
Domain Membership and SecureAuth IdP

Introduction

Use this guide to understand the implications of joining the SecureAuth IdP appliance to an Active Directory domain.

Summary

SecureAuth discourages joining the IdP appliance to an Active Directory domain unless specifically required. A company's AD implementation often contains Group Policy Objects (GPOs) that, once applied to the appliance, will disable its operation.

There are, however, certain use cases where the appliance is required to join a domain. These could include:

  1. The deployment will use Integrated Windows Authentication (aka IWA or Desktop SSO)

    • Note that Desktop SSO is different from Transparent SSO

  2. The company's enterprise security standards require all computers to be members of a domain

Joining SecureAuth IdP to a Domain

Warning

If the customer and SecureAuth determine that the appliance must be joined to a domain, it is crucial to discuss the details with a SecureAuth Sales Engineer before doing so.

Recommendations

SecureAuth offers the following recommendations if it is necessary to join the appliance to a company's Active Directory domain:

  1. Review every GPO that will be applied to the appliance upon joining the domain to ensure that none will disable it

    1. Some policies to look for during the review are GPOs that will:

      • change the behavior of the security hardening of the appliance
      • change or disable IIS
      • disable the firewall
      • block ports on the firewall

  2. Review all company firewalls, including Windows Advanced Firewall and any corporate firewalls, between the domain controller and the appliance to ensure the correct ports are opened and unblocked

    1. See Network Communication Requirements for SecureAuth IdP 9.1 - 9.2 for the complete list of requirements

  3. Create an image of the appliance before joining it to the domain so there is a backup in case problems arise

  4. Do not join the domain until after SecureAuth IdP is installed; the setup process performs several one-time processes which may be blocked by the domain's GPOs

  5. Put the machine account in a separate Organizational Unit (OU) so the administrator can use security filtering more efficiently
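The following PowerShell script is an added example (not SecureAuth tooling) of how an administrator can put recommendations 1 through 4 into practice: it records a baseline of the appliance's firewall profiles, IIS service state and reachability of the domain controller ports before the join, and after the join it generates a Resultant Set of Policy report of every GPO applied to the computer account and reports any drift from the baseline. The domain controller name, the baseline path and the port list are assumptions; the ports are the common Active Directory set and must be confirmed against the Network Communication Requirements document for your IdP version.

```powershell
<#
  Pre/post domain-join check for a SecureAuth IdP appliance.
  Added example, not SecureAuth's own tooling. Assumes Windows Server with the
  NetSecurity and NetTCPIP modules (Server 2012 R2 or later) and a local
  administrator account on the appliance. Run once with -Mode Baseline before
  imaging and joining, then again with -Mode Verify after the join.
#>
param(
    [string]$DomainController = 'dc01.example.local',                 # placeholder: your DC
    [string]$BaselinePath     = 'C:\SecureAuth\pre-join-baseline.json', # placeholder path
    [ValidateSet('Baseline', 'Verify')]
    [string]$Mode = 'Baseline'
)

# Common AD ports the appliance must reach on a domain controller (assumption:
# confirm against the Network Communication Requirements document).
$AdPorts = @{ 'DNS' = 53; 'Kerberos' = 88; 'LDAP' = 389; 'SMB' = 445; 'LDAPS' = 636 }

function Get-ApplianceState {
    param([string]$Dc)
    # Windows Advanced Firewall profile state (recommendation 1: GPOs that disable the firewall)
    $firewall = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Profile = $_.Name; Enabled = [bool]$_.Enabled; DefaultInbound = "$($_.DefaultInboundAction)" }
    }
    # IIS service state (recommendation 1: GPOs that change or disable IIS)
    $iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    # Port reachability to the DC (recommendation 2: firewalls between DC and appliance)
    $ports = foreach ($name in $AdPorts.Keys) {
        [pscustomobject]@{
            Service   = $name
            Port      = $AdPorts[$name]
            Reachable = Test-NetConnection -ComputerName $Dc -Port $AdPorts[$name] `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
    [pscustomobject]@{
        CollectedAt  = (Get-Date).ToString('o')
        DomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        Firewall     = $firewall
        IisStatus    = if ($iis) { "$($iis.Status)" }    else { 'NotInstalled' }
        IisStartType = if ($iis) { "$($iis.StartType)" } else { 'NotInstalled' }
        Ports        = $ports
    }
}

function Compare-ApplianceState {
    param($Before, $After)
    $findings = @()
    if ($Before.IisStatus -ne $After.IisStatus -or $Before.IisStartType -ne $After.IisStartType) {
        $findings += "IIS (W3SVC) changed: $($Before.IisStatus)/$($Before.IisStartType) -> $($After.IisStatus)/$($After.IisStartType)"
    }
    foreach ($b in $Before.Firewall) {
        $a = $After.Firewall | Where-Object Profile -eq $b.Profile
        if ($a -and ($a.Enabled -ne $b.Enabled -or $a.DefaultInbound -ne $b.DefaultInbound)) {
            $findings += "Firewall profile $($b.Profile) changed: Enabled $($b.Enabled) -> $($a.Enabled), inbound $($b.DefaultInbound) -> $($a.DefaultInbound)"
        }
    }
    foreach ($b in $Before.Ports) {
        $a = $After.Ports | Where-Object Port -eq $b.Port
        if ($b.Reachable -and -not $a.Reachable) {
            $findings += "Port $($b.Port) ($($b.Service)) to $DomainController was reachable before the join and is now blocked"
        }
    }
    $findings
}

switch ($Mode) {
    'Baseline' {
        New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
        Get-ApplianceState -Dc $DomainController | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath. Image the appliance (recommendation 3) before joining."
        # Recommendation 5: join into a dedicated OU, e.g.
        #   Add-Computer -DomainName <domain> -OUPath 'OU=SecureAuth,DC=example,DC=local' -Credential (Get-Credential) -Restart
    }
    'Verify' {
        $before = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
        $after  = Get-ApplianceState -Dc $DomainController
        # RSoP report of every GPO now applied to the computer account, for the review in recommendation 1
        $report = Join-Path (Split-Path $BaselinePath) 'applied-gpos.html'
        gpresult /h $report /scope:computer /f | Out-Null
        $drift = Compare-ApplianceState -Before $before -After $after
        if ($drift) { $drift | ForEach-Object { Write-Warning $_ } }
        else        { Write-Host 'No drift detected in IIS, firewall profiles, or DC port reachability.' }
        Write-Host "Applied GPO report: $report"
    }
}
```

Run the Baseline mode before the appliance is joined and the Verify mode after the first reboot as a domain member; any warning it prints corresponds to a GPO or firewall rule that should be reviewed (and, where it affects the appliance, excluded through security filtering on the dedicated OU) before the appliance is placed into service.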

Joining the Domain

Refer to Microsoft's technical documentation for assistance with the process of joining a server to a domain.

Tip

Note that for Desktop SSO (IWA) to work properly, the workstation and the appliance must be joined to the same forest