Environment
- App Control Console: All Supported Versions
Objective
How to set up the Console to allow users to log in with Active Directory accounts and have rights assigned to them
Resolution
- Verify the Carbon Black Service Account has the necessary Active Directory permissions.
- Verify the desired users in Active Directory are associated with the correct Groups.
- Log in to the App Control Console with a local admin account and navigate to: gear icon > System Configuration > General > Edit.
- Find the section: Active Directory / LDAP Integration and change the setting to Enabled.
- Use the following details:
  - AD-Based Logins: Enabled
  - AD Security Domain: If the AD Security Groups for App Control are in a domain other than the login domains, enter that domain here. Otherwise, leave blank.
  - AD-Based Policy: If enabled, an App Control Policy can automatically be assigned to Agents based on AD or LDAP.
  - Windows 2000 DCs: Enable if using Windows 2000 Domain Controllers.
  - Search Level: Choose Global Catalog to search for objects in any domain in the Forest, or choose LDAP for a restricted search.
  - Test AD Connectivity: Click to test the connectivity between the App Control Server and Active Directory.
- Click Update and confirm the changes.
- Navigate to the gear icon > Login Accounts > User Role Mappings.
- Verify the current Mapping Rules are associated with the appropriate Active Directory Security Group.
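A pre-check for the group-membership verification steps above, added here as an example and not taken from Carbon Black documentation: for each user it reports whether they are a direct member, a nested member, or not a member of each AD security group referenced by a mapping rule. It assumes the RSAT ActiveDirectory PowerShell module, that users and groups live in the single domain being queried, and placeholder names (the `EXAMPLE-...` and `example.user` values) that you replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not vendor code). Group and user names are placeholders.
param(
    [string[]]$MappedGroups = @('EXAMPLE-AppControl-Admins', 'EXAMPLE-AppControl-ReadOnly'),
    [string[]]$Users        = @('example.user1', 'example.user2'),
    [string]  $Server       # optional: domain or DC to query
)

$adArgs = @{}
if ($Server) { $adArgs['Server'] = $Server }

# Resolve each group once and cache its direct and recursive member DNs.
$groupMembers = @{}
foreach ($name in $MappedGroups) {
    try {
        $group = Get-ADGroup -Identity $name @adArgs -ErrorAction Stop
        if ($group.GroupCategory -ne 'Security') {
            Write-Warning "'$name' is not a security group."
        }
        $groupMembers[$name] = @{
            Direct = @(Get-ADGroupMember -Identity $group @adArgs -ErrorAction Stop |
                       ForEach-Object DistinguishedName)
            Nested = @(Get-ADGroupMember -Identity $group -Recursive @adArgs -ErrorAction Stop |
                       ForEach-Object DistinguishedName)
        }
    } catch {
        Write-Warning "Group '$name' could not be read: $($_.Exception.Message)"
    }
}

$report = foreach ($sam in $Users) {
    try {
        $user = Get-ADUser -Identity $sam @adArgs -ErrorAction Stop
    } catch {
        Write-Warning "User '$sam' not found: $($_.Exception.Message)"
        continue
    }
    foreach ($name in $groupMembers.Keys) {
        # 'Nested' means the user reaches the group only through another group.
        $via = 'None'
        if ($groupMembers[$name].Nested -contains $user.DistinguishedName) { $via = 'Nested' }
        if ($groupMembers[$name].Direct -contains $user.DistinguishedName) { $via = 'Direct' }
        [pscustomobject]@{
            User = $user.SamAccountName; Enabled = $user.Enabled
            Group = $name; Membership = $via
        }
    }
}
$report | Sort-Object User, Group | Format-Table -AutoSize
```

Rows showing `None` or a disabled account are the ones to resolve in Active Directory before relying on the mapping rules; this article does not state how nested membership is treated, so confirm `Nested` rows with a test login.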
AD Login Account Format: The format for logging in to the Console with an AD Account depends on whether the account name is in the same domain as the Carbon Black App Control Server:
- AD Accounts in a different domain must use a fully qualified version of their name. Example: DOMAIN\Username or Username@dnsDomain
- AD Accounts in the same domain can log in either with a fully qualified username, or their username only (provided the username is not the same as a login account created directly in the Console).