黑料海角91入口

Help Center Home > Active Directory > ADI: Use AD Delegated Authentication

ADI: Use AD Delegated Authentication

Extending Active Directory (AD) to the Cloud is even simpler using the delegated authentication capabilities of the 黑料海角91入口 Active Directory Integration (ADI).

What is Delegated Authentication?

Delegated Authentication uses an external source, like AD, to verify a user鈥檚 password. Delegated authentication is different from federated user authentication in 2 key ways:

  1. 黑料海角91入口 is the Identity Provider (IdP). The external source is used for password validation only. 
  2. The user is not redirected to the external source. Instead, they remain in the 黑料海角91入口 login flow and the verification is happening behind the scenes.

Why Delegate User Authentication to AD?

There are several use cases for which delegated user authentication is required or preferred:

  • Easier integration deployment - Install the import agent on a small number of member servers not on all domain controllers (DCs) while still keeping and managing passwords in AD only
  • Compliance - Keep the password behind the AD firewall and still extend AD to the cloud using 黑料海角91入口.
  • Seamless onboarding of existing users to the Cloud - End users log in to 黑料海角91入口 for the first time using their existing corporate email address and AD password.聽No need to reset passwords
  • SSO without ADFS - Allow users to use a single secure identity to access their on-premise and Cloud resources without having to use Active Directory Federation Services (ADFS)

Important Considerations

Important:

When upgrading from AD import agent v2.6.0 or lower, you must select Install New Agent from the Downloads dropdown menu in the ADI Details page to get the connect key, which is required to complete the upgrade of the agent on the AD server.

  • Delegated authentication to AD is supported by 黑料海角91入口 AD import agent v3.0 and higher and is supported when the import agent is installed on all AD Domain Controllers (DCs) or on AD member server(s)
  • To use delegated authentication to AD, the primary import agent must be version聽v3.0 or higher and the status of the ADI delegated authentication setting, Delegate Password Validation, must be enabled and active

Warning:

All installed import agents should be the same version to avoid unexpected behavior or the potential for users not being able to log in if the primary agent is switched.

Important:

When upgrading the AD import agent to version 3.0, existing users connected to the domain will not have their log in delegated to AD unless the Delegated Authority is manually set to Active Directory for those existing users.

  • User portal and SSO logins are delegated to AD when the following are true:
    • The delegated authentication setting, Delegate Password Validation, is enabled and active for the ADI configuration
    • User has access to the delegation-enabled AD domain, and their Delegated Authority is set to Active Directory on their user record

Warning:
  • Users will NOT be able to log in if their Delegated Authority is Active Directory and the status of the delegated authentication setting, Delegate Password Validation, is pending or disabled in the ADI configuration, all import agent(s) have been deleted, or the ADI integration has been deleted.
  • Users will NOT be able to log in to the 黑料海角91入口 User Portal or SSO apps if they are connected (bound) to multiple delegation-enabled AD domains.
  • Device password reset flow is delegated to AD when the following are true:
    • The device is managed by 黑料海角91入口
    • The delegated authentication setting, Delegate Password Validation, is enabled and active for the ADI configuration
    • User has access to the delegation-enabled AD domain, and their Delegated Authority is set to Active Directory on their user record
    • Self-Service Account Provisioning is enabled and Default Password Sync is disabled in Devices > Settings

Note:

On devices, with the configuration above, only the password used during the password reset flow is delegated to AD for validation. The user must set and use a local password or PIN for device logins. Their device login credentials will be managed separately.

  • Existing AD users imported from AD to 黑料海角91入口 no longer have to reset their password in AD to log in to 黑料海角91入口 managed resources when delegation is enabled for them

