Add an Active Directory Target Connector

The Active Directory connector, Windows Proxy connector, and Windows Remote connector all manage Windows accounts. Use the Active Directory connector to update the passwords of Active Directory accounts. This connector uses the LDAPS interface to Active Directory to update account passwords. If the connector communicates with a deployed Windows Proxy or a Windows Remote connector, you can use this connector to update Windows services and scheduled tasks.
The Active Directory target connector performs the following activities:
  • Verifies and synchronizes the password against an Active Directory database
  • Queries one or more DNS servers to find domain controllers (optional)
  • Uses LDAPS to connect to the domain controller
  • If you use a domain account for a service or for a scheduled task, one or more Windows Proxies update the credentials and restart services.
  • Uses HTTPS and AES encryption for secure communications
To add the target connector using the CLI, see Active Directory CLI Configuration.
Add the Target Application and Connector

Follow these steps in the UI:

  1. Select Credentials, Manage Targets, Applications.
  2. Select Add.
  3. Select or enter values for the following fields:
    • Host Name: Select the magnifying glass to pick the target server.
    • Device Name
    • Application Name: Application names must be unique for a given target server.
  4. In the Application Type field, select Active Directory.
  5. (Optional) Select a password composition policy.
    If you do not select a password composition policy, a default policy is used. This policy specifies a minimum length of four characters and a maximum length of 16 characters, with no character restrictions.
  6. On the Active Directory tab, configure the following fields:
    • Domain Controller Lookup: Specify the DNS method to use:
      • Do not use DNS (target server is domain controller)
      • Retrieve DNS list – retrieves the name of the domain controller from the DNS server that is used by the CA PAM server.
      • Use the following DNS server – enter the address of a DNS server.
    • Domain Name: Specifies the Windows domain of which the accounts managed by this application are members.
    • Domain Controller Port (SSL): Specify the port that is used to connect to the Domain Controller. The default is 636. If the LDAPS port is the default 636, this field can be left blank. Otherwise, the port must be populated. Port 389 is used for unencrypted LDAP. Credential Manager does not synchronize AD target accounts using unencrypted LDAP.
    • Active Directory Site: This field is used only if Domain Controller Lookup is set to Retrieve DNS list or Use the following DNS server.
      • If a value is given, the connector uses the value to narrow the search for domain controllers.
      • If empty, the connector searches for all domain controllers in the DNS.
  7. If you enabled Account Discovery, complete the following settings:
    • Groups: To limit the number of discovered accounts, specify one or more comma-separated Active Directory groups. Do not use the Active Directory Primary Group for Account Discovery; Account Discovery does not find users in the Primary Group.
    • Active Directory Connect Timeout: Enter the timeout for connecting to the directory, in milliseconds. The default is 3000.
    • Active Directory Read Timeout: Enter the timeout for reading from the directory, in milliseconds. The default is 3000.
  8. If you are using target groupings, provide descriptors for the target application.
  9. Select OK.
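The following pre-flight script is an added example written for this page; it is not CA PAM code and does not use any CA PAM API. It checks, from the machine that will host the connector, the same things the Active Directory tab asks for: which DNS names to query for domain controllers (domain-wide, or narrowed by Active Directory Site), that the configured port is LDAPS (blank means 636, and 389 is refused because Credential Manager will not synchronize over unencrypted LDAP), that the comma-separated Groups field is well formed, and that a TLS session to the domain controller's LDAPS port can be opened and its certificate validated within the connect and read timeouts (3000 ms defaults). The SRV record names are the standard ones Active Directory registers for domain controllers; that the connector itself resolves exactly these records is an assumption, as are the function names and the sample domain, site and group values, which are constructed.

```python
"""Pre-flight checks for an Active Directory (LDAPS) target connector.

Added example, not CA PAM code. It mirrors the fields on the Active Directory
tab: domain controller lookup via DNS (optionally narrowed by site), the
LDAPS port (636, never plain LDAP on 389), the comma-separated Groups field,
and the connect/read timeouts in milliseconds. All names here are this
example's own.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional

LDAPS_DEFAULT_PORT = 636       # default shown on the page; blank field means this
LDAP_PLAINTEXT_PORT = 389      # unencrypted LDAP; never used for synchronization
DEFAULT_TIMEOUT_MS = 3000      # page default for both connect and read timeouts


def dc_srv_names(domain: str, site: str = "") -> List[str]:
    """Return the DNS SRV names under which AD registers its domain controllers.

    With a site, the site-specific record is listed first so the search is
    narrowed (the Active Directory Site behaviour described on the page);
    the domain-wide record follows as a fallback. Assumption: the connector
    resolves these standard records.
    """
    domain = domain.strip().rstrip(".").lower()
    names = []
    if site.strip():
        names.append(f"_ldap._tcp.{site.strip()}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def effective_port(port_field: Optional[str]) -> int:
    """A blank Domain Controller Port (SSL) field means 636; 389 is rejected."""
    if port_field is None or not str(port_field).strip():
        return LDAPS_DEFAULT_PORT
    port = int(str(port_field).strip())
    if port == LDAP_PLAINTEXT_PORT:
        raise ValueError("port 389 is unencrypted LDAP; AD accounts are only "
                         "synchronized over LDAPS")
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return port


def parse_groups(field: str) -> List[str]:
    """Split the comma-separated Groups field, dropping blanks and duplicates."""
    groups: List[str] = []
    for name in field.split(","):
        name = name.strip()
        if name and name not in groups:
            groups.append(name)
    return groups


def ldaps_preflight(host: str, port: int = LDAPS_DEFAULT_PORT,
                    connect_timeout_ms: int = DEFAULT_TIMEOUT_MS,
                    read_timeout_ms: int = DEFAULT_TIMEOUT_MS,
                    ca_file: Optional[str] = None) -> dict:
    """Open a TLS session to the DC's LDAPS port and validate its certificate.

    Only the handshake is exercised; no bind or LDAP operation is sent.
    Hostname and chain verification are required, so a self-signed or
    mismatched DC certificate fails here rather than at the first password
    update. ca_file points at the enterprise CA bundle if it is not in the
    system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port), timeout=connect_timeout_ms / 1000)
    raw.settimeout(read_timeout_ms / 1000)   # applies to the handshake reads
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        cert = tls.getpeercert()
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        return {
            "host": host,
            "port": port,
            "tls_version": tls.version(),
            "subject": dict(pair[0] for pair in cert["subject"]),
            "expires": not_after.isoformat(),
            "days_left": (not_after - datetime.now(timezone.utc)).days,
        }


if __name__ == "__main__":
    # Constructed sample values; replace with the real domain, site and DC.
    print(dc_srv_names("corp.example.com", site="HQ"))
    print(effective_port(""), parse_groups("PAM Admins, Server Ops"))
    # Network check, run it against a real DC:
    # print(ldaps_preflight("dc1.corp.example.com", effective_port("")))
```

The DNS resolution itself is left to the resolver in use (the page's "Retrieve DNS list" or a specified DNS server); a `dig SRV` or `nslookup -type=SRV` of the returned names lists the candidate domain controllers, and `ldaps_preflight` is then run against each one so that a single DC with an expired or untrusted certificate is found before the connector is put into service.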