SecSign ID Plugin: Active Directory

2017-06-29 5 minutes to read

Enroll your Active Directory Users for 2FA

Use two-factor authentication for all your users without having to synch your data. The only way to really protect your company infrastructure.

This article describes the activation for your Active Directory users for the integration with your Windows system.
Your users are stored in the Active Directory. In order to activate the two-factor authentication for users and user groups you have two options.

Do you want to use the SecSign ID Server as a user management tool for all users and services? SecSign offers a comprehensive IdM solution that combines security with practicability.

Without Schema Extension

Activate the two-factor authentication without schema extension

Your users are managed in Active Directory and can be divided into security groups, for example "2FA required" for administrators. Active Directory holds the information that the user requires an additional authentication by an external Identity Provider (IdP) after a successful user name and password authentication.
This Identity Provider is the SecSign ID two-factor authentication server, which can be run either on-premise or in the SecSign ID Cloud.
The request is similar to a SAML authentication: all required information (user name, group, ...) is transmitted to the IdP. The SecSign ID IdP can then start the authentication with the received information.

Please contact us if you prefer to activate the 2FA without a schema extension.

With Schema Extension

Activate the two-factor authentication with schema extension

The Active Directory schema can be edited using mmc.exe, which is part of Windows Server 2012. The snap-in "Active Directory Schema" is initially not available in mmc.exe, but can be registered by running regsvr32 schmmgmt.dll in a console with administrator rights.

Then, mmc.exe should be started; the search function integrated into Windows Server 2012 will find it. The entry Add/Remove Snap-in in the File menu of mmc.exe opens a dialog containing the entry Active Directory Schema. This entry should be selected and added to the Console Root on the right, followed by a click on OK.

Selecting the Attributes node and choosing Create Attribute… from its context menu will display the following dialog.

Here, a "SecSign ID" attribute has to be created with:

  • Common Name: SecSign ID
  • LDAP Display Name: secSignID
  • Unique X500 Object ID: 1.3.6.1.4.1.15027.4.1
  • Description: SecSign ID user name
  • Syntax: Unicode String
  • Minimum: 4

Then, the Properties entry in the context menu of the user entry below the Classes node will display this dialog.

The optional attribute secSignID created in the step before has to be added here.
Now the Active Directory schema is ready and the Windows administrator may add the actual SecSign ID user name to each user. The following PowerShell command assigns the SecSign ID user name paulsmith to the Windows user paul:

To query the user’s SecSign ID:

To delete the SecSign ID:
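The three operations above (assign, query, delete) as an added example in PowerShell using the ActiveDirectory module; this is not the tutorial's own code. It assumes the schema extension from the previous steps is in place, that the module is installed, and that a "2FA required" security group exists as described earlier; the sanity checks (schema lookup, minimum length of 4, group report) are additions.

```powershell
# Added example (not from the SecSign tutorial): manage the custom secSignID
# attribute on AD user objects. Assumes the ActiveDirectory module (RSAT or a
# domain controller) and the schema extension with LDAP display name secSignID.
Import-Module ActiveDirectory

# Verify the schema attribute exists before touching any user object.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'secSignID'" `
                     -Properties attributeID
if (-not $attr) { throw "secSignID is not in the schema; extend the schema first." }
"Schema attribute found, OID $($attr.attributeID)"

function Set-SecSignId {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName of the Windows user
        [Parameter(Mandatory)][string]$SecSignId   # SecSign ID user name
    )
    # The schema attribute was created with a minimum length of 4; check before writing.
    if ($SecSignId.Length -lt 4) { throw "SecSign ID must be at least 4 characters." }
    # -Replace sets the single-valued attribute whether or not it already has a value.
    Set-ADUser -Identity $Identity -Replace @{ secSignID = $SecSignId }
}

function Get-SecSignId {
    param([Parameter(Mandatory)][string]$Identity)
    (Get-ADUser -Identity $Identity -Properties secSignID).secSignID
}

function Clear-SecSignId {
    param([Parameter(Mandatory)][string]$Identity)
    Set-ADUser -Identity $Identity -Clear secSignID
}

# Assign the SecSign ID user name 'paulsmith' to the Windows user 'paul', read it back, remove it.
Set-SecSignId -Identity paul -SecSignId paulsmith
Get-SecSignId -Identity paul
Clear-SecSignId -Identity paul

# Audit: members of the "2FA required" group (name taken from this tutorial) that
# still have no SecSign ID and therefore cannot complete the second factor.
Get-ADGroupMember -Identity "2FA required" -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties secSignID |
    Where-Object { -not $_.secSignID } |
    Select-Object SamAccountName, DistinguishedName
```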

In larger installations there may be a tool that allows the users to edit this value in the Active Directory themselves.

Your own ID-Server

On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.