Note:
  • If the import agent is installed on DCs, the password is stored in 黑料海角91入口 after the initial log in. The stored password continues to be synced from AD to 黑料海角91入口 and from 黑料海角91入口 to other resources. The password can be used to log in to resources that don鈥檛 support delegated authentication to AD, such as Cloud RADIUS, Cloud LDAP, and devices.
  • If the import agent is installed on AD member servers, the password is never stored in 黑料海角91入口.
  • Cloud RADIUS and Cloud LDAP resource log ins cannot be delegated to AD.聽A user must have a password in 黑料海角91入口 to be able to access these resources
  • The delegated authentication setting, Delegated Password Validation, is enabled by default for the Manage users and passwords in Active Directory ADI configuration and cannot be disabled
  • The delegated authentication setting, Delegated Password Validation, is disabled by default but can be enabled for the Manage users and passwords in 黑料海角91入口, AD or both configuration
  • When the 黑料海角91入口 AD import agent is installed on DCs, the AD passwords sync to 黑料海角91入口. This means that the password will be saved in both AD and 黑料海角91入口.聽This applies to both ADI configurations: Manage users and passwords in Active Directory and Manage users and passwords in 黑料海角91入口, AD or both
  • When the 黑料海角91入口 AD import agent is installed on member servers, the AD password does not sync to 黑料海角91入口. 
    • In the Manage users and passwords in Active Directory configuration, this means the password will only be in AD. In this configuration, the user's Password Authority should also be set to Active Directory to prevent a password from being entered in 黑料海角91入口 by either a 黑料海角91入口 Admin or the end user
    • In the Manage users and passwords in 黑料海角91入口, AD or both configuration, this means users imported from AD will not have their AD password stored on their initial login to 黑料海角91入口 nor will the password sync from AD to 黑料海角91入口. Any user connected to a delegation-enabled AD domain, ones created in AD and ones created in 黑料海角91入口, with their Password Authority set to None (黑料海角91入口) can have a password set and managed in 黑料海角91入口, and their password will be synced from 黑料海角91入口 to AD. This configuration is used when user passwords are managed in 黑料海角91入口
  • Avoid users not being able to log in to 黑料海角91入口 managed resources when changing the delegated authentication settings

Important:

Do the following before disabling the ADI delegated authentication setting, Delegate Password Validation, or disconnecting a user from a delegation-enabled AD domain in the 黑料海角91入口 Admin Portal:

  • Verify the user's Password Authority is set to None (黑料海角91入口)
  • Either send the user an activation email or set a password for the user from the user record in admin portal
  • A warning modal is shown with options to either automatically update the Delegated Authority for every connected (bound) user or not when the following actions are taken:
    • on save after delegated authentication is enabled or disabled in the ADI configuration
    • an ADI AD domain is deleted
    • a user is directly connected to (bound) or disconnected from (unbound) a delegation-enabled AD domain
    • a user is connected to (bound) or disconnected from (unbound) a user group connected (bound) to a delegation-enabled AD domain
    • when a user group is connected (bound) or disconnected (unbound) from a delegation-enabled AD domain.
  • The Delegated Authority can be updated for multiple users at once from the Users page
  • A user login to the User Portal and for SSO is always delegated to AD, even if they have a password in 黑料海角91入口, as long as all of following criterion are true:
    • their Delegated Authority is set to Active Directory
    • they are connected to a delegation-enabled AD domain
    • the status of the ADI delegated authentication setting, Delegate Password Validation, in enabled and active for the AD domain
  • Delegated authentication can be enabled or disabled on a per user basis from the user details page even if they are not connected to a delegation-enabled AD domain
  • If an import agent is paused, delegated authentication will still occur. Only the import from AD to JC will be paused

Configuration Steps Overview

To configure delegated authentication to AD, the main steps you will take are outlined below:

  1. Select your ADI deployment configuration:
  2. If not already selected, check the option for Delegated Password Validation.
  3. Download and install the latest 黑料海角91入口 AD Import Agent from the 黑料海角91入口 Admin Portal.
  4. Give users access to ADI.

Enable Delegated Authentication for a New AD Domain

Tip:

The setting for delegated authentication on the ADI configuration is labeled Delegated Password Validation

To enable delegated authentication for the Manage users and passwords in Active Directory configuration

  • No action is required.
    • Delegated Password Validation is enabled by default for this configuration and cannot be disabled

Note:

All new users imported from AD to 黑料海角91入口 will automatically have their Delegated Authority set to Active Directory.

Important:

Users imported prior to the release of Import Agent v3.0 will continue to use the password stored in 黑料海角91入口, unless the Delegated Authority is manually set to Active Directory. If the import agent is installed on a DC, the password will continue to sync to 黑料海角91入口.

