18.03 Configuring Active Directory Authentication in UNItekTIME

You can configure UNItekTIME to authenticate requester logins against Active Directory (AD). The advantage is that users do not have to remember yet another password. Once AD authentication is configured, any password change made in AD also applies to UNItekTIME, so requesters log in with the login name and password they already use on the system.

UNItekTIME Active Directory integration concepts:

UNItekTIME supports two ways of using Active Directory authentication.
  1. The first option is automated: a user is added as an employee in UNItekTIME automatically if that user is a member of the corresponding mapped group in Active Directory.
    1. Using role management in the admin options, you can map a UNItekTIME role to an Active Directory group. A user is automatically assigned that role in UNItekTIME if he is a member of the corresponding group in Active Directory.
    2. For example, if an employee is a member of the UNItekTIME User group in [Active Directory], he is automatically added as an employee in UNItekTIME on first login, with the [User] role.
    3. By default, UNItekTIME ships with two roles and their corresponding Active Directory group mappings. You can define your own AD groups on the UNItekTIME Roles management page.
      1. AD Group [UNItekTIMEAdministrator] —> maps to the UNItekTIME [Administrator] role.
      2. AD Group [UNItekTIMEUser] —> maps to the UNItekTIME [User] role.
  2. The second way is to add all your employees manually in UNItekTIME. The administrator enters each employee's Active Directory username during new employee creation. Once an employee has been added with their Active Directory username, they can log in to UNItekTIME using their Active Directory username and password.

Step by step: Active Directory integration:

UNItekTIME Active Directory integration requires setup in two places: in Active Directory itself, and in the server parameters defined on the system configuration pages.

Step 1: Changes required in Active Directory:

Here are the steps that need to be done on the Active Directory side.
  1. The IT administrator should first decide exactly which Active Directory user will act as the UNItekTIME Administrator. In this help section, we assume one AD user with the username [LivetecsIT].
  2. Create a new [UNItekTIME Service User]. The UNItekTIME APIs use this username and password to communicate with Active Directory. Create a service user named “UNItekTIMEserviceuser”.

  3. Set a password for the “UNItekTIME Service User” and make sure that [Password never expires] is checked and [User must change password at next login] is unchecked.

  4. Create a new security group [UNItekTIMEAdministrator] in Active Directory.

  5. Add the user you want to act as UNItekTIME Administrator to the [UNItekTIMEAdministrator] group. This user will become [Administrator] in UNItekTIME. Make sure that this user has [First Name], [Last Name] and [EmailAddress] filled in in Active Directory.
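The Step 1 objects above, created with the ActiveDirectory PowerShell module, as an added example that is not part of the UNItekTIME documentation. The OU path is an assumed placeholder; the user and group names are the ones used in this guide, and the script must run on a domain-joined machine with RSAT as an account allowed to create users and groups in that OU.

```powershell
# Added example: provision the AD objects from Step 1 (service user, groups, membership).
Import-Module ActiveDirectory

# Assumed values: the OU is a placeholder; the names are the ones used in this guide.
$TargetOU  = "OU=ServiceAccounts,DC=example,DC=local"   # placeholder OU
$AdminUser = "LivetecsIT"                                # AD user that becomes the UNItekTIME Administrator
$SvcUser   = "UNItekTIMEserviceuser"                     # service user name from the guide

# Step 2/3: service user with "Password never expires" set and no forced change at next logon.
# The password is prompted for rather than written into the script.
$SvcPassword = Read-Host -AsSecureString "Password for $SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@$((Get-ADDomain).DNSRoot)" `
    -Path $TargetOU -AccountPassword $SvcPassword -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description "UNItekTIME directory lookup account"
# The service user only reads the directory; it needs no membership in any privileged group.

# Step 4: the security groups that UNItekTIME maps to its roles (created only if missing).
foreach ($g in "UNItekTIMEAdministrator", "UNItekTIMEUser") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $TargetOU
    }
}

# Step 5: put the future UNItekTIME administrator into the administrator group.
Add-ADGroupMember -Identity "UNItekTIMEAdministrator" -Members $AdminUser

# Check that the attributes UNItekTIME reads on first login are populated.
$u = Get-ADUser -Identity $AdminUser -Properties GivenName, Surname, EmailAddress
foreach ($attr in "GivenName", "Surname", "EmailAddress") {
    if ([string]::IsNullOrWhiteSpace($u.$attr)) {
        Write-Warning "$AdminUser is missing $attr; UNItekTIME needs it to create the employee record."
    }
}
```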

Step 2: Changes required in UNItekTIME:

  1. On first-time execution, after database setup, UNItekTIME first opens the [Account Add] page, where a user can enter their organization and administrator user information. Do not fill in this form if you are going to set up [Active Directory] integration.
  2. Open the [System Configuration] page (http://UNItekTIMEurl/home/systemsetting.aspx), where you can define system-level parameters such as Active Directory integration, the database connection string and the SMTP server.
[More about system setting page]
  1. Select the [Active Directory Authentication] checkbox to set your authentication mode to Active Directory.
  2. Enter “LDAP://YourServerName” in [Active Directory Connection String]. Replace YourServerName with the name of the physical server where Active Directory is installed. See the screenshots below to see exactly which value appears where.

  3. Enter the domain name in the [Active Directory Domain Name] field. This should be the pre-Windows 2000 domain name rather than the actual (full) domain name.
  4. Enter your [UNItekTIME Service User] username in the [Active Directory Username] field. The username must be in exactly the same case as in Active Directory. Make sure that the (pre-Windows 2000) username and the actual username are the same.
  5. Enter the [UNItekTIME Service User]'s password in the [Active Directory Password] field.
  6. Click [Update] to save these changes.
  7. After the update, UNItekTIME opens the new account add page.

  8. Enter your organization information in the top portion.
  9. Enter the [UNItekTIME Administrator username] that you earlier added to the [UNItekTIMEAdministrator] group in Active Directory. UNItekTIME automatically populates FirstName, LastName and email address from Active Directory.
  10. Enter the Active Directory password of the [UNItekTIME Administrator user] and verify it. This must be that user's Active Directory password.
  11. Enter First Name, Middle Name, and Last Name.
  12. Click [Sign up] to complete the Active Directory integration steps.
  13. This administrator can now sign in to UNItekTIME using his [UNItekTIME Admin] (LivetecsIT in the case above) Active Directory username and password.
  14. The administrator can now add other employees via [Administration] —> [Employees] by specifying the AD username in the [User name] field.
  15. New employees are added automatically if they are members of an AD group whose mapping to a UNItekTIME role has been defined.
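An added pre-flight check, not from the UNItekTIME documentation, that looks up the values Step 2 asks for (connection string, pre-Windows 2000 domain name, service username) and confirms that the service user can actually bind to the directory with them. It assumes the RSAT ActiveDirectory module on a domain-joined machine and the service user name from Step 1.

```powershell
# Added example: derive and verify the [System Configuration] values before typing them in.
Import-Module ActiveDirectory

$SvcUser     = "UNItekTIMEserviceuser"             # service user from Step 1
$SvcPassword = Read-Host "Password for $SvcUser"   # plain text is needed for the bind test; not stored

$domain     = Get-ADDomain
$Server     = $domain.PDCEmulator                  # any domain controller works; the PDC emulator is a safe default
$ConnString = "LDAP://$Server"                     # value for [Active Directory Connection String]

# [Active Directory Domain Name] expects the pre-Windows 2000 (NetBIOS) name, not the DNS root.
$NetBiosDomain = $domain.NetBIOSName

# [Active Directory Username] must match the sAMAccountName in exact case, and the guide requires
# the pre-Windows 2000 logon name and the UPN prefix to be the same. Also confirm Step 3's setting.
$svc = Get-ADUser -Identity $SvcUser -Properties UserPrincipalName, PasswordNeverExpires
$upnPrefix = ($svc.UserPrincipalName -split '@')[0]
if ($svc.SamAccountName -cne $upnPrefix) {
    Write-Warning "sAMAccountName '$($svc.SamAccountName)' and UPN prefix '$upnPrefix' differ; they should match."
}
if ($svc.PasswordNeverExpires -ne $true) {
    Write-Warning "$SvcUser does not have 'Password never expires' set; UNItekTIME lookups will break on expiry."
}

# Bind to the directory with the service credentials, the way UNItekTIME will.
Add-Type -AssemblyName System.DirectoryServices
$entry = New-Object System.DirectoryServices.DirectoryEntry($ConnString, "$NetBiosDomain\$SvcUser", $SvcPassword)
try {
    $null = $entry.NativeObject        # forces the bind; throws on bad credentials or an unreachable server
    $bindOk = $true
} catch {
    $bindOk = $false
    Write-Warning "LDAP bind as $NetBiosDomain\$SvcUser failed: $($_.Exception.Message)"
} finally {
    $entry.Dispose()
}

# The values to enter on the [System Configuration] page, plus the bind result.
[pscustomobject]@{
    'Active Directory Connection String' = $ConnString
    'Active Directory Domain Name'       = $NetBiosDomain
    'Active Directory Username'          = $svc.SamAccountName
    'Service user bind succeeded'        = $bindOk
}
```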

Note: Migrating from standard authentication to Active Directory authentication:

  1. If Active Directory is being set up to switch from an existing standard authentication setup to Active Directory authentication, the system redirects directly to the login page instead of the account add page. An administrator can log in with the UNItekTIME admin user created using the instructions above.
  2. Make sure that the email address of the UNItekTIMEAdministrator user is not already assigned to another user.
  3. This administrator can now log in to UNItekTIME using his [UNItekTIME Admin] (LivetecsIT in the case above) Active Directory username and password.
  4. After logging in, the administrator should edit every employee already defined in UNItekTIME and change the value of the “username” field from their email address to their Active Directory login ID.
  5. Once the Active Directory login ID is in the username field of the employee form, the employee can log in using their Active Directory username and password, with the data they already have in UNItekTIME.