Product Documentation

Configuring and Synchronizing with Active Directory

Jul 19, 2013

App Controller uses Active Directory groups and users. You configure Active Directory when you log on to the App Controller management console for the first time. With Active Directory, you can:

  • Create roles in App Controller that map to one or more Active Directory groups.
  • Create and remove user application accounts based on their Active Directory group membership by using applications assigned to roles.
  • Create workflows for manager approval of user accounts for applications.

Important: When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When these users attempt to start an app, they receive a message that they are not authorized to use the app. Also, when you configure Active Directory settings in App Controller, in Service account, enter an administrator email that is configured in Active Directory. If the administrator email is not in the Active Directory path that you enter as the base DN, first-time use of App Controller will fail.

When App Controller synchronizes with Active Directory, either after the first time you configure Active Directory in App Controller or when you manually synchronize with Active Directory, the length of time it takes to synchronize depends on the size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this time, you cannot configure any other settings in Active Directory. If you enter a group DN when you first configure Active Directory, the synchronization occurs more quickly. For example, you enter cn=Users,dc=servername,dc=net, where cn=Users is the group base DN and servername is the name of the Active Directory server. When the initial synchronization is finished, App Controller logs off from the management console and returns to the management console logon page.
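
The following check is an added example, not part of the product documentation or of App Controller. It audits an LDIF export of user objects against the requirements in the Important note: it flags users under the base DN who lack a first name, last name, or email, and confirms that the service account email belongs to a user under that base DN. It assumes these fields correspond to the standard Active Directory attributes givenName, sn, and mail; the directory entries are constructed sample data, and the function names are hypothetical.

```python
REQUIRED = ("givenName", "sn", "mail")  # assumed attributes for first name, last name, email

# Constructed LDIF export of user objects (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Admin,CN=Users,DC=servername,DC=net
givenName: Alice
sn: Admin
mail: alice@servername.net

dn: CN=Bob Builder,CN=Users,DC=servername,DC=net
givenName: Bob
mail: bob@servername.net

dn: CN=Scan Service,OU=Service,DC=servername,DC=net
mail: scan@servername.net
"""

def parse_ldif(text):
    """Parse plain 'attr: value' records (no base64 values or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key, []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def in_base(dn, base_dn):
    """True if dn is at or below base_dn (case-insensitive; escaped commas not handled)."""
    norm = lambda s: ",".join(part.strip().lower() for part in s.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)

def audit(ldif_text, base_dn, service_email):
    """Return ({dn: missing attributes}, True if service_email belongs to a user under base_dn)."""
    missing, service_ok = {}, False
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        if not in_base(dn, base_dn):
            continue
        gaps = [a for a in REQUIRED if not any(entry.get(a, []))]
        if gaps:
            missing[dn] = gaps
        if service_email.lower() in (m.lower() for m in entry.get("mail", [])):
            service_ok = True
    return missing, service_ok
```

Calling `audit(SAMPLE_LDIF, "cn=Users,dc=servername,dc=net", "alice@servername.net")` reports the one user without a last name and confirms that the service account email resolves inside the base DN.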

App Controller supports three types of Active Directory synchronization:

  • Initial synchronization. When you log on to the management console for the first time, you configure Active Directory settings in the initial wizard along with network and email settings. When you save the settings, App Controller synchronizes with Active Directory.
  • Periodic synchronization. App Controller contacts Active Directory every five minutes to determine if there are any changes in Active Directory. App Controller looks for users added, removed, and modified in Active Directory. App Controller also looks for group membership changes and new and removed groups.
  • Manual synchronization. You can synchronize with Active Directory at any time by using the Refresh from Active Directory link on the Settings tab in the App Controller management console. When you synchronize, App Controller updates all users from Active Directory and determines any changes to the user records. This synchronization can take as long as the initial synchronization and depends on the size of Active Directory. This synchronization also returns changes to users and groups, including group membership.

You can change the Active Directory domain name in App Controller by using either the initial wizard or the Active Directory link on the Settings tab. If you change the domain name, App Controller synchronizes with Active Directory in the new domain, which can take some time depending on the size of Active Directory.

To manually synchronize with Active Directory

  1. In the App Controller management console, click Settings at the top of the page.
  2. In the left pane, under Quick Links, click Refresh from Active Directory.

    A message appears when synchronization is complete.