DOMAIN.NET. If not specified, the authentication realm is assumed to be the domain name of the Active Directory Domain Controller.
      • Note: If Host is an IP address, you must specify a Realm.

    Username Attribute: (Optional) The Active Directory attribute to use for the names of the FME Server users who are imported from this connection. If not specified, the sAMAccountName attribute is used.

    Full Name Attribute: (Optional) The Active Directory attribute to use for the full names of the FME Server users who are imported from this connection. If not specified, the displayName attribute is used.

    Group Attribute: (Optional) The Active Directory group attribute to use for the names of the FME Server roles that are imported from this connection. If not specified, the sAMAccountName attribute is used.

    Email Attribute: (Optional) The Active Directory attribute to use for the e-mail addresses of the FME Server users who are imported from this connection. If not specified, the mail attribute is used.

  3. When finished, click OK.