To enable delegated authentication for the Manage users and passwords in 黑料海角91入口, AD or both configuration

  1. When creating a new AD domain in the :
    • Check Delegated Password Validation checkbox in the Configuration Summary section of the Setup step
    • Download and install the Import and Sync agents
    • Click Configure ADI
  2. When updating the configuration for an existing AD domain in the :
    • Go to Directory Integrations > Active Directory
    • Click the domain to which you want to enable delegated password validation
    • Check Delegated Password Validation checkbox in the Integration Details section
    • Make other configuration changes, if needed
    • Click Save
    • Review the confirmation message:
  3. Select the update option.
  4. Click Continue.
  5. When using the 黑料海角91入口 v2 API:

curl --request POST \
  --url https://console.jumpcloud.com/api/v2/activedirectories \
  --header 'content-type: application/json' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
--header 'x-org-id: REPLACE_ORG_VALUE' \
  --data '{"delegationState":"ENABLED","domain":"string","groupsEnabled":true,"useCase":"TWOWAYSYNC"}'

  1. When using the 黑料海角91入口 v2 API:

Warning:

Users may not be able to log in after this change is made. Changing the delegated authentication setting via the API does not automatically update the Delegated Authority for users connected to the ADI AD domain. You must update that setting manually for each connected (bound) user.

Tip:

Replace {id} with the ID of your ADI instance.

curl --request PATCH \
  --url https://console.jumpcloud.com/api/v2/activedirectories/{id} \
  --header 'content-type: application/json' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
--header 'x-org-id: REPLACE_ORG_VALUE' \

  --data '{"delegationState":"ENABLED","domain":"string","groupsEnabled":true,"useCase":"TWOWAYSYNC"}'

Enabling delegated authentication for users

These steps are intended for users who are already connected (bound) to a delegation-enabled AD domain but do not have their Delegated Authority set to Active Directory.

Warning:

Users will NOT be able to log in to the 黑料海角91入口 User Portal or SSO apps if any of the following are true when their Delegation Authority is set to Active Directory:

  • they are connected (bound) to multiple delegation-enabled AD domains.
  • the status of the ADI delegated authentication setting, Delegated Password Validation, is NOT enabled and active.
  • they are NOT connected to a delegation-enabled AD domain.
  • all import agents that support delegation have been deleted.

Considerations

  • Users must manage their passwords in AD once delegated authentication has been enabled

Prerequisites

  • Verify ADI delegated authentication setting, Delegated Password Validation, is enabled and active on the AD domain to which you will be connecting (binding) the user or to which the user is already connected (bound).
  • Verify users are not already connected (bound) to a delegation-enabled AD domain.
  • Verify users do not need access to 黑料海角91入口 LDAP integrations and 黑料海角91入口 Cloud RADIUS WiFi Networks.
  • Remind users they will need to log in with their AD login credentials.

To enable delegated authentication for a single user in Admin Portal

  1. Log in to .
  2. Go to the USER MANAGEMENT> Users.
  3. Click the user for whom you want to delegate password validation.
  4. Verify the user is connected to a delegation-enabled domain:
    • Click the Directories tab and see if there is a check next to an ADI domain with the delegation enabled label (Delegation ENABLED).
    • Select the User Groups tab
    • Expand each user group of which the user is a member (bound).
    • Verify the group gives access to the delegation enabled AD domain.
  5. Select the Details tab.
  6. Expand User Security Settings and Permissions.
  7. From the Delegated Authority dropdown, select Active Directory
  8. Review the confirmation message.
  9. Click Update Setting.
  10. Click Save User.

To enable delegated authentication for multiple users in Admin Portal:

  1. Log in to the .
  2. Go to the USER MANAGEMENT> Users.
  3. Select the users for whom you want to delegate authentication to AD .
  4. Click the More Actions dropdown menu.
  5. Click Set Delegated Authority.
  6. Select Active Directory.
  7. Click Save.

To enable delegated authentication for a single user through the API:

  1. Generate an API key if you do not already have one.
  2. Example curl request:

curl --location --request PUT 'https://console.jumpcloud.com/api/systemusers/(id}' \
--header 'Content-Type: application/json' \
--header 'x-api-key: REPLACE_KEY_VALUE' \
--header 'x-org-id: REPLACE_ORG_VALUE' \
--data '{
   delegatedAuthority":{"name": "ActiveDirectory"}
}'

  1. Example PowerShell request:

'https://console.jumpcloud.com/api/systemusers/{id}?fullValidationDetails=SOME_STRING_VALUE' -Method PUT -Headers $headers -ContentType 'application/json' -Body '{"delegatedAuthority":{"name": "ActiveDirectory"}'

Tip:

Replace {id} with the ID of your ADI instance.

