This guide explains how to install HENNGE One Directory Sync (Microsoft 365 with Windows Active Directory) and confirm that it is working properly before proceeding to the Single Sign-on setup. This guide contains the following parts:
1. Overview of HENNGE One Directory Sync (Windows Active Directory)
2. Prerequisites of setting up HENNGE One Directory Sync
3. Password Sync
4. Editing Configuration file (config.ini)
5. Testing the Synchronization
6. Configuring the Automation
(1) Overview of HENNGE One Directory Sync (Windows Active Directory)
HENNGE One Directory Sync is an account information synchronization tool that links HENNGE Access Control Service (HAC) with Windows Active Directory. This is a One-Way Synchronization: once you create, delete or change any item in the source directory, the change is reflected in the destination directory.
*Note - Please contact Microsoft about DirSync tool.
HENNGE One Directory Sync and Microsoft Azure Active Directory Sync each synchronize a subset of the information held in Active Directory. (It is a One-Way synchronization from Active Directory to HENNGE Access Control.)
The correlation table of synced information between AD/HAC/Microsoft 365 is shown as below:
**Note:
- Items in the red box MUST be the same value.
- Microsoft 365 ID is used for the login ID of rich clients such as Outlook. HENNGE One is case sensitive.
- Username is used for the login ID of web browser. HENNGE One is case sensitive.
- After the initial setup of Active Directory is finished, users have to change their password before their first login.
(2) Prerequisites of setting up HENNGE One Directory Sync
(A) Windows Active Directory:
1) Set up Microsoft ID management component (unixUserPassword) for Unix
How do I set up Microsoft ID management component (unixUserPassword) for Unix?
(B) Windows machine:
1) The Windows machine used for the setup must belong to the domain managed by Active Directory, OR be the Active Directory Domain Controller itself (Windows Server 2008 R2 64bit or above)
2) Install PowerShell ver. 3.0 or above
http://www.microsoft.com/en-us/download/details.aspx?id=34595
3) Install .NET Framework 4 or above
Note: This installation is required only on Windows Server 2008 R2
https://www.microsoft.com/en-US/download/details.aspx?id=17851
4) Install HENNGE One Directory Sync
Please contact our support team to download this module -> Here
5) Download HENNGE One Directory Sync modules:
Please contact our support team to download this module -> Here
After downloading the modules, create a folder "C:\HDEOne" and place the following four Password Sync modules into the folder:
- Assign-HENNGEOnePasswordSyncGroup.bat
- Check-SyncUser.ps1
- Set-ADUnixAttributes.ps1
- Set-SecurityGroupMember.ps1
6) Install Active Directory Module
You will need to use cmdlets from this module in PowerShell
Install Active Directory Module (for Windows Server 2012 R2) :
(i) [Server Manager] > [Manage] > [Add Roles and Features] > Click next until [Features] > Select [Windows PowerShell 4.0] to Add Feature and Install
(ii) To check that Active Directory Web Services is running on the Active Directory domain controller:
[Start] > [Administrative Tools] > [Services], and check that the status of the service is "Running" and its startup type is "Automatic".
**Note: If Active Directory Web Services is not installed, please refer to the procedures below to add and start the service.
For Windows Server 2008 or older :
[Server Manager] > [Features] > [Add Features] > [Remote Server Administration Tools] > [Role Administration Tools] > Select and install [AD DS and AD LDS Tools]
For Windows Server before 2008 :
Install Active Directory Managing Gateway Service and Patch.
- https://www.microsoft.com/en-US/download/details.aspx?id=2852
- https://support.microsoft.com/kb/969166
- https://support.microsoft.com/kb/967574
**Note: The server needs to be restarted after the installation.
(3) Password Sync
To synchronise passwords from Active Directory to HENNGE Access Control, you have to create a security group "HENNGE One Password Sync Group" and set it as the primary group in each user's Unix attributes.
-------------------------------------------------------------
Follow this instruction:
Run the .bat file [Assign-HDEOnePasswordSyncGroup.bat] to automatically create a security group.
*To run the above .bat file regularly with the Windows scheduler, please refer to the settings explained in the last part of this article.
-------------------------------------------------------------
Explanation below:
The script file below automatically assigns the security group to the users. Start PowerShell and execute this script NOT only when installing the Sync module, but also every time a new target user is added.
Script File Name : Set-ADUnixAttributes.ps1
The command below is an example of how the script works when the target user belongs to the SSO target domain @sample.co.jp and is active in Active Directory.
ps> cd "the folder in which you created a copy of the above file"
(a) Reset password on AD
1. Run PowerShell and execute the command below to record all user information, including UnixUserPassword, before resetting the passwords.
*Note: Please replace "*@sample.com" with the userprincipalname of your test users.
ps> Get-ADUser -Properties * -LDAPFilter "(userprincipalname=*@sample.com)" | select userprincipalname, samaccountname, sn, givenname, displayname, mail, unixuserpassword, objectguid > before.txt
2. Open "Active Directory Users and Computers" on the AD domain controller and reset the passwords of the target users.
3. Run PowerShell and execute the command below to record the user information, including UnixUserPassword, after the passwords have been reset.
ps> Get-ADUser -Properties * -LDAPFilter "(userprincipalname=username@sample.com)" | select userprincipalname, samaccountname, sn, givenname, displayname, mail, unixuserpassword, objectguid > after.txt
*Note: The output files from the commands above are saved in the directory the command was run from. Please open the files to confirm that UnixUserPassword has changed successfully.
(b) Confirm password change
(i) Output file (Before.txt) : Example of user information before changing password.
userprincipalname : username@sample.com
samaccountname    : username
sn                : Sample Organisation
givenname         : givenname
displayname       : displayname
mail              : username@sample.com
unixuserpassword  : {}
objectguid        : [long guid]
(ii) Output file (After.txt) : Example of user information after changing password.
userprincipalname : username@sample.com
samaccountname    : username
sn                : Sample Organisation
givenname         : givenname
displayname       : displayname
mail              : username@sample.com
unixuserpassword  : {36 49 36 66 86 117 77 75 122 122 122 36 86 109 90 122 113 117 90 54 100 100 116 100 79 97 112 122 87 114 74 98 90 47}
objectguid        : [long guid]
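As an added example (not part of the HENNGE guide or its scripts), the following PowerShell does the before/after check of steps (a) and (b) for you: it exports the same attributes to CliXml instead of a text file, matches users by objectGUID, and reports whose unixUserPassword changed, whose is unchanged, and whose is still empty (that user has not been reset and will not password-sync). The "*@sample.com" suffix is the guide's placeholder; replace it with your own UPN suffix.

```powershell
# Added example, not HENNGE's own script. Requires the ActiveDirectory module (see Prerequisites).
Import-Module ActiveDirectory

# Same scope and attributes as the before.txt / after.txt commands in the guide
$Filter = '(userprincipalname=*@sample.com)'   # replace with your SSO target domain
$Props  = 'userprincipalname', 'samaccountname', 'mail', 'unixuserpassword', 'objectguid'

function Export-SyncUserSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # CliXml keeps unixUserPassword as bytes, unlike the text redirection in the guide
    Get-ADUser -LDAPFilter $Filter -Properties $Props |
        Select-Object -Property $Props |
        Export-Clixml -Path $Path
}

function ConvertTo-HashKey {
    param($Value)
    # unixUserPassword is a multi-valued octet string; flatten whatever shape it comes back in
    if ($null -eq $Value) { return '' }
    [byte[]]$bytes = @($Value | Where-Object { $null -ne $_ } | ForEach-Object { $_ })
    if ($bytes.Length -eq 0) { '' } else { [Convert]::ToBase64String($bytes) }
}

function Compare-SyncUserSnapshot {
    param(
        [Parameter(Mandatory)][string]$BeforePath,
        [Parameter(Mandatory)][string]$AfterPath
    )
    $before = @{}
    foreach ($u in (Import-Clixml -Path $BeforePath)) {
        $before[$u.objectguid.ToString()] = ConvertTo-HashKey $u.unixuserpassword
    }
    foreach ($u in (Import-Clixml -Path $AfterPath)) {
        $old = $before[$u.objectguid.ToString()]
        $new = ConvertTo-HashKey $u.unixuserpassword
        $state = if ($new -eq '') { 'EMPTY: password not reset yet, will not sync' }
                 elseif ($old -eq $new) { 'UNCHANGED' }
                 else { 'CHANGED' }
        [pscustomobject]@{ User = $u.userprincipalname; UnixUserPassword = $state }
    }
}

# Usage: export once before and once after resetting the passwords in
# "Active Directory Users and Computers", then compare the two files.
# Export-SyncUserSnapshot -Path .\before.xml
# Export-SyncUserSnapshot -Path .\after.xml
# Compare-SyncUserSnapshot -BeforePath .\before.xml -AfterPath .\after.xml | Format-Table -AutoSize
```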
(4) Editing Configuration file (config.ini)
After installing the HENNGE One Directory Sync, find a file named "Config.ini" in the folder where the Sync module is installed (By default, it should be located in "C:\Program Files\HENNGE One Directory Sync").
Default conditions for user extraction:
(i) The suffix of the UserPrincipalName is the target domain of Microsoft 365
(ii) The *@sample.com domain is set
(iii) The user account is active on the Active Directory domain controller
(a) Edit the condition used to extract users from the Active Directory domain controller:
ldapfilter='(&(userprincipalname=*@sample.com)(mail=*@sample.com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user))'
(b) Add the access information for the Active Directory domain controller:
server=ad.sample.com        <= Active Directory server the Sync module connects to
username=admin@sample.com   <= Domain Admin ID
password=1qaz2wsx           <= Domain Admin Password
(c) Update config.ini in below directory
"C:\Program Files\HENNGE One Directory Sync" <= Directory for the setting files
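Before running the real sync it helps to see exactly which accounts the ldapfilter in config.ini selects. The following is an added example (not HENNGE's own tool): it reads ldapfilter and server from config.ini, runs the filter through Get-ADUser, and also lists the accounts that match the UPN and mail conditions but are dropped only because they are disabled. The config path and the sample.com values are the guide's defaults.

```powershell
# Added example, not HENNGE's own tool. Requires the ActiveDirectory module (see Prerequisites).
Import-Module ActiveDirectory

function Get-ConfigValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Key)
    $line = Get-Content -Path $Path | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if (-not $line) { throw "Key '$Key' not found in $Path" }
    ($line -split '=', 2)[1].Trim().Trim("'", '"')    # strip the quotes around the filter
}

function Test-SyncScope {
    param([string]$ConfigPath = 'C:\Program Files\HENNGE One Directory Sync\config.ini')
    $filter = Get-ConfigValue -Path $ConfigPath -Key 'ldapfilter'
    $server = Get-ConfigValue -Path $ConfigPath -Key 'server'

    # Accounts console.exe will actually pick up with the filter as written
    $inScope = @(Get-ADUser -Server $server -LDAPFilter $filter -Properties mail, userAccountControl)

    # The same filter without the disabled-account clause. 1.2.840.113556.1.4.803 is the
    # LDAP_MATCHING_RULE_BIT_AND rule and 2 is the ACCOUNTDISABLE bit of userAccountControl,
    # so "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" is what drops disabled users.
    $withDisabled = $filter -replace '\(!\(userAccountControl:[\d.]+:=2\)\)', ''
    $all = @(Get-ADUser -Server $server -LDAPFilter $withDisabled -Properties mail, userAccountControl)
    $disabled = @($all | Where-Object { ($_.userAccountControl -band 2) -ne 0 })

    [pscustomobject]@{
        Server           = $server
        Filter           = $filter
        InScope          = $inScope.Count
        ExcludedDisabled = $disabled.Count
        DisabledUsers    = $disabled | ForEach-Object { $_.UserPrincipalName }
    }
}

Test-SyncScope | Format-List
```

Because config.ini stores the domain account's password in clear text, restrict the file's NTFS permissions to administrators and the account the Sync service runs as.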
(5) Testing the Synchronisation
To make sure the configuration file is correct before the actual synchronisation, perform a test run.
To perform the test run, run the following commands:
# cd "C:\Program Files\HENNGE One Directory Sync"
# .\console.exe /n
"/n" makes the application perform a test run only. If the command is executed without "/n", the actual synchronisation is executed.
The result of the command when there are unsynchronised accounts:
##### Sync set [sync01] #####
Active Directory ---> HENNGE Access Control
Add: Administrator / iUBFiuf92738bce2byJBA==
The result of the command when there are no accounts to synchronise since the last synchronisation:
##### Sync set [sync01] #####
Active Directory ---> HENNGE Access Control
* No sync data *
(6) Configuring the Automation
To ensure that HENNGE One Directory Sync and HENNGE One Password Sync run at the Windows machine's startup, configure the settings according to the instructions below:
(a) Configuring the Properties of the HENNGE One Directory Sync Service :
Step 1 - Go to the Control Panel and open [Administrative Tools]. In the list of Administrative Tools, open [Services] and, in the list of services, look for [HENNGE One Directory Sync]. Right-click on it and click [Properties].
Step 2 - In the Properties, change the [Startup type] from [Manual] to [Automatic (Delayed Start)]. Click [OK] to save the configuration.
Step 3 - On the "Log On" tab, enter the login details of your domain account (Username and Password).
Step 4 - Finally, ensure that the service is started and running.
(b) Configuring the Properties of the HENNGE One Password Sync Service :
Step 1 - Go to the Control Panel and open [Administrative Tools]. In the list of Administrative Tools, open [Services] and, in the list of services, look for [HENNGE One Directory Sync]. Right-click on it and click [Properties].
Step 2 - In the Properties, change the [Startup type] from [Manual] to [Automatic (Delayed Start)]. Click [OK] to save the configuration.
Step 3 - On the "Log On" tab, enter the login details of your domain account (Username and Password).
Step 4 - Finally, ensure that the service is started and running.
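The same four steps can be scripted for both services. The following is an added example (not HENNGE's own tool) for an elevated PowerShell prompt; 'HENNGE One Password Sync' is assumed to be the display name of the second service, so check it in the Services console first.

```powershell
# Added example, not HENNGE's own tool. Windows PowerShell 5.1's Set-Service cannot set
# "Automatic (Delayed Start)" or the log-on account, so sc.exe is used for those two steps.
function Set-HenngeSyncService {
    param(
        [Parameter(Mandatory)][string]$DisplayName,          # name as shown in the Services console
        [Parameter(Mandatory)][pscredential]$Credential      # domain account for the Log On tab
    )
    # sc.exe needs the internal service name, so resolve it from the display name
    $svc  = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    $name = $svc.Name
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password

    # Step 2: Startup type -> Automatic (Delayed Start)
    & sc.exe config $name start= delayed-auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe could not set the startup type of '$name'" }

    # Step 3: Log On as the domain account. Unlike services.msc, sc.exe does not grant the
    # account the "Log on as a service" right; assign it via Local Security Policy or GPO first.
    & sc.exe config $name obj= $user password= $pass | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe could not set the log-on account of '$name'" }

    # Step 4: start the service and report its state
    Start-Service -Name $name -ErrorAction Stop
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{
        Service   = $DisplayName
        Status    = (Get-Service -Name $name).Status
        StartMode = $cim.StartMode          # "Auto" for both Automatic and Automatic (Delayed Start)
        Delayed   = $cim.DelayedAutoStart   # $true confirms the delayed start (Server 2012 and later)
        LogOnAs   = $cim.StartName
    }
}

# Usage: one domain account for both services
$cred = Get-Credential -Message 'Domain account for the HENNGE One sync services (DOMAIN\user)'
foreach ($svcName in 'HENNGE One Directory Sync', 'HENNGE One Password Sync') {
    Set-HenngeSyncService -DisplayName $svcName -Credential $cred
}
```

Passing the password to sc.exe places it on a process command line, which process-creation auditing (event 4688 with command-line logging) records; if that matters in your environment, set the log-on account in the Services console instead.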