logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

App Control: How to Setup AD Credential Login with the Console

App Control: How to Setup AD Credential Login with the Console

Environment

  • App Control Console: All Supported Versions

Objective

How to setup the Console to allow users to login with Active Directory Accounts and get rights assigned to them

Resolution

  1. Verify the Carbon Black Service Account has the necessary Active Directory permissions.
  2. Verify the desired users in Active Directory are associated with the correct Groups.
  3. Log in to the App Control Console with a local admin account and navigate to: gear icon > System Configuration > General > Edit.
  4. Find the section: Active Directory / LDAP Integration and change the setting to Enabled.
  5. Use the following details:
    • AD-Based Logins: Enabled
    • AD Security Domain: If the AD Security Groups for App Control are in a domain other than login domains, enter that domain here. Otherwise, leave blank.
    • AD-Based Policy: If enabled an App Control Policy can automatically be assigned to Agents based on AD or LDAP.
    • Windows 2000 DCs: Enable if using Windows 2000 Domain Controllers. 
    • Search Level: Choose Global Catalog to search for objects in any domain in the Forsest, or choose LDAP for a restricted search.
    • Test AD Connectivity: Click to test the connectivity between the App Control Server and Active Directory.
  6. Click Update and confirm the changes. 
  7. Navigate to the gear icon > Login Accounts > User Role Mappings.
  8. Verify the current Mapping Rules are associated with the appropriate Active Directory Security Group.
AD Login Account Format:
The format for logging into the Console with an AD Account depends upon whether the account name is in the same domain as the Carbon Black App Control Server:
  • AD Accounts in a different domain must use a fully qualified version of their name. Example: DOMAIN\Username or Username@dnsDomain
  • AD Accounts in the same domain can log in either with a fully qualified username, or their username only (provided the username is not the same as a login account created directly in the Console).

Additional Notes

  • Enabling Windows 2000 DCs will deactivate the option for AD Security Domain, as it relies on cross-domain membership tests which are only available with Windows 20003 SP2 Domain Controllers and higher.
  • Beginning with Server 8.9.0 it is possible to now login using the User Principal Name. Example: User logon name and User logon name (pre-Windows 2000) are different, either can be used.
  • It is recommended to make all Console logins using the same method (AD Logins vs Local Logins) to prevent confusion during login. 
    Local Login: fred
AD Login: fred@domain
  • More information on this is available in the User Guide chapter, Managing Console Login Accounts.

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎09-09-2020
Views:
4995
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.