Domain Membership and SecureAuth IdP
Introduction
Use this guide to understand the implications of joining the SecureAuth IdP appliance to an Active Directory domain.
Summary
SecureAuth discourages joining the IdP appliance to an Active Directory domain unless specifically required. Group Policies (GPOs) often exist in a company's AD implementation that will disable the appliance's operation.
There are, however, certain use cases where the appliance is required to join a domain. These could include:
The deployment will use Integrated Windows Authentication (aka IWA or Desktop SSO)
Note that Desktop SSO is different than Transparent SSO
The company's enterprise security standards require all computers to be members of a domain
Joining SecureAuth IdP to a Domain
Warning
If the customer and SecureAuth determine that the appliance must be joined to a domain, it is crucial to discuss the details with a SecureAuth Sales Engineer before doing so.
Recommendations
SecureAuth offers the following recommendations if it is necessary to join the appliance to a company's Active Directory domain:
Review every GPO that will be applied to the appliance upon joining the domain to ensure that none will disable it
Some policies to look for during the review are GPOs that will: change the behavior of the security hardening of the appliance, change or disable IIS, disable the firewall, block ports on the firewall
Review all company firewalls, including Windows Advanced Firewall and any corporate firewalls, between the domain controller and the appliance to ensure the correct ports are opened and unblocked
See Network Communication Requirements for SecureAuth IdP 9.1 - 9.2 for a list of complete requirements
Create an image of the appliance before joining it to the domain so there is a backup in case problems arise
Do not join the domain until after SecureAuth IdP is installed; the setup process performs several one-time processes which may be blocked by the domain's GPOs
Put the machine account in a separate Organizational Unit (OU) so the administrator can use security filtering more efficiently
Joining the Domain
Refer to Microsoft's technical documentation for assistance with the process of joining a server to a domain:
Windows Server 2008 R2: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)?redirectedfrom=MSDN#BKMK_c1
Windows Server 2012 R2: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)?redirectedfrom=MSDN#BKMK_c1
Tip
Note that for Desktop SSO (IWA) to work properly, the workstation and the appliance must be joined to the same forest