Active Directory Connector
Learn how to use the Active Directory Connector to synchronize users and groups between AD and the portal.
Overview
The Password Boss Active Directory Connector makes it easy for companies who use Microsoft Active Directory to create and manage accounts in Password Boss.
- The Active Directory will be continuously monitored for new and updated users, and those changes will instantly create and update user accounts in Password Boss.
- The Active Directory Connector is designed with flexibility in mind. You can synchronize some or all of your users. You can also synchronize groups from Active Directory to Password Boss, avoiding having to manually create groups in Password Boss.
- The Active Directory Connector is small and lightweight, and will not add any unnecessary load to your domain controller.
Syncing groups from Active Directory to Password Boss
Groups can also be synced to Password Boss. Details are in the Synchronizing Groups article.
Using sync rules to customize sync
Sync rules determine the actions taken in Password Boss when changes are made in Active Directory. Details are in the Sync Rules article.
System requirements
- Windows Server 2012 R2 SP1 or later.
- .NET Framework 4.6.1 or later
- RAM: 512MB
- Disk space: 100MB
- Outbound TCP Port 443 from the server running the Active Directory Connector to api.passwordboss.com
Service account
- You will need the credentials for a service account in your Active Directory (AD) that will run the Active Directory Connector. The service account needs admin privileges on the server running the Active Directory Connector.
- If the Active Directory Connector is installed on a domain controller, add your service account to the domain admins group.
- If the Active Directory Connector will be installed on a member server, add the service account to the server's local administrator group.
- You will also need to grant your service account permissions to see deleted users.
- See this article for instructions on creating a service account.
- If the Active Directory Connector is installed on a domain controller in a single-domain AD, you can also use the LocalSystem account to run the Active Directory Connector.
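The permission to see deleted users is granted on the Deleted Objects container of the domain. The following is an added example (not from the Password Boss documentation) showing how an administrator can grant a service account the minimum read rights there and verify the result; the domain and account name EXAMPLE\svc-pbsync are placeholders.

```powershell
# Added example: grant a sync service account read access to deleted users.
# Assumes the RSAT ActiveDirectory module; EXAMPLE\svc-pbsync is a placeholder.
Import-Module ActiveDirectory
$DomainDN       = (Get-ADDomain).DistinguishedName      # e.g. DC=example,DC=com
$DeletedObjects = "CN=Deleted Objects,$DomainDN"
$ServiceAccount = "EXAMPLE\svc-pbsync"

# The container is owned by SYSTEM and not readable by default; a Domain Admin
# must take ownership before anyone else can be granted rights on it.
dsacls $DeletedObjects /takeownership

# LC = List Contents, RP = Read Property: enough to enumerate and read
# tombstoned users. No write, delete or full-control rights are granted.
dsacls $DeletedObjects /G "${ServiceAccount}:LCRP"

# Confirm the ACE was added.
dsacls $DeletedObjects | Select-String -SimpleMatch $ServiceAccount

# Verify as the service account itself: this should list deleted user objects
# rather than fail with an access-denied error.
$Cred = Get-Credential -UserName $ServiceAccount -Message "Service account password"
Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "user" } `
    -IncludeDeletedObjects -Properties sAMAccountName, whenChanged `
    -Credential $Cred |
    Select-Object sAMAccountName, whenChanged
```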
Create a group in AD to sync to Password Boss
The Active Directory Connector uses an AD Global Security Group to determine which users to synchronize to Password Boss. The best practice is to create a new security group in your AD and place all of your Password Boss users in the group. This method makes it easy to administer which users are sent to Password Boss.
User account requirements
The following attributes must be present on each user account to be synchronized to Password Boss:
- First name
- Last name
- Email address. This must be a valid, routable email address where the user can receive emails.
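A missing first name, last name or email address will stop an account from synchronizing, and the group must be a Global Security group. The following added example (not part of the Password Boss documentation) is a pre-flight check that verifies the group's scope and category and lists members missing any required attribute; the group name PasswordBoss-Users is a placeholder.

```powershell
# Added example: pre-flight check of the AD group that will be synchronized.
# Assumes the RSAT ActiveDirectory module; "PasswordBoss-Users" is a placeholder.
Import-Module ActiveDirectory
$GroupName = "PasswordBoss-Users"

$Group = Get-ADGroup -Identity $GroupName
if ($Group.GroupScope -ne "Global" -or $Group.GroupCategory -ne "Security") {
    Write-Warning ("{0} is a {1} {2} group; the connector expects a Global Security group." `
        -f $GroupName, $Group.GroupScope, $Group.GroupCategory)
}

# Recurse so users in nested groups are included; keep only user objects.
$Members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq "user" |
    Get-ADUser -Properties GivenName, Surname, mail, Enabled

# Loose shape check for a routable address: local part, one @, dotted domain.
$MailPattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'

$Problems = foreach ($U in $Members) {
    $Missing = @()
    if (-not $U.GivenName) { $Missing += "First name" }
    if (-not $U.Surname)   { $Missing += "Last name" }
    if (-not $U.mail)      { $Missing += "Email address" }
    elseif ($U.mail -notmatch $MailPattern) { $Missing += "Email address (malformed: $($U.mail))" }
    if ($Missing.Count -gt 0) {
        [pscustomobject]@{
            User    = $U.SamAccountName
            Enabled = $U.Enabled
            Missing = ($Missing -join ", ")
        }
    }
}

if ($Problems) { $Problems | Format-Table -AutoSize }
else { "All $($Members.Count) members of $GroupName have the required attributes." }
```

Run it again after fixing the reported accounts; an empty report means every member meets the attribute requirements above.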
DMZ installation requirements
If you will be installing the Active Directory Connector in a DMZ, the following ports need to be open between the DMZ server and your domain controller:
- TCP/UDP 53 - DNS
- TCP/UDP 88 - Kerberos authentication
- TCP/UDP 289 - LDAP
- Additional port information can be found in this Microsoft article.
Enabling the Active Directory Connector
- From the portal go to the company and select the Connectors tab.
- Click Install on the Microsoft Active Directory Connector
- Copy the authentication token. You will need to enter this on the server running the Active Directory connector.
- Click Next to move to the Sync Rules tab.
- The Sync Rules are used to configure how changes from your Active Directory are processed in Password Boss. In most cases, the default settings are recommended. More information on the sync rules can be found at the bottom of this article.
- Click OK to save your settings.
- Your Password Boss account is now ready to start receiving user data from your Active Directory.
Installing the Active Directory Connector on your server
- Download the installer from the Active Directory page of the Password Boss portal.
- Log in as an administrator on the server where the Active Directory connector will be installed.
- Run the installer. Click the Install button to accept the license agreement and start the installation.
- Change the installation folder if necessary and click Continue.
Configuring the Active Directory Connector
- Open the Password Boss Active Directory Connector application.
- From the Directory Setup tab, enter the credentials for the service account you will be using and select which domain(s) contain your user accounts. If the list of domains is empty, the service account you are using does not have the correct permissions in AD.
- On the Authentication tab enter the authentication token you received when you enabled the Active Directory Connector on the portal, and click Save.
- From the tab, click the Edit button to select the AD group that contains the user accounts you will be syncing to Password Boss. We strongly recommend creating a dedicated AD group for this.
Users are now being synchronized to Password Boss. The following step for group synchronization is optional.
- On the Groups tab, you have the option to synchronize AD groups to Password Boss. See the additional information at the bottom of this article on group synchronization.
Understanding the sync process
When a user account is sent to Password Boss, the account will go through the following stages:
Creating an account - this means the user information has been received by Password Boss, and the account is in the process of being created. This process generally takes just a few seconds per account.
Active - After creating a user account, the account will show as Active in the portal. At this point, an email is sent to the user with a temporary password that they can use to log in to their account. When the user logs in the first time, they will also receive a verification code via email that they will need to enter into the application on their computer or mobile device. When the verification code is accepted, the user will then be required to change their master password.
Pending approval - This status can occur for one of two reasons:
- In the sync rules of the AD connector on the portal, you selected to create pending accounts in Password Boss that must be manually approved.
- You have synchronized more users to Password Boss than you have purchased. You will need to either remove some users from your Password Boss account or purchase additional licenses.
Disabled - When a user account is removed from sync, either by deleting the user in AD or by removing the user from the group that synchronizes users to Password Boss, the default action is to disable the user account in Password Boss.