Setting up a Microsoft Active Directory back-end server using LDAP
17 Jan 2025
Use the following instructions to configure a Microsoft Active Directory back-end server using LDAP (see Back-end server records).
Before you can configure a Microsoft Active Directory back-end server, an organizational structure must be defined via ORGANIZATION > Add Domain. The organizational structure must consist of domains and organizational units.
Connections between OneSpan Authentication Server and the Active Directory back-end server must use SSL. Unencrypted LDAP connections to an Active Directory back-end server do not work unless you have a very old and specially configured version of Windows Server (in particular, a domain controller refuses password changes over a clear-text LDAP connection), and OneSpan Authentication Server does not support unencrypted connections to Active Directory via LDAP. Select Enable SSL and enter the LDAPS port in the Port field.
Table: Microsoft Active Directory back-end server settings
Field name
Description
Back-End server ID
Enter a descriptive name for the Microsoft Active Directory back-end server.
Domain Name
This name should refer to the organizational structure created previously. Click Select from List to select from the available domain names.
Priority
A higher number will denote a higher priority, and will ensure that this server is referenced before other servers.
Enable SSL
Enable this check box to secure the connection to the back-end server using SSL.
Location
Enter the location of the back-end server: either the fully qualified domain name (FQDN), the host name, or the IP address of the back-end server. If the IP address is used, a new SPN must be created on the domain controller with setspn.exe, run under an account that may write the servicePrincipalName attribute (for example, a Domain Admin):
setspn -A ldap/<ip_address_of_dc> <hostname_of_dc>
If an FQDN is used, it should be resolvable from the machine on which OneSpan Authentication Server is running. To test this, run the following command on the OneSpan Authentication Server machine:
nslookup fqdn
This should produce a successful response.
If SSL is enabled, you must provide the FQDN or the host name, and it must match the subject or a subject alternative name in the domain controller's server certificate; an IP address will normally fail certificate name checking.
Port
Enter the TCP port on which the Microsoft Active Directory server accepts LDAP connections (LDAP uses TCP, not UDP). The defaults are 389 for plain LDAP and 636 for LDAP over SSL (LDAPS); the global catalog listens on 3268 and 3269 respectively. If the SSL option has been selected, this port must be the SSL port, normally 636.
Timeout
The number of seconds that OneSpan Authentication Server should wait for a response from the back-end server before either retrying or trying another server.
Search Base DN
Enter the base distinguished name from the Microsoft Active Directory domain that should be the starting point for any search. The value entered here has the potential to severely restrict the search performed on the Microsoft Active Directory data, so make sure that the users that you want to authenticate will be included in a search starting from this point.
The search base DN consists of the container (CN or OU) to start from, followed by one DC component per label of the DNS domain name, leftmost label first:
CN=Users,DC=domain_token_n,DC=domain_token_n+1
For example, for the domain example.com the search base DN for the default Users container would be the following:
CN=Users,DC=example,DC=com
To search the whole domain, including accounts stored in organizational units, use the domain root instead:
DC=example,DC=com
Do not use the DN of a single account (such as CN=Administrator,CN=Users,DC=example,DC=com) as the search base: a search starting there matches only that one object, and no other user can authenticate.
Security Principal ID
The security principal ID will be used to log on to the Microsoft Active Directory domain controller specified in the Location field. Any searches or updates will be performed using this ID. The security principal ID must have search permissions on the data that is to be searched, and update permissions if password randomization is enabled. If the security principal ID does not have adequate permissions, authentication will fail.
The format of the security principal ID will be the DN. For example:
cn=Administrator,cn=Users,dc=example,dc=com
The security principal ID MUST be set either here or in the global configuration settings (via SERVERS > Global Configuration > Back-End Servers).
Security Principal Password
The password for the security principal ID. This password will be used, together with the security principal ID, to log on to the Microsoft Active Directory domain controller specified in the Location field. Make sure that the security principal ID and the security principal password allow you to log on to the Microsoft Active Directory domain controller.
Confirm the security principal password in the Confirm Principal Password field.
Attribute Mapping
User Name Attribute Name
The LDAP attribute name to use as the user's display name (in a default Active Directory schema, typically displayName). If user information synchronization is enabled, the user display name will be added to the user account during DUR user information synchronization.
Phone Attribute Name
The LDAP attribute name to use as the user's landline number (typically telephoneNumber). If user information synchronization is enabled, the user's landline number will be added to the user account during DUR user information synchronization.
Mobile Attribute Name
The LDAP attribute name to use as the user's mobile number (typically mobile). If user information synchronization is enabled, the user's mobile number will be added to the user account during DUR user information synchronization.
Email Attribute Name
The LDAP attribute name to use as the user's e-mail address (typically mail). If user information synchronization is enabled, the user's e-mail address will be added to the user account during DUR user information synchronization.
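The script below is an added example, not OneSpan code, that turns the checks implied by the Location, Enable SSL, Port and Search Base DN fields into a pre-flight test you can run on the OneSpan Authentication Server machine before saving the form. The DN helpers show why a search base of CN=Users,DC=example,DC=com misses accounts stored in organizational units while a single-account DN misses everyone; check_ldaps() performs the nslookup step and then opens a TLS connection to the LDAPS port and verifies that the domain controller's certificate chains to a trusted CA and names the host you entered. The file name adcheck.py, the host dc01.example.com and the two sample account DNs are constructed for illustration.

```python
"""Pre-flight checks for an Active Directory back-end server entry.

Added example, not OneSpan code.  The DN helpers run offline; check_ldaps()
opens a real TLS connection and is only called from the command line.
The sample account DNs are constructed for illustration.
"""
import ipaddress
import re
import socket
import ssl
import sys
from typing import List, Optional, Tuple

_RDN = re.compile(r"^(CN|OU|DC)=([^,=]+)$", re.IGNORECASE)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, normalised for AD's case-insensitive
    matching.  Spaces after commas are tolerated; RFC 4514 escaping is not."""
    parts = []
    for rdn in dn.split(","):
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN in {dn!r}: {rdn.strip()!r}")
        parts.append((m.group(1).upper(), m.group(2).strip().lower()))
    return parts


def domain_to_dn(domain: str) -> str:
    """example.com -> DC=example,DC=com (leftmost DNS label first)."""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def search_base_dn(domain: str, container: Optional[str] = "CN=Users") -> str:
    """Search base for the form.  container=None yields the domain root, which
    is what you want when accounts live in OUs rather than the Users container."""
    dn = domain_to_dn(domain)
    return f"{container},{dn}" if container else dn


def in_scope(user_dn: str, base_dn: str) -> bool:
    """True if a subtree search starting at base_dn would find user_dn."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


# Constructed sample accounts: one in the default container, one in an OU.
SAMPLE_USERS = [
    "CN=alice,CN=Users,DC=example,DC=com",
    "CN=bob,OU=Sales,DC=example,DC=com",
]


def users_outside_scope(base_dn: str, users: List[str] = SAMPLE_USERS) -> List[str]:
    """Accounts a search from base_dn would miss, i.e. users who cannot authenticate."""
    return [u for u in users if not in_scope(u, base_dn)]


def location_problems(location: str, ssl_enabled: bool, port: int) -> List[str]:
    """Consistency checks between the Location, Enable SSL and Port fields."""
    problems = []
    try:
        ipaddress.ip_address(location)
        is_ip = True
    except ValueError:
        is_ip = False
    if ssl_enabled and is_ip:
        problems.append("Enable SSL needs a host name matching the DC certificate, not an IP")
    if ssl_enabled and port == 389:
        problems.append("port 389 is plain LDAP; LDAPS is normally 636 (3269 for the GC)")
    if not ssl_enabled and port == 636:
        problems.append("port 636 expects TLS but Enable SSL is off")
    return problems


def check_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Resolve host (the nslookup step), open a TCP+TLS connection and verify
    that the DC certificate chains to a trusted CA and names host.
    cafile: PEM bundle with the enterprise CA when it is not in the OS store."""
    address = socket.gethostbyname(host)
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"address": address, "tls": version, "dns_names": dns_names}


if __name__ == "__main__":
    # usage: python adcheck.py dc01.example.com 636 "CN=Users,DC=example,DC=com"
    host, port, base = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for problem in location_problems(host, True, port):
        print("WARNING:", problem)
    print("accounts outside the search base:", users_outside_scope(base))
    print(check_ldaps(host, port))
```

If check_ldaps() raises a certificate verification error, the domain controller's issuing CA is not trusted on the OneSpan machine or the name you entered is not in the certificate; fix that before enabling SSL rather than lowering verification, since the product will perform the same checks.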