Kaseya Community

User credentials from AD

  • Hello community,

    Goal: Use the login credentials from the AD for the VSA and KLC. When the AD account is disabled, the user cant login anymore.

    Problem: How to do this? 

    Tried: I haven't tried this yet, since I don't have a AD in my testlab. I read the documentation about the Domain probe, but this is more to install agents to business networks, correct? Also, the probe activation needs a domain admin account (which is against policy)? Is there no LDAP sync?

    I have so many questions on how it works. What rights (in the AD) does this domain account need to have to inherit the AD users. Are the passwords also the same? And what about SSO (as in, using the user login information from the windows session)?

    Anybody can point me towards the right documentation or can share their experience in doing these actions?

    Thanks!

  • Maurice,

    I have recently worked with this while setting up user accounts in AD for vendors and then creating them, and  imported them into Kaseya and giving them access to the Servers they needed to update.

    Discovery -> Domains -> Domain Watch

    Select the Domain in question and add a probe to one of the computers in the domain

    Click on Policies -> Users ->

    Since this would be a new setup all users should say under Policy "Do Not Include User" Click on that link for the user you want to set up, and from the drop down select create VSA user.

    Make sure the users in AD have an email setup, because if it is blank they will not import as a VSA user. I learned this the hard way.

    Here is an example of what the setup looks like

    helpdesk.kaseya.com/.../229036688-Adding-VSA-users-from-Active-Directory

    helpdesk.kaseya.com/.../229036748-VSA-users-using-AD-login-configured-from-discovery-are-unable-to-login

    help.kaseya.com/.../EN_kdisguide_R94.pdf

  • We do exactly what you are trying to achieve. Works generally fine. The only caveat is that you can't connect to the API using AD logins.

    The domain probe (Domain Watch) is also used for AD integration for VSA login. You install the probe on a target DC (we install one on each supported customer domain) and you can then enable individual users (or security groups) for VSA login.

    The probe will need a valid domain account to be able to run. The permissions it needs are much more related to deploying agents as it will modify group policy to do this, but it won't install without the right permissions in the first place. You can do it properly and delegate required permissions to an account, or you can fudge it with Domain Admin Zip it!. The permissions required are listed here.

    When you enable users from the interface you can specify what scope/role they have. 

    The first time they login, VSA will hash the password the user provided, and the probe will run a script against the AD domain to validate that hash. If it's successful VSA will also cache that hash for a period of time to speed up future logins.

    When you disable an AD account in AD, the next time a sync runs (every 1hr I think) it will pick this up and disable the related VSA account.

    There is some documentation on the Kaseya site http://help.kaseya.com/webhelp/EN/kdis/9050000/#10750.htm - but it is quite verbose and doesn't necessarily tell the whole story

    Hope that helps