
Domain membership and SecureAuth IdP

Introduction

This document provides information on joining the SecureAuth IdP appliance to an Active Directory domain.

SecureAuth discourages joining the IdP appliance to an Active Directory domain unless it is specifically required. Group Policy Objects (GPOs) in a company's AD implementation often carry settings (security hardening changes, IIS or firewall changes) that disable the appliance's operation.

However, certain use cases exist in which the appliance is required to join a domain. These could include:

  • The deployment will use Integrated Windows Authentication (aka IWA or Desktop SSO). Note that Desktop SSO is different from Transparent SSO.

  • The company's enterprise security standards require all computers to be members of a domain.

Join SecureAuth IdP to a domain

IMPORTANT: If the customer and SecureAuth determine the appliance must be joined to a domain, it is crucial to discuss the details with a SecureAuth Sales Engineer before doing so.

Recommendations

SecureAuth offers the following recommendations if it is necessary to join the appliance to a company's Active Directory domain:

  1. Review every GPO that will be applied to the appliance upon joining the domain to ensure that none will disable it. In particular, look for GPOs that change the security hardening of the appliance, change or disable IIS, disable the Windows Firewall, or block ports on the firewall.

  2. Review all company firewalls, including Windows Advanced Firewall and any corporate firewalls, between the domain controller and the appliance to ensure the correct ports are opened and unblocked. See Network communication requirements for SecureAuth IdP for a list of complete requirements.

  3. Create an image of the appliance before joining it to the domain so there is a backup in case problems arise.

  4. Do not join the domain until after SecureAuth IdP is installed; the setup process performs several one-time steps that the domain's GPOs may block.

  5. Put the machine account in a separate Organizational Unit (OU) so the administrator can scope GPO links and security filtering to the appliance without affecting other machines.

Joining the domain

Refer to Microsoft's technical documentation for assistance with the process of joining a server to a domain:

TIP: For Desktop SSO (IWA) to work properly, the workstation and the appliance must be joined to the same Active Directory forest.
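As an added example (not SecureAuth's or Microsoft's own tooling), the following PowerShell script walks through the five recommendations above and the post-join forest check for IWA on the appliance itself: it lists the GPOs the target OU will deliver and exports each one for review, tests reachability of the domain controller, records a baseline of the appliance state that GPOs typically break, performs the join into the dedicated OU, and after the reboot compares the appliance against the baseline and confirms the forest. The domain name, domain controller, OU path, baseline file location and the port list are illustrative assumptions; the SecureAuth network communication requirements document referenced in recommendation 2 remains the authoritative list of ports.

```powershell
# Added example, not SecureAuth's own tooling. Pre-join review, baseline, join and post-join
# verification for an IdP appliance. Hypothetical values: domain example.com, DC dc01.example.com,
# target OU "OU=SecureAuth IdP,OU=Servers,DC=example,DC=com" (a dedicated OU, recommendation 5).
# Run in an elevated PowerShell on the appliance AFTER SecureAuth IdP is installed (recommendation 4).
# The image in recommendation 3 is taken on the hypervisor (for Hyper-V, e.g. Checkpoint-VM).
#Requires -RunAsAdministrator
param(
    [string]$Domain           = 'example.com',
    [string]$DomainController = 'dc01.example.com',
    [string]$OUPath           = 'OU=SecureAuth IdP,OU=Servers,DC=example,DC=com',
    [string]$BaselinePath     = "$env:ProgramData\SecureAuth\pre-join-baseline.json",
    [switch]$Join,                 # perform the join after the checks
    [string]$PostJoinForest        # after the reboot: the forest the IWA workstations live in
)

# Recommendation 1: every enabled GPO linked to, or inherited by, the target OU is what the new machine
# account will receive. Each is exported as an HTML report to read for hardening, IIS, firewall and
# port-blocking settings. Needs the GroupPolicy RSAT module and a domain account that can read GPMC;
# if the appliance lacks the module, run this function from a domain-joined admin workstation.
function Get-GposForOU {
    param([string]$Ou, [string]$ReportDir = "$env:TEMP\gporeports")
    Import-Module GroupPolicy -ErrorAction Stop
    New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null
    $inh   = Get-GPInheritance -Target $Ou
    $links = @($inh.GpoLinks) + @($inh.InheritedGpoLinks) | Where-Object { $_.Enabled }
    foreach ($l in $links) {
        Get-GPOReport -Guid $l.GpoId -ReportType Html -Path (Join-Path $ReportDir "$($l.GpoId).html")
        [pscustomobject]@{ Gpo = $l.DisplayName; Enforced = $l.Enforced; Id = $l.GpoId }
    }
}

# Recommendation 2: confirm the DC answers on the TCP ports domain membership and IWA need. This list
# is an illustrative subset; the SecureAuth network communication requirements document is authoritative.
function Test-DcPorts {
    param([string]$Dc, [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268))
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $Dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = [bool]$open }
    }
}

# Snapshot of what a careless GPO usually breaks on the appliance (the review items in recommendation 1),
# saved before the join so the state after the first post-join policy refresh can be compared against it.
function Get-ApplianceBaseline {
    [pscustomobject]@{
        FirewallProfiles = @(Get-NetFirewallProfile |
            Select-Object Name, @{ n = 'Enabled'; e = { [bool]$_.Enabled } }, @{ n = 'Inbound'; e = { [string]$_.DefaultInboundAction } })
        IisService     = [string](Get-Service -Name W3SVC).Status
        HttpsListening = [bool](Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)
        LocalAdmins    = @(Get-LocalGroupMember -Group Administrators | ForEach-Object Name)
    }
}

function Compare-Baseline {
    param([string]$Path)
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $after  = Get-ApplianceBaseline
    foreach ($k in 'IisService', 'HttpsListening') {
        if ("$($before.$k)" -ne "$($after.$k)") { Write-Warning "$k changed after join: $($before.$k) -> $($after.$k)" }
    }
    foreach ($p in $after.FirewallProfiles) {
        $b = $before.FirewallProfiles | Where-Object { $_.Name -eq $p.Name }
        if ($b.Enabled -ne $p.Enabled -or $b.Inbound -ne $p.Inbound) {
            Write-Warning "Firewall profile $($p.Name): $($b.Enabled)/$($b.Inbound) -> $($p.Enabled)/$($p.Inbound)"
        }
    }
    $added = Compare-Object $before.LocalAdmins $after.LocalAdmins | Where-Object SideIndicator -eq '=>'
    if ($added) { Write-Warning "New local administrators after join: $($added.InputObject -join ', ')" }
}

# After the reboot: secure channel to the domain, the forest the appliance landed in (Desktop SSO needs
# the appliance and the workstations in the same forest) and the GPOs that actually applied.
function Test-PostJoin {
    param([string]$WorkstationForest)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
    [pscustomobject]@{
        SecureChannel  = Test-ComputerSecureChannel
        Forest         = $forest
        IwaForestMatch = ($forest -eq $WorkstationForest)
        AppliedGpos    = @(gpresult /r /scope:computer)
    }
}

if ($PostJoinForest) {            # post-join mode: run after reboot and 'gpupdate /force'
    Compare-Baseline -Path $BaselinePath
    Test-PostJoin -WorkstationForest $PostJoinForest
    return
}

# Pre-join run: ports, GPO review, baseline; then the join only if explicitly asked for and nothing is blocked.
$closed = @(Test-DcPorts -Dc $DomainController | Where-Object { -not $_.Open })
if ($closed.Count) { Write-Warning "$DomainController unreachable on TCP: $($closed.Port -join ', ')" }
try   { Get-GposForOU -Ou $OUPath | Format-Table -AutoSize }
catch { Write-Warning "GPO review skipped here: $_ (run Get-GposForOU from an RSAT-equipped admin workstation)" }
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselinePath) | Out-Null
Get-ApplianceBaseline | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
Write-Host "Baseline written to $BaselinePath. Take the appliance image now (recommendation 3) before rerunning with -Join."
if ($Join) {
    if ($closed.Count) { throw 'Open the required ports to the domain controller before joining.' }
    $cred = Get-Credential -Message "Account permitted to create computer objects in $OUPath"
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred   # reboot afterwards
}
```

Run the script once without switches to do the checks and write the baseline, take the appliance image, rerun with -Join, reboot, run gpupdate /force, and then rerun with -PostJoinForest set to the forest the IWA workstations belong to. Any warning from Compare-Baseline points at a GPO that needs a security filter or a block on the dedicated OU; a false IwaForestMatch means Desktop SSO will not work from those workstations regardless of the rest of the configuration.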