Copyright © 2010 to present CRYPTOCard Corporation. All Rights Reserved http://www.cryptocard.com
Active Directory Synchronization Agent for
CRYPTO-MAS1.7
Rev 2.0
CRYPTO-MAS Active Directory Synchronization Agent i
Revision History
Version   Date         Description                          Product
Rev 1     2009.04.24   Initial Publication                  CRYPTO-MAS v1.7
Rev 2     2009.12.21   Updated for new functionality        CRYPTO-MAS v1.7
Rev 3     2010.10.20   Updated for supported characters     CRYPTO-MAS v1.7
Minimum System Requirements
Item                                                  Minimum Size/Performance
Microsoft .NET Framework                              2.0 SP1
Microsoft Windows XP, 2003 or 2008 Server             32-bit O/S
Additional Information, Assistance, or Comments
CRYPTOCard’s technical support specialists can provide assistance when planning and
implementing CRYPTOCard in your network. In addition to aiding in the selection of the
appropriate authentication products, CRYPTOCard can suggest deployment procedures that
provide a smooth, simple transition from existing access control systems and a satisfying
experience for network users. We can also help you leverage your existing network
equipment and systems to maximize your return on investment.
To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
For information about obtaining a support contract, see our Support Web page at
http://www.cryptocard.com.
Related Documentation
Refer to the Support & Downloads section of the CRYPTOCard website for additional
documentation and interoperability guides: http://www.cryptocard.com
Copyright
Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language in any form or by any means without the written permission of CRYPTOCard.
Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN and
CRYPTO-MAS are registered trademarks or trademarks of CRYPTOCard Inc.
Microsoft Windows is a registered trademark of Microsoft Corporation. All other trademarks,
trade names, service marks, service names, product names, and images mentioned and/or
used herein belong to their respective owners.
Table of Contents
Purpose ............................................ 1
Operation .......................................... 1
Usage Considerations ............................... 1
User Creation and Deletion ......................... 2
Security Features .................................. 3
Limitations ........................................ 3
Configuration ...................................... 3
  Company Setup in CRYPTO-MAP ...................... 4
  Token Allocation ................................. 4
  Activation Code and CRYPTO-MAS URL ............... 4
  Synchronization Agent Installation (Customer Site) 4
  Active Directory Tab ............................. 5
  Services Tab ..................................... 7
  Notification Tab ................................. 8
  Template Tab ..................................... 9
Troubleshooting .................................... 10
Purpose
The Active Directory Synchronization Agent has been developed to simplify the task of user
creation in CRYPTO-MAS. Without the agent, the administrator must manually input user
information including logon ID via the CRYPTO-MAP interface. Once installed, the agent
monitors a specified Active Directory group for membership changes and updates user
information in CRYPTO-MAS to reflect these changes.
Operation
The agent is a Windows® application that must be installed and configured at the customer site.
When enabled, the agent monitors user membership to a specified Active Directory group.
Users that are added or removed from the group are correspondingly added or removed from
CRYPTO-MAS. In addition, if a user’s Active Directory account becomes locked or suspended,
the Agent will cause the token assigned to the user to be suspended at the next synchronization
interval. Likewise, a suspended account will be reactivated during synchronization if the
account is no longer locked or suspended in Active Directory. If a user is removed from the
monitored group, the user will be removed from CRYPTO-MAS at the next synchronization
interval and the assigned token will be returned to the pool.
Usage Considerations
• This Agent can only be used with Active Directory. Other LDAP servers are not
supported.
• This Agent replaces any other form of User creation. If enabled, all users in CRYPTO-MAP
must be created by the Agent. Any pre-existing UserIDs or any created manually through
the CRYPTO-MAP interface will be removed at the next synchronization interval.
• The Agent does not monitor the entire Directory. It only monitors for changes in
membership to a specified group. This allows the Agent to differentiate between users that
should and should not be synchronized.
• No schema changes are required and nothing is written to Active Directory.
• A user account and password must be available for use by the Agent to allow connection to
the directory.
• Connections between the Agent and Active Directory can be over SSL. Data passed between
the Agent and CRYPTO-MAS is limited to the UserID, First Name, Last Name, Address,
Telephone / Mobile numbers and the Active Directory GUID for each account.
• The GUID is a unique number generated by the directory and maintained for the user
regardless of changes to the user account, including changes to the UserID. CRYPTO-MAS
uses the GUID, rather than the UserID, to maintain account synchronization and the association
of tokens to users. This means that UserIDs can change in Active Directory without
breaking the relationship between the user and tokens in CRYPTO-MAP.
• TCP Port 443 must be open to allow the Agent to transmit to CRYPTO-MAS.
User Creation and Deletion
• The number of tokens allocated to the CRYPTO-MAS account determines the maximum
number of users that can be imported by the agent. For example, if the organization has an
allocation of 10 tokens and 100 users in the monitored Active Directory group, only 10 users
will be imported into CRYPTO-MAS.
• Users within the Microsoft group must have the First Name, Last Name, Username and
Email address defined or they will not be created in CRYPTO-MAS.
• The Agent does not support the characters “&”, “<” and “>” in the First Name, Last Name,
Username or Email address of a user account. If found, the synchronization process will be
deferred until the user account has been removed or corrected.
• CRYPTO-MAS admin users (operators) will not be deleted if they are removed from the
Microsoft Group until their CRYPTO-MAS admin privilege has been revoked.
• If the Microsoft Group can no longer be found, the Active Directory Synchronization Agent
will defer user synchronization until the Microsoft Group reappears or a new Microsoft
Group is selected.
• If a user is removed from the monitored group, the user will be removed and the token
returned to the pool at the next synchronization interval.
• If a user account in the Microsoft group is suspended, the account in CRYPTO-MAS will
become suspended at the next synchronization interval. The token will remain assigned to
the user.
Security Features
• Connections between the Agent and Active Directory can be configured to use SSL.
• The data passed between the Agent and CRYPTO-MAS is limited to the UserID, First Name,
Last Name, Address, Telephone / Mobile numbers and the Active Directory GUID for each
account.
• All data transmitted between the Agent and CRYPTO-MAS is encrypted using AES256 then
sent over SSL (default) or http (optional). The encryption key is generated in the CRYPTO-
MAP interface (Activation Key) and is unique for every client.
• The Agent configuration file which contains the account and password and other
configuration information used by the Agent to connect to Active Directory and CRYPTO-
MAS is encrypted. It can only be read or modified by the Agent Synchronization Manager
application.
Limitations
If the agent is used, CRYPTO-MAP cannot be used to create UserIDs. This is to prevent
contradictions between manual CRYPTO-MAP user creation and the Agent. In addition, all user
accounts created by any other means will be automatically deleted during synchronization,
even if the manually created UserIDs are identical to those in Active Directory.
Configuration
The following steps must be completed in sequence for correct operation and synchronization.
Important: Any users manually created in MAP before or after the agent has been installed and
activated will automatically be removed from the system. If this agent is used, then ALL users
must be added through the monitored Active Directory group.
Company Setup in CRYPTO-MAP
Create a new company in MAP in the usual way. Check the Use LDAP checkbox under User
Storage to generate an Activation Code and prepare this account for Active Directory
synchronization.
Figure 1
Token Allocation
Ensure that the number of tokens allocated is equal to or greater than the number of users that
will be in the monitored Active Directory group. If the allocation is insufficient the
synchronization will fail. If the token count cannot be determined then the synchronization will
be deferred and an error reported in the log.
Activation Code and CRYPTO-MAS URL
Note the Activation Code as this will be required during configuration of the Agent.
Synchronization Agent Installation (Customer Site)
1. Download the CRYPTO-MAS LDAP Service.exe file.
2. Run the installer
3. The agent is configured post installation by launching the “Manager” application. The
default location is Program Files/CRYPTOCard/CRYPTO-MAS/Manager.
4. Populate the Primary Active Directory information in the Active Directory tab and then click
Apply. Do not start the agent until the Services tab is also populated.
Active Directory Tab
Use the Active Directory tab to configure the agent connection to Active Directory.
Figure 2
Where:
• Hostname: is the IP address or FQDN of Active Directory
• Port Number: is the connection port number. Default: 389
• BaseDN: is the point in Active Directory from where the agent will scan for users / group
membership changes
• UserDN: is the account that will be used by the agent to connect to Active Directory. The
entry should be entered in an email (user@domain) format.
Example: The BaseDN in Figure 2 is DC=ts, DC=cryptocard, DC=com, so the user “ccldap”
could be defined in UserDN as ccldap@ts.cryptocard.com.
• GroupDN: is the group to which the member must belong for synchronization with CRYPTO-
MAS. As shown in Figure 3, only the members of the CRYPTOMAS group will be
synchronized with CRYPTO-MAS.
An example of the CRYPTOCard Microsoft group entry would be CN=CRYPTOCard,
CN=Users, DC=ts, DC=cryptocard, DC=com.
• Test Group: allows the GroupDN entry to be tested for erroneous characters. Results of the
test are shown as an OK or Failed message.
• Password: is the password corresponding to the User DN account to be used by the Agent
to connect to Active Directory.
Figure 3
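The rules in User Creation and Deletion and the GroupDN setting above can be checked before the agent is started, so that users with missing attributes, unsupported characters, or a group larger than the token allocation are found by the administrator rather than discovered in the agent log. The following PowerShell script is an added example and is not part of the CRYPTOCard agent or its documentation. It assumes the ActiveDirectory module (RSAT) is installed, that the agent's “Username” field corresponds to the sAMAccountName and “Email” to the mail attribute (assumptions; the document does not name the attributes it reads), and that a “suspended” Active Directory account means one that is locked out or disabled. The GroupDN and token allocation are placeholder values.

```powershell
# Added example, not part of the CRYPTOCard agent or its documentation.
# Assumes the ActiveDirectory PowerShell module (RSAT) and that the agent's
# "Username" is the sAMAccountName and "Email" the mail attribute (assumptions;
# the manual does not name the attributes). GroupDN and token allocation below
# are placeholders.
Import-Module ActiveDirectory

function Test-SyncGroupReadiness {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupDN,
        [Parameter(Mandatory = $true)] [int]    $TokenAllocation
    )

    # Characters the agent does not support in First Name, Last Name, Username or Email.
    $badChars = [regex]'[&<>]'

    # Only user objects are imported; nested groups are expanded so the count
    # reflects what the agent would actually try to synchronize.
    $members = @(Get-ADGroupMember -Identity $GroupDN -Recursive |
                 Where-Object { $_.objectClass -eq 'user' })

    $problems = @()
    foreach ($m in $members) {
        # GivenName, Surname, SamAccountName and Enabled are returned by default;
        # mail and LockedOut must be requested explicitly.
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties mail, LockedOut
        $fields = @{
            'First Name' = $u.GivenName
            'Last Name'  = $u.Surname
            'Username'   = $u.SamAccountName
            'Email'      = $u.mail
        }
        foreach ($f in $fields.GetEnumerator()) {
            if ([string]::IsNullOrEmpty($f.Value)) {
                $problems += "$($u.SamAccountName): missing $($f.Key); the agent will not create this user"
            } elseif ($badChars.IsMatch($f.Value)) {
                $problems += "$($u.SamAccountName): $($f.Key) contains &, < or >; synchronization will be deferred"
            }
        }
        # Locked or disabled accounts cause the assigned token to be suspended at the next sync.
        if ($u.LockedOut -or -not $u.Enabled) {
            $problems += "$($u.SamAccountName): locked or disabled; its token will be suspended at the next synchronization"
        }
    }

    New-Object PSObject -Property @{
        MemberCount     = $members.Count
        TokenAllocation = $TokenAllocation
        ExceedsTokens   = ($members.Count -gt $TokenAllocation)
        Problems        = $problems
    }
}

# Usage with placeholder values: substitute the GroupDN entered in the Active Directory
# tab and the token allocation shown for the company in CRYPTO-MAP.
$report = Test-SyncGroupReadiness -GroupDN 'CN=CRYPTOCard,CN=Users,DC=ts,DC=cryptocard,DC=com' -TokenAllocation 10
if ($report.ExceedsTokens) {
    Write-Warning "$($report.MemberCount) users in the group but only $($report.TokenAllocation) tokens allocated; the excess users will not be imported."
}
$report.Problems | ForEach-Object { Write-Warning $_ }
```

Run the script under an account that can read the group and its members; since the agent never writes to Active Directory, the UserDN account it is given can likewise be a plain domain user with read access rather than a privileged one.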
Services Tab
The services tab is used to configure the agent connection to CRYPTO-MAS.
Figure 4
Where:
• CRYPTO-MAS AuthID: is the AuthID assigned to the CRYPTO-MAS subscriber organization
and displayed in the Home Tab within CRYPTO-MAP. The Auth ID was selected during the
signup process.
• Activation Code: is a unique code generated and displayed in CRYPTO-MAP for this
organization.
• Primary URL: this is the primary location to which the agent will attempt to synchronize
with CRYPTO-MAS.
• Secondary URL: this is the secondary location to which the agent will attempt to
synchronize with CRYPTO-MAS if a connection to the primary location fails.
• Execute Active Directory Search: specifies the synchronization frequency. This setting
should reflect the frequency of change expected in Active Directory.
Notification Tab
The notification tab is used to configure the agent to send an email notification in the event
that the connection between the Agent and Active Directory fails.
Figure 5
Where:
• SMTP Server/Host: is the SMTP server through which all notifications will be sent.
• User: is the username required to send email through the SMTP Server (optional).
• Password: is the password required to send email through the SMTP Server (optional).
• Send Active Directory down: will notify if there are connection issues with Active Directory.
• Send Resync group not found: will notify if the Microsoft Group can no longer be found.
• Added user to list: will notify when a user has been added to CRYPTO-MAS.
• Updated user list: will notify when a user has been updated in Active Directory.
• Removed user and deassigned token list: will notify when a user has been removed from
CRYPTO-MAS along with which token was deassigned (if applicable).
Template Tab
The template tab allows you to customize each notification email alert that was selected in the
Notification Tab.
Figure 6
Where:
• Notification name: allows for the customization of the particular notification.
• From: enter the email address the notification will be sent from. This field will
only accept a single email address.
• To: enter the email address of the recipient(s) into this field. If multiple entries are
required, a semi-colon must be used.
• CC: enter the email address of the recipient(s) into this field. If multiple entries are
required, a semi-colon must be used.
• BCC: enter the email address of the recipient(s) into this field. If multiple entries are
required, a semi-colon must be used.
• Subject: enter the subject of the current notification.
• Message: a default message that will provide an explanation of the current notification.
The content can be edited but the <LIST/> argument cannot be removed from the message.
Troubleshooting
To troubleshoot any issues with the Agent, detailed logging is written to the file:
C:\Program Files\CRYPTOCard\CRYPTO-MAS\ADAgent\log\CRYPTO-MAS-Service-DATE.log