HDE Access Control : HDE One Directory Sync (Office 365 with Windows Active Directory)

This guide consists of the instructions on how to correctly install the HDE One Directory Sync (Office 365 with Windows Active Directory) and ensure that it is working properly before proceeding to Single Sign-on setup. This guide contains the following parts:

1. Overview of HDE One Directory Sync (Windows Active Directory)
2. Prerequisites of setting up HDE One Directory Sync
3. Password Sync
4. Editing Configuration file (config.ini)
5. Testing the Synchronization
6. Configuring the Automation

 

(1) Overview of HDE One Directory Sync (Windows Active Directory)

HDE One Directory Sync is an account information synchronization tool that links the HDE Access Control Service (HAC) with Windows Active Directory. It is a one-way synchronization: any item you create, delete or change in the source directory is reflected in the destination directory, never the other way round.

*Note 
- Please contact Microsoft about DirSync tool.

HDE One Directory Sync and Microsoft Azure Active Directory Sync synchronize some piece of information from Active Directory. (It is One-Way synchronization from Active Directory to HDE Access Control.)

The correlation table of synced information between AD/HAC/O365 is shown as below:

[Screenshot: correlation table of synced attributes between Active Directory, HAC and Office 365]

**Note:
- Items in the red box MUST be the same value.

- Office365 ID is used for the login ID of rich clients such as Outlook. HDE One is case sensitive.
- Username is used for the login ID of web browser. HDE One is case sensitive.
- After the initial setup of Active Directory has finished, users have to change their password before their first login.

 

(2) Prerequisites of setting up HDE One Directory Sync 

(A) Windows Active Directory:

1) Set up Microsoft ID management component (unixUserPassword) for Unix
How do I set up Microsoft ID management component (unixUserPassword) for Unix?

(B) Windows machine:

1) The Windows machine used for setup must be joined to the domain managed by Active Directory, or be an Active Directory Domain Controller (Windows Server 2008 R2 64bit or above)

2) Install PowerShell ver. 3.0 or above
http://www.microsoft.com/en-us/download/details.aspx?id=34595

3) Install HDE One Directory Sync

Please contact our support team to download this module -> Here 

4) Download HDE One Directory Sync modules:

Please contact our support team to download this module -> Here 

After downloading the modules, create a folder "C:\HDEOne" and place the following four Password Sync modules into the folder:

- Assign-HDEOnePasswordSyncGroup.bat
- Check-SyncUser.ps1
- Set-ADUnixAttributes.ps1
- Set-SecurityGroupMember.ps1

5) Install Active Directory Module (PowerShell ver. 3.0 Cmdlet to manage existing Active Directory)

Install Active Directory Module (for Windows Server 2012 R2) :

(i) [Server Manager] > [Manage] > [Add Roles and Features] > [Features] > Select and Install [Windows PowerShell 4.0]

(ii) To check if Active Directory Web Services are activated on Active Directory Controller:
[Start] > [Administrative Tools] > [Services] check if the status is "Running" and "Automatic".


**Note: If Active Directory Web Services was not installed, please refer to the procedures below to add and start the service.

For Windows Server 2008 or older :

[Server Manager] > [Features] > [Add Features] > [Remote Server Administration Tools] > [Role Administration Tools] > Select and install [AD DS and AD LDS Tools]

For Windows Server before 2008 :

Install Active Directory Management Gateway Service and the related patches:

 - https://www.microsoft.com/en-US/download/details.aspx?id=2852
 - https://support.microsoft.com/kb/969166
 - https://support.microsoft.com/kb/967574

**Note: The server needs to be restarted after the installation.

 

(3) Password Sync

To synchronise passwords from Active Directory to HDE Access Control, you have to create a security group "HDE One Password Sync Group" and set it as the primary group in each user's Unix attributes.

-------------------------------------------------------------

Follow this instruction:

Run the .bat file [Assign-HDEOnePasswordSyncGroup.bat] to automatically create a security group.

*To run above .bat file regularly by Windows scheduler, please refer to the settings explained in the last part of this article.

-------------------------------------------------------------

Explanation below:

The script file below automatically assigns the security group to the users. Run it from PowerShell not only when installing the Sync module, but also every time a new target user is added.

Script File Name : Set-ADUnixAttributes.ps1

The commands below show how the script is run when the target users belong to the SSO target domain @sample.co.jp and are enabled in Active Directory.

ps>cd "the folder in which you created a copy of above file"
ps>Import-Module ActiveDirectory
ps>$ExecutionPolicy = Get-ExecutionPolicy
ps>Set-ExecutionPolicy Bypass
ps>.\Set-ADUnixAttributes.ps1 -LDAPFilter "'(&(userprincipalname=*@sample.com)(mail=*@sample.com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user))'"
ps>Set-ExecutionPolicy $ExecutionPolicy

(a) Reset password on AD

1. Run PowerShell and execute the command below to record all user information including UnixUserPassword before resetting password.

*Note: Please replace "*@sample.com" with the userprincipalname of your test users.

ps>Get-ADUser -Properties * -LDAPFilter "(userprincipalname=*@sample.com)"| select userprincipalname, samaccountname, sn, givenname, displayname, mail, unixuserpassword, objectguid > before.txt

2. Go to "Active Directory user and computer" on AD domain controller -> reset password of all specific users

3. Run PowerShell and execute the command below to record users information including UnixUserPassword after the password is reset.

ps>Get-ADUser -Properties * -LDAPFilter "(userprincipalname=username@sample.com)"| select userprincipalname, samaccountname, sn, givenname, displayname, mail, unixuserpassword, objectguid > after.txt

*Note: The output files from the commands above will be saved in the directory that the command was written in. Please open the files to confirm if UnixUserPassword has been changed successfully.

(b) Confirm password change

(i) Output file (Before.txt) : Example of user information before changing password.

userprincipalname : username@sample.com
samaccountname : username
sn : Sample Organisation
givenname : givenname
displayname : displayname
mail : username@sample.com
unixuserpassword : {}
objectguid : [long guid]

(ii) Output file (After.txt) : Example of user information after changing password.

userprincipalname : username@sample.com
samaccountname : username
sn : Sample Organisation
givenname : givenname
displayname : displayname
mail : username@sample.com
unixuserpassword : {36 49 36 66 86 117 77 75 122 122 122 36 86 109 90 122 113 117 90 54 100 100 116 100 79 97 112 122 87 114 74 98 90 47}
objectguid : [long guid]
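An added check, not one of the HDE One Password Sync modules, that decodes the unixUserPassword bytes shown above and reports whether each user's value changed between the before and after captures without writing the hashes to disk. The sample objects are constructed from the example output, and the field names follow the Get-ADUser exports used in this article.

```powershell
# Added example, not one of the HDE One Password Sync modules: confirm that
# unixUserPassword changed after the reset. The sample objects below are
# constructed; the byte values are copied from the After.txt example above.
function ConvertTo-ByteArray {
    param($Value)   # a byte[] or an AD property collection wrapping one byte[]
    if ($null -eq $Value) { return @() }
    if ($Value.Count -eq 1 -and $Value[0] -is [byte[]]) { return [byte[]]$Value[0] }
    return [byte[]]$Value
}

function Get-UnixPasswordState {
    param($Value)
    $bytes = ConvertTo-ByteArray $Value
    if (-not $bytes -or $bytes.Count -eq 0) { return 'empty' }
    # The attribute holds the ASCII bytes of a crypt(3)-style string "$id$salt$hash"
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match '^\$(\d+)\$[^$]{1,16}\$[A-Za-z0-9./]+$') { return "crypt-$($Matches[1])" }  # crypt-1 = MD5-crypt
    return 'unrecognised'
}

function Compare-UnixPasswordSync {
    param($Before, $After)   # objects with userprincipalname and unixuserpassword
    $old = @{}
    foreach ($u in $Before) { $old[$u.userprincipalname] = ((ConvertTo-ByteArray $u.unixuserpassword) -join ',') }
    foreach ($u in $After) {
        $now = ((ConvertTo-ByteArray $u.unixuserpassword) -join ',')
        [pscustomobject]@{
            UserPrincipalName = $u.userprincipalname
            State             = Get-UnixPasswordState $u.unixuserpassword
            Changed           = ($now -ne '' -and $now -ne $old[$u.userprincipalname])
        }
    }
}

# Constructed sample: empty attribute before the reset, MD5-crypt value after it.
$before = @([pscustomobject]@{ userprincipalname = 'username@sample.com'; unixuserpassword = @() })
$after  = @([pscustomobject]@{
    userprincipalname = 'username@sample.com'
    unixuserpassword  = [byte[]](36,49,36,102,86,117,77,75,122,122,122,36,86,109,90,122,113,117,90,54,100,100,116,100,79,97,112,122,87,114,74,98,90,47)
})
Compare-UnixPasswordSync $before $after | Format-Table

# Live run: replace the sample objects with the output of
#   Get-ADUser -LDAPFilter '(userprincipalname=*@sample.com)' -Properties unixUserPassword
# captured before and after the reset; any row with Changed = False needs attention.
```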

 

(4) Editing Configuration file (config.ini)

After installing the HDE One Directory Sync, find a file named "Config.ini" in the folder where the Sync module is installed (By default, it should be located in "C:\Program Files\HDE One Directory Sync"). 

Default conditions for user extraction:
(i) The suffix of UserPrincipalName is the target domain of Office 365
(ii) The mail address is in the *@sample.com domain
(iii) The user account is enabled on the Active Directory domain controller

(a) Edit the condition to extract users from the Active Directory Controller

ldapfilter='(&(userprincipalname=*@sample.com)(mail=*@sample.com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user))'

(b) Add access information to Active Directory Controller

server=ad.sample.com <= Destination Active Directory server name of Sync module
username=admin@sample.com <= Domain Admin ID
password=1qaz2wsx <= Domain Admin Password

(c) Update config.ini in below directory

"C:\Program Files\HDE One Directory Sync" <= Directory for the setting files
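An added pre-flight check, not part of HDE One Directory Sync, that parses config.ini, verifies the ldapfilter (balanced parentheses and the correct userAccountControl matching-rule OID) and lists which identities can read the file, since it stores the domain admin password in clear text. The sample lines are constructed and contain a deliberately mistyped OID so the check has something to report; $ConfigPath assumes the default install directory.

```powershell
# Added example, not part of HDE One Directory Sync: sanity-check config.ini
# before the "/n" test run. The sample lines below are constructed; point
# $ConfigPath at the real file to check the deployed one.
$BitAndOid  = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND, used to exclude disabled accounts
$ConfigPath = 'C:\Program Files\HDE One Directory Sync\config.ini'

function Read-IniValues {
    param([string[]]$Lines)
    $values = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^[#;\[]' -or $t -notmatch '=') { continue }
        $key, $value = ($t -split '=', 2)
        $values[$key.Trim()] = $value.Trim().Trim("'")   # strip the quotes around ldapfilter
    }
    return $values
}

function Test-SyncConfig {
    param([hashtable]$Config)
    $problems = @()
    foreach ($key in 'ldapfilter', 'server', 'username', 'password') {
        if (-not $Config[$key]) { $problems += "missing $key" }
    }
    $filter = $Config['ldapfilter']
    if ($filter) {
        $open  = [regex]::Matches($filter, '\(').Count
        $close = [regex]::Matches($filter, '\)').Count
        if ($open -ne $close) { $problems += "ldapfilter parentheses unbalanced ($open open, $close close)" }
        if ($filter -match 'userAccountControl:([0-9.]+):=2' -and $Matches[1] -ne $BitAndOid) {
            $problems += "disabled-account rule uses OID $($Matches[1]); expected $BitAndOid"
        }
    }
    return $problems
}

function Get-ConfigReaders {
    # Every identity that can read the file can read the domain admin password in it.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Constructed sample with a mistyped OID (one dot missing) so the check reports it.
$sample = @(
    "ldapfilter='(&(userprincipalname=*@sample.com)(mail=*@sample.com)(!(userAccountControl:12.840.113556.1.4.803:=2))(objectClass=user))'",
    'server=ad.sample.com', 'username=admin@sample.com', 'password=<placeholder>'
)
Test-SyncConfig (Read-IniValues $sample)            # prints the OID problem
if (Test-Path $ConfigPath) { Get-ConfigReaders $ConfigPath }
```

Expect only SYSTEM, the local Administrators group and the service account from step (6) in the reader list; anything broader means the domain admin password is exposed to those accounts.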

(5) Testing the Synchronisation 

To make sure the configuration file is correctly configured before the actual synchronisation, please perform a test run.

To perform the test run, please run the following commands:

# cd "C:\Program Files\HDE One Directory Sync"
# .\console.exe /n 

"/n" allows the application to perform a test run. If the command is executed without the "/n", actual synchronisation will be executed.

The result of the command when there are unsynchronised accounts:

##### Sync set [sync01] #####

    Active Directory ---> HDE Access Control

Add: Administrator / iUBFiuf92738bce2byJBA==
Add: Guest / bA929bus9jsdhfvua837==
Add: david / david@sample.com / JOsf2983nsnjjk12j1kj1==
Delete: bowie / bowie@sample.com / asHD839hasH891dh98d==

The result of the command when there are no accounts to synchronise since the last synchronisation:

##### Sync set [sync01] #####

    Active Directory ---> HDE Access Control

* No sync data *

(6) Configuring the Automation

To ensure that HDE One Directory Sync and HDE One Password Sync run at the Windows machine's startup, please configure the settings based on the instructions below:

(a) Configuring the Properties of HDE One Directory Sync Service :

Step 1 - Go to the Control Panel and open [Administrative Tools]. In the list of Administrative Tools, open [Services] and, in the list of Services, look for [HDE One Directory Sync]. Right-click on it and select [Properties].


Step 2 - In the Properties, change the [Startup type] from [Manual] to [Automatic [Delayed Start]]. Click [Ok] to save the configuration.


Step 3 - On the "Log On" tab, please input the login details of your domain account (Username and Password).


Step 4 - Finally ensure that the service is started and running.


(b) Configuring the Properties of HDE One Password Sync Service :

Step 1 - Go to the Control Panel and open [Administrative Tools]. In the list of Administrative Tools, open [Services] and, in the list of Services, look for [HDE One Password Sync]. Right-click on it and select [Properties].


Step 2 - In the Properties, change the [Startup type] from [Manual] to [Automatic [Delayed Start]]. Click [Ok] to save the configuration.


Step 3 - On the "Log On" tab, please input the login details of your domain account (Username and Password).


Step 4 - Finally ensure that the service is started and running.


          