Active Directory Synchronization Service

The user import from Active Directory is divided into 3 tasks:

  1. Create an import source
  2. Install the AD Sync Service
  3. Synchronize users

Download AD Sync Service

You can download the current AD Sync Service in the Appterix administration interface from the Downloads area under Additional component.

Create Active Directory connection

In the left menu, click Settings > Integrations.

Click Add connector in the toolbar.

  • The User Import Source dialog appears.

Select Active Directory and click Continue.

Connector details

  • In the Name field, define a name for the connector.
  • (optional) In the Description field, enter your notes.

Connection settings

  • Under Connection settings, enter the name of one of your domain controllers in the Server address field, along with the User name and Password of the Active Directory account to be used. To establish an encrypted connection, activate LDAPS.

Synchronization configuration

  • If you do not want to synchronize the entire directory, enter in the Base DN field the name of the Active Directory entry from which synchronization should start. For multiple base DNs, put each one on a new line.
  • Under User ID, choose whether users are identified by their User Principal Name (UPN) or their email address. In hybrid environments that use both Active Directory and Entra ID, the user ID must be consistent across both.
  • Under Schedule, define how often and when synchronization with Active Directory takes place.

Certification authority integration

  • If you want to use Appterix Enrollment to create the YubiKey PIV certificates, enter under Configuration the name of the certification authority as shown by certutil (command-line tool).
  • If you have only one certification authority, it is sufficient to let it be selected automatically.
  • For the further steps required to create the YubiKey certificates, see Certificate-based authentication.

Authentication

  • To enable Active Directory Single Sign-On (SSO) for logging in to EMPlatform and Appterix, activate this function in the last step.

Installing the AD Sync Service

Download the AD Sync Service from Downloads in the Appterix administration panel and install it to transfer directory data from the local domain to the EMPlatform management system.

  1. Run the installation file.
  2. Click Install.
    • Once the preliminary setup is complete, the AD Sync Service Setup Wizard appears.
  3. Click Next.
  4. If necessary, change the target folder for the AD Sync Service installation and click Continue.
  5. Paste the previously copied Client ID and Client secret credentials.
    These are displayed after creating a connector and can be changed later under Configuration settings > Login information of the respective connector.
    Note: generating new login credentials invalidates the older login credentials.
  6. In the Controller URL field, enter the HTTPS URL of the EgoMind platform.
    • For Appterix SaaS customers this is https://administration.appterix.eu
    • For a local installation, it is the URL selected during installation, e.g. https:// /administration
  7. Click Test connection to verify your login information.
  8. Click Next.
    • The Install AD Sync Service dialog appears.
  9. Click Install.
  10. Once the installation is complete, click Complete and then Close.

Synchronize users

  1. In Administration, go back to Settings > Integrations.
  2. Activate the switch to synchronize according to the schedule defined in the source.
  3. Click the Import button to start a one-time synchronization immediately.
    • The source status changes to Synchronizing. Once the synchronization completes successfully, the source status changes to Synchronized.

All imported users appear under Users with the status Imported and the AD label. You can now invite the imported users.

FAQ about AD synchronization

Q1: When do I need to generate new credentials for the AD synchronization service?

A: The default credentials are only valid if the AD Sync Service was installed using the Appterix installation wizard. That method installs the service on the same server as Appterix and EM Platform Server and automatically connects it to the default import source under the root organization.
If the AD Synchronization Service has been installed manually on a separate server, or is to be used in a non-root organization, new credentials must be generated for the corresponding import source and the AD Synchronization Service must be reconfigured.

How to reconfigure the connection between EM Platform Server and AD Synchronization Service

  1. Navigate to the following path to open the EM AD Sync Service Control Panel:
    C:\Program Files\EgoMind\EMADSyncService\Utils
  2. Run EMADSyncService.ControlPanel.exe as administrator.
  3. Under Server Connect, fill in the required fields:
    • In the Server URL field, enter the server name in the following format:
      • For on-premise installations: https:// /administration
      • For users of the cloud-based solution: https://administration.appterix.eu
  4. Click Apply to save the changes.

Q2: Why does synchronization fail or not start?

A: This is usually due to configuration or connection problems.

Recommended checks:

  • Verify that the account password is correctly specified in the AD import configuration.
    Note that after a password change in AD, the password must also be updated in the AD import configuration.
  • Check whether the AD domain controller is reachable and responds to ping requests.
  • Make sure that no firewall rules block communication between the AD Sync Service and the domain controller.
  • Make sure that the AD Sync Service is connected to the intended import source in the correct organization.
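The following script runs the reachability, credential and Base DN checks behind these recommendations from the machine hosting the AD Sync Service. It is an added example, not part of the Appterix/EgoMind documentation; the server name, account and Base DN are assumed placeholders to be replaced with the values from your own AD import configuration.

```powershell
# Added example, not part of the Appterix/EgoMind documentation: runs the Q2 checks from the
# AD Sync Service host. Server, account and Base DN are assumed placeholders.
param(
    [string]$Server   = 'WIN-FEKLLGO3TDA.demo-egomind.local',   # domain controller FQDN (required for LDAPS)
    [string]$UserName = 'DEMO-EGOMIND\svc-adsync',              # assumed import account, DOMAIN\user format
    [string]$BaseDn   = 'OU=Staff,DC=demo-egomind,DC=local',    # assumed Base DN from the import configuration
    [switch]$Ldaps                                              # use 636/TLS instead of 389
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$port = if ($Ldaps) { 636 } else { 389 }

# 1. Reachability: ICMP (the FAQ's ping test) plus the LDAP/LDAPS port, which a firewall
#    may block even when ping succeeds.
$icmp = Test-Connection -ComputerName $Server -Count 1 -Quiet
$tcp  = (Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
Write-Host "ICMP reachable: $icmp; TCP port $port open: $tcp"
if (-not $tcp) { Write-Warning "Port $port is blocked or the domain controller is down."; return }

# 2. Credentials: bind with the configured account. The password is prompted, never stored here.
$cred = Get-Credential -UserName $UserName -Message 'Password of the AD import account'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred.GetNetworkCredential(), 'Negotiate')
$conn.SessionOptions.ProtocolVersion = 3
if ($Ldaps) { $conn.SessionOptions.SecureSocketLayer = $true }   # TLS; the DC certificate must match $Server
try {
    $conn.Bind()
    Write-Host "Bind as $UserName succeeded."
} catch {
    Write-Warning "Bind failed: $($_.Exception.Message). Check the password in the AD import configuration."
    return
}

# 3. Base DN: the configured starting entry must exist and be readable by this account.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $BaseDn
$req.Filter = '(objectClass=*)'
$req.Scope  = 'Base'
try {
    $null = $conn.SendRequest($req)
    Write-Host "Base DN '$BaseDn' is readable."
} catch {
    Write-Warning "Base DN '$BaseDn' not found or not readable: $($_.Exception.Message)"
}
```

Run it with -Ldaps when the import source uses the encrypted connection; a bind that works on 389 but fails on 636 usually means the server name does not match the domain controller's certificate.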

Q3: Why are the certificate templates missing in the CA?

A: Missing certificate templates may be due to authorization issues or an incorrect configuration.

Recommended checks:

  1. Make sure that the correct name of the certification authority (CA Name) is specified in the AD import configuration.
    Example: WinSer2022.demo-egomind.local\demo-egomind-WinSer2022-CA
    For more information, see the section How do I find the name of the certificate authority (CA)?
  2. Make sure that the correct Server URL is specified in the AD import configuration:
    • For LDAPS: enter the fully qualified domain name (FQDN) of the directory service you are connecting to.
      Example: WIN-FEKLLGO3TDA.demo-egomind.local
    • For LDAP: you can also use the server's IP address.
  3. Check the user account (User name) in the AD import configuration.
    When configuring the AD import, it is critical to use an account with the permissions required to enable certificate issuance through AD CS.
    • If the use of a domain administrator account is allowed: make sure that a domain administrator account is specified in the AD import configuration in the following format:
      \
    • If the use of a domain administrator account is restricted: configure the EM AD Sync Service Control Panel tool to issue certificates with a non-administrator account.

Before configuring the EM AD Sync Service Control Panel, change the User name in the AD import configuration to the non-administrator account. Use the following format:
\

How to configure EM AD Sync Service Control Panel for non-admin users

  1. Navigate to the following path to open the EM AD Sync Service Control Panel:
    C:\Program Files\EgoMind\EMADSyncService\Utils
  2. Run EMADSyncService.ControlPanel.exe as administrator.
  3. Under AD CS Connect, fill in the required fields:
    1. In the User name field, enter the name of the non-admin user in the following format:

      Make sure that the user name entered here matches the name specified in the AD import configuration. Note the different formats to avoid misconfiguration:
      • In the AD import configuration, use the format:
        \
      • Here, enter only the user name without the domain prefix.
    2. In the Domain Name field, enter the domain name.
    3. In the CA Name field, enter the name of the certification authority.
      For more information, see the section How do I find the name of the certificate authority (CA)?
  4. Click Apply to save the changes.

Q4: How do I find the name of the Certificate Authority (CA)?

A: Specifying the correct CA name is crucial for the successful issuance of certificates.

If only one certificate authority is used in your environment, you can leave the CA Name field blank; the system will detect it automatically.

How to find the CA name:

  1. Open the command prompt as administrator on the CA server.
  2. Run the following command:
    certutil -dump
  3. Look for the line that starts with Config. It shows the CA name in the required format.
    For example: Config: WinSer2022.demo-egomind.local\demo-egomind-WinSer2022-CA
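The script below automates this lookup and the CA-side checks from Q3: it pulls every Config: value out of certutil -dump, compares it with the CA name stored in the AD import configuration, and asks each CA whether it answers and which templates it publishes to the current account. It is an added example, not part of the Appterix/EgoMind documentation; the configured CA name is an assumed placeholder and the parsing relies on certutil's usual `...' quoting of values.

```powershell
# Added example, not part of the Appterix/EgoMind documentation: finds the CA name as in Q4 and
# runs the CA checks behind Q3. Execute in an elevated PowerShell session on the CA server.
$configuredCaName = 'WinSer2022.demo-egomind.local\demo-egomind-WinSer2022-CA'   # assumed; copy from your AD import configuration

# 1. Each "Config:" line in the dump is one CA in the required Host\CAName format.
#    certutil wraps values in `...' quotes, which the pattern strips.
$dump    = certutil -dump 2>&1 | Out-String
$pattern = '(?m)^\s*Config:\s+`?([^''\r\n]+?)''?\s*$'
$caList  = @([regex]::Matches($dump, $pattern) | ForEach-Object { $_.Groups[1].Value } | Where-Object { $_ -match '\\' })
if ($caList.Count -eq 0) { Write-Warning 'No Config: line found. Is this the CA server?'; return }
Write-Host "CA name(s) found: $($caList -join ', ')"

# 2. The configured name must match a Config: entry exactly (case-insensitive);
#    with a single CA the field may also be left blank for automatic detection.
if ([string]::IsNullOrWhiteSpace($configuredCaName)) {
    if ($caList.Count -gt 1) { Write-Warning 'Several CAs found; automatic detection is ambiguous, set CA Name explicitly.' }
} elseif ($caList -notcontains $configuredCaName) {
    Write-Warning "Configured CA name '$configuredCaName' matches none of the Config: entries."
}

foreach ($ca in $caList) {
    # 3. Does the CA service answer requests under this name?
    certutil -config $ca -ping | Out-Null
    $pingState = if ($LASTEXITCODE -eq 0) { 'OK' } else { "failed (exit code $LASTEXITCODE)" }
    Write-Host "${ca}: ping $pingState"

    # 4. Templates the CA publishes to the current account. An empty list or "Access is denied"
    #    points to the permission problem described in Q3. certutil prints one
    #    "Name: Display name ..." line per template plus a trailing "CertUtil: ..." status line.
    $templates = @(certutil -config $ca -CATemplates 2>&1 |
        Select-String -Pattern '^(?!CertUtil:)(\S+):' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
    Write-Host "${ca}: $($templates.Count) template(s) visible: $($templates -join ', ')"
}
```

Run it once as the administrator and once as the non-admin account entered in the EM AD Sync Service Control Panel; a template list that shrinks to nothing for the second account shows the enrollment permission that is missing.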

Q5: Where can I find the AD Sync Service logs?

A: If you encounter problems during setup or synchronization, you can view the AD synchronization service logs to diagnose the problem.

Default log storage location:

C:\Program Files\EgoMind\EMADSyncService\Logs

If necessary, send the relevant log files to the support team for further error analysis and assistance.

When contacting support:

  • Attach the relevant log files
  • Include detailed error messages
  • Describe the steps that led to the problem