Integrating Active Directory (AD) with Apex One as a Service

    • Updated: 18 Mar 2019
    • Product/Version: Apex One as a Service All.All
    • Platform:
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows Server 2012 32-Bit
    • Windows Server 2012 64-Bit
Summary

In Apex Central (the console that manages Apex One as a Service), users cannot add and synchronize with an on-premises Active Directory server directly, as can be done in on-premises Control Manager.

Active Directory information is instead synchronized, and Active Directory accounts authenticated, in two separate parts:

  • Use the Active Directory synchronization tool, run on a host that can reach your Active Directory server, to replicate your Active Directory structure into Apex Central.
  • Authenticate users through an Active Directory Federation Services (ADFS) server.


Details

To synchronize the Active Directory information and authenticate the Active Directory accounts:

  1. Log on to the Apex One as a Service web console and navigate to Administration > Settings > Active Directory and Compliance Settings.

  2. Enable Active Directory synchronization.
    1. Download the Active Directory synchronization tool.

      Apex Central accepts data from only one synchronization tool at a time:

      • Apex Central and the Active Directory synchronization tool are paired.
      • Each download generates a unique tool, and Apex Central is paired with the newest one.
      • Downloading the tool again removes the pairing with the previous copy, so an agent that is already running is no longer accepted. Download the tool once, and re-download only when you intend to replace the running agent.

      Once the Active Directory synchronization tool is downloaded, the MD5 hash value of the file appears on the console page. Compute the hash of the downloaded file on the host where you will run the tool (for example with Get-FileHash -Algorithm MD5 or certutil -hashfile) and compare it with the displayed value before extracting; a mismatch means a corrupt or substituted download. MD5 is not collision-resistant, so this check catches accidental corruption and crude tampering rather than a determined attacker; the authenticated console session you downloaded through is what vouches for the file's origin.

    2. Save the Apex_Central_ADSyncAgent_*.zip file and extract it.
    3. Execute the synchronization tool to synchronize with the Active Directory server:
      1. Open a command prompt.
      2. Change to the directory that contains the ADSyncAgentTool.exe file:

        cd <Apex_Central_ADSyncAgent_directory>

      3. Configure the Active Directory server settings by executing the following command:

        ADSyncAgentTool.exe -i

      4. (Optional) Configure the proxy server settings by executing the following command:

        ADSyncAgentTool.exe -p

      5. Synchronize the configured servers manually by executing the following command:

        ADSyncAgentTool.exe -s

      The result is displayed for each configured server, including the server name and the last synchronized time.

    4. Import the AD users and groups via the Administration > Account Management > User Accounts page. Only accounts imported here can be assigned console roles.
  3. Enable Active Directory authentication.

    Authentication is delegated to an Active Directory Federation Services (ADFS) server. ADFS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. Here the federation is between your AD FS server and Apex Central: the user enters AD credentials at AD FS, and Apex Central receives only a signed SAML assertion, never the password.

    The requirements are:

    • The AD FS server must be ADFS 2.0 or later. Apex Central integrates with AD FS through the SAML 2.0 protocol.
    • Apex Central must be configured as a relying party of the AD FS server. The detailed steps are in the appendix below and in the Appendix section of the Deployment Guide.

    Refer to the ADFS Deployment Guide for details.

    1. Get the ADFS Service Identifier:
      1. Open the ADFS management tool.
      2. Click Service in the left panel.
      3. Click Edit Federation Service Properties... in the right panel.

      A properties window pops up; the Federation Service identifier is shown on the General tab.

    2. Export the ADFS Signing Certificate:
      1. Open the ADFS management tool.
      2. Click Certificates in the left panel.
      3. Right-click the Token-signing certificate entry in the main panel.
      4. Click View Certificate.

        A certificate window pops up.

      5. Click the Details tab.
      6. Click Copy to File....
      7. Select the Base-64 encoded X.509 (.CER) format.
      8. Save the certificate.

      If more than one token-signing certificate is listed, export the one marked Primary. AD FS rolls this certificate over automatically (AutoCertificateRollover, yearly by default); when the primary token-signing certificate changes, export it again and update the Server certificate in Apex Central, otherwise the SAML assertions fail signature validation and console logins through AD FS stop working.
    3. Tick the "Enable Active Directory authentication" checkbox and configure the ADFS settings on the web console:

      Field name on web console   Value
      SSO service URL             ADFS login console URL (the SAML 2.0 WebSSO endpoint, https://<ADFS FQDN>/adfs/ls/)
      Server identifier           ADFS Service Identifier from step 3.a
      Server certificate          ADFS signing certificate exported in step 3.b

    4. Save the settings.
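The synchronization-tool steps 2.b and 2.c above, done from PowerShell on the host that will run the agent, as an added example (this is not Trend Micro's code and the tool ships no such script). Assumptions: the download folder and install directory are placeholders; $ExpectedMd5 is the value shown on the console page after download; the -i, -p and -s switches are the ones listed on this page; the page does not document the tool's exit codes, so a non-zero exit code is treated as failure.

```powershell
# Added example, not Trend Micro's code: verify, unpack and run the AD sync tool.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads",   # placeholder: where the zip was saved
    [string]$ExpectedMd5 = "00000000000000000000000000000000", # placeholder: copy from the console
    [string]$InstallDir  = "C:\Tools\ADSyncAgent",         # placeholder: admin-only directory
    [switch]$UseProxy                                      # run "-p" as well (step 2.c.iv)
)
$ErrorActionPreference = 'Stop'

# Locate the newest download matching the name pattern from step 2.b.
$zip = Get-ChildItem -Path $DownloadDir -Filter 'Apex_Central_ADSyncAgent_*.zip' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $zip) { throw "No Apex_Central_ADSyncAgent_*.zip found in $DownloadDir" }

# 1. Integrity check against the MD5 the console displayed. MD5 catches a
#    corrupt or swapped file; it is not a signature, so the authenticated
#    console session remains the real assurance of origin.
$actualMd5 = (Get-FileHash -Path $zip.FullName -Algorithm MD5).Hash
if ($actualMd5 -ne $ExpectedMd5.ToUpperInvariant()) {
    throw "MD5 mismatch for $($zip.Name): console says $ExpectedMd5, file is $actualMd5. Do not run it."
}
Write-Host "MD5 verified for $($zip.Name): $actualMd5"

# 2. Unpack into a directory only administrators can write to. The tool is
#    paired with your Apex Central tenant, so treat it like a credential.
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Expand-Archive -Path $zip.FullName -DestinationPath $InstallDir -Force
$tool = Join-Path $InstallDir 'ADSyncAgentTool.exe'
if (-not (Test-Path $tool)) { throw "ADSyncAgentTool.exe not found in $InstallDir" }

# 3. Run the tool from its own directory (the "cd" in step 2.c.ii) in the
#    documented order. Run this in an interactive console so the -i and -p
#    configuration steps can take your input.
Push-Location $InstallDir
try {
    & $tool -i                                   # step 2.c.iii: AD server settings
    if ($LASTEXITCODE -ne 0) { throw "ADSyncAgentTool.exe -i exited with $LASTEXITCODE" }

    if ($UseProxy) {
        & $tool -p                               # step 2.c.iv: optional proxy settings
        if ($LASTEXITCODE -ne 0) { throw "ADSyncAgentTool.exe -p exited with $LASTEXITCODE" }
    }

    & $tool -s                                   # step 2.c.v: synchronize now
    if ($LASTEXITCODE -ne 0) { throw "ADSyncAgentTool.exe -s exited with $LASTEXITCODE" }
    Write-Host "Synchronization run completed; check the Server / Last synchronized time in the output."
}
finally {
    Pop-Location
}
```

Because a fresh download invalidates the pairing of any agent already running, keep this host as the single place the tool lives and run the script once; re-running it against a newly downloaded zip is the deliberate way to replace the agent, not a routine maintenance step.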

Appendix. To set up the Apex Central server as a relying party of the ADFS server:

  1. Go to the Relying Party Trusts folder and, in the right sidebar, click Add Relying Party Trust.... The Add Relying Party Trust Wizard window appears.
  2. Click Start.
  3. Choose "Enter data about the relying party manually" and click Next.
  4. Enter a display name for this trust in the "Display name" field and a description in the Notes field, then click Next.
  5. Choose "AD FS profile" and click Next.
  6. On the Configure Certificate page, click Next (no token encryption certificate is needed).
  7. Tick the checkbox "Enable support for the SAML 2.0 WebSSO protocol", enter https://<Apex Central's FQDN>/webapp/login.aspx in the "Relying party SAML 2.0 SSO service URL" field, then click Next.
  8. Enter https://<Apex Central's FQDN>/ in the "Relying party trust identifier" field, click Add, and click Next.
  9. Choose "I do not want to configure multi-factor authentication settings for the relying party trust at this time" and click Next.
  10. Choose "Permit all users to access this relying party" and click Next. This lets AD FS issue a token to any authenticated domain user; if you want AD FS itself to limit who can sign in to Apex Central, use an issuance authorization rule scoped to a group instead.
  11. Click Next to add the trust.
  12. Right-click the display name of the new trust and click Edit Claim Rules.... The Edit Claim Rules for <Display Name> window appears.
  13. Click Add Rule....
  14. Under "Claim rule template", choose "Pass Through or Filter an Incoming Claim" from the dropdown list and click Next.
  15. Enter a name in the "Claim rule name" field, choose "Windows account name" for "Incoming claim type", choose "Pass through all claim values", and click Finish. This passes the user's Windows account name (DOMAIN\username) through to Apex Central unchanged.
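The AD FS side of this article done with the ADFS PowerShell module instead of the MMC wizards, as an added example (not Trend Micro's code): it creates the relying party trust from appendix steps 1-15, then produces the three values the console asks for in step 3.c (SSO service URL, server identifier from step 3.a, Base-64 signing certificate from step 3.b). Run it on the AD FS server as an AD FS administrator. Assumptions: $ApexCentralFqdn, $TrustName and $CertOutPath are placeholders; the Apex Central endpoint paths are the ones given in steps 7 and 8; the two claim-rule texts reproduce the GUI templates chosen in steps 10 and 14-15; the SSO URL is the standard AD FS SAML 2.0 WebSSO endpoint path /adfs/ls/.

```powershell
# Added example, not Trend Micro's code: configure AD FS for Apex Central.
param(
    [string]$ApexCentralFqdn = "apexcentral.example.com",   # placeholder: your Apex Central FQDN
    [string]$TrustName       = "Apex Central",              # placeholder: display name (step 4)
    [string]$CertOutPath     = "$env:USERPROFILE\Desktop\adfs-token-signing.cer"
)
$ErrorActionPreference = 'Stop'
Import-Module ADFS

$identifier = "https://$ApexCentralFqdn/"                   # step 8: relying party trust identifier
$acsUrl     = "https://$ApexCentralFqdn/webapp/login.aspx"  # step 7: SAML 2.0 SSO service URL

# Step 7: SAML 2.0 WebSSO endpoint. AD FS POSTs the signed assertion to login.aspx.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
                                 -Uri $acsUrl -Index 0 -IsDefault $true

# Step 10: "Permit all users to access this relying party" as rule text.
# Swap in a group-scoped rule here if AD FS should restrict who can log in.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 14-15: pass the Windows account name (DOMAIN\username) through unchanged.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# Steps 1-11: create the trust. Step 9 (no MFA) is the default when no
# additional authentication rules are set. Re-running replaces the trust.
if (Get-AdfsRelyingPartyTrust -Name $TrustName -ErrorAction SilentlyContinue) {
    Remove-AdfsRelyingPartyTrust -TargetName $TrustName
}
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Notes "Apex One as a Service / Apex Central SAML 2.0 login" `
    -Identifier $identifier `
    -SamlEndpoint $endpoint `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Step 3.a: the Federation Service identifier, and the SSO URL for the console.
$props  = Get-AdfsProperties
$ssoUrl = "https://$($props.HostName)/adfs/ls/"

# Step 3.b: export the PRIMARY token-signing certificate as Base-64 X.509 (PEM).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       (($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n") +
       "`n-----END CERTIFICATE-----"
Set-Content -Path $CertOutPath -Value $pem -Encoding ascii

# Values to enter in Apex Central (step 3.c). Keep the thumbprint and expiry:
# when AD FS rolls the signing certificate, the console copy must be updated.
[pscustomobject]@{
    'SSO service URL'    = $ssoUrl
    'Server identifier'  = $props.Identifier
    'Server certificate' = $CertOutPath
    'Cert thumbprint'    = $signing.Thumbprint
    'Cert expires'       = $signing.Certificate.NotAfter
} | Format-List
```

The only design choice beyond the wizard defaults is the idempotent remove-then-add, which lets you re-run the script after changing the FQDN or rules without ending up with two trusts carrying the same identifier. Record the printed thumbprint and expiry date; a later mismatch between the console's certificate and the AD FS primary token-signing certificate is the first thing to check when AD FS logins start failing with signature errors.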

Category: Configure
Solution Id: 1120919