Applies To:
Venafi Versions up to 19.1
For versions 19.2 and above, the process moved to the Venafi Configuration Console:
https://support.venafi.com/hc/en-us/articles/360038544151
Summary:
Venafi Trust Protection Platform (TPP) can integrate with Active Directory (AD) through the AD identity provider. This article describes required steps to update the bind account that the AD identity provider uses.
More Info:
Updating the bind account information will require Remote Desktop access to the TPP servers. The process will require restarting of services.
NOTE: Make sure you use a valid username and password when updating the Domain Account Credentials that TPP uses to bind to Active Directory. Even though TPP will validate the account at the end of the wizard, if bad credentials are provided, an error will be thrown but the wizard changes will still save. This will break the binding to Active Directory until the wizard is updated with working credentials.
The steps to update the bind account are:
1. Stop ALL Venafi services before proceeding with the change:
- Stop Venafi Trust Protection Platform service on all servers
- Stop IIS on all servers hosting WebAdmin or Aperture
- Stop Venafi LogServer service on all applicable servers
2. Log into WinAdmin as a local master admin and go to Identity tree. This can NOT be done in WebAdmin. NOTE: When using Windows Authentication, this application will attempt to autmatically launch as the logged on user, and often will fail. Either log on as the Service account, OR execute the application as a different user and enter the Service Account
3. Select the identity provider under of Providers section. AD identity providers have the small Windows icon.
NOTE: The provider settings show the current bind account.
4. To update the bind account settings click the “Active Directory Wizard…” button.
NOTE: Do not attempt to launch the Wizard through the Wizard menu as this would result in a new identity provider at the end of the process.
5. Once the Active Directory Idenetity Provider Wizard starts, click Next.
6. On the Active Directory Authentication Credentials screen, update the bind account information. Click Next.
7. On the Active Directory Fully Qualified Domain Name screen, DO NOT check “Discard existing results and begin new discovery” option. Click Next.
8. Keep clicking Next and complete the wizard.
NOTE: If the bind account is incorrect (bad password or username), the wizard will throw an error at the end.
9. Once the wizard has closed, leave the current WinAdmin window open. So it can be used in case there is a problem logging into the console.
10. Launch a second WinAdmin console and attempt to login with an AD user to ensure the identity provider works correctly. Move on to the next step only if this step is successful.
11. Start back up the Venafi services to reinitialize the provider with new settings:
- Start Venafi LogServer service on all applicable servers
- Start IIS on all servers hosting WebAdmin or Aperture
- Start Venafi Trust Protection Platform service on all servers
NOTE: Failure to complete the required restarts may result in SMTP channels not working correctly and AD users not being able to access the system.
12. Check that AD users can login to WebAdmin and Aperture.
Comments