Venafi Trust Protection Platform (TPP) can integrate with Active Directory (AD) through the AD identity provider. This article describes the steps required to reconfigure the domain account (bind account) that the AD identity provider uses.
Updating the AD identity provider requires Remote Desktop access to the TPP servers, and the process requires restarting services.
NOTE: Make sure you use a valid username and password when updating the Domain Account Credentials that TPP uses to bind to Active Directory. TPP validates the account at the end of the wizard, but if bad credentials are provided the wizard throws an error and still saves the changes. This breaks the binding to Active Directory until the wizard is re-run with working credentials.
NOTE: Never DELETE an existing connector when creating a new one. If you are having problems with an existing connector, always leave it in place; deleting it removes ALL permissions associated with that connector. Nothing is saved, and those permissions cannot be retrieved.
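Because the wizard saves bad credentials even though it reports an error, it is worth confirming the bind account against a domain controller before typing it into the wizard. The following PowerShell check is an added example and is not part of the original article or a Venafi tool; the domain controller name, port, and account name are placeholders, and it assumes LDAPS (port 636) is reachable from the TPP server.

```powershell
# Added example (not from the Venafi article): test the AD bind account
# with a real LDAP bind before entering it in the Active Directory
# Identity Provider Wizard.
# Assumptions (hypothetical values): DC dc01.corp.example.com, LDAPS on 636,
# bind account entered as DOMAIN\user at the Get-Credential prompt.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdBindAccount {
    param(
        [Parameter(Mandatory)][string]$Server,            # DC or global catalog host
        [Parameter(Mandatory)][pscredential]$Credential,  # the TPP bind account
        [int]$Port = 636,                                 # 636 = LDAPS, 3269 = GC over TLS
        [switch]$PlainLdap                                # use for 389 without TLS (lab only)
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    if (-not $PlainLdap) { $conn.SessionOptions.SecureSocketLayer = $true }
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        # Bind() throws LdapException (result code 49) on a bad username or password
        $conn.Bind()
        # A RootDSE read proves the bound session can actually query the directory
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $null, '(objectClass=*)', 'Base', 'defaultNamingContext')
        $resp = $conn.SendRequest($req)
        [pscustomobject]@{
            Server               = $Server
            Bound                = $true
            DefaultNamingContext = $resp.Entries[0].Attributes['defaultNamingContext'][0]
        }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        [pscustomobject]@{ Server = $Server; Bound = $false; Error = $_.Exception.Message }
    }
    finally { $conn.Dispose() }
}

# Usage: prompt for the bind account and test it against one DC.
$cred = Get-Credential -Message 'TPP AD bind account (DOMAIN\user)'
Test-AdBindAccount -Server 'dc01.corp.example.com' -Credential $cred
```

Run this from a TPP server so the test uses the same network path and TLS trust the platform will use. Only proceed to the wizard when the result shows Bound = True; a result of Bound = False with an "invalid credentials" message is exactly the case the note above warns about, and entering that account would break the AD binding until it is corrected.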
The steps to update the bind account are:
1. Log into WinAdmin as a local master admin and go to the Identity tree. This can NOT be done in WebAdmin.
2. Select the identity provider under the Providers section. AD identity providers have the small Windows icon.
NOTE: The provider settings show the current bind account.
3. To update the bind account settings, click the “Active Directory Wizard…” button.
NOTE: Do not launch the wizard from the Wizard menu; doing so creates a new identity provider at the end of the process.
4. Once the Active Directory Identity Provider Wizard starts, click Next.
5. On the Active Directory Authentication Credentials screen, update the bind account information. Click Next.
6. On the Active Directory Fully Qualified Domain Name screen, change Concurrency to 10 to speed up discovery and check the “Discard existing results and begin new discovery” option. Click Next.
7. Select the required domains/forest, domain controllers, and global catalogs as needed and complete the wizard.
NOTE: If the bind account is incorrect (bad username or password), the wizard throws an error at the end.
8. Once the wizard has closed, leave the current WinAdmin window open so it can be used if there is a problem logging into the console.
9. Launch a second WinAdmin console and log in with an AD user to ensure the identity provider works correctly. Move on to the next step only if this login succeeds.
10. Restart services to reinitialize the provider with the new settings, in this order:
- Stop the Venafi Trust Protection Platform service on all servers
- Stop IIS on all servers hosting WebAdmin or Aperture
- Stop the Venafi LogServer service on all applicable servers
- Start the Venafi LogServer service on all applicable servers
- Start IIS on all servers hosting WebAdmin or Aperture
- Start the Venafi Trust Protection Platform service on all servers
NOTE: Failing to complete the required restarts may result in SMTP channels not working correctly and AD users being unable to access the system.
11. Check that AD users can log in to WebAdmin and Aperture.
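The restart sequence in step 10 has to be applied across every server in the same order, so it is easy to miss a host or start things in the wrong order when doing it by hand. The PowerShell script below is an added example of driving that sequence over PowerShell remoting from one administrative session; it is not a Venafi-supplied script. The server names are placeholders, the Windows service display names 'Venafi Trust Protection Platform' and 'Venafi Log Server' are assumptions to check against services.msc on your servers, and "stop IIS" is implemented as stopping the World Wide Web Publishing Service (W3SVC).

```powershell
# Added example (not from the Venafi article): the step 10 restart order,
# applied to every server over PowerShell remoting.
# Assumptions: placeholder host names below; service display names assumed
# to be 'Venafi Trust Protection Platform' and 'Venafi Log Server' (verify in
# services.msc); IIS is controlled through W3SVC.
$TppServers = @('tpp-app01.corp.example.com', 'tpp-app02.corp.example.com')
$WebServers = @('tpp-app01.corp.example.com')   # hosts WebAdmin / Aperture
$LogServers = @('tpp-app02.corp.example.com')   # runs the Log Server role

$TppServiceName = 'Venafi Trust Protection Platform'   # assumed display name
$LogServiceName = 'Venafi Log Server'                  # assumed display name
$IisServiceName = 'World Wide Web Publishing Service'  # W3SVC

function Set-RemoteService {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('Stop', 'Start')][string]$Action
    )
    foreach ($computer in $ComputerName) {
        Invoke-Command -ComputerName $computer -ArgumentList $DisplayName, $Action -ScriptBlock {
            param($dn, $act)
            # -ErrorAction Stop makes a missing/misnamed service abort loudly
            $svc = Get-Service -DisplayName $dn -ErrorAction Stop
            if ($act -eq 'Stop') { Stop-Service -InputObject $svc -Force }
            else                 { Start-Service -InputObject $svc }
            $target = if ($act -eq 'Stop') { 'Stopped' } else { 'Running' }
            # Block until the service really reaches the target state (or time out)
            $svc.WaitForStatus($target, [TimeSpan]::FromMinutes(3))
            $svc.Refresh()
            '{0}: {1} is {2}' -f $env:COMPUTERNAME, $dn, $svc.Status
        }
    }
}

# Stop order: TPP service -> IIS -> Log Server
Set-RemoteService -ComputerName $TppServers -DisplayName $TppServiceName -Action Stop
Set-RemoteService -ComputerName $WebServers -DisplayName $IisServiceName -Action Stop
Set-RemoteService -ComputerName $LogServers -DisplayName $LogServiceName -Action Stop

# Start order is the reverse: Log Server -> IIS -> TPP service
Set-RemoteService -ComputerName $LogServers -DisplayName $LogServiceName -Action Start
Set-RemoteService -ComputerName $WebServers -DisplayName $IisServiceName -Action Start
Set-RemoteService -ComputerName $TppServers -DisplayName $TppServiceName -Action Start
```

Each call waits for the service to report the target state before moving on, so a server that hangs on stop surfaces as a timeout exception rather than being silently skipped. Run it from the WinAdmin session you kept open in step 8, and follow it with the step 11 login check in WebAdmin and Aperture.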