
How to Create, Configure, and Delegate Permissions for the PortalGuard Service Account


Problem

You need a service account in Active Directory with the necessary permissions to allow for Self-Service Functionality via PortalGuard. 

Solution

Determine whether or not your environment is configured to communicate with Active Directory using LDAPS over Port 636 and delegate the appropriate permissions to your newly created PortalGuard service account. 

Important Note: It is highly recommended that your environment be configured in such a way that PortalGuard is able to communicate with your Active Directory DC using LDAPS.  If this is not possible, you may follow the steps in the Delegate Permissions Native Windows (Deprecated) section below, but the API for the Native Windows integration is no longer supported by Microsoft. 

Create the Service Account in Active Directory

  1. Open the Active Directory Users and Computers management interface.
  2. Find the container in which you would like to create the service account.
  3. Right-Click the container and choose 'New' -> 'User':
    • AD - Create New User
  4. Enter a first, last, and logon name.  In this case, the user's logon name is 'pgservice'.
    • AD - Create PGService
  5. Click the 'Next' button and enter a password for the user.  Be sure to enter a very complex password, as this account has more rights than normal users.  
  6. Uncheck the 'User must change password at next logon' box.
  7. Check the 'Password never expires' box. 
  8. Your final results should resemble the following:
    • AD - Create PGService Pword
  9. Click the 'Next' button to view a summary of the new user and then click 'Finish' to complete the user creation. 

Delegate Permissions - LDAP

Follow these steps when using LDAP (including LDAPS) to connect to Active Directory.  This is the standard and recommended method; the delegation below grants the service account the appropriate permissions. 

  1. The new service account does NOT need to be added to any additional groups - the user should remain only in the 'Domain Users' group. 
  2. In the left-hand frame, right-click on the highest-level container containing Active Directory user accounts.  Choose 'Delegate Control...'.
    • The PortalGuard service account will be granted rights over User Objects only; however, the scope of the delegation determines which users the account can manage.  You may choose to 'Delegate Control...' at the domain level, or at a lower-level container/OU.  If you decide to 'Delegate Control...' at a lower container/OU level, be sure to do so on each container that holds users who will be using PortalGuard.
  3. In the Delegation of Control wizard that appears, click the 'Next' button to advance past the welcome screen. 
  4. On the 'Users or Groups' screen, click the 'Add...' button and enter the logon name of the newly created service account.  Click the 'Check Names' button to validate your entry:
    • AD Delegate Permissions - User Check
  5. Click the 'OK' button to return to the wizard and 'Next' to proceed to the 'Tasks to Delegate' screen.
  6. Click on the 'Create a custom task to delegate' radio button:
    • AD Delegate Permissions - Custom Task
  7. Click 'Next' to proceed to the 'Active Directory Object Type' screen.  Select the 'Only the following objects in the folder' radio button, then scroll to the very bottom of the list and check the box for 'User Objects':
    • AD Delegate Permissions - User Objects
      • If 'User Objects' is not the last entry, it will be very close to the bottom.  You may need to scroll up a few lines to locate it. 
  8. Click 'Next' to proceed to the 'Permissions' screen.  Ensure that both the 'General' and 'Property Specific' boxes are checked. In the 'Permissions' box, scroll through and select the following permissions:
    • Reset Password
      • If you wish to enable Password Change, please be sure to check the box for the 'Password Change' permission here as well.
    • Read lockoutTime
    • Write lockoutTime
    • Read pwdLastSet
    • Write pwdLastSet
      • AD Delegate Permissions - Permissions 1
      • AD Delegate Permissions - Permissions 2
      • AD Delegate Permissions - Permissions 3
  9. Click 'Next' to display a summary screen and then click 'Finish' to commit the changes.
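The account creation and the wizard delegation above, expressed as PowerShell so the result can be reproduced on each container or audited later. This is an added example, not PortalGuard's own tooling; it assumes the RSAT ActiveDirectory module, a session allowed to edit the target OU's security, and that the OU distinguished name is a placeholder you replace. Attribute and extended-right GUIDs are resolved from the forest schema rather than hard-coded.

```powershell
# Added example, not PortalGuard's tooling. Creates 'pgservice' and delegates the same
# rights the wizard grants, applied to descendant User objects only. Assumes the RSAT
# ActiveDirectory module and a session that can edit the target OU's security.
Import-Module ActiveDirectory

$Sam      = 'pgservice'
$TargetOU = 'OU=Users,DC=example,DC=com'   # placeholder: highest container holding users
$Password = Read-Host -AsSecureString 'Password for pgservice'

# Step 1: create the account; it stays in Domain Users only (no group membership added).
New-ADUser -Name 'PortalGuard Service' -SamAccountName $Sam -AccountPassword $Password `
    -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true
$sid = (Get-ADUser $Sam).SID

# Step 2: look up object-type GUIDs from this forest instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass = Get-SchemaGuid 'user'
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Step 3: build the ACEs. Add 'Change Password' to the first list only if Password Change is enabled.
$aces = @(foreach ($right in @('Reset Password')) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        'Allow', (Get-RightGuid $right), $inherit, $userClass)
})
$aces += foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        'Allow', (Get-SchemaGuid $attr), $inherit, $userClass)
}

# Step 4: append the ACEs to the OU's DACL through the AD: drive and write it back.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

Run it once per container that holds PortalGuard users if you are not delegating at the domain level; re-reading the ACL afterwards with `Get-Acl "AD:\$TargetOU" | Select-Object -ExpandProperty Access` shows exactly what was granted.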

Delegate Permissions - Native Windows (Deprecated)

Follow these steps only when using the 'Native Windows' feature to connect to Active Directory.  This method is deprecated as of November 2015 due to authentication failures when heavier loads occur. 

Important Note: This method requires two separate service accounts in Active Directory with different permissions. The 'pgservice' account created in the previous steps will be used on the LDAP Basic tab within the PortalGuard Configuration Editor, and you must create a separate 'pgadmin' account following the same steps (i.e. the password should never expire).  This account will be entered on the Native Windows tab within the PortalGuard Configuration Editor. Once you have created the 'pgadmin' account in AD, follow the steps below to apply the correct permissions. 

  1. The administrative user to be entered in the Native Windows tab ('pgadmin') must be added to the 'Account Operators' group in Active Directory. 
  2. In the left-hand frame, right-click on the highest-level container containing Active Directory user accounts.  Choose 'Delegate Control...'.
    • If you did not 'Delegate Control...' on the domain level for the 'pgservice' account as noted above, be sure to delegate the permissions for the 'pgadmin' account on the same containers. 
  3. Once in the Delegation of Control wizard, click the 'Next' button to proceed past the 'Welcome' screen to the 'Users or Groups' screen. 
  4. On the 'Users and Groups' screen, click the 'Add' button, enter the 'pgadmin' user logon name and click the 'Check Names' button to validate your entry. 
    • AD Delegate Permissions - Admin Check
  5. Once validated, click on the 'OK' button to return to the wizard and click 'Next' to proceed to the 'Tasks to Delegate' screen. 
  6. Check the boxes next to 'Create, delete, and manage user accounts' and 'Reset user passwords and force password changes at next logon':
    • AD Delegate Permissions - Admin Permissions
  7. Click the 'Next' button and then click 'Finish' to commit these changes. 

Define the Service Account within PortalGuard - LDAPS

Follow these steps to configure PortalGuard to utilize the newly created 'pgservice' account to connect to Active Directory over LDAPS using Port 636.  This is the recommended configuration. 

  1. Navigate to the PortalGuard server and open the PortalGuard Configuration Editor.
  2. Navigate to the User Repositories tab and edit the 'Active Directory' entry.
  3. On the Configuration -> LDAP Basic tab, fill out the required fields to configure the connection string. If the server is joined to the domain you wish to connect to, you can use the 'Config/DN Lookup' button to set these automatically by providing the username of the service account when prompted.  Otherwise:
    • 'Server'
      • The server hostname for connecting to the DC via LDAPS using Port 636
    • 'Port' 
      • Leave this set to '636'
    • 'Protection'
      • Leave this set to 'SSL (Encryption)'
    • 'Base DN'
      • This value sets the scope of effect for the PortalGuard service account.  This should be set to the highest AD container which contains user accounts.
    • 'Generic User'
      • The full 'distinguishedName' attribute for the user.
    • 'Generic Password'
      • The password for the user. 
  4. Click the 'Test Settings' button to validate your settings.  If you see the 'Validated settings' popup, save this configuration:
    • PortalGuard - AD - Validated Settings
  5. Click the 'Apply to PortalGuard Server' button and then click 'Sync' to commit these changes. 
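Before relying on the 'Test Settings' button, it is worth confirming from the PortalGuard server itself that an LDAPS bind as the service account works with ordinary certificate validation, so that an untrusted DC certificate fails visibly here rather than later. This is an added example, not part of the original article; the server name and bind DN are placeholders for your 'Server' and 'Generic User' values.

```powershell
# Added example, not part of the PortalGuard article. Tests an LDAPS (port 636) simple bind
# as the service account, keeping .NET's default certificate validation so a DC certificate
# this server does not trust is reported as a failure instead of being silently accepted.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.example.com'                                   # placeholder 'Server' value
$BindDn   = 'CN=PortalGuard Service,OU=Users,DC=example,DC=com'  # placeholder 'Generic User' DN
$Password = Read-Host -AsSecureString "Password for $BindDn"

$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS, matching 'Protection: SSL (Encryption)'
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with a DN

try {
    $conn.Bind([System.Net.NetworkCredential]::new($BindDn, $Password))
    Write-Output "LDAPS bind as $BindDn to ${Server}:636 succeeded"
} catch {
    # Typical causes: wrong DN or password, port 636 not reachable, or the DC's
    # certificate chain is not trusted by this server.
    Write-Output "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```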

Define the Service Accounts within PortalGuard (Native Windows - Deprecated)

Follow these steps to utilize the 'pgservice' and 'pgadmin' accounts to connect to Active Directory when LDAPS is not configured. This configuration is not recommended. 

Important Note: To utilize the 'Native Windows' configuration, your PortalGuard server must be joined to the Active Directory Domain. 

  1. Navigate to the PortalGuard server and open the PortalGuard Configuration Editor.
  2. Navigate to the User Repositories tab and edit the 'Active Directory' entry.
  3. On the Configuration -> LDAP Basic tab, fill out the required fields to configure the connection string. You can use the 'Config/DN Lookup' button to set these automatically by providing the username of the service account when prompted.  Otherwise:
    • 'Server'
      • The server hostname for connecting to the DC via LDAP using Port 389
    • 'Port' 
      • Set this to '389'
    • 'Protection'
      • Set this to 'None'
    • 'Base DN'
      • This value sets the scope of effect for the PortalGuard service account.  This should be set to the highest AD container which contains user accounts.
    • 'Generic User'
      • The full 'distinguishedName' attribute for the user.
    • 'Generic Password'
      • The password for the user. 
  4. Click the 'Test Settings' button to validate your settings.
  5. Once the settings are validated, navigate to the Configuration -> Native Windows tab.
  6. Check the box for 'Native Windows Authentication' to enable this feature, then proceed to fill out the required information:
    • 'AD Admin Domain'
      • The AD Domain to which you are connecting. 
    • 'AD Admin Username'
      • The username for the PortalGuard Admin Service account (i.e. 'pgadmin')
    • 'AD Admin Password'
      • The password for the 'pgadmin' account
    • 'Default AD Domain'
      • The default AD Domain to which the user logs in with a bare username. This field will likely match the 'AD Admin Domain' field. 
  7. Check the box for 'Sync Active Directory Password Expiration' if it is not already enabled and then click 'Test Settings' to validate the settings. Your final config should resemble the following:
    • PortalGuard - Native Windows Config
  8. Once the settings return 'Validated settings', save this configuration and click 'Apply to PortalGuard server' and then 'Sync' to commit these changes.
  9. Finally, on the PortalGuard Server, run 'secpol.msc' to open the Local Security Policy module.
  10. In the left-hand pane, expand 'Local Policies' and click on 'User Rights Assignment'. 
  11. Locate 'Allow Log on Locally' in the right-hand pane:
    • SecPol - Allow log on locally
  12. Double click 'Allow log on locally' to view the properties. 
  13. Click on the 'Add User or Group' button and add the 'Account Operators' group:
    • SecPol - Add Account Operators
  14. Click 'OK' to save these changes.

REV. 10/2018 | PortalGuard

  • 30-Apr-2019