Creating an Active Directory Server Connection
On the Active Directory page, click New. The Create New Server Connection page opens. Complete the fields below, then click OK.
When finished, proceed to Adding Users and Roles from an Active Directory Connection.
Create New Server Connection
Name
Provide a name for the connection.
Host
The host name of the Active Directory server.
Note: If Authentication Type (below) is SASL, and Host is an IP address, you must also specify a Realm.
To find the host name from AD Explorer:
- Select File > Connect..., and click OK, leaving all values blank.
- If AD Explorer successfully connects to Active Directory, the host name is printed in square brackets.
To find the host name from a domain computer:
- Open a command prompt (cmd.exe) via the Start menu.
- Type gpresult /r to display the policy information for the current user.
- The Active Directory server appears under 'Group Policy was applied from'.
Port
The port that is used to communicate with the Active Directory server. Most common Windows domain configurations use port 389 or 636.
Connection Encryption
The encryption method to use when authenticating with Active Directory.
- None: No encryption
- SSL/StartTLS: Communication with Active Directory is over secure sockets layer (SSL). If StartTLS is specified, SSL/TLS communication with Active Directory is initiated using the STARTTLS command.
Note: To use a certification authority (CA) certificate for SSL authentication, see Importing a CA Certificate for SSL Connections.
Search Account Name
A Windows Service Account to use for importing Active Directory users and groups into FME Server. This account requires read access to the domain controller.
Specify the account in any of the following formats:
Format | Syntax | Example
---|---|---
NT Login | DOMAIN\username | MYCOMPANY\User1
User Principal Name | username@domain.net | User1@MYCOMPANY.INTERNAL
Distinguished Name | CN=...,OU=...,DC=... | CN=User One,OU=Service Accounts,OU=My Company,DC=company,DC=internal
To find the account name from AD Explorer:
- Connect to the Active Directory.
- Browse for and select the entry representing the account.
- The service account name appears under the 'sAMAccountName' attribute.
Search Account Password
The password of the Active Directory account.
Authentication
Authentication Type:
Specify the method of authenticating with Active Directory:
- Basic: SASL authentication is not enabled.
- SASL: Enables Simple Authentication and Security Layer (SASL).
- SASL Mechanism:
  - GSSAPI: Kerberos V5 authentication
  - GSS-SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
  - EXTERNAL: Context-implicit authentication
  - DIGEST-MD5: MD5 message digest
Enable Single Sign-On
If checked, allows users imported from this connection to auto-connect to FME Server with their Windows credentials.
Note: To use Single Sign-On, you must also update your Windows domain and web browser configurations. For more information, see Configuring Integrated Windows Authentication.
- Service Account Name: The name of the Windows Service Account to configure for Single Sign-On, in the format USERNAME (do not specify DOMAIN).
  To find the account name from AD Explorer:
  - Connect to the Active Directory.
  - Browse for and select the entry representing the account.
  - The service account name appears under the 'sAMAccountName' attribute.
- Service Account Password: The Windows service account password.
Optional fields
Enable Synchronization
When checked, the connection synchronizes with the Active Directory at specified intervals. Information that synchronizes includes:
- Relationships between users and groups. For example, consider User_1 who belongs to Group_1 in FME Server because of a corresponding relationship in Active Directory. If that relationship is subsequently broken in Active Directory, the relationship between User_1 and Group_1 will break in FME Server after the next synchronization interval. Likewise, if an Active Directory user changes groups, that change will synchronize in FME Server.
- Name changes to user accounts in Active Directory.
Note: When synchronization occurs, FME Server ensures any Active Directory name change does not break the user's connection to FME Server. However, FME Server does not update the user's login name (Username) or display name (Full Name).
Note: If Enable Synchronization is not checked, you can still synchronize the connection manually after it is created. For more information, see To perform other tasks on Active Directory Connections.
- Synchronization Interval: Specify the desired frequency of synchronization.
KDC Host
If SASL Mechanism is GSSAPI, specify the host name or IP address of the Kerberos key distribution centre (KDC). If not specified, the KDC is assumed to be located on the same server as the Active Directory domain controller.
Realm
If SASL Mechanism is GSSAPI or DIGEST-MD5, specify the authentication realm for Kerberos V5 or MD5 message digest authentication. In terms of Active Directory, the authentication realm is the domain name. Specify the capitalized version of the domain name, in its fully-qualified domain name (FQDN) form. For example, if the FQDN is domain.net, use DOMAIN.NET. If not specified, the authentication realm is assumed to be the domain name of the Active Directory Domain Controller.
Note: If Host is an IP address, you must specify a Realm.
To find the FQDN from a domain computer:
- Open a command prompt (cmd.exe) via the Start menu.
- Do either of the following:
  - Type echo %USERDNSDOMAIN% to display the USERDNSDOMAIN environment variable. The FQDN is printed.
  - Type net config workstation to display the network settings for the computer. The FQDN appears under the 'Workstation Domain DNS Name' field.
OR:
- Open 'Active Directory Domains and Trusts' from the Start menu.
- In the console tree (left-hand column), the Windows domains are listed by their FQDNs.
Search Bases
Specify the distinguished name of a section (sub-tree) of the Active Directory that is accessible to the connection. Any sections not specified are not accessible. If not specified, the entire directory is accessible.
To find a distinguished name from AD Explorer:
- Connect to the Active Directory.
- Browse the directory to determine the location of all users and security groups to be provided access to FME Server.
- Select an entry to be used as the naming context.
- The distinguished name appears under the 'distinguishedName' attribute.
Alternate Servers
Enables FME Server to access Active Directory using alternate Host and Port combinations. This setting may be useful in either of these situations:
- Active Directory can be accessed from multiple, redundant servers. FME Server uses these servers to access Active Directory in a rotating manner, which distributes the load across them.
- If one Active Directory server is inaccessible, FME Server connects to one or more alternate servers.
To add a Host and Port combination, click +. To remove a Host and Port combination, click -.
Account Name Attribute
The Active Directory attribute to use for the names of the FME Server users who are imported from this connection. If not specified, the sAMAccountName attribute is used.
Full Name Attribute
The Active Directory attribute to use for the full names of the FME Server users who are imported from this connection. If not specified, the displayName attribute is used.
Group Name Attribute
The Active Directory group attribute to use for the names of the FME Server roles that are imported from this connection. If not specified, the sAMAccountName attribute is used.
Email Attribute
The Active Directory attribute to use for the email addresses of the FME Server users who are imported from this connection. If not specified, the mail attribute is used.
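The following is an added example, not FME Server code: a small pre-flight check that models the connection fields described above and encodes the rules this page states (a SASL connection whose Host is an IP address needs a Realm; the Search Account Name must be an NT Login, UPN or DN), plus two caveats a reviewer would raise on the weaker settings (unencrypted LDAP, DIGEST-MD5). The AdConnection class, its field names and the sample values are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the Create New Server Connection fields on this page; the
# checks encode the page's stated rules plus reviewer caveats on weak settings.
@dataclass
class AdConnection:
    host: str
    port: int = 389
    encryption: str = "None"             # "None", "SSL" or "StartTLS"
    auth_type: str = "Basic"             # "Basic" or "SASL"
    sasl_mechanism: Optional[str] = None # GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5
    realm: Optional[str] = None          # e.g. DOMAIN.NET (upper-case FQDN)
    search_account: str = ""

def is_ip(host: str) -> bool:
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def account_format(name: str) -> str:
    """Classify a Search Account Name as one of the table's three formats."""
    if re.fullmatch(r"[^\\@=,]+\\[^\\@=,]+", name):
        return "NT Login"
    if re.fullmatch(r"[^\\@=,]+@[^\\@=,]+", name):
        return "User Principal Name"
    if re.fullmatch(r"(?i)(cn|ou|dc)=[^,]+(,(cn|ou|dc)=[^,]+)*", name):
        return "Distinguished Name"
    return "Unknown"

def check(conn: AdConnection) -> List[str]:
    """ERROR = a rule the page states as required; WARN = a setting to question."""
    out = []
    mechs = ("GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5")
    if conn.auth_type == "SASL" and conn.sasl_mechanism not in mechs:
        out.append("ERROR: SASL needs one of " + ", ".join(mechs))
    if conn.auth_type == "SASL" and is_ip(conn.host) and not conn.realm:
        out.append("ERROR: SASL with an IP address Host requires a Realm")
    if conn.encryption == "None":
        out.append("WARN: no encryption; bind credentials cross the network in clear text")
    if (conn.encryption, conn.port) in (("SSL", 389), ("StartTLS", 636)):
        out.append("WARN: SSL (LDAPS) normally uses port 636, StartTLS port 389")
    if conn.sasl_mechanism == "DIGEST-MD5":
        out.append("WARN: DIGEST-MD5 is obsolete (RFC 6331); prefer GSSAPI")
    if account_format(conn.search_account) == "Unknown":
        out.append("ERROR: Search Account Name is not NT Login, UPN or DN")
    return out
```

Run check() on a proposed configuration before saving it; an empty list means the page's required fields are consistent and none of the flagged weak settings are in use.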
What's Next?
Proceed to Adding Users and Roles from an Active Directory Connection.