Configuring AD Authentication

Note: Make sure the sAMAccountName attribute is properly configured on the AD server for the target group members. The attribute is used as the login username for the system.

1. Log in to the System Management page.

2. In the System Management page, click User Accounts > External Authentication.

3. Click the icon and select Add AD Authentication from the drop-down list. The Add AD Authentication Wizard opens to guide you through the steps to connect to the AD server and configure the tenant or domain access privileges for imported group users.

1) Enter a unique name to identify the AD server and a brief description.

2) Enter the credentials to connect to the AD server. See AD Server Settings for more details.

3) Click Show Group to find available user groups from the AD server. All matching groups are listed in the Groups pane.

4) Select one or more user groups to import, and then click Next.

Note: The users in a primary group of the AD server can be synchronized into the system but cannot log in.

Tip: Click Validate to verify whether the selected groups still exist on the AD server. Click the icon to remove an invalid group from the list.

5) Assign domain access and more privileges to the users in the selected groups.

Tenant Access — select one or more tenants to assign access permissions to the users in the selected groups.

Tip: The accessible tenants can be modified on the Users tab after the users are synchronized.

Domain Access — select one or more domains under an accessible tenant to assign the domain access permissions to the users in the selected groups.

Domain Privileges — click Assign Privileges to assign more domain privileges to the users by role. See Share Policy for more details.

Tip: If none of the built-in roles meet your needs, click Add Role to create one. See Adding a role for more details.

6) To apply the privilege settings to all existing users in the selected group, click Apply this setting to existing users. Click Yes in the Confirmation dialog box.

Tip: The privilege settings will also take effect on new users created under this group.

Tip: If a user belongs to multiple groups, privilege changes on the current group take effect on the user immediately, even though the privileges are kept in the other groups that the user belongs to.

7) Click Save to commit the settings.

8) In the pop-up dialog, enter the username and password of a user under the specified server address or user root and click Verify to authenticate the connection.

9) Click OK in the pop-up dialog box.

10) By default, the authentication configuration is enabled. To disable it, clear the Enable check box on the External Authentication tab.

4. Navigate to the Users tab and click Synchronize With LDAP/AD Server to immediately load the user accounts imported from the AD server. Alternatively, the user accounts can be synchronized automatically after the first-time login.

Note: Synchronization is carried out only for enabled authentication configurations.

Tip: If you add a new user to the selected group on the AD server after the synchronization, the user can immediately log in to the specified domains with the assigned roles and privileges.

Note: If you delete any user accounts from the AD server, the changes will not be synchronized with the system automatically. You have to manually remove them from the system.

Using SSL on AD Server

If you configured SSL on the AD server, complete the following configurations to connect to NetworkBrain Web API Server by using the Secure(SSL) connection type:

1. On NetworkBrain Web API Server, complete the following steps:

Note: You can skip the following step 1) and step 2) by adding NetworkBrain Web API Server into the domain of the AD server.

1) Import the CA certificate used on the AD server into the Trusted Root Certification Authority directory as follows:

2) Configure the IP address of the AD server as the preferred DNS server through Network Settings, and then restart the network service.

3) Add the mapping relationship between the IP address and hostname of the AD server into the hosts file, which is located under the C:\Windows\System32\drivers\etc\ directory.

2. When configuring the connection information under the External Authentication tab, enter the FQDN of the AD server in the Server Address field.
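
The following PowerShell sketch is an added example, not part of the product documentation. It performs step 1) and step 3) on the Web API Server and then checks that a TLS session to the AD server's FQDN passes the default certificate validation (trusted chain and name match), which is what the FQDN in the Server Address field is matched against. The FQDN, IP address, certificate path and LDAPS port 636 are assumptions; step 2) is omitted because it depends on the network adapter in use.

```powershell
#Requires -RunAsAdministrator
# Added example: every value below is a constructed placeholder.
$AdFqdn     = 'dc01.corp.example'        # placeholder FQDN of the AD server
$AdIp       = '192.0.2.10'               # placeholder IP address (documentation range)
$CaCertPath = 'C:\Temp\ad-root-ca.cer'   # placeholder path to the exported CA certificate
$LdapsPort  = 636                        # assumption: standard LDAPS port

# Step 1): import the CA certificate into the machine's Trusted Root store.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 3): add the IP-to-hostname mapping to the hosts file if it is not already present.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
$entryPattern = "^\s*$([regex]::Escape($AdIp))\s+.*\b$([regex]::Escape($AdFqdn))\b"
if (-not (Select-String -Path $hosts -Pattern $entryPattern -Quiet)) {
    Add-Content -Path $hosts -Value "$AdIp`t$AdFqdn"
}

# Check: open a TLS session to the FQDN. With no custom validation callback,
# SslStream applies the default checks (chain to a trusted root, name match),
# so AuthenticateAsClient throws if the certificate would not be accepted.
$tls    = $null
$client = [System.Net.Sockets.TcpClient]::new()
try {
    $client.Connect($AdFqdn, $LdapsPort)
    $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $tls.AuthenticateAsClient($AdFqdn)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
    # Report what the server presented so the issuer and expiry can be reviewed.
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Protocol = $tls.SslProtocol
    }
}
catch {
    Write-Error "LDAPS validation failed for ${AdFqdn}: $($_.Exception.GetBaseException().Message)"
}
finally {
    if ($tls) { $tls.Dispose() }
    $client.Dispose()
}
```

If the check fails with a name mismatch, compare the Subject and subject alternative names on the AD server certificate with the value entered in the Server Address field.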