Integrate Active Directory with Commander

Snow Commander can leverage an existing Active Directory (AD) server to provide multi-tenant role-based access control (RBAC) for different departments or organizations.

Integrating Commander with directory services is optional. If you don't use Active Directory or LDAP, you can set up local user accounts directly in Commander. For information, see Add user or group accounts and assigning Commander roles.

AWS Managed Microsoft AD disallows operations by customers that would interfere with managing the directory service. Therefore, AWS restricts access to directory objects, roles, and groups that require additional permissions. As an alternative, you can connect through LDAP to the directory service.

Add Active Directory servers to Commander

Access:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

  1. Click the Authentication tab.
  2. In the Directory Services section, click Add and select AD.
  3. In the Configure Active Directory dialog, in the Name field, enter a display name of your choice to identify the AD server.
  4. In the Username field, enter a domain user account for the Active Directory server. Use the standard username@domain format.

    You can use any user account that already belongs to the domain because only read access permission is required. If you want to specifically add a service account that doesn't belong to the domain users group, that account must have List Contents, Read All Properties and Read Permissions enabled.

    To ensure that AD users can sign in, make sure that the primary and secondary Active Directory server addresses are in the same realm.

  5. In the Password field, enter the password for that domain account.
  6. Do one of the following:
    1. If you want Commander to automatically look up the domain controller, select Lookup domain controller via DNS.
    2. If you want to specify your domain controller, select Use specified domain controller and enter the FQDN of the domain controller. Don't use the IP address.
  7. To enable LDAPS to ensure security of data transmission, select Use LDAPS (SSL).
  8. To enable the use of Active Directory, select Enabled.
  9. Click OK.
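The following pre-flight check is an added example for the settings described in the steps above; it is not part of Snow Commander. It assumes a Windows host with the DnsClient and ActiveDirectory PowerShell modules, run with an account that can read the domain, and the domain, service-account and domain-controller names are placeholders to replace. It verifies the three things the steps depend on: the username@domain format, the DNS lookup path for the domain controller (the `_ldap._tcp.dc._msdcs` SRV record), and an LDAPS listener on port 636 whose certificate validates against the FQDN, plus whether the account actually holds the List Contents, Read All Properties and Read Permissions rights on the domain root.

```powershell
# Added pre-flight check for the Active Directory settings above. Example code,
# not part of Snow Commander. Assumes the DnsClient and ActiveDirectory modules;
# the domain, account and controller names are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$Domain           = 'corp.example.com'                 # placeholder: your AD domain
$ServiceAccount   = 'svc-commander@corp.example.com'   # placeholder: the Username field value
$DomainController = ''                                 # placeholder: FQDN for "Use specified domain controller", '' for DNS lookup

# Step 4: the Username field expects username@domain (UPN) format.
function Test-UpnFormat {
    param([string]$Upn)
    return $Upn -match '^[^@\s]+@[^@\s]+\.[^@\s]+$'
}

# Step 6a: "Lookup domain controller via DNS" relies on the _ldap._tcp.dc._msdcs SRV record.
function Get-DomainControllersViaDns {
    param([string]$Domain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, Weight |
        Select-Object -ExpandProperty NameTarget
}

# Step 7: "Use LDAPS (SSL)" needs a TLS listener on 636 whose certificate chains to a CA
# the Commander host trusts and whose name matches the FQDN (one reason not to use an IP).
function Test-Ldaps {
    param([string]$Dc)
    $client = New-Object System.Net.Sockets.TcpClient($Dc, 636)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Dc)    # throws if the chain or host name does not validate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            DomainController = $Dc
            Protocol         = $ssl.SslProtocol
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

# Step 4 note: List Contents, Read All Properties and Read Permissions map to the
# ListChildren, ReadProperty and ReadControl rights. An ACE whose ObjectType is not
# the empty GUID grants ReadProperty for one property only, not all properties.
function Get-ReadRightsOnDomainRoot {
    param([string]$SamAccountName)
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match "\\($SamAccountName|Authenticated Users|Domain Users)$"
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity      = $_.IdentityReference.Value
                ListContents  = $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ListChildren)
                ReadAllProps  = $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
                ReadPerms     = $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadControl)
                AllProperties = ($_.ObjectType -eq [guid]::Empty)
            }
        }
}

if (-not (Test-UpnFormat $ServiceAccount)) {
    throw "Username must use the username@domain format: $ServiceAccount"
}
$sam  = $ServiceAccount.Split('@')[0]
$user = Get-ADUser -Identity $sam -Properties Enabled, LockedOut, PasswordExpired
"Account {0}: Enabled={1} LockedOut={2} PasswordExpired={3}" -f $user.SamAccountName, $user.Enabled, $user.LockedOut, $user.PasswordExpired

$targets = if ($DomainController) { @($DomainController) } else { Get-DomainControllersViaDns -Domain $Domain }
"Domain controllers to test: $($targets -join ', ')"
foreach ($dc in $targets) { Test-Ldaps -Dc $dc | Format-List }

Get-ReadRightsOnDomainRoot -SamAccountName $sam | Format-Table -AutoSize
```

Run it on the Commander host so that the certificate validation in Test-Ldaps uses the same trust store Commander will use; an AuthenticationException there is the failure to resolve before selecting Use LDAPS (SSL). The rights table lists entries for the account itself and for the Authenticated Users and Domain Users groups, since the text notes that any existing domain user already has the read access required; the account-specific rows matter only for a dedicated service account outside the domain users group.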

Set up email notification for directory services issues

You can configure Commander to notify administrators when directory services connection issues occur.

Access:

Configuration > System > Notifications

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Under For Directory Services Connection Issues, click Add.
  2. In the Manage Directory Service Notifications dialog, enter the full user ID and click the ellipsis (...) button.

    The user account information is displayed.

  3. Click OK.

Troubleshooting

IP address errors

If you see an error after specifying an IP address for your AD server in Commander, you must add an SPN (Service Principal Name) to your AD server by running the following command on your AD server:

setspn -S ldap/<ipaddress> <hostname>

where <ipaddress> and <hostname> are the values returned by the ipconfig and hostname commands.

Handling clock skew issues

If you're unable to sign in with a directory services account, and you see messages in the Commander identity service log similar to those below, see the Snow Globe article Resolving Clock Skew Issues.

2022-03-12 14:10:33,765 [https-bio-443-exec-7] ERROR - Kerberos error: Clock skew too great (37)
2022-03-12 14:10:33,999 [https-bio-443-exec-7] ERROR - Failed to validate user directory [[ACTIVE_DIRECTORY - Omega]]: Security .UDPrimaryValidationFailed)
2022-03-12 14:11:18,096 [https-bio-443-exec-7] ERROR - Kerberos error: Pre-authentication information was invalid
2022-03-12 14:11:18,096 [https-bio-443-exec-5] ERROR - Failed to validate user directory [[ACTIVE_DIRECTORY - Omega]]: Security.UD.PriamryValidationFailed
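As an added example for the troubleshooting above (not Commander's own tooling), the script below parses identity service log lines of the format shown, groups the Kerberos errors it finds, and flags the clock-skew case; Kerberos error 37 is KRB_AP_ERR_SKEW. A second function measures the offset between the local clock and a domain controller's clock over CIM, since the default Kerberos tolerance is 5 minutes. The sample lines are the excerpt above embedded as input, and the domain controller name is a placeholder.

```powershell
# Added example for the clock-skew troubleshooting above. Example code, not part
# of Snow Commander. The sample lines are the log excerpt from the page; the
# domain controller FQDN is a placeholder.

# Log excerpt from the page, embedded here as sample input.
$sampleLog = @'
2022-03-12 14:10:33,765 [https-bio-443-exec-7] ERROR - Kerberos error: Clock skew too great (37)
2022-03-12 14:10:33,999 [https-bio-443-exec-7] ERROR - Failed to validate user directory [[ACTIVE_DIRECTORY - Omega]]: Security .UDPrimaryValidationFailed)
2022-03-12 14:11:18,096 [https-bio-443-exec-7] ERROR - Kerberos error: Pre-authentication information was invalid
2022-03-12 14:11:18,096 [https-bio-443-exec-5] ERROR - Failed to validate user directory [[ACTIVE_DIRECTORY - Omega]]: Security.UD.PriamryValidationFailed
'@

# One log line: "<timestamp> [<thread>] <LEVEL> - <message>"
$linePattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?<thread>[^\]]+)\] (?<level>\w+) - (?<msg>.*)$'

function Get-KerberosErrors {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $linePattern -and $Matches.msg -like 'Kerberos error:*') {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss,fff', [cultureinfo]::InvariantCulture)
                Thread    = $Matches.thread
                Reason    = ($Matches.msg -replace '^Kerberos error:\s*', '')
            }
        }
    }
}

# Group by reason; "Clock skew too great (37)" is KRB_AP_ERR_SKEW, the case this section covers.
function Get-KerberosErrorSummary {
    param([string[]]$Lines)
    Get-KerberosErrors -Lines $Lines |
        Group-Object Reason |
        ForEach-Object {
            [pscustomobject]@{
                Reason    = $_.Name
                Count     = $_.Count
                FirstSeen = ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp
                ClockSkew = ($_.Name -like 'Clock skew too great*')
            }
        }
}

# Offset between this host's clock and a domain controller's clock, read over CIM (WinRM).
# Kerberos rejects requests once the difference exceeds the domain's tolerance, 5 minutes by default.
function Get-ClockOffsetToDc {
    param([string]$Dc)
    $remote = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Dc
    $offset = (Get-Date) - $remote.LocalDateTime
    [pscustomobject]@{
        DomainController = $Dc
        OffsetSeconds    = [math]::Round($offset.TotalSeconds, 1)
        WithinTolerance  = ([math]::Abs($offset.TotalSeconds) -lt 300)
    }
}

$lines = $sampleLog -split "`r?`n"
Get-KerberosErrorSummary -Lines $lines | Format-Table -AutoSize

# Set the DC name and uncomment to check the live clock offset from the Commander host:
# Get-ClockOffsetToDc -Dc 'dc01.corp.example.com'   # placeholder FQDN
```

To run it against a real log, replace `$lines` with `Get-Content` of the identity service log file. The measured offset includes the CIM round trip, so treat values of a second or two as noise; an offset approaching the 5-minute tolerance on the Commander host is the condition that produces the error 37 lines above.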

Remove Active Directory servers

If you remove access to a user directory, all user accounts in that directory are unable to access Commander.

Access:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

  1. Click the Authentication tab.
  2. Select the directory service, then select Delete.
  3. Confirm the deletion.