In the administration console, specify the information required to connect to your Active Directory and select users and groups to sync with the VMware Identity Manager directory.

The Active Directory connection options are using Active Directory over LDAP or using Active Directory Integrated Windows Authentication. Active Directory over LDAP connection supports DNS Service Location lookup by default. With Active Directory Integrated Windows Authentication, you configure the domain to join.

See Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup. In some scenarios, you may need to create this file.

Select the required default attributes and add additional attributes on the User Attributes page. See Select Attributes to Sync with Directory.

Important

If you plan to sync XenApp resources with VMware Identity Manager, you must make distinguishedName a required attribute. You must make this selection before creating a directory as attributes cannot be changed to be required attributes after a directory is created.

List of the Active Directory groups and users to sync from Active Directory.

For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN password.

For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.

If Active Directory is accessed over SSL, a copy of the SSL certificate is required.

For Active Directory Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.

1

In the administration console, open the Identity & Access Management tab.

2

On the Directories page, click Add Directory.

3

Enter a name for this VMware Identity Manager directory.

4

Select the type of Active Directory in your environment and configure the connection information.

Option

Description

Active Directory over LDAP

a

Select the connector from the drop-down menu that syncs with Active Directory.

b

If this Active Directory is used to authenticate users, click Yes.

If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

c

In the Search Attribute field, select the account attribute that contains username.

d

If the Active Directory does not use DNS Service Location lookup, deselect the check box and enter the Active Directory server host name and port number.

If Active Directory requires access over SSL, select the checkbox below and provide the Active Directory SSL certificate.

To configure the directory as a global catalog, see the Multi-Domain, Single Forest Active Directory Environment section in Active Directory Environments.

e

In the Base DN field, enter the DN from which to start account searches. For example, OU=myUnit,DC=myCorp,DC=com.

f

In the Bind DN field, enter the account that can search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.

g

After you enter the Bind password, click Test Connection to verify that the directory can connect to your Active Directory.

Active Directory (Integrated Windows Authentication)

a

Select the connector from the drop-down menu that syncs with Active Directory .

b

If this Active Directory is used to authenticate users, click Yes.

If a third-party identity provider is used to authenticate users, click No. After you configure the Active Directory connection to sync users and groups, go to the Identity & Access Management > Manage > Identity Providers page to add the third-party identity provider for authentication.

c

In the Directory Search Attribute field, select the account attribute that contains username.

d

Enter the name of the Active Directory domain to join. Enter that domain's admin user name and password.

e

In the Bind User UPN field, enter the User Principal Name of the user who can authenticate with the domain. For example, UserName@example.com.

f

Enter the Bind User password.

5

Click Save & Next.

The page with the list of domains appears.

6

For Active Directory over LDAP, the domains are listed with a checkmark.

For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.

Note

If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.

Click Next.

7

Verify that the VMware Identity Manager directory attribute names are mapped to the correct Active Directory attributes. If not, select the correct Active Directory attribute from the drop-down menu. Click Next.

8

Click + to select the groups you want to sync from Active Directory to the directory, and click Next.

Note

When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.

9

Click + to add additional users. For example, enter as CN-username,CN=Users,OU-myUnit,DC=myCorp,DC=com.

To exclude users, create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.

Click Next.

10

Review the page to see how many users and groups are syncing to the directory and to view the sync schedule.

To make changes to users and groups, or to the sync frequency, click the Edit links.

11

Click Sync Directory to start the sync to the directory.

The connection to the Active Directory is complete and the users and groups you selected are added to the directory.

Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.

Review the default access policy. The default access policy is configured to allow all appliances in all network ranges to access the Web browser, with a session time out set to eight hours or to access a client app with a session time out of 2160 hours (90 days). You can change the default access policy and when you add Web applications to the catalog, you can create new ones.

Apply custom branding to the administration console, user portal pages and the sign-in screen.