Configuring access to Active Directory

An account must be created in Active Directory that gives SN SSO Agent read access to the event logs of the domain controllers and the right to log on as a service. This account must be configured before SN SSO Agent is installed.

To do so, either create a dedicated service account for SN SSO Agent or grant the required permissions to an existing user. Do not use the Administrator account of the Active Directory domain: the agent only needs to read event logs, and running it under a domain administrator account means that a compromise of the agent host is a compromise of the domain.

NOTE
If several domain controllers manage the same domain, the account that SN SSO Agent uses must be a dedicated account belonging to the domain. The privileges described below must be granted on every domain controller so that all events occurring on the domain (the logs that report user logons) can be relayed; a domain controller on which the account cannot read the logs silently drops the logons it handles.

If you wish to use the registry database disconnection detection method, this account must either be a member of the Administrators group of the Active Directory server or be a local administrator on each monitored workstation. The second option is the narrower one: a local administrator of the workstations has no rights on the domain controllers, whereas an administrator of the directory server is effectively a domain administrator.

With this method, the reverse lookup zone of the domain must also be configured on the DNS server so that changes of IP address (for example, when a DHCP lease is renewed) can be detected. Refer to the section Changing an IP address in Specific cases for more information.
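The steps above, carried out and checked in PowerShell, as an added example that is not part of the original page or of Stormshield's own tooling. It creates the dedicated account, grants log read access on all domain controllers through the built-in Event Log Readers group, grants the log-on-as-a-service right on the host that will run the agent, then verifies that the account can read the Security log of every domain controller and that the reverse lookup zone resolves the monitored workstations. The account name, OU, domain name and IP addresses are assumptions; run it as a domain administrator on a domain member with the RSAT Active Directory module installed.

```powershell
# Added example, not Stormshield's own code: create a dedicated SN SSO Agent
# account, grant it exactly the rights described above, and verify them.
# Run as a domain administrator on a domain member with RSAT installed.
# The account name, OU, domain and sample IP addresses are assumptions.
Import-Module ActiveDirectory

$AgentUser = 'svc-snssoagent'                              # assumed name
$AgentOU   = 'OU=Service Accounts,DC=example,DC=local'     # assumed OU
$Domain    = 'example.local'                               # assumed domain
$Password  = Read-Host -AsSecureString 'Password for the SSO agent account'

# 1. A dedicated account rather than the domain Administrator account.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AgentUser'")) {
    New-ADUser -Name $AgentUser -SamAccountName $AgentUser -Path $AgentOU `
        -UserPrincipalName "$AgentUser@$Domain" -AccountPassword $Password `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# 2. Read access to the event logs on every domain controller at once: the
#    built-in 'Event Log Readers' group is domain-local, so one membership
#    covers all DCs instead of per-server ACL edits.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $AgentUser

# 3. 'Log on as a service' on the host that will run the agent. There is no
#    cmdlet for user rights; secedit exports the current assignment, the SID
#    is appended (never replace the list, or other services lose the right),
#    and the merged value is applied.
$Sid    = (Get-ADUser -Identity $AgentUser).SID.Value
$Export = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Line     = (Get-Content $Export) -match '^SeServiceLogonRight\s*='
$Existing = if ($Line) { ($Line[0] -split '=', 2)[1].Trim() } else { '' }
if ($Existing -notlike "*$Sid*") {
    $Value = if ($Existing) { "$Existing,*$Sid" } else { "*$Sid" }
    $Inf   = Join-Path $env:TEMP 'grant-service-logon.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $Value
"@ | Set-Content -Path $Inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'grant.sdb') /cfg $Inf /areas USER_RIGHTS | Out-Null
}

# 4. Check, as the agent account, that the Security log of every domain
#    controller can be read remotely. A failure on one DC means the logons
#    handled by that DC would never reach the agent.
$Cred = New-Object System.Management.Automation.PSCredential("$AgentUser@$Domain", $Password)
foreach ($Dc in (Get-ADDomainController -Filter *)) {
    try {
        $Ev = Get-WinEvent -ComputerName $Dc.HostName -LogName Security -MaxEvents 1 `
                           -Credential $Cred -ErrorAction Stop
        '{0}: OK (latest Security event ID {1})' -f $Dc.HostName, $Ev.Id
    } catch {
        '{0}: FAILED - {1}' -f $Dc.HostName, $_.Exception.Message
    }
}

# 5. Only for the registry disconnection detection method: each monitored
#    workstation address must resolve through the reverse lookup zone.
#    The two addresses are constructed sample values.
foreach ($Ip in '192.168.10.25', '192.168.10.26') {
    $Ptr = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction SilentlyContinue
    if ($Ptr) { '{0} -> {1}' -f $Ip, $Ptr.NameHost }
    else      { "$Ip has no PTR record: add it to the reverse lookup zone" }
}
```

Step 4 reads the logs over RPC and named pipes, exactly as the agent does, so a failure there also points at a firewall on the domain controller blocking that traffic rather than at a missing permission. Step 3 must be run on the machine that will host the agent service, since user rights are local to each host.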

Installing the SSO agent on a workstation that is a member of the domain

To run the SSO agent on a workstation that is a member of the AD domain, 3 inbound rules must be enabled in the Windows firewall on this workstation:

  • Remote Event Log Management (NP-In),
  • Remote Event Log Management (RPC),
  • Remote Event Log Management (RPC-EPMAP),

These are the predefined Windows firewall rules for the Event Log service: NP-In allows the named-pipe transport (TCP 445), RPC-EPMAP the RPC endpoint mapper (TCP 135) and RPC the dynamic RPC port of the service. Since the agent reads the event logs of the domain controllers remotely over the same channels, the domain controllers must also accept this traffic from the agent host.
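Enabling the three rules and checking the result, as an added example that is not part of the original page or of Stormshield's own tooling. It restricts the rules to the Domain profile, which is the least-privilege setting for a domain member, and then tests the two fixed ports from another domain member. The hostname is an assumption; run it in an elevated PowerShell session on the workstation that hosts the agent.

```powershell
# Added example, not Stormshield's own code: enable the three predefined
# Windows firewall rules for remote event log access on the agent host and
# check them. The hostname used in the port test is an assumption.
$RuleNames = @(
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)'
)

# Enable the rules for the Domain profile only: a domain-joined host never
# needs to expose the Event Log service on Private or Public networks.
Set-NetFirewallRule -DisplayName $RuleNames -Enabled True -Profile Domain

# Show the resulting state. A rule that is enabled but bound to the wrong
# profile, or that has been changed from Allow to Block, does nothing useful.
Get-NetFirewallRule -DisplayName $RuleNames |
    Select-Object DisplayName, Enabled, Profile, Direction, Action |
    Format-Table -AutoSize

# From another domain member, confirm the two fixed ports the rules open:
# TCP 445 (named pipes, NP-In) and TCP 135 (endpoint mapper, RPC-EPMAP).
# The dynamic RPC port is negotiated through 135, so it is not tested here.
foreach ($Port in 135, 445) {
    Test-NetConnection -ComputerName 'sso-agent-host.example.local' -Port $Port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

If the agent host should only be reachable from specific machines, add -RemoteAddress with those addresses to the Set-NetFirewallRule call so that the rules do not open the Event Log service to every host on the domain network.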

This operation is described in the section Installing SN SSO Agent.