Set up Active Directory authentication in LEM

Updated: September 15, 2017

Set up Active Directory authentication to allow users to log in to LEM with their Active Directory (AD) credentials.

 

Gather some required information

Before you begin, gather the following:

  • Either the IP address or fully-qualified domain name (FQDN) of the Active Directory server.
  • The domain credentials for an account that LEM can use to log in to Active Directory. SolarWinds recommends using a service account with a non-expiring password. This account does not need elevated privileges.

To get directory server details, open a Windows command prompt on a computer on the correct network and type nslookup.

Create a user in Active Directory that LEM can use to log in

  1. Log in to the domain controller and open Active Directory Users and Computers.
  2. Create a user account that LEM can use to log in to Active Directory. SolarWinds recommends using a service account with a non-expiring password. This account does not need elevated privileges (such as Domain Admin privileges).

Create custom security groups in Active Directory for LEM to use

User access in LEM is based on Active Directory group membership.
 

  • If you have at least LEM version 6.3.1 Hotfix 2, you can use your existing Active Directory groups for alerts, reports, and so on. Skip this section and go to the next section: Configure or View LDAP configuration settings in LEM.

  • If you have either LEM version 6.3.1, or LEM version 6.3.1 Hotfix 1, complete the steps in this section to create the required custom security groups in Active Directory.


To create custom security groups:

  1. Log in to the domain controller and open Active Directory Users and Computers.
  2. Create at least one security group called ROLE_LEM_ADMINISTRATORS. Group names must be identical to the names given below, otherwise users cannot log in to the LEM console. SolarWinds recommends creating LEM group names using capital letters to help you quickly identify LEM groups in Active Directory.

    You can add up to six of the following LEM custom groups:

    • ROLE_LEM_ADMINISTRATORS (Required if you are using LEM 6.3.1 Hotfix 1 or older.)
    • ROLE_LEM_ALERTS_ONLY
    • ROLE_LEM_AUDITOR
    • ROLE_LEM_GUESTS
    • ROLE_LEM_CONTACTS
    • ROLE_LEM_REPORTS
       

The ROLE_LEM_CONTACTS group is only used for email notification in rules. Users added to this group do not have login rights.
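The service account and role groups described above can also be created from PowerShell. This is an added example, not SolarWinds code: it assumes the ActiveDirectory module (RSAT) is installed, and the OU path, the account name svc-lem-ldap, and the example.com UPN suffix are placeholders. The role groups are only needed on LEM 6.3.1 and 6.3.1 Hotfix 1.

```powershell
# Added example. $ou, $svcName and the UPN suffix are placeholders.
Import-Module ActiveDirectory

$ou         = 'OU=LEM,DC=example,DC=com'   # hypothetical OU for LEM objects
$svcName    = 'svc-lem-ldap'               # hypothetical service account name
$roleGroups = 'ROLE_LEM_ADMINISTRATORS', 'ROLE_LEM_ALERTS_ONLY', 'ROLE_LEM_AUDITOR',
              'ROLE_LEM_GUESTS', 'ROLE_LEM_CONTACTS', 'ROLE_LEM_REPORTS'

# Service account that LEM uses to log in to Active Directory:
# an ordinary user with a non-expiring password.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName `
        -UserPrincipalName "$svcName@example.com" -Path $ou `
        -AccountPassword (Read-Host -Prompt "Password for $svcName" -AsSecureString) `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
}

# Least-privilege check: the account needs no elevated privileges, so report
# any membership beyond the default group. 'Domain Users' is the English
# default name; adjust it for a localized directory.
$extra = Get-ADPrincipalGroupMembership -Identity $svcName |
    Where-Object { $_.Name -ne 'Domain Users' }
if ($extra) {
    Write-Warning "$svcName is also a member of: $($extra.Name -join ', ')"
}

# Role groups. Names must match exactly, so create them from the list
# instead of typing each one by hand. Existing groups are left untouched.
foreach ($name in $roleGroups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -Path $ou `
            -GroupCategory Security -GroupScope Global `
            -Description 'SolarWinds LEM role group'
    }
}
```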

Configure or view Active Directory authentication settings in LEM

 

Your LDAP configuration settings are now complete.

To test the settings, log in with a user name and the fully-qualified domain name (FQDN). The user name and fully-qualified domain should be formatted as follows: user@example.com or example.com\user.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    You can also configure LDAP configuration settings from a command line by entering admin at the cmc> prompt.

  2. Click LDAP Configuration in the Authentication menu.
     


    The LDAP Configuration Management screen opens.

  3. Choose from the following:
    • To configure a new Active Directory LDAP integration profile, click Add New Configuration.

      The Create LDAP Configuration page opens.

    • To view or edit settings for an existing Active Directory integration profile, click Edit.

      The LDAP Configuration page opens.

    • To disable an Active Directory integration profile, click the green check mark to make the gray x visible.

    • To enable a disabled Active Directory integration profile, click the gray x to make the green check mark visible.

    • To delete an Active Directory integration profile, click Delete.

  4. To create or edit the LDAP configuration, complete the form, and then click Save. Or click Cancel after you review your previously saved LDAP connection settings.

    Starting with LEM 6.3.1 Hotfix 2 you can configure LEM to use existing groups for alerts, audit, reports, and so on. Expand the "Advanced Settings" section to specify custom group names when creating or editing the LDAP configuration settings.


     

    Fields and their descriptions:

    • LDAP Configuration Name: Enter a friendly name of your choosing for the LDAP configuration.
    • IP Address or Hostname: Enter the IP address or host name of your LDAP server.
    • Domain (LEM 6.3.1 Hotfix 2 and newer only): Enter the fully-qualified domain name for the account store.
    • Directory Service Server User Name: Use the format account_name@example.com. SolarWinds recommends using a Directory Service account to prevent integration issues if the software license expires. The user name does not require special privileges (such as Domain Admin) to be a Directory Service user.
    • Directory Service Server Password: Enter the password for the user account.
    • Use SSL Encryption (Optional): Select to use the transport layer security protocol (LDAPS) for a secure connection. This option directs traffic from the LEM VM to a designated server (usually a domain controller) for use with the Directory Service tool.
    • LDAP Port: If this field is left empty, LEM uses the default LDAP port (port 389). Otherwise, enter the port number used by your domain controller. The default LDAP port with SSL encryption (LDAPS) is 636.
    • Advanced Settings (LEM 6.3.1 Hotfix 2 and newer only):
      • Domain Aliases (Optional): Specify any Domain Alias names that should be authenticated using this LDAP configuration. (The role/group names configured on this page will also apply.)
      • NetBIOS Names (Optional): Specify any NetBIOS names that should be authenticated using this LDAP configuration. (The role/group names configured on this page will also apply.)
      • Admin Group (Optional): Specify the DS group in Active Directory to use for the LEM administrator role. If you do not specify a name, the default ROLE_LEM_ADMINISTRATORS group is used.
      • Alerts Only Group (Optional): Specify the DS group in Active Directory to use for the LEM alerts role. If you do not specify a name, the default ROLE_LEM_ALERTS_ONLY group is used.
      • Audit Group (Optional): Specify the DS group in Active Directory to use for the LEM auditor role. If you do not specify a name, the default ROLE_LEM_AUDITOR group is used.
      • Guest Group (Optional): Specify the DS group in Active Directory to use for the LEM guest role. If you do not specify a name, the default ROLE_LEM_GUESTS group is used.
      • Notify Only Group (Optional): Specify the DS group in Active Directory to use for the LEM notifications role. If you do not specify a name, the default ROLE_LEM_CONTACTS group is used.
      • Reports Group (Optional): Specify the DS group in Active Directory to use for the LEM reports role. If you do not specify a name, the default ROLE_LEM_REPORTS group is used.

Add an Active Directory user to LEM

To grant a user access to LEM, add the user to the appropriate role (security group) in Active Directory.

  1. Open Active Directory Users and Computers.
  2. Add the user to the appropriate role (security group) in Active Directory. Users added to the ROLE_LEM_CONTACTS group do not have sufficient privileges to log in to LEM.

When configuring user accounts, make sure the user's Primary group is not set to a custom group; otherwise, the user cannot log in to LEM. The user sees an "Invalid username and password" message instead, and a message similar to the following is logged:

[LemSpringSecurityAuthManager] {http-nio-8080-exec-1:349} Authentication failed: User is not member of any required role group!
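Active Directory stores a user's primary group in the primaryGroupID attribute rather than in memberOf, so the condition above is easy to miss when reviewing group membership. The following PowerShell audit is an added example, not SolarWinds code: it assumes the ActiveDirectory module and the default role group names (substitute your own if you set custom names under Advanced Settings), and the function name Get-LemRoleGroupAudit and the user jdoe are hypothetical.

```powershell
# Added example. Checks direct group membership only.
Import-Module ActiveDirectory

# Default LEM role group names from this page.
$roleGroups = 'ROLE_LEM_ADMINISTRATORS', 'ROLE_LEM_ALERTS_ONLY', 'ROLE_LEM_AUDITOR',
              'ROLE_LEM_GUESTS', 'ROLE_LEM_CONTACTS', 'ROLE_LEM_REPORTS'

# 1. Domain-wide: report every account whose Primary group is a role group.
$roleByDn = @{}   # distinguished name -> role group name
foreach ($name in $roleGroups) {
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }          # group not created in this domain
    $roleByDn[$group.DistinguishedName] = $name

    # primaryGroupID holds the group's RID, the last component of its SID.
    $rid = $group.SID.Value.Split('-')[-1]
    Get-ADUser -LDAPFilter "(primaryGroupID=$rid)" | ForEach-Object {
        Write-Warning "$($_.SamAccountName): Primary group is $name"
    }
}

# 2. Per user: which role groups the account is in, whether any of them
#    grants login rights, and whether the Primary group is a role group.
function Get-LemRoleGroupAudit {
    param([Parameter(Mandatory)][string]$Identity)

    $user  = Get-ADUser -Identity $Identity -Properties MemberOf, PrimaryGroup
    $roles = @($user.MemberOf |
               Where-Object { $roleByDn.ContainsKey($_) } |
               ForEach-Object { $roleByDn[$_] })

    [pscustomobject]@{
        User                    = $user.SamAccountName
        RoleGroups              = $roles -join ', '
        # ROLE_LEM_CONTACTS is for email notification only (no login rights).
        HasLoginRoleGroup       = [bool]($roles | Where-Object { $_ -ne 'ROLE_LEM_CONTACTS' })
        PrimaryGroupIsRoleGroup = $roleByDn.ContainsKey($user.PrimaryGroup)
    }
}

Get-LemRoleGroupAudit -Identity 'jdoe'     # 'jdoe' is a placeholder account
```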