To enable delegated authentication for multiple users through the API

  1. Generate an API key if you do not already have one
  2. Example curl request:

curl --request PATCH \
  --url 'https://console.jumpcloud.com/api/v2/bulk/users?suppressEmail=SOME_BOOLEAN_VALUE' \
 --header 'content-type: application/json' \
--header 'x-api-key: REPLACE_KEY_VALUE' \
--header 'x-org-id: REPLACE_ORG_VALUE' \
--data '[{
    "id":{ID},
"delegatedAuthority":{"name": "ActiveDirectory"}
}]'

  1. Example PowerShell request:

'https://console.jumpcloud.com/api/systemusers/{id}?fullValidationDetails=SOME_STRING_VALUE' -Method PUT -Headers $headers -ContentType 'application/json' -Body '[{"id":{ID},"delegatedAuthority":{"name": "ActiveDirectory"}}]'

Tip:

Replace {id} with the ID of your ADI instance.

Give Users Access to Delegation-enabled AD Domains 

These steps are for giving users who are not already connected to a delegation-enabled AD domain access to that AD domain.

To give user direct access to a delegation-enabled AD domain

From the ADI configuration

  1. Log in to the .
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the Users tab.
  5. Select the user(s) to whom you want to give access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue

From the user details page

  1. Log in to the .
  2. Go to the USER MANAGEMENT> Users.
  3. Click the user for whom you want to enable delegated authentication.
  4. Select the Directories tab.
  5. Select the AD domain with delegation authentication enabled label (Delegation ENABLED).

Note:

Make sure only one AD domain with delegation enabled is selected. Otherwise, users won鈥檛 be able to log in.

  1. Click Save.
  2. Read the warning message.
  3. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue.

To give user access to a delegation-enabled AD domain through a user group

Important:

For dynamic groups, users who meet the conditions set will automatically get access to the delegation-enabled AD domain. You must manually set the Delegated Authority to Active Directory for these users.
Follow the instructions in section To give user direct access to a delegation-enabled AD domain for manually enabling delegated authentication to AD for these users.

From the ADI configuration

  1. Log in to the .
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the User Groups tab.
  5. Select the group(s) to which you want to give access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue.

From the user groups detail page

  1. Log in to .
  2. Go to the USER MANAGEMENT>User Groups.
  3. Select the user group to which you want to give access to your delegation-enabled AD domain.
  4. Select the Directories tab.
  5. Select the AD domain with delegation authentication enabled label (Delegation ENABLED).

Important:

Make sure only one AD domain with delegation enabled is selected. Otherwise, users won鈥檛 be able to log in.

  1. Click Save.
  2. Read the warning message.
  3. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue.

Remove User Access to Delegation-enabled AD Domains 

To remove access for users with a direct connection to a delegation-enabled AD domain:

From the ADI configuration

  1. Log in to the .
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the Users tab.
  5. Deselect the user(s) from whom you want to remove access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue

From the user details page

  1. Log in to the .
  2. Go to USER MANAGEMENT> Users
  3. Click the user for whom you want to disable delegated authentication
  4. Select the Directories tab.
  5. Deselect the AD domain with delegation authentication enabled label (Delegation ENABLED).

Note:

Make sure only one AD domain with delegation enabled is selected. Otherwise, users won鈥檛 be able to log in.

  1. Click Save.
  2. Read the warning message.
  3. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue.

To remove access users connected to a delegation-enabled AD domain through a user group

From the User Groups tab of the User page

  1. Log in to the .
  2. Go to USER MANAGEMENT> Users
  3. Click the user for whom you want to disable delegated authentication.
  4. Select the User Groups tab.
  5. Deselect the group that is connecting the user the delegation-enabled AD domain.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue

Note:

If the group from which you removed the user is a dynamic group, you will be prompted to add the user to the exclude list for that group.

From the Users tab of the User Group page

  1. Log in to .
  2. Go to USER MANAGEMENT> User Groups
  3. Click the user group that is connecting the user the delegation-enabled AD domain.
  4. Select the Users tab.
  5. Deselect the user(s).
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue

Note:

If the group is a dynamic group and the user still meets the conditions for being a member of that group , you will need to add the user(s) to the exclude list.

To remove access for user groups connected to a delegation-enabled AD domain

Important:

For dynamic groups, users who no longer meet the conditions set on the group will automatically lose access to the delegation-enabled AD. You must manually set the Delegated Authority to None (黑料海角91入口) for these users.
Follow the instructions in section To remove access for users with direct access to a delegation-enabled AD domain for manually disabling delegated authentication to Active Directory for these users.

