Active Directory layman definition

Intended use: Vision internal

About Active Directory

Active Directory (AD) is a Microsoft product that manages user accounts on a network. The account you log in to your computer with every day is an Active Directory account. The server running AD is called a Domain Controller. Communication with AD uses the LDAP protocol. The directory is made up of, among other things, Organizational Units (OUs) and Groups (e.g. Security Groups, SGs). In Active Directory an OU can contain multiple SGs, and a user account can be assigned to one or more groups.

Integration

AD integration with a client's website lets their users log in to the website with the same username and password they use on their work computers. Our integration supports the following CMS account types:

  1. CMS users [backend]
  2. CMS super users [backend]
  3. Extranet (Member) users [frontend]

Each account type needs its own group in AD, e.g. vCMS_users, vCMS_superusers, vCMS_extranetusers.

Extranet/Member account types support multiple AD groups. Each AD group can only contain 1500 users (an AD limitation for LDAP), so if a client has more than 1500 users, additional groups will have to be created, e.g. vCMS_extranet1, vCMS_extranet2. These groups will also be created as Membership Groups in the CMS. Previous Membership Groups are replaced and become unavailable/not used.

Account information and Permissions

The AD web service sends user account information to the CMS daily (synchronization). The information stored is:

  1. Username
  2. First name
  3. Last name
  4. Email

Manual synchronization of user accounts can be triggered by someone with CMS sysadmin privileges.

Each night/early morning the AD service automatically syncs accounts to the CMS. This means that if a new AD account is created at noon, it will be available to log in with the next day.
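The nightly mapping described in this section and under Integration, as an added Python example (not Vision's own AD web service code): the vCMS_* group names and the 1500-user limit come from the text above, the attribute names (sAMAccountName, givenName, sn, mail) are standard AD LDAP attributes, and all sample data is constructed. It also flags groups over the limit so they can be split before the sync runs.

```python
from dataclasses import dataclass

# Constructed names: the page gives the vCMS_* convention and the 1500 limit;
# sAMAccountName, givenName, sn and mail are standard AD LDAP attributes.
EXTRANET_PREFIX = "vCMS_extranet"  # AD groups that become CMS Membership Groups
MAX_GROUP_MEMBERS = 1500           # per-group limit stated in the text

@dataclass
class CmsAccount:
    """The four synced fields plus the Membership Groups derived from AD."""
    username: str
    first_name: str
    last_name: str
    email: str
    membership_groups: list

def oversized_groups(groups):
    """AD groups over the limit; the client must split these into
    vCMS_extranet1, vCMS_extranet2, ... before they can be used."""
    return sorted(g for g, m in groups.items() if len(m) > MAX_GROUP_MEMBERS)

def sync_accounts(groups, ldap_entries):
    """Build CMS Member accounts from LDAP results.
    groups: {AD group name: set of sAMAccountName}; ldap_entries: attribute
    dicts. Membership Groups come only from AD; groups previously defined in
    the CMS are not carried over (the replacement rule in the text)."""
    accounts = {}
    for e in ldap_entries:
        user = e["sAMAccountName"]
        ad_groups = sorted(g for g, m in groups.items()
                           if user in m and g.startswith(EXTRANET_PREFIX))
        if not ad_groups:
            continue  # backend-only or unassigned users get no Member account
        accounts[user] = CmsAccount(user, e.get("givenName", ""), e.get("sn", ""),
                                    e.get("mail", ""), ad_groups)
    return accounts

# Constructed sample data: two extranet groups and one backend-only group.
SAMPLE_GROUPS = {
    "vCMS_extranet1": {"asmith", "bjones"},
    "vCMS_extranet2": {"bjones"},
    "vCMS_users": {"cdoe"},
}
SAMPLE_ENTRIES = [
    {"sAMAccountName": "asmith", "givenName": "Anna", "sn": "Smith", "mail": "asmith@example.org"},
    {"sAMAccountName": "bjones", "givenName": "Bo", "sn": "Jones", "mail": "bjones@example.org"},
    {"sAMAccountName": "cdoe", "givenName": "Cy", "sn": "Doe", "mail": "cdoe@example.org"},
]
```

Running `sync_accounts(SAMPLE_GROUPS, SAMPLE_ENTRIES)` yields Member accounts for asmith and bjones only; cdoe is in a backend group and gets no Member account.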

Subsites

Types of subsites:

  1. Extranet
  2. Intranet
  3. Additional Website

You cannot have both local accounts and AD accounts active on the same CMS instance. You must choose either local accounts or AD accounts, and this applies to both the main site and all subsites.

What benefits are there for our clients to integrate AD?

  • There is no need to create and manage a separate account (username, password, etc.) for website users
  • Users do not have to keep track of multiple accounts for desktop and website

Requirements

We have a Vision AD web service that is placed on the client's network and connects their AD with their website. IT personnel will generally need to be involved for the initial install, but no continuous oversight is needed afterwards.

Windows Server 2012 or later with IIS, MVC.NET and .NET Framework 4.7 installed, to host/serve the Vision AD web service.

CMS access to the AD web service server via URL over SSL, e.g. https://visionad.clientdomain.gov.

Additional Modules

Active Directory Federation Services

If the client is already using Active Directory Federation Services (ADFS) on their network, this module can be added to the AD integration. ADFS allows the client's users to be logged in automatically (also referred to as single sign-on) to the Extranet/Intranet using Member Accounts. ADFS is not currently available for CMS Users and Super Users. Some additional information is required to install ADFS successfully, and installation usually takes additional time for client and Vision IT staff.