
Active Directory integration

Table of contents

Introduction

Requirements

Service accounts

Setting up active directory

Configuration of the Active Directory import tool for on-premise customers

Configuration of the Active Directory import tool for cloud customers

Configuration of Azure Active Directory import tool

Adding a sql script to your active directory import

First import

Group linking

Scheduled task

 

Introduction

Pronestor Planner supports Active Directory integration, so you can import your users directly from Active Directory instead of creating them inside Pronestor. This allows your IT administrators to maintain Pronestor users through Active Directory, simplifying their jobs.

This guide covers Active Directory integration for on-premise customers and Azure Active Directory integration. If you are a cloud customer and need Active Directory integration, please contact helpdesk@pronestor.com for guidance.

 

Requirements

To follow this guide you need:

Administration rights in your Active Directory, for preparing the organizational unit and groups.

Knowledge of which users need which access in Pronestor (this can be changed later, but all imported users are given access as part of this guide).

Administrator rights in your Pronestor solution.

The service accounts described below.

For Azure Active Directory

If you are running version 8.1.15 or earlier, you need to ask Pronestor to enable the feature in your solution. Please contact helpdesk@pronestor.com and ask us to enable this feature toggle.

For on-premise installation you need:

Access to the server where you want to install Pronestor.

Access to setup the SQL database on the server where your Pronestor is installed.

 

Service accounts

If your Pronestor server is hosted by Pronestor and you are using Active Directory

If your Pronestor server is on-premise

If you are using Azure Active Directory

 

If your Pronestor server is hosted by Pronestor and you are using Active Directory

Create a Service Account with permissions to read from the Active Directory and run a scheduled task. It is important that the password is set to never expire. Because the password never expires, give the account a long random password, grant it read rights only, and do not reuse it for anything else.

 

If your Pronestor server is on-premise

Pronestor uses this Service Account for the Active Directory import. Set the Service Account's password to never expire, and since it never expires, use a long random password and grant the account only the rights listed below.

  • Using Windows authenticated database connection:

Create a Service Account with permissions to read from the Active Directory, write to the Pronestor SQL database, and run a scheduled task.
Please note: We recommend using the same Service Account as when creating the Pronestor database.

  • Using SQL authenticated database connection:

Create a Service Account with permissions to read from the Active Directory and run a scheduled task.
Please note: We recommend using the Pronestor SQL user account for the Pronestor database.

 

If you are using Azure Active Directory

Go to https://apps.dev.microsoft.com and log in as an administrator for the Azure Active Directory.
Create a new app.
Copy the "Application ID" [needed for later configuration]
Click "Generate New Password" and copy the password [needed for later configuration]. This password is the app's client secret: it is only displayed when generated and should be handled like any other credential.
Click "Add Platform" and choose "Web"
Enable "Allow Implicit Flow"
Enter the redirect URLs
https://yoursite.pronestor.com
(where yoursite is your Pronestor site)

https://yoursite.pronestor.com/Admin/UserImport.mvc/GrantPermissions
(Ignore Logout URL)

Add the following permissions:
Delegated permissions: User.Read
Application permissions: Directory.Read.All, Group.Read.All, User.Read.All
Click "Save"
Go to https://portal.azure.com, click "Azure Active Directory" and then "Properties"
Copy the "Directory ID" [needed for later configuration]

 

Now the application permissions added above must be granted to the app on behalf of your directory (admin consent), so that your Pronestor solution can use it. (For further elaboration see section 3 in https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service)

Construct a URL in the following format and open it in a browser:

https://login.microsoftonline.com/{0}/adminconsent?client_id={1}&redirect_uri={2}

{0} - the Directory ID retrieved above
{1} - the Application ID retrieved above
{2} - the redirect URL, e.g. https://yoursite.pronestor.com/Admin/UserImport.mvc/GrantPermissions (it must be one of the redirect URLs registered on the app, and it should be URL-encoded)

Open that link and confirm the consent prompt.

It is important that you are logged in to Pronestor as a Pronestor administrator in the same browser, and that it is an Azure AD administrator who signs in when the link opens.

If you experience login issues, try generating a new password for the app in the registration portal and enter the new password as the Client Secret in the Pronestor import.
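As an added example (not code from Pronestor or from this guide), the following Python builds the admin-consent URL in the format above from the three values: it checks that both IDs are GUIDs, percent-encodes the redirect URL so it survives as a single query parameter, and refuses a redirect URL that is not one of the two registered on the app in the steps above. The Directory ID, Application ID and site name used as input are made up.

```python
import re
from urllib.parse import urlencode

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def registered_redirects(site):
    """The two redirect URLs this guide registers on the app ("yoursite" is a placeholder)."""
    base = f"https://{site}.pronestor.com"
    return {base, f"{base}/Admin/UserImport.mvc/GrantPermissions"}


def admin_consent_url(directory_id, application_id, redirect_uri, site):
    """Build https://login.microsoftonline.com/{0}/adminconsent?client_id={1}&redirect_uri={2}.

    Both IDs must be GUIDs and the redirect URI must be registered on the app;
    otherwise Azure AD rejects the request after the administrator signs in.
    urlencode percent-encodes ':' and '/' in the redirect URI.
    """
    if not GUID_RE.match(directory_id):
        raise ValueError(f"Directory ID is not a GUID: {directory_id!r}")
    if not GUID_RE.match(application_id):
        raise ValueError(f"Application ID is not a GUID: {application_id!r}")
    if redirect_uri not in registered_redirects(site):
        raise ValueError(f"redirect_uri {redirect_uri!r} is not registered on the app")
    query = urlencode({"client_id": application_id, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{directory_id}/adminconsent?{query}"


if __name__ == "__main__":
    # Constructed values: not a real tenant, application or site.
    print(admin_consent_url(
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "https://yoursite.pronestor.com/Admin/UserImport.mvc/GrantPermissions",
        site="yoursite",
    ))
```

Paste the printed URL into the browser where you are logged in to Pronestor and let the Azure AD administrator sign in; a mistyped GUID or an unregistered redirect URL is caught before the link is opened rather than after the sign-in.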

 

Setting up active directory

Groups

Every access that can be given in Pronestor Planner can also be linked to Active Directory groups.

 

It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes a best-practice setup for your Active Directory. You can add additional departments and VIP groups as needed. There is a simplified setup for those who have one location, and a setup for those with multiple locations.

Both setups require you to create an Organizational Unit (referred to in this guide as PronestorOU) in your Active Directory. Please note down the distinguished name (path) of your PronestorOU for later reference; it is needed in the import configuration.

The next step is to create one group per role in Pronestor, placed in the PronestorOU. Each group represents a permission in Pronestor: one group for each of the roles secretary, facility manager, catering manager and booker, as well as groups for departments, secretary departments and VIP groups.

Groups in AD can be either distribution or security groups.

The naming of each group is not fixed. We do, however, recommend a naming convention that makes it easy to read and understand the groups maintained in Active Directory.

 

One location only - if Pronestor is configured to manage resources on one location only:

Create in Active Directory the following groups within the PronestorOU: 

  • Local_secretary

  • Local_facility_manager

  • Local_catering_manager

  • Local_booker

  • Department_A

  • Department_A_secretary

  • Department_B

  • Department_B_secretary

  • VIP_A

  • VIP_B

Every user that you want to import must be a member of the group Local_booker; users without it are not imported.

The department groups and VIP groups can be given in the combination you prefer, or not at all.

Once your users have been connected to the new groups, your Active directory is ready to be imported.

 

 

Multiple locations - if Pronestor is configured to manage resource at multiple locations:

Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.

Ex. If Pronestor is configured with resources on three locations - London, Stockholm, and Copenhagen - then the following groups must be created within the PronestorOU:

  • Administrator

  • Global_secretary

  • Global_facility_manager

  • Global_catering_manager

  • Global_booker

  • London_secretary

  • London_facility_manager

  • London_catering_manager

  • London_booker

  • Stockholm_secretary

  • Stockholm_facility_manager

  • Stockholm_catering_manager

  • Stockholm_booker

  • Copenhagen_secretary

  • Copenhagen_facility_manager

  • Copenhagen_catering_manager

  • Copenhagen_booker

  • Department_A

  • Department_A_secretary

  • Department_B

  • Department_B_secretary

  • VIP_A

  • VIP_B

It is important that every user has one local booker group, and only one. If a user needs more than one location, give them one of the local booker groups and the global booker group, e.g. London_booker and Global_booker.

If you have three or more locations and a user needs access to two of them, you have to give the user access to all locations via the global group. Pronestor cannot handle a user who is given both London_booker and Stockholm_booker, and it cannot handle a user who has no local booker group at all.

The department groups and VIP groups can be given in the combination you prefer, or not at all.

Once your users have been connected to the new groups, your Active directory is ready to be imported. 
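As an added example (not part of this guide or of Pronestor's software), the Python below generates the group names the guide asks for from a list of locations and audits a membership list against the booker-group rules above: exactly one local booker group per user, Global_booker optional, and no user without a local group. The user names and memberships are constructed; a real run would read them from an export of your Active Directory.

```python
ROLES = ("secretary", "facility_manager", "catering_manager", "booker")


def expected_groups(locations):
    """Group names this guide asks for inside PronestorOU.

    One location: Local_<role> for each role.
    Several: Administrator, Global_<role> and <Location>_<role> per location.
    Department and VIP groups are optional and added as needed, so not listed here.
    """
    if len(locations) == 1:
        return [f"Local_{role}" for role in ROLES]
    groups = ["Administrator"] + [f"Global_{role}" for role in ROLES]
    for location in locations:
        groups.extend(f"{location}_{role}" for role in ROLES)
    return groups


def local_booker_groups(locations):
    """The groups that count as a 'local booker group' for this setup."""
    if len(locations) == 1:
        return {"Local_booker"}
    return {f"{location}_booker" for location in locations}


def check_user(member_of, locations):
    """Problems with one user's memberships; an empty list means the user is importable."""
    local = sorted(set(member_of) & local_booker_groups(locations))
    if not local:
        return ["no local booker group: the user will not be imported"]
    if len(local) > 1:
        return ["more than one local booker group (" + ", ".join(local)
                + "): keep one of them and add Global_booker instead"]
    return []


def audit(membership, locations):
    """Run check_user over a {user: [groups]} mapping."""
    return {user: check_user(groups, locations) for user, groups in membership.items()}


# Constructed sample, not real users: what an export of group memberships might look like.
SAMPLE_LOCATIONS = ["London", "Stockholm", "Copenhagen"]
SAMPLE_MEMBERSHIP = {
    "alice": ["London_booker", "Department_A"],                 # ok
    "bob":   ["London_booker", "Stockholm_booker"],             # two local groups: not allowed
    "carol": ["Copenhagen_booker", "Global_booker", "VIP_A"],   # ok: all locations via Global
    "dave":  ["Global_booker", "Department_B_secretary"],       # no local group: not imported
}

if __name__ == "__main__":
    print("\n".join(expected_groups(SAMPLE_LOCATIONS)))
    for user, problems in audit(SAMPLE_MEMBERSHIP, SAMPLE_LOCATIONS).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Running the audit before the first import shows which users will silently be left out (no local booker group) or will cause trouble (two local booker groups) while the fix is still a group membership change in Active Directory.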

 

Configuration of the Active Directory import tool for on-premise customers

When running an on-premises solution, the Active Directory integration is an integrated part of the Administration Module in Pronestor Planner. No additional software needs to be installed, but the integration does need to be configured.

First create the Active Directory import in Pronestor. This is done in the administration module by pressing "New import job" and filling out the window that opens. In this example the import is named Active Directory.

Leave Pronestor and open a file explorer.

Go to the path where you installed Pronestor, and find this file [sitefolder]\App_Data\Import\Active Directory\ActiveDirectory.config

Please note that if you named your import something else, the folders will reflect that.

Open the ActiveDirectory.config file with a text editor like notepad. We will edit this part:

<appSettings>
<add key="ADAdminUser" value="springfield\kasperh"/>
<add key="ADAdminPassword" value="Pro,Kasper"/>
<add key="ADFullPath" value="LDAP://10.0.53.3"/>
<add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>
<!--<add key="ProNestorOULocation" value="OU=small_pronestor,DC=springfield"/>-->
<!--<add key="ProNestorOULocation" value="OU=proNestorOU,DC=contoso,DC=com"/>-->
<add key="ADGroupSpecific" value="(cn=*)"/>

 

Usually the service account that runs the scheduled task (see Service accounts) already has read rights in the Active Directory, which allows us to leave the user and password blank. That means they should look like this:

<add key="ADAdminUser" value=""/>

<add key="ADAdminPassword" value=""/>

If the account does not have read rights to the Active Directory, you have to insert a login and password instead. Note that the password is then stored in clear text in this file, so restrict read access to the file to administrators and the service account, and use an account that has read rights only.

The config file needs to know the path to the domain controller. It can be an IP address, a DNS name or similar. Please insert it here:

<add key="ADFullPath" value="LDAP://10.0.53.3"/>

The ProNestorOULocation key must hold the distinguished name of the OU where you created the Active Directory groups (noted down in Setting up active directory), and ADGroupSpecific can restrict which groups are read, as described for cloud customers below.

Save file and close Notepad.

 

Configuration of the Active Directory import tool for cloud customers

Unzip the ADIntegration.zip that you got from Pronestor. Place the folder on a server that can run a scheduled task.

The folder contains a file named ADIntegration.exe.config

Edit it with a text editor like notepad. We edit this part:

<appSettings>
    <add key="ADAdminUser" value="springfield\kasperh"/>
    <add key="ADAdminPassword" value="Pro,Kasper"/>
    <add key="ADFullPath" value="LDAP://10.0.53.3"/>
    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>
    <!--<add key="ProNestorOULocation" value="OU=small_pronestor,DC=springfield"/>-->
    <!--<add key="ProNestorOULocation" value="OU=proNestorOU,DC=contoso,DC=com"/>-->
    <add key="ADGroupSpecific" value="(cn=*)"/>

 

Usually the service account that runs the scheduled task (see Service accounts) already has read rights in the Active Directory, which allows us to leave the user and password blank. That means they should look like this:

    <add key="ADAdminUser" value=""/>

    <add key="ADAdminPassword" value=""/>

If the account does not have read rights to the Active Directory, you have to insert a login and password instead. Note that the password is then stored in clear text in this file, so restrict read access to the file to administrators and the service account, and use an account that has read rights only.

The config file needs to know the path to the domain controller. It can be an IP address, a DNS name or similar. Please insert it here:

    <add key="ADFullPath" value="LDAP://10.0.53.3"/>

This key needs the distinguished name of the OU where you created the Active Directory groups:

    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>

Lastly you can limit the groups that are read. This can be handy if you placed the Active Directory groups together with other groups in your Active Directory. The value is an LDAP filter on the group's common name (cn); enter the prefix of your group names followed by *. For example, if all your Pronestor groups are prefixed with Pronestor:

    <add key="ADGroupSpecific" value="(cn=Pronestor*)"/>

Save and close Notepad. The Active Directory import is now configured, but it needs to be set up as a scheduled task and its output transferred to Pronestor's FTP server.
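As an added example that is not Pronestor's code, and that applies both to the on-premise ActiveDirectory.config and to the cloud ADIntegration.exe.config (the appSettings keys are the same), the Python below rewrites the keys discussed above on a copy of the sample block from this guide: it blanks the credentials so the scheduled task's service account is used, sets the domain controller path and the OU, and builds the ADGroupSpecific prefix filter with the escaping RFC 4515 requires inside LDAP filters, so a prefix containing ( ) * or \ cannot change the meaning of the filter. The domain controller name in the usage line is made up.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <appSettings> block shown in this guide, wrapped so it parses on its own.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="ADAdminUser" value="springfield\\kasperh"/>
    <add key="ADAdminPassword" value="Pro,Kasper"/>
    <add key="ADFullPath" value="LDAP://10.0.53.3"/>
    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>
    <add key="ADGroupSpecific" value="(cn=*)"/>
  </appSettings>
</configuration>
"""

# RFC 4515: these characters must be escaped inside an LDAP search filter value.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def prefix_filter(prefix):
    """ADGroupSpecific value matching groups whose cn starts with prefix ("" = all groups)."""
    return f"(cn={ldap_escape(prefix)}*)"


def configure(config_xml, ad_path, ou_dn, group_prefix=""):
    """Return config_xml with the import keys set. Credentials are blanked so the
    scheduled task's service account authenticates instead of a password in the file."""
    if not ad_path.upper().startswith("LDAP://"):
        raise ValueError("ADFullPath must start with LDAP://")
    if not ou_dn.upper().startswith("OU="):
        raise ValueError("ProNestorOULocation must be the distinguished name of the OU")
    root = ET.fromstring(config_xml)
    settings = {add.get("key"): add for add in root.find("appSettings").iter("add")}
    settings["ADAdminUser"].set("value", "")
    settings["ADAdminPassword"].set("value", "")
    settings["ADFullPath"].set("value", ad_path)
    settings["ProNestorOULocation"].set("value", ou_dn)
    settings["ADGroupSpecific"].set("value", prefix_filter(group_prefix))
    return ET.tostring(root, encoding="unicode")


def read_settings(config_xml):
    """The appSettings keys and values of a config, for checking the result."""
    root = ET.fromstring(config_xml)
    return {add.get("key"): add.get("value") for add in root.find("appSettings").iter("add")}


if __name__ == "__main__":
    # dc01.springfield.local is a made-up domain controller name.
    updated = configure(SAMPLE_CONFIG, "LDAP://dc01.springfield.local",
                        "OU=pronestor,DC=springfield", "Pronestor")
    print(updated)
```

The escaping matters because ADGroupSpecific is passed to Active Directory as a search filter: an unescaped ) or * in the prefix would either break the query or widen it to groups you did not intend to import.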

How to create the scheduled task:

Open the Task Scheduler on the server, and create a new scheduled task.

We are only interested in the first 3 tabs. Here is an example of how it could be set up. The task needs to call the ADIntegration.exe file in the folder you unzipped.

The General tab is where you name and describe the task. Set the task to run as the service account created earlier, and choose "Run whether user is logged on or not", since we want it to run on a schedule without anyone logged in.

The next tab is Triggers. Please press "New".

In this example the task will run at 2am every night.

Then we go to the tab Actions and choose "New".

In "Program/script", browse to the ADIntegration.exe file and choose it. Then press "OK".

Press "OK" again and the task is set up. This task will create an ADdump.txt file in the same folder as the ADIntegration.exe file. The ADdump.txt file contains the Active Directory information that Pronestor needs to import the users, so treat the folder as containing personal data and restrict access to it.

Setting up the FTP

Please contact Helpdesk@Pronestor.com and ask us to create an FTP user for you. We will need your external IP address in order to open the FTP service for you.

Pronestor will also need to set up a scheduled task on our server to import the ADdump.txt file into your solution. Please remind us of this, and tell us when you have set your scheduled task to run. That way we can set ours to run shortly after yours, instead of shortly before yours.

 

IMPORTANT: This part of the guide describes how to use some well-known FTP clients to connect to Pronestor's FTP server. Setup is infrastructure dependent, and as such Pronestor can't ensure full troubleshooting beyond the description in this guide.

 

Security:

Pronestor will create an FTP account for each customer, with a unique username and password.

The account requires a public IP address to be reported to Pronestor for validation purposes, meaning that only that specific IP can access the FTP service.

Pronestor will by default allow FTP traffic on port 21. If required, FTPS can be added as an extra security layer to ensure encrypted data transfer. Note that SFTP is not supported. Since plain FTP sends both the account password and the contents of ADdump.txt (user data from your directory) unencrypted, ask for FTPS to be enabled unless your network already protects the transfer.

 

Configuration:

Below you'll find a description of how to set up a connection to the Pronestor FTP server.

We recommend using FileZilla for simple and easy transfer of files; the same FTP client is good for troubleshooting as well.

NCFTP is a command-line FTP client which can easily be configured to run as a scheduled Windows task.

Note: this is an example; other FTP clients can be used, but these are not directly supported by our helpdesk since this is a configuration/setup that can vary a lot from customer to customer due to their individual infrastructure.

 

Example using NCFTP

  • An account has been created and delivered from Pronestor
  • Customer has reported a public IP address to be associated with their account

 

  • Create a batch file with Notepad containing the upload command:
  • ncftpput -F -u [your_ftp_username] -p [your_ftp_password] ftp.pronestor.com ./ [file]
    • For example, to upload the ADdump.txt produced by the scheduled task: ncftpput -F -u MyUser -p MyPassword ftp.pronestor.com ./ ADdump.txt
    • A password given with -p is visible to anyone who can read the batch file or list processes on the server; ncftpput can instead read host, user and password from a file passed with -f, which you can then protect with file permissions.
  • Save the file as yourexport.bat
  • Schedule it to run after the ADIntegration task has finished

 

Example using Filezilla

  • An account has been created and delivered from Pronestor
  • Customer has reported a public IP address to be associated with their account

 

  • Launch FileZilla (https://filezilla-project.org/)
  • Choose File -> Site Manager
  • Click New Site
  • Give the site a name, e.g. Pronestor

 

 

  • Within the general tab
    • Host : pronestor.com
    • Port: 21
    • Login type: Normal
    • User: [your_ftp_username]
    • Password: [your_ftp_password]

 

 

  • Click connect

Result should be that the listing of the remote site is shown:

 

Troubleshooting:

  • Validate that the account exists and the password is correct
    • How: Pronestor support can try to connect from within the Pronestor network using FileZilla to the customer's FTP account
  • Validate that the public IP is correct
    • How: open a web browser on the PC/server that you FTP from.
      Open http://www.minip.dk and send a screenshot to Pronestor support
  • If an error shows regarding “LISTING” not allowed or failed
    • please go to Site Manager
    • Choose the “pronestor” site
    • Go to tab “Transfer Mode”
      • Choose “Active”
      • Click Connect

 

Configuration of Azure Active Directory import tool

Azure Active Directory integration doesn't require any additional software to be installed at your site. Instead Azure and Pronestor need to be configured so that the information from Azure can enter Pronestor.

First create the Active Directory import in Pronestor. This is done in the administration module by pressing "New import job".

Then fill out the window that opens. In this example the import is named Active Directory. Remember to choose Azure Active Directory as the type. If Azure Active Directory isn't available as a type, please contact Helpdesk@pronestor.com for assistance.

Here you will need the information you saved while creating the app in Azure Active Directory.

Enter the Azure ID, which is the Directory ID.
Enter the Client ID, which is the Application ID.
Enter the Client Secret, which is the password generated for the app.
Default User Password - this is the password new users in Pronestor are created with. It can be changed later. Every imported user receives this same initial password, so choose a strong one and treat it as confidential.
Default User Language - choose the default language for new users.
Login format - use "WindowsLogin".
Strip domain - leave it unselected.

Then click save. 

 

Adding a sql script to your active directory import

Please note that in general we don't recommend making changes to the database, as a bad script can break Pronestor.

You can set a SQL script to run on your SQL database in connection with the Active Directory import. This could be something like setting a meeting type as default.

For on-premise:

Go to the installation folder and find the folder for your Active Directory import. In this example the import is named Active Directory, so the path is [sitefolder]\App_Data\Import\Active Directory\

Create a text file containing the script and rename it to script.sql

Make sure you remove any other file type endings, such as .txt. The file type has to be .sql

The script will now run after every Active Directory import. Because anything placed in this file is executed against the Pronestor database on every import, restrict write access to the import folder to administrators.

For Cloud:

Send the script to Helpdesk@Pronestor.com along with the name of your active directory import and a link to your solution. We will add it to your solution on our servers.  

 

First import

For cloud customers this will happen automatically when the FTP transfer is set up. You just have to be patient.

For Azure and on-premise customers the import can be triggered manually. It can take some time, depending on the size of your Active Directory. Open the import you created earlier by pressing "Edit".

In the import, choose the tab called Sessions, then press "Perform import". This can take a long time, so just leave it to do its thing. Please note that the users won't enter Pronestor until the groups have been linked as shown in the next chapter.

 

Group linking

After the first import of your Active Directory, you need to link the Active Directory groups to Pronestor rights. This is handled inside Pronestor Planner's administration module, by going to Settings, Import users and pressing "Edit" on your Active Directory import.

This opens a new window, where you want to go to "Linking". Here you can see all the accesses within Pronestor Planner and connect each of them to a group. Please note that the screenshots are from a demo solution with just one location and no departments or VIP groups, so yours might have a lot more accesses in here.

To get the Active Directory groups visible in the drop-down, please press "Load AD structure".

Link your Active Directory groups to the accesses you want them to give by using the drop-down menu for each access (highlighted for the global administrator in the screenshot).

Link the groups as desired. Remember the rules about which accesses are needed for users to be imported, as described in the chapter called Setting up active directory.

When the groups have been linked, you need to run another import for the users to appear in Pronestor. You can either start it manually, or wait for the scheduled task to handle it.

 

Scheduled task

Once the Active Directory import is set up properly, it's time to schedule it. If you are a cloud customer, you can skip this step, as it is set up as part of the FTP transfer.

This is done by ticking the box "Enable automatic scheduling" and choosing a time for the import to run. Don't forget to press "Save schedule".

Now you're all done and the users will be imported daily. If you give new employees the relevant Active Directory groups, you won't have to edit their rights or create them inside Pronestor Planner.
