Active Directory user account
An Active Directory account must be granted the rights that the SN SSO Agent needs: read access to the directory's event log (Event Viewer) and the right to log on as a service. This account has to be configured before the SSO agent is installed.
To do so, either create a dedicated account for the SSO agent with the required privileges, or grant those privileges to an existing user. Do not use the Administrator account of the AD domain: the agent's credentials are stored on the host that runs it, and a compromise of that host would then expose full domain administration rights.
If several domain controllers manage the domain, the account used by the SSO agent must be a dedicated domain account, because the privileges described hereafter must apply on every controller: only then can all events occurring on the domain be relayed. On a controller where the privileges are missing, the agent generates logs reporting that it was denied read access to the events.
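The following PowerShell is an added example, not a script from the Stormshield documentation: it creates a dedicated domain account, gives it event log read access on all domain controllers through the built-in Event Log Readers group, grants the "Log on as a service" right on the host that will run the agent, and then checks that the Security log of every controller is readable with that account. The account name, OU path and domain are assumptions; adapt them to your environment.

```powershell
# Added example (not from the Stormshield documentation): dedicated AD account
# for the SN SSO Agent with the two rights the page describes.
# Account name, OU path and domain below are assumptions.
# Run on a domain controller or on a host with RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

$Sam    = 'svc-sso-agent'                          # hypothetical account name
$Domain = 'corp.example'                           # hypothetical domain
$OU     = 'OU=Service Accounts,DC=corp,DC=example' # hypothetical OU

# 1. A dedicated account, not the domain Administrator.
$Password = Read-Host -Prompt "Password for $Sam" -AsSecureString
New-ADUser -Name $Sam -SamAccountName $Sam `
    -UserPrincipalName "$Sam@$Domain" -Path $OU `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'SN SSO Agent service account'

# 2. Read access to the event logs on every domain controller.
#    'Event Log Readers' is a built-in domain group, so one membership applies
#    on all DCs at once, which is what the multi-controller requirement needs.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Sam

# 3. 'Log on as a service' (SeServiceLogonRight) on the host that will run the
#    agent. User rights are per machine; this edits the local security policy
#    with secedit. For several hosts, deploy the same right through a GPO.
function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$AccountSid)
    $base = Join-Path $env:TEMP 'sso-secpol'
    $cfg  = "$base.inf"
    $db   = "$base.sdb"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = @(Get-Content $cfg)
    $key   = 'SeServiceLogonRight'
    $idx   = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -like "$key*") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # entry exists: append the SID unless it is already listed
        if ($lines[$idx] -notlike "*$AccountSid*") {
            $lines[$idx] = $lines[$idx] + ",*$AccountSid"
        }
    } else {
        # no entry yet: add one right after the [Privilege Rights] header
        $hdr   = [array]::IndexOf($lines, '[Privilege Rights]')
        $lines = $lines[0..$hdr] + "$key = *$AccountSid" + $lines[($hdr + 1)..($lines.Count - 1)]
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit expects UTF-16
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}
$sid = (Get-ADUser -Identity $Sam).SID.Value
Grant-ServiceLogonRight -AccountSid $sid

# 4. Check: the account reads the Security log of each DC without being a
#    domain administrator. A DENIED line points at a controller where the
#    rights are not effective yet.
$cred = New-Object System.Management.Automation.PSCredential("$Domain\$Sam", $Password)
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $ev = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 -Credential $cred
        "$dc : OK (latest event id $($ev.Id))"
    } catch {
        "$dc : DENIED - $($_.Exception.Message)"
    }
}
```

The remote check in step 4 also needs the "Remote Event Log Management" firewall rule group enabled on the controllers; if a controller answers with an RPC error rather than an access-denied error, that is the firewall, not the account rights.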
If you wish to use the registry-based disconnection detection method (see section Detecting disconnections), this account has to belong to the Administrators group of the Active Directory server or be defined as a local administrator on the monitored workstations. This method also requires a reverse lookup zone for the domain on the DNS server, so that changes of IP address (after a DHCP lease renewal, for example) can be detected. For further information, refer to the section Specific cases, Changing an IP address.
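The following PowerShell is an added example, not part of the Stormshield documentation: it prepares the two prerequisites of the registry-based method, a reverse lookup zone on an AD-integrated DNS server and local Administrators membership for the agent account on the monitored workstations, and checks that a workstation address resolves back to a name. The subnet, zone name, account and workstation names are assumptions.

```powershell
# Added example (not from the Stormshield documentation): prerequisites for
# the registry-based disconnection detection method.
# Subnet, zone name, account and workstation names below are assumptions.
Import-Module DnsServer          # run on the AD-integrated DNS server

$Subnet  = '10.0.10.0/24'                 # hypothetical workstation subnet
$Zone    = '10.0.10.in-addr.arpa'         # reverse zone matching $Subnet
$Account = 'CORP\svc-sso-agent'           # hypothetical agent account

# 1. Reverse lookup zone, so that IP -> name resolution follows DHCP renewals.
#    AD-integrated, secure dynamic updates only: domain members and the DHCP
#    server can register PTR records, unauthenticated hosts cannot.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Check: a workstation address has a PTR record. Returns the host name,
#    or $null when the address is not registered in the reverse zone.
function Test-ReverseLookup {
    param([Parameter(Mandatory)][string]$Ip)
    try {
        $r = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction Stop
        return ($r | Where-Object Type -eq 'PTR').NameHost
    } catch {
        return $null
    }
}
Test-ReverseLookup -Ip '10.0.10.25'

# 3. Local Administrators membership on each monitored workstation (needed
#    for remote registry access). Done remotely here; for a fleet, a
#    Restricted Groups or Group Policy Preferences setting has the same effect.
$Workstations = @('WS-001', 'WS-002')     # hypothetical workstation names
Invoke-Command -ComputerName $Workstations -ScriptBlock {
    param($Member)
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }
    '{0}: {1}' -f $env:COMPUTERNAME, ((Get-LocalGroupMember -Group 'Administrators').Name -join ', ')
} -ArgumentList $Account
```

An account that is a local administrator on every workstation is a valuable target for lateral movement, so if you choose this method, keep the account dedicated to the agent, deny it interactive and remote interactive logon, and rotate its password; otherwise prefer the other disconnection detection method described in the section Detecting disconnections.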