Product Documentation

Adding Active Directory Domains to App Controller

Mar 31, 2015

App Controller uses Active Directory groups and users. You configure Active Directory in two ways:

  • With the Configure wizard when you log on to the App Controller management console for the first time. This domain is considered the default domain.
  • On the Settings tab where you can configure multiple Active Directory domains.

With Active Directory, you can:

  • Create roles in App Controller that map to one or more Active Directory groups within multiple domains.
  • Create and remove user application accounts based on their Active Directory group membership by using applications assigned to roles.
  • Create workflows for manager approval of user accounts for applications.

Important: When you add users to Active Directory, you must enter the first name and last name in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals, and when they attempt to start an app they receive a message that they are not authorized to use the app. The administrator account must be recognized by all corresponding Active Directory domains you configure in App Controller.

When App Controller synchronizes with Active Directory, either after you first configure Active Directory in App Controller or when you synchronize manually, the length of time the synchronization takes depends on the size of Active Directory. If you have a large number of users and groups, this process can take a few hours. During this time, you cannot configure any other settings in Active Directory. If you enter a group DN when you first configure Active Directory, the synchronization completes more quickly. For example, you enter cn=Users,dc=servername,dc=net, where cn=Users is the group base DN and servername is the name of the Active Directory server. When the initial synchronization is finished, App Controller logs you off from the management console and returns to the management console logon page.

Note: If you provide the root level base DN, such as dc=mycompany,dc=com, App Controller retrieves users in child domains. To prevent retrieval of child domain users, provide specific user base DN paths that relate to the parent domain.

Configuring Multiple Active Directory Domains

After you configure one Active Directory domain by using the Configure wizard, you can add additional Active Directory domains on the Settings > Active Directory tab in the App Controller management console.

When you configure Active Directory domains, you provide the server information including:

  • IP address
  • Port
  • Domain name
  • Service account
  • Password
  • User base DN
  • Group base DN
  • SSL support

You can configure Active Directory domains in the following ways:

  • One Active Directory instance per domain. You can specify multiple base DNs in each domain. Separate each base DN with a semi-colon (;).
  • Two domains that belong to different Windows Server trees.
  • Two domains that belong to different Windows Server forests.

For each domain, the service account you specify must be able to access the base DN for each domain. App Controller does not maintain any internal relationship between managed domains. You can manage multiple Active Directory domains as separate instances. When you configure multiple Active Directory domains, Citrix recommends that you use the User Principal Name (UPN) so you can include the domain name.

If you configure multiple domains, keep the following in mind:

  • Only users in the default domain can log on directly to App Controller.
  • Logons from users in other domains must be authenticated by NetScaler Gateway.
  • Domains configured in App Controller and NetScaler Gateway must match.
  • Domains configured in App Controller and StoreFront must match when StoreFront is used as the authentication server.

If StoreFront is used as the authentication server, the domain information must be included in the token validation response from StoreFront. You can use sAMAccountName (domain\user name) or UPN (user@domain) for user logon.
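The following added example, which is not part of the App Controller documentation or product, shows how the two logon forms above are parsed and how the multi-domain rules in this section decide which path may authenticate a logon: users of the default domain directly, users of other configured domains only through NetScaler Gateway, and any domain that is not configured rejected because the domains on both sides must match. The NetBIOS-to-DNS mapping, the domain names and the function names are assumptions made for the example.

```python
"""Logon-name handling for the multi-domain rules described above.

Added example, not App Controller code. It parses both logon forms the page
mentions (sAMAccountName as domain\\user, UPN as user@domain) and applies the
stated rules: only users of the default domain may log on directly, users of
other configured domains must be authenticated by NetScaler Gateway, and a
domain that is not configured is rejected because the domains on both sides
must match. The NetBIOS-to-DNS mapping is an assumption needed to compare a
domain\\user prefix with the DNS domain names that App Controller stores.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonName:
    user: str
    domain: str  # DNS domain name, lower case
    form: str    # "sAMAccountName" or "UPN"


def parse_logon_name(value: str, netbios_to_dns: dict[str, str]) -> LogonName:
    """Parse domain\\user or user@domain; a NetBIOS prefix is mapped to its DNS name."""
    value = value.strip()
    if "\\" in value:
        prefix, _, user = value.partition("\\")
        if not prefix or not user:
            raise ValueError(f"malformed logon name: {value!r}")
        # The short name before the backslash is a NetBIOS domain name; an
        # unmapped one is kept as-is and will not match any configured domain.
        domain = netbios_to_dns.get(prefix.upper(), prefix)
        return LogonName(user=user, domain=domain.lower(), form="sAMAccountName")
    if "@" in value:
        user, _, domain = value.rpartition("@")
        if not user or not domain:
            raise ValueError(f"malformed logon name: {value!r}")
        return LogonName(user=user, domain=domain.lower(), form="UPN")
    raise ValueError(f"logon name {value!r} carries no domain; use domain\\user or user@domain")


def logon_route(value: str, default_domain: str, configured_domains: set[str],
                netbios_to_dns: dict[str, str]) -> str:
    """Return 'direct', 'gateway' or 'reject' for a logon name."""
    name = parse_logon_name(value, netbios_to_dns)
    configured = {d.lower() for d in configured_domains}
    if name.domain not in configured:
        return "reject"   # domain not configured in App Controller: no match possible
    if name.domain == default_domain.lower():
        return "direct"   # default-domain users may log on to App Controller directly
    return "gateway"      # other configured domains: NetScaler Gateway must authenticate


# Constructed configuration: one default domain plus a second domain in another forest.
DEFAULT_DOMAIN = "mycompany.net"
CONFIGURED_DOMAINS = {"mycompany.net", "partner.example"}
NETBIOS_TO_DNS = {"MYCOMPANY": "mycompany.net", "PARTNER": "partner.example"}  # assumption


if __name__ == "__main__":
    for logon in ("MYCOMPANY\\alice", "alice@mycompany.net", "PARTNER\\bob", "carol@unknown.example"):
        route = logon_route(logon, DEFAULT_DOMAIN, CONFIGURED_DOMAINS, NETBIOS_TO_DNS)
        print(f"{logon:24} -> {route}")
```

Running the block prints one routing decision per constructed logon name; a logon string without any domain part raises ValueError, since the page states that the domain must be included when multiple domains are configured.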

Modifying and Deleting Active Directory Domains

You can modify and delete Active Directory domains in App Controller. App Controller retrieves users and groups when you add each domain. If you modify a domain and change the user or group base DN, App Controller synchronizes with Active Directory again.

You can delete one domain at a time and you cannot delete the default domain. When you delete a domain, App Controller marks all of the users in the domain as terminated users. These users lose access to role-based apps. App Controller also deletes pending workflows and provisioning requests. User accounts reconciled to terminated users are processed according to the app configuration (ignore, disable, or delete).

Important: If you delete a domain, you cannot add the same domain to App Controller again.

Adding and Synchronizing Active Directory Domains

You can add multiple Active Directory domains to App Controller. After you add a domain, click the Sync icon to retrieve users and groups from the Active Directory domain.

To add Active Directory domains

  1. In the App Controller management console, click Settings at the top of the page.
  2. In the left pane, under System Configuration, click Active Directory.
  3. In the details pane, click Add.
  4. In Server and Port, enter the IP address and port number of the Active Directory server. The default port number is 389.
  5. In Domain name, add the Active Directory domain, such as mycompany.net. When you add the domain name, User Base DN and Group Base DN populate automatically.
  6. In User Base DN and Group Base DN, enter any other parameters, such as cn=Users.

    A warning appears if the base DN is a top-level domain.

  7. In Service Account, add the email address of the administrator account. You can use either the sAMAccountName, in which users log on with domain\user, or the User Principal Name (UPN) in which users log on with user@mycompany.com.
    Note: All Active Directory domains that you add to App Controller must recognize this service account.
  8. In Password and Confirm Password, enter the password of the service account and then click Save.

When you configure the settings with only the top-level domain as the base DN, the Add Domain dialog box appears as in the following figure:

Adding an Active Directory Domain

To remove the warning message, configure a subdomain as part of the base DN. For example, enter cn=Users,dc=mycompany,dc=net.
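The following added example, which is not part of the App Controller documentation or product, reproduces offline the base DN behaviour described in this procedure and in the multiple-domain section above: the default base DN that is populated from the domain name, the semicolon-separated list of base DNs per domain, and the warning for a top-level (dc-only) base DN, which also retrieves users from child domains. DNs are handled in the simplified form the page uses (comma-separated attr=value components, no RFC 4514 escaping), which is an assumption, as are the function names.

```python
"""Base DN checks for the Active Directory settings described above.

Added example, not App Controller code. It reproduces offline three things
the page describes: the default base DN that is derived from the domain
name, the semicolon-separated list of base DNs per domain, and the warning
for a top-level (dc-only) base DN, which also retrieves child-domain users.
DNs are handled in the simplified form the page uses (comma-separated
attr=value components, no RFC 4514 escaping), which is an assumption.
"""


def domain_to_base_dn(domain_name: str) -> str:
    """mycompany.net -> dc=mycompany,dc=net, the value populated automatically."""
    labels = [p for p in domain_name.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, most specific component first."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed component {part!r} in {dn!r}")
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    if not rdns:
        raise ValueError("empty DN")
    return rdns


def split_base_dns(value: str) -> list[str]:
    """Several base DNs for one domain are entered separated by semicolons."""
    return [p.strip() for p in value.split(";") if p.strip()]


def is_top_level(dn: str) -> bool:
    """True when every component is dc=, i.e. the DN names the domain root."""
    return all(attr == "dc" for attr, _ in parse_dn(dn))


def check_base_dns(value: str, domain_name: str) -> list[str]:
    """One finding per base DN: ok, the top-level warning, or a domain mismatch."""
    expected = domain_name.strip().lower().split(".")
    findings = []
    for dn in split_base_dns(value):
        dcs = [v.lower() for attr, v in parse_dn(dn) if attr == "dc"]
        if dcs[-len(expected):] != expected:
            # The dc components must end with the configured domain's own dc suffix.
            findings.append(f"{dn}: dc components do not match domain {domain_name}")
        elif is_top_level(dn):
            findings.append(f"{dn}: top-level base DN; users in child domains are also retrieved")
        else:
            findings.append(f"{dn}: ok")
    return findings


if __name__ == "__main__":
    domain = "mycompany.net"
    print("default base DN:", domain_to_base_dn(domain))
    for line in check_base_dns("dc=mycompany,dc=net; cn=Users,dc=mycompany,dc=net", domain):
        print(line)
```

A base DN of a child domain, such as dc=child,dc=mycompany,dc=net, passes the suffix check but still triggers the top-level warning, because it is a dc-only DN; narrowing it to a container such as cn=Users clears the warning, as the procedure above describes.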

To manually synchronize with Active Directory

App Controller supports the following three types of Active Directory synchronization:

  • Initial synchronization. When you log on to the management console for the first time, you configure Active Directory settings in the initial wizard along with network and email settings. When you save the settings, App Controller synchronizes with Active Directory.
  • Periodic synchronization. App Controller contacts Active Directory every five minutes to determine if there are any changes in Active Directory. App Controller looks for added, removed, and modified users in Active Directory. App Controller also looks for group membership changes and new and removed groups. This periodic synchronization starts for domains that have previously retrieved users and groups. The earlier synchronization must be successful for the periodic synchronization to run.
  • Manual synchronization. You can synchronize with Active Directory at any time by using the synchronize icon next to the Active Directory domain in the App Controller management console. When you synchronize, App Controller updates all users from Active Directory for that domain and determines any changes to the user records. This synchronization can take as long as the initial synchronization and depends on the size of Active Directory. This synchronization also returns changes to users, including group membership. You can start synchronization for all managed domains. The App Controller synchronization process runs in the background, one domain after another. When you manually synchronize, App Controller displays a progress bar so you can track the progress.

  1. In the App Controller management console, click Settings at the top of the page.
  2. In the left pane, under System Configuration, click Active Directory.
  3. In the details pane, under Actions, click the Sync icon for the domain with which you want to synchronize.
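The following added example, which is not part of the App Controller documentation or product, models offline what the periodic synchronization described above looks for. Two constructed snapshots of one domain's users and groups stand in for two directory reads five minutes apart; diff_snapshots() classifies the changes between them (users added, removed and modified, groups added and removed, membership changes), and find_unsyncable_users() flags users without a first or last name, which the Important note at the top of this page says App Controller cannot synchronize. givenName and sn are the standard Active Directory attribute names; the snapshot layout, the sample entries and the function names are assumptions.

```python
"""Offline model of the periodic synchronization described above.

Added example, not App Controller code. Two constructed snapshots of one
domain's users and groups stand in for two directory reads five minutes
apart; diff_snapshots() reports the kinds of change the page lists (users
added, removed and modified, groups added and removed, membership changes),
and find_unsyncable_users() flags users without a first or last name, which
the page says cannot be synchronized. givenName and sn are the standard
Active Directory attribute names; the snapshot layout (users keyed by DN
with an attribute dict, groups keyed by DN with a member list) is an assumption.
"""

BASE = "cn=Users,dc=mycompany,dc=net"

# Constructed snapshot taken at time T0.
SNAPSHOT_T0 = {
    "users": {
        f"cn=alice,{BASE}": {"givenName": "Alice", "sn": "Adams", "mail": "alice@mycompany.net"},
        f"cn=bob,{BASE}": {"givenName": "Bob", "sn": "Brown", "mail": "bob@mycompany.net"},
        f"cn=svc-appc,{BASE}": {"givenName": "", "sn": ""},  # service account, no names set
    },
    "groups": {
        f"cn=Finance,{BASE}": [f"cn=alice,{BASE}"],
        f"cn=Sales,{BASE}": [f"cn=bob,{BASE}"],
    },
}

# Constructed snapshot five minutes later: carol joins, bob's surname is
# corrected, alice is added to Sales, and an Engineering group appears.
SNAPSHOT_T1 = {
    "users": {
        f"cn=alice,{BASE}": {"givenName": "Alice", "sn": "Adams", "mail": "alice@mycompany.net"},
        f"cn=bob,{BASE}": {"givenName": "Bob", "sn": "Browne", "mail": "bob@mycompany.net"},
        f"cn=carol,{BASE}": {"givenName": "Carol", "sn": "Clark", "mail": "carol@mycompany.net"},
        f"cn=svc-appc,{BASE}": {"givenName": "", "sn": ""},
    },
    "groups": {
        f"cn=Finance,{BASE}": [f"cn=alice,{BASE}"],
        f"cn=Sales,{BASE}": [f"cn=bob,{BASE}", f"cn=alice,{BASE}"],
        f"cn=Engineering,{BASE}": [f"cn=carol,{BASE}"],
    },
}


def find_unsyncable_users(users: dict) -> list[str]:
    """DNs of users lacking givenName or sn; App Controller cannot synchronize them."""
    return sorted(dn for dn, attrs in users.items()
                  if not attrs.get("givenName") or not attrs.get("sn"))


def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify the changes between two snapshots the way a periodic sync would."""
    old_users, new_users = old["users"], new["users"]
    old_groups, new_groups = old["groups"], new["groups"]
    common_users = set(old_users) & set(new_users)
    common_groups = set(old_groups) & set(new_groups)

    # Membership changes are only reported for groups present in both snapshots;
    # a new or removed group is reported as such instead.
    membership = []
    for group in sorted(common_groups):
        joined = sorted(set(new_groups[group]) - set(old_groups[group]))
        left = sorted(set(old_groups[group]) - set(new_groups[group]))
        if joined or left:
            membership.append({"group": group, "joined": joined, "left": left})

    return {
        "users_added": sorted(set(new_users) - set(old_users)),
        "users_removed": sorted(set(old_users) - set(new_users)),
        "users_modified": sorted(dn for dn in common_users if old_users[dn] != new_users[dn]),
        "groups_added": sorted(set(new_groups) - set(old_groups)),
        "groups_removed": sorted(set(old_groups) - set(new_groups)),
        "membership_changes": membership,
    }


if __name__ == "__main__":
    for key, value in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{key}: {value}")
    print("cannot synchronize:", find_unsyncable_users(SNAPSHOT_T1["users"]))
```

Running find_unsyncable_users() against a snapshot before the initial synchronization is a quick way to find accounts that will later be reported as not authorized to use an app because their first or last name is missing in Active Directory.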