Configuring support for Active Directory

Before you configure support for AD in HCP, you need to prepare AD for access by HCP.

To enable and configure support for AD in HCP:

  1. Log in to the HCP System Management Console with a user account that has the Security role.
  2. Navigate to the Security > Active Directory page.
  3. Select one of these options:
    • Active Directory with SSL

      Enables both support for AD and secure communication with the AD

    • Active Directory without SSL

      Enables support for AD without enabling secure communication with the AD

      With either of these options selected, the Active Directory page displays a Status section. This section contains alerts that report the status of various elements of HCP support for Active Directory.

  4. If you selected Active Directory with SSL:
    1. In the Certificates panel, click Browse. Then select the file containing the AD SSL certificate.
    2. Click Upload Certificate.

      The Certificates section shows the uploaded certificate.

      You can download or delete the uploaded certificate if needed. To download the certificate, click its download control. To delete the certificate, click its delete control.

  5. In the Configuration Settings section, select Enable Active Directory. Then:
    • In the Domain field, type the fully qualified name of the AD domain in the AD forest that is to be used for HCP user authentication. All letters in this domain name must be uppercase.
    • In the Domain User field, type the username of an existing AD user account in the applicable AD domain. Make sure the user account belongs to one or more groups that have the applicable permissions, as described earlier in this section.

      If the username that you specify is not all lowercase, HCP converts it to all lowercase before passing it to AD.

    • In the Password field, type the password that goes with the specified username. Passwords are case-sensitive.

      HCP uses the password that you type only to authenticate the username with the AD server. To help maintain AD security, HCP discards both the username and password after you submit the page. If you’re modifying the AD configuration, you need to specify the password again.

  6. Optionally, to specify an organizational unit and computer account other than the defaults and to use NTLMv2 instead of NTLM, click Advanced Configuration. Then:
    • In the Organizational Unit field, type the distinguished name of the existing organizational unit in which you want the HCP computer accounts to be created. This is the distinguished name relative to the AD domain (for example, OU=HCP, OU=Storage). Do not include the domain name elements.
    • In the HCP Computer Account field, type the name of the computer account that HCP will use when querying AD for groups. This can be the name of an existing account in the specified organizational unit or the name of a new account to be created automatically in that organizational unit.

      For a new computer account, the name must be from one through 64 characters long, can contain only alphanumeric characters and hyphens (-), and cannot consist only of digits.

      If a computer account with the specified name already exists in a different organizational unit in the same Active Directory domain, the request to configure Active Directory support will fail.

    • Optionally, to specify how the HCP user account obtains permissions, do either of these:
      • If you created an AD group, select Add HCP Computer Account to groups of Domain User. This allows the HCP Computer account to inherit the permissions associated with the specified domain user.
      • If you did not create an AD group, deselect Add HCP Computer Account to groups of Domain User. This prevents the HCP Computer account from inheriting the permissions associated with the specified domain user. If this checkbox is deselected, appropriate permissions need to be manually assigned to the HCP Computer account.
    • Optionally, select Non-Hierarchical Realm Configuration if you have multiple trees in your AD forest. This permits authentication from any domain in the forest, and is necessary if the trees have different domain names.
    • Optionally, select Enable Authenticated CIFS Support if you want to require authentication for data access via CIFS in your namespaces. Authenticated CIFS support is disabled by default for new AD joins.
    • If you selected Enable Authenticated CIFS Support, the Use NTLMv2 authentication option appears. Optionally, deselect Use NTLMv2 authentication to use NTLM for secure communication with AD when configuring the computer accounts for the HCP nodes. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.
    • Optionally, select Use reverse DNS if you want to join AD without requiring PTR records for domain controllers.
    • Select the Single Sign-On Support to determine how much control you want HCP to have over generating Service Principal Names (SPNs) for tenants and namespaces. The possible values are:
      • None

        HCP does not generate SPNs for new tenants and namespaces and does not warn if SPNs are missing.

      • Warning

        HCP does not generate SPNs for new tenants and namespaces but does warn if SPNs are missing.

      • Full

        HCP generates SPNs for new tenants and namespaces and warns if SPNs are missing.

        SPNs are used for single sign-on. If you're not using single sign-on, you do not need to have HCP generate SPNs.

    • In the Trusted Forests field, type a comma-separated list of root domains of all trusted forests. This lets the HCP Computer Account authenticate with multiple forests.
  7. Click Update Settings.

    This update may take a few minutes to finish.

    Tip: You can verify that AD support has been enabled by logging out of the System Management Console and checking that the Log In page now has a Domain field below the Password field.
  8. Optionally, in the Domain Filtering panel, click Add New Domain. Then:
    • In the Domain Name field, type the name of the domain.
    • In the Domain Controllers field, type the name of the domain controller or controllers.
    • Click Add Domain.
    • Optionally, to associate another domain controller with a domain:
      1. Select an existing domain from the table in the Domain Filtering panel.
      2. In the Domain Controllers field, type the name of the domain controller or comma-separated list of controllers.
      3. Click Add New Domain Controllers.

        Domain controller filters are always added as a pairing of a domain and a domain controller or controllers. Each time you add one of these filters to the domain controller filter list, a one-time validation occurs. If a domain or domain controller fails the validation process, the filter is not added to the domain controller filter list. You can also manually invoke validation on the domain controller filter's entries by clicking the Validate button.

  9. Click Update Settings.

    This update may take a few minutes to finish.
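The input rules stated in steps 5 and 6 (uppercase domain name, lowercased Domain User, an Organizational Unit given as OU= elements only, the computer account naming limits, and the comma-separated Trusted Forests list) can be checked before submitting the page. The following is an added example written for this page, not HCP code: the field names and the `AdSettings` class are assumptions, and it enforces only the rules the procedure above spells out.

```python
import re
from dataclasses import dataclass

# Hypothetical pre-flight validator for the Configuration Settings and
# Advanced Configuration fields described in steps 5 and 6. Field names are
# assumptions; the rules are the ones stated in the procedure.
COMPUTER_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


@dataclass
class AdSettings:
    domain: str                      # fully qualified AD domain, must be uppercase
    domain_user: str                 # existing AD user; HCP lowercases it
    organizational_unit: str = ""    # relative DN, e.g. "OU=HCP, OU=Storage"
    computer_account: str = ""       # existing or new computer account name
    trusted_forests: str = ""        # comma-separated root domains


def normalize_user(username: str) -> str:
    """HCP converts a mixed-case Domain User to all lowercase before passing it to AD."""
    return username.lower()


def parse_trusted_forests(value: str) -> list[str]:
    """Split the comma-separated Trusted Forests field, dropping blanks."""
    return [d.strip() for d in value.split(",") if d.strip()]


def validate(settings: AdSettings) -> list[str]:
    """Return a list of rule violations; an empty list means the fields pass."""
    problems = []
    if settings.domain != settings.domain.upper():
        problems.append("Domain: all letters must be uppercase")
    ou = settings.organizational_unit
    if ou:
        elements = [e.strip() for e in ou.split(",")]
        # Only OU= elements relative to the domain; DC= (domain) elements are not allowed
        if any(not e.upper().startswith("OU=") for e in elements):
            problems.append("Organizational Unit: use OU= elements only, no domain elements")
    name = settings.computer_account
    if name:
        if not COMPUTER_ACCOUNT_RE.match(name):
            problems.append("HCP Computer Account: 1-64 alphanumerics or hyphens")
        elif name.isdigit():
            problems.append("HCP Computer Account: cannot consist only of digits")
    return problems
```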