Enabling Active Directory Security Mode
GENESIS Security can synchronize its user accounts with Active Directory, so users can log into GENESIS with their Active Directory username and password. Permissions for users and groups are defined in the GENESIS Security database.
-
Active Directory passwords are not stored in the GENESIS configuration database.
-
For synchronizing with Entra ID, see Enabling Entra ID Security Mode.
To synchronize security with Active Directory:
-
(Optional) Set the security to testing mode to help keep you from getting locked out if something is configured incorrectly later.
Learn how
Do not make this change on a production system.
-
Open Workbench and in Project Explorer, expand your project > Security and double-click Global Settings to open the configuration dialog.
-
On the General tab, set Security active to Testing.
-
Apply the changes.
-
-
Open Workbench and in Project Explorer, expand your project > Security > Global Settings . On the General Settings tab, set Security Mode to Active Directory . Additional settings for the Active Directory mode are displayed.
-
Complete the Active Directory Settings section according to your domain settings.
-
In Initial administrator account, enter the Service Principal Name of the account that will be granted full permissions in the following form:
-
In AD synchronization period, specify how often Security checks the Azure AD for changes. If any changes are detected, Security re-downloads all users and group information from Azure AD into memory.
To download the Azure AD structure immediately, click Synchronize now.
-
In User authentication methods, select one of the following options:
-
Active Directory : Authenticates users by calling the Active Directory.
-
Active Directory (User-Principal-Name being translated to SAM-Account-Name) : When users are mapped from User-Principal-Name, Security tries to translate them into SAM-Account-Names by querying the Active Directory.
-
Active Directory (SAM-Account-Name being translated to User-Principal-Name) : When users are mapped from SAM-Account-Name, Security tries to translate them into User-Principal-Names by querying the Active Directory.
-
Local Logon: Calls the LogonUser function locally on the server, which allows the user to log in later, even when the Active Directory is not available.
Learn more
Instead of connecting directly to the Active Directory, this method connects through the local system function called LogonUser and caches the user's credentials, which allows the user to log in later, even when the Active Directory is not available.
The Active Directory must be available during the FrameWorX Server startup, so that its structure can be cached.
Using this method has the following limitations:
-
The server machine must be connected to the Active Directory domain.
-
The user must be allowed to log in to the server.
-
The Domain name field in Active Directory Settings must not contain the name of an actual domain controller. It must be the domain name only.
-
Caching does not seem to work when the user names are in the User-Principal-Name form (user@domain.com).
-
-
-
-
(Optional) Enable automatic login and Windows integrated authentication.
Learn how
-
In the Automatic Login section, select Enabled.
-
On the Tools ribbon, select FrameWorX Server Location, and in the dialog that opens, set Client Authentication to Integrated Windows Authentication.
Alternatively, check that you have configured client certificates for authentication that map to the Active Directory.
-
-
(Optional) To restrict login access to users in a specific group, go to the Only Users from a Specific Group section, select Enabled, and enter the Group Name.
-
In the Domain Connection Authentication section, enter the User Name and Password for the account used to authenticate access to the Active Directory.
-
Click Apply , and then try to log in as an Active Directory user.
-
If all tests succeeded, set the security back to active mode.
Learn how
-
In Workbench, go to Security > Global Settings > General tab.
-
Set Security active to Active.
-
Apply the changes.
-