From the ADI configuration

  1. Log in to the .
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the User Groups tab.
  5. Deselect the group(s) from which you want to remove access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue

From the user groups detail page

  1. Log in to .
  2. Go to USER MANAGEMENT>User Groups
  3. Select the user group to which you want to give access to your delegation-enabled AD domain.
  4. Select the Directories tab.
  5. Deselect the AD domain with delegation authentication enabled label (Delegation ENABLED).
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  1. Click Continue

Disabling Delegated Authentication for Users

These steps are intended for users who are already connected (bound) to a delegation-enabled AD domain and have their Delegated Authority set to Active Directory.

Considerations

  • Users won鈥檛 be able to log in until a password has been set in 黑料海角91入口
    • If the import agent is installed on a DC, the users will have a password in 黑料海角91入口. The AD password is synced in this configuration
    • If the import agent is installed on an AD member server, the users will not have a password in 黑料海角91入口. Passwords are not synced from AD to 黑料海角91入口 in this configuration

Prerequisites

  • Notify users they will be getting a welcome email with a link to set their password in 黑料海角91入口

To disable delegated authentication for a single user

  1. Log in to .
  2. Go to USER MANAGEMENT>Users.
  3. Click the users for whom you want to disable delegated authentication to AD.
  4. Select to None from the Delegated Authority dropdown menu.
  5. Review the confirmation message.
  6. Click Update Setting
  7. Click Save

To disable delegated authentication for a multiple users

  1. Log in to .
  2. Go to USER MANAGEMENT>Users.
  3. Select the users for whom you want to disable delegated authentication to AD.
  4. Click the More Actions dropdown menu.
  5. Click Set Delegated Authority.
  6. Select None.
  7. Click Save.

Disable Delegated Authentication for a Domain

Tip:

The setting for delegated authentication on the ADI configuration is labeled Delegated Password Validation

Considerations

  • Users won鈥檛 be able to log in until a password has been set in 黑料海角91入口
    • If the import agent is installed on a DC, the users will have a password in 黑料海角91入口. The AD password is synced in this configuration
    • If the import agent is installed on an AD member server, the users will not have a password in 黑料海角91入口. Passwords are not synced from AD to 黑料海角91入口 in this configuration

Prerequisites

  • Notify users they will be getting a welcome email with a link to set their password in 黑料海角91入口

To disable delegated authentication for the Manage users and passwords in Active Directory configuration

Delegated Password Validation cannot be disabled for this configuration.

To disable delegated authentication for the Manage users and passwords in 黑料海角91入口, AD or both configuration

  1. Log in to .
  2. Go to Directory Integrations > Active Directory.
  3. Click the domain to which you want to enable delegated password validation.
  4. Uncheck Delegated Password Validation checkbox in the Integration Details section.
  5. Make other configuration changes, if needed.
  6. Click Save.
  7. Review the confirmation message and select the appropriate update option.
  8. Click Continue.

Auditing and Troubleshooting

Use Directory Insights to audit and troubleshoot changes and actions related to delegated authentication. See Troubleshoot: Active Directory Integration (ADI) for detailed troubleshooting guidance.

Event Description Delegated Authentication Specific Information
user_login_attempt Logs every time a user tries to log in to a 黑料海角91入口 managed resources JSON includes a new field 鈥減assword_delegated_authority鈥 in the auth_context when the user鈥檚 login is delegated to AD for authentication

"auth_context": {

    "auth_methods": {

      "password": {

        "success": true

      }

    },

    "password_delegated_authority": "ActiveDirectory"

 

 },
association_change Logs every time two resources are associated (bound) or disassociated (unbound). Logged when a user is associated (bound) or disassociated (unbound) to a delegation-enabled AD domain.
Logged when a user group is associated (bound) or disassociated (unbound) to a delegation-enabled AD domain.
user_delegated_authority_update Logs when a change is made to the Delegated Authority setting on the User record. This event is specific to the delegated authentication functionality.
activedirectory_domain_delegated_password_change Logs when the delegated authentication setting Delegated Password Validation in the ADI configuration is changed This event is specific to the delegated authentication functionality.

Next Steps

Haven’t installed the import agent yet?

Check out the step-by-step configuration guides

Ready to use ADI?

Read the Using and Managing the ADI article next.

Want additional assistance from 黑料海角91入口? 

If you鈥檙e having issues with getting 黑料海角91入口鈥檚 ADI working, try the Troubleshooting Guide. 黑料海角91入口 now offers myriad professional services offerings to assist customers with implementing and configuring 黑料海角91入口. If you鈥檙e looking for assistance with Migrating from AD, or to integrate AD with 黑料海角91入口, we recommend you reach out to 黑料海角91入口鈥檚 Professional Services team on the following page: Professional Services - 黑料海角91入口.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case