Venafi Trust Protection Platform (TPP) can integrate with Active Directory (AD) through the AD identity provider. This article describes the steps required to update the bind account that the AD identity provider uses.
For fuller information on Venafi TPP integration with Active Directory, see the following sections of the documentation that shipped with your version of Director:
Director Administration Guide => Managing User Directories => Managing AD User Directories => Creating the Active Directory Connection
Director Administration Guide => Managing User Directories => Managing AD User Directories => Modifying the Configuration for the Active Directory Connection
Updating the bind account information requires Remote Desktop access to the Director servers, and the process requires restarting services.
NOTE: Make sure you use a valid username and password when updating the Domain Account Credentials that Director uses to bind to Active Directory. Even though Director will validate the account at the end of the wizard, if bad credentials are provided, an error will be thrown but the wizard changes will still save. This will break the binding to Active Directory until the wizard is updated with working credentials.
The steps to update the bind account are:
1. Log into WinAdmin as a local master admin and go to the Identity tree. This can NOT be done in WebAdmin.
2. Select the identity provider under the Providers section. AD identity providers have the small Windows icon.
NOTE: The provider settings show the current bind account.
3. To update the bind account settings, click the “Active Directory Wizard…” button.
NOTE: Do not attempt to launch the Wizard through the Wizard menu as this would result in a new identity provider at the end of the process.
4. Once the Active Directory Identity Provider Wizard starts, click Next.
5. On the Active Directory Authentication Credentials screen, update the bind account information. Click Next.
6. On the Active Directory Fully Qualified Domain Name screen, DO NOT check “Discard existing results and begin new discovery” option. Click Next.
7. Keep clicking Next and complete the wizard.
NOTE: If the bind account is incorrect (bad password or username), the wizard will throw an error at the end.
8. Once the wizard has closed, leave the current WinAdmin window open so that it can be used in case there is a problem logging into the console.
9. Launch a second WinAdmin console and attempt to login with an AD user to ensure the identity provider works correctly. Move on to the next step only if this step is successful.
10. Restart services to reinitialize the provider with new settings:
- Stop Venafi Encryption Director service on all servers
- Stop IIS on all servers hosting WebAdmin or Aperture
- Stop Venafi LogServer service on all applicable servers
- Start Venafi LogServer service on all applicable servers
- Start IIS on all servers hosting WebAdmin or Aperture
- Start Venafi Encryption Director service on all servers
NOTE: Failure to complete the required restarts may result in SMTP channels not working correctly and AD users not being able to access the system.
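The restart sequence in step 10 is easy to get out of order when several servers are involved. The following PowerShell script is an added example, not part of the Venafi article, that performs the stops and starts in the documented order and confirms each service state before moving on. It assumes WinRM is enabled on every Director server, that the account running it is a local administrator on those hosts, and that the server names and the service display names below are placeholders to be confirmed with Get-Service on one host first.

```powershell
# Added example (not from the Venafi article). Server names are placeholders;
# confirm service display names on one host with Get-Service before running.
$DirectorServers = @('tpp01.corp.example', 'tpp02.corp.example')  # all Director servers
$WebServers      = @('tpp01.corp.example')                        # hosts WebAdmin / Aperture (IIS)
$LogServers      = @('tpp02.corp.example')                        # hosts Venafi LogServer

# Display names as shown in services.msc (assumed to match the article's wording).
$DirectorSvc = 'Venafi Encryption Director'
$LogSvc      = 'Venafi LogServer'

function Set-RemoteServiceState {
    param([string[]]$Computers, [string]$DisplayName,
          [ValidateSet('Stopped', 'Running')][string]$State)
    foreach ($c in $Computers) {
        Invoke-Command -ComputerName $c -ArgumentList $DisplayName, $State -ScriptBlock {
            param($Name, $Target)
            $svc = Get-Service -DisplayName $Name -ErrorAction Stop
            if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc -Force }
            else                       { Start-Service -InputObject $svc }
            # Block until the service reports the requested state (or time out after 2 minutes).
            $svc.WaitForStatus($Target, [TimeSpan]::FromMinutes(2))
            "{0}: '{1}' is {2}" -f $env:COMPUTERNAME, $Name, (Get-Service -DisplayName $Name).Status
        }
    }
}

function Set-RemoteIisState {
    param([string[]]$Computers, [ValidateSet('Stopped', 'Running')][string]$State)
    foreach ($c in $Computers) {
        Invoke-Command -ComputerName $c -ArgumentList $State -ScriptBlock {
            param($Target)
            # iisreset stops/starts the whole IIS stack; W3SVC is checked as the indicator.
            if ($Target -eq 'Stopped') { & iisreset /stop | Out-Null } else { & iisreset /start | Out-Null }
            (Get-Service W3SVC).WaitForStatus($Target, [TimeSpan]::FromMinutes(2))
            "{0}: IIS (W3SVC) is {1}" -f $env:COMPUTERNAME, (Get-Service W3SVC).Status
        }
    }
}

# Step 10 order: stop Director, then IIS, then LogServer; start them in reverse.
Set-RemoteServiceState -Computers $DirectorServers -DisplayName $DirectorSvc -State Stopped
Set-RemoteIisState     -Computers $WebServers      -State Stopped
Set-RemoteServiceState -Computers $LogServers      -DisplayName $LogSvc      -State Stopped
Set-RemoteServiceState -Computers $LogServers      -DisplayName $LogSvc      -State Running
Set-RemoteIisState     -Computers $WebServers      -State Running
Set-RemoteServiceState -Computers $DirectorServers -DisplayName $DirectorSvc -State Running
```

Run it only after step 9 has confirmed an AD login succeeds, since the restart commits the new provider settings on every node.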
11. Check that AD users can log in to WebAdmin and Aperture.