Connecting your Active Directory

2020-03-09

Conveniently manage your users and user authentication

If you are storing your user information in an Active Directory you have the option to connect your Active Directory with the SecSign ID server to simplify rollout, user management and user assistance.

Are you currently using an Active Directory to manage your users but you want more? SecSign ID offers a comprehensive IdM solution for user management, assistance and protection. More information

This article describes how to set up your Active Directory users for integration with your SecSign ID setup. It assumes your users are stored in the Active Directory.

Integrate your AD with 2FA

How to access your AD information for 2FA

Your Active Directory already contains all the user information you need for onboarding, password authentication, management and more. To use this data you need to connect the AD to your SecSign ID on-premise server and make it accessible to the respective plugins protecting your logins (for example Jira, Windows Remote Desktop, Radius and others).

How to connect your SecSign ID on-premise server with your AD

Your AD can conveniently be connected to the Server via the administrative dashboard of your on-premise setup.

The administrator can choose the details and settings for connecting your AD, for example to use it only for the onboarding of your users for 2FA.

How to connect the 2FA plugins with your AD

The plugins can access the information in the AD either via a SAML or ADFS connection, or directly via the LDAP protocol.

Connecting the 2FA plugins via ADFS or SAML

The users log in via a custom 2FA login landing page, either provided by us or integrated into your current authentication workflow by us. Depending on the configuration, the user enters either only a user name, or user name and AD password, which the SecSign ID server verifies against your AD; in both cases the server then automatically prompts the user with a 2FA challenge. The administrator defines which of the two applies: user name only to start the authentication request (two-factor authentication, 2FA), or user name plus AD password (two-step authentication, 2SA).

Connecting the 2FA plugins via the LDAP protocol

Recommended for setups in which only one service requires two-factor authentication (for example Jira, Windows Remote Desktop, Radius or similar). With this option the user always performs a two-step authentication (2SA: user name and password, followed by a challenge). The AD password authentication is left unchanged, exactly as it works without the 2FA setup. Once the user has authenticated with user name and password, the SecSign ID server prompts them with a 2FA challenge.
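The two steps an LDAP-mode plugin performs, as an added example (this is not SecSign ID's own code): first the AD password is verified with an LDAP simple bind over LDAPS, then the user's secSignID attribute (the attribute introduced in the schema-extension section of this page) is read, falling back to sAMAccountName, so the 2FA challenge can be addressed to the right ID. The host name dc1.corp.example, the search base DC=corp,DC=example and the user paul@corp.example are assumptions for illustration.

```powershell
# Added example, not SecSign ID's own code: what "verify the password against
# the AD, then start the 2FA challenge" looks like on the wire for LDAP mode.
# Assumptions (hypothetical): the DC dc1.corp.example listens on 636 with a
# certificate the client trusts; users live under DC=corp,DC=example.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping, so a user name like "*)(objectClass=*" cannot widen the filter.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Test-AdCredential {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Password,
        [string] $SearchBase = 'DC=corp,DC=example'   # assumption, adjust to your forest
    )
    # An LDAP simple bind with an empty password is an *anonymous* bind and
    # succeeds against AD, so it must be rejected before it ever reaches the DC.
    if ([string]::IsNullOrEmpty($Password)) { return $null }

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS; a simple bind over plain 389 sends the password in clear
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with the user's own password

    try {
        $conn.Bind((New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)))
    } catch {
        # LdapException, result code 49 (invalidCredentials), for a wrong password
        # as well as locked-out or disabled accounts: treat every failure the same.
        return $null
    }

    # First step passed. The search runs as the bound user, who may read their own attributes.
    $filter = "(&(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName)))"
    $attrs  = [string[]]@('sAMAccountName', 'secSignID')
    $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, $filter, $scope, $attrs)
    $resp   = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { return $null }

    $entry     = $resp.Entries[0]
    $secSignId = [string]$entry.Attributes['sAMAccountName'][0]   # default ID per this page
    if ($entry.Attributes.Contains('secSignID')) { $secSignId = [string]$entry.Attributes['secSignID'][0] }
    return [pscustomobject]@{ UserPrincipalName = $UserPrincipalName; SecSignID = $secSignId }
}

# Usage (hypothetical host and user). A $null result means: do not start the 2FA challenge.
# Test-AdCredential -Server dc1.corp.example -UserPrincipalName paul@corp.example -Password (Read-Host 'AD password')
```

The empty-password check is the part most often forgotten: against Active Directory a simple bind with a user name and no password is accepted as an anonymous bind, so a plugin that only tests "did Bind() throw?" would count the first step as passed for any user name. LDAPS (or SASL with signing) is mandatory in this mode because, unlike the SAML/ADFS variant, the password itself crosses the plugin.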

Editing your Active Directory

Making changes to your Active Directory to activate 2FA

In order to onboard your users for 2FA their AD user names have to be associated with a SecSign ID. This can be realized either with or without an AD schema extension, depending on your preferences.

User onboarding without AD schema extension

Your users are managed in the Active Directory and can be divided into security groups, for example "2FA required" for administrators. The Active Directory holds the information that the user requires an additional authentication by an external Identity Provider (IdP) after a successful user name and password authentication.
This Identity Provider is the SecSign ID two-factor authentication server, which can run either on-premise or in a managed cloud.
The request is similar to a SAML authentication: all required information (user name, group, ...) is transmitted to the IdP, which then starts the authentication with the received information.

Please contact us if you prefer to set up the 2FA without a schema extension.


User onboarding with AD schema extension

The Active Directory schema is edited with mmc.exe, which is part of Windows Server (this guide uses Windows Server 2012). Schema changes are forest-wide and effectively permanent (an attribute can be deactivated but not deleted), so make them with an account that is a member of the Schema Admins group and against the schema master domain controller. The "Active Directory Schema" snap-in is initially not available in mmc.exe, but can be registered by running the following in a console with administrator rights:

regsvr32 schmmgmt.dll

Then start mmc.exe (the search function integrated into Windows Server 2012 will find it). The Add/Remove Snap-in entry in the File menu of mmc.exe opens a dialog listing the Active Directory Schema snap-in. Select it, add it to the Console Root on the right and click OK.

Selecting the Attributes node and choosing Create Attribute... from its context menu opens the attribute creation dialog.

Here, a „SecSign ID“ attribute has to be created with:

  • Common Name: SecSign ID
  • LDAP Display Name: secSignID
  • Unique X500 Object ID: 1.3.6.1.4.1.15027.4.1
  • Description: SecSign ID user name
  • Syntax: Unicode String
  • Minimum: 4

Then open Properties from the context menu of the user class below the Classes node.

Add the optional attribute secSignID created in the previous step to the user class.
Now the Active Directory schema is ready and the Windows administrator can add the actual SecSign ID user name to each user. Values shorter than the minimum length of 4 set above are rejected by the domain controller. The following PowerShell command assigns the SecSign ID user name paulsmith to the Windows user paul (use -Replace instead of -Add to overwrite a value that is already set):

Set-ADUser paul -Add @{secSignID="paulsmith"}

To query the user’s SecSign ID:

Get-ADUser paul -Properties secSignID

To delete the SecSign ID:

Set-ADUser paul -Clear secSignID

In larger installations there may be a tool that allows the users to edit this value in the Active Directory themselves.
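The per-user Set-ADUser step above, done in bulk for a whole security group, as an added example (this is not SecSign ID's own tooling). It first verifies the schema extension (attribute present with the OID, syntax and class membership from the dialog above), then gives every member of the group a SecSign ID equal to their sAMAccountName, the default this page recommends, unless one is already set. The group name "2FA required" is taken from the schema-less section of this page and, like the RSAT ActiveDirectory module and the account's write access to the attribute, is an assumption.

```powershell
# Added example, not SecSign ID's own tooling: bulk assignment of secSignID.
# Assumptions: RSAT ActiveDirectory module is installed, the running account may
# write secSignID, and a security group "2FA required" exists (hypothetical name).
Import-Module ActiveDirectory

function Test-SecSignSchema {
    # Check the attribute created in the dialog above, by LDAP display name,
    # before touching any user object. Returns the schema attribute object.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=secSignID)' `
                -Properties attributeID, attributeSyntax, isSingleValued, rangeLower
    if (-not $attr) { throw 'secSignID is not in the schema; run the schema extension first' }
    if ($attr.attributeID -ne '1.3.6.1.4.1.15027.4.1') { throw "secSignID has unexpected OID $($attr.attributeID)" }
    if ($attr.attributeSyntax -ne '2.5.5.12') { throw 'secSignID is not of syntax Unicode String (2.5.5.12)' }
    # It must also have been added as an optional (mayContain) attribute of the user class.
    $userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties mayContain
    if ($userClass.mayContain -notcontains 'secSignID') { throw 'secSignID is not an optional attribute of the user class' }
    return $attr
}

function Set-SecSignIdForGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $GroupName)

    $schema    = Test-SecSignSchema
    $minLength = if ($schema.rangeLower) { [int]$schema.rangeLower } else { 0 }   # "Minimum: 4" in the dialog
    $members   = Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties secSignID
        if ($u.secSignID) {
            Write-Verbose "$($u.sAMAccountName): already has SecSign ID '$($u.secSignID)', left unchanged"
            continue
        }
        # The DC enforces the schema's minimum length: a shorter value is rejected
        # with a constraint violation, so report it instead of failing mid-run.
        if ($u.sAMAccountName.Length -lt $minLength) {
            Write-Warning "$($u.sAMAccountName): shorter than $minLength characters, assign a SecSign ID by hand"
            continue
        }
        # -Replace, not -Add: -Add fails on a single-valued attribute that already holds a value.
        # -WhatIf/-Confirm passed to this function propagate to Set-ADUser.
        Set-ADUser -Identity $u -Replace @{ secSignID = $u.sAMAccountName }
    }
}

# Dry run first, then for real:
# Set-SecSignIdForGroup -GroupName '2FA required' -WhatIf -Verbose
# Set-SecSignIdForGroup -GroupName '2FA required' -Verbose
```

Run it with -WhatIf once and read the warnings: every account that is skipped for length is one that will need a SecSign ID different from its sAMAccountName, and therefore a manual Set-ADUser like the one above. Get-ADGroupMember returns at most 5000 members by default, so for larger groups enumerate the users with Get-ADUser and an LDAP filter on memberOf instead.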

Advantages of connecting your AD

Connecting your Active Directory to the SecSign ID on-premise server simplifies user management, authentication management and administrative workload.


Quick and convenient user onboarding

When connecting the AD, user onboarding can be as simple and as secure as required. Users may for example need to provide their user name and password in order to create an ID in the system.

You have several options to enroll your users for 2FA with SecSign. Most commonly the 2FA ID should be identical to the Windows user name (for example sAMAccountName or userPrincipalName), and only users who have successfully authenticated with user name and password should be able to create a 2FA account.
With SecSign, enrollment is quick and convenient for both the user and the administrator. If required, the administrator can pre-define the SecSign ID to be used, for example the sAMAccountName or UPN of the respective user.
By connecting the AD, the administrator can also implement a batch onboarding procedure, for example providing all users in the AD, or all users in a specific AD group, with an activation link.

To enroll your users for 2FA based on your Active Directory you have two options: with a schema extension, which adds a 2FA attribute to each user in the Active Directory, or without a schema extension, with read-only access to the AD by the SecSign ID server.

For both options the enrollment procedure can either proceed via the Custom ID App or a custom landing page for the users to enroll.

Enrolling your users for 2FA with a custom app


To enroll your users for 2FA with a custom app you will be provided with an enrollment and authentication app by our developers. The users enter their Windows user name and password in the app, which are encrypted and sent to the SecSign ID server. The server verifies the credentials against your AD and creates the user ID if they are correct. This automatically links the AD user with the ID, the ID is created in the app, and the user can start authenticating right away. The custom app can also be used for regular user authentication in your company design. More information about the customization options for the company 2FA app is available separately.

For setups with schema extension the administrator may also add IDs manually directly in the AD, for example for small setups or test purposes.

Enrolling your users for 2FA with a custom landing page

To enroll your users for 2FA with a custom landing page you will be provided with a custom page by our developers, available via the on-premise server. The users enter their Windows user name and password on the landing page, which are encrypted and sent to the SecSign ID server. The server verifies the credentials against your AD and creates the user ID if they are correct. The user is then presented with a QR code to scan with the app in order to activate the ID in it. For desktop apps the user can follow a link to activate the ID in the app instead.

For setups with schema extension the administrator may also add IDs manually directly in the AD, for example for small setups or test purposes.

Advanced Security with two-step authentication

If you need an additional layer of protection, you can offer your users a two-step authentication (2SA) with an additional password prompt. By connecting your AD you can require the AD password from your users before the authentication process is started, which adds another layer of protection to your setup. This 2SA step can be realized via a login landing page, for example with a SAML setup that offers SSO options for the users.

User management options


By connecting your AD you can simplify 2FA user management, for example by providing users who lose their device with a backup code via the e-mail address associated with their AD account. This can be realized both administrator-based and user self-managed.
The administrator has comprehensive user management tools available in the administrative backend, including device management, user statistics, SAML and SSO setup, REST API links and more.

Secure Windows

Securing all Windows access points with SecSign ID 2FA

Separate tutorials cover the individual Windows plugins:

  • AD/LDAP
  • Windows User Login
  • Office 365
  • Remote Desktop
  • RD Gateway
  • VPN/Radius Proxy
