Follow

Active Directory integration

Table of contents

Introduction

Requirements

Service accounts

Setting up active directory

Configuration of the Active Directory import tool for on-premise customers

Configuration of the Active Directory import tool for cloud customers

First import

Group linking

Sceduled task

 

Introduction

Pronestor Planner supports Active Directory integration, so you can import your users directly from Active Directory instead of creating them inside Pronestor. This allows your IT administrators to maintain Pronestor users through Active Directory, simplifying their jobs.

This guide covers Active Directory integration for on-premise customers and cloud customers.

 

Requirements

To fulfil this guide you need:

Administration rights to your active directory for preparing your active directory.

Know which users needs which access in Pronestor (though it can be changed later, all imported users will get accesses as part of this guide).

The users in Active Directory needs to have Firstname, Lastname, Initial and email filled out.

Administration rights in your Pronestor.

The service accounts described here.

For on-premise installation you need:

Access to the server where you want to install Pronestor.

Access to setup the SQL database on the server where your Pronestor is installed.

For Cloud you need:

Admin access to your Pronestor Planner and some FTP access.

 

Service accounts

If your Pronestor server is hosted by Pronestor and you are using Active Directory

If your Pronestor server is on-premise

 

 

If your Pronestor server is hosted by Pronestor and you are using Active Directory

Create a Service Account with permissions to read from the Active Directory and run a scheduled task. It is important that the password is set to never expire.

 

If your Pronestor server is on-premise

Pronestor uses this Service Account in the Active Directory import. Set the Service Account’s password to never expire.

  • Using Windows authenticated database connection:

Create a Service Account with permissions to read from the Active Directory, write to the Pronestor SQL database, and run a scheduled task.
Please note: We recommend to use the same Service Account as when creating the Pronestor database.

  • Using SQL authenticated database connection:

Create a Service Account with permissions to read from the Active Directory and run a scheduled task.
Please note: We recommend to use the Pronestor SQL user account for the Pronestor database.

 

 

 

Setting up active directory

Groups

Every access that can be given in Pronestor Planner can also be linked to Active Directory groups.

It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes best practice for setting up your active directory.  You can add additional departments and VIP groups as needed. There is a simplified setup for those who have one location, and a setup for those with multiple locations. 

Both setups require you to create a Organizational Unit (referred to here in the guide as PronestorOU) in your Active Directory. Please note down the path of your PronestorOU for later reference.

Next step is to create a group per role in Pronestor. The groups should be placed in the PronestorOU. A role represents a permission in Pronestor for each of the following roles: secretary, facility manager, catering manager or booker, as well as departments, secretary departments and VIP groups.

Groups in AD can be either user or security groups.

The naming of each group is not fixed - we do however recommend a naming convention that makes it easy to read and understand the groups maintained in Active Directory.

 

One location only - if Pronestor is configured to manage resources on one location only:

Create in Active Directory the following groups within the PronestorOU: 

  • Local_secretary

  • Local_facility_manager

  • Local_catering_manager

  • Local_booker

  • Department_A

  • Department_A_secretary

  • Department_B

  • Department_B_secretary

  • VIP_A

  • VIP_B

Every user that you want to import has to have the group Local_booker

The department groups and VIP groups can be given in the combination you prefer, or not at all.

Once your users have been connected to the new groups, your Active directory is ready to be imported.

 

 

Multiple locations - if Pronestor is configured to manage resource at multiple locations:

Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.

Ex. If Pronestor is configured with resources on three locations - London, Stockholm, and Copenhagen - then the following groups must be created within the PronestorOU:

  • Administrator

  • Global_secretary

  • Global_facility_manager

  • Global_catering_manger

  • Global_booker

  • London_secretary

  • London_facility_manager

  • London_catering_manager

  • London_booker

  • Stockholm_secretary

  • Stockholm_facility_manager

  • Stockholm_catering_manager

  • Stockholm_booker

  • Copenhagen_secretary

  • Copenhagen_facility_manager

  • Copenhagen_catering_manager

  • Copenhagen_booker

  • Department_A

  • Department_A_secretary

  • Department_B

  • Department_B_secretary

  • VIP_A

  • VIP_B

It's important that every user has one local booker group, and only one. So if a user only needs more than one location, give them one of the local groups and the global group. Fx London_booker and Global_booker

If you have three or more locations and a user needs access to two of them, you have to give the user access to all locations. Pronestor cannot handle it if a user is given both London_booker and Stockholm_booker and Pronestor cannot handle if they don't have a local booker group.

The department groups and VIP groups can be given in the combination you prefer, or not at all.

Once your users have been connected to the new groups, your Active directory is ready to be imported. 

 

Configuration of the Active Directory import tool for on-premise customers

When running an on-premises solution the Active directory integration is an integrated part of the Administration Module in Pronestor Planner. No additional software is to be installed, but it does need to be configured.

First create the Active Directory import in Pronestor. This is done in the administration module as shown below by pressing "New import job". Then you get the new window you can fill out. In this example I named it Active directory.

Leave Pronestor and open a file explorer.

Go to the path where you installed Pronestor, and find this file [sitefolder]\App_Data\Import\Active Directory\ActiveDirectory.config

Please note that if you named your import something else, the folders will reflect that.

Open the ActiveDirectory.config file with a text editor like notepad. We will edit this part:

<appSettings>

<add key="ADAdminUser" value="springfield\kasperh"/>

<add key="ADAdminPassword" value="Pro,Kasper"/>

<add key="ADFullPath" value="LDAP://10.0.53.3"/>

<add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>

<!--<add key="ProNestorOULocation" value="OU=small_pronestor,DC=springfield"/>-->

<!--<add key="ProNestorOULocation" value="OU=proNestorOU,DC=contoso,DC=com"/>-->

<add key="ADGroupSpecific" value="(cn=*)"/>

 

Usually the service running the scheduled task has read rights to the Active Directory, which allows us to leave the user and password blank. That means they should look like this:

<add key="ADAdminUser" value=""/>

<add key="ADAdminPassword" value=""/>

If the service doesn't have read rights to Active directory, you have to insert login and password instead.

The config file needs to know the path to the domain controller. It can be an IP address, a DNS name or similar. Please insert it here:

<add key="ADFullPath" value="LDAP://10.0.53.3"/> 

Save file and close Notepad.

 

Configuration of the Active Directory import tool for cloud customers

Go to http://help.pronestor.com/download/ and download ADIntegration.zip.

Unzip the ADIntegration.zip. Place the folder on a server that can run a sceduled task.

The folder contains a file named ADIntegration.exe.config

Edit it with a text editor like notepad. We edit this part:

<appSettings>

    <add key="ADAdminUser" value="springfield\kasperh"/>

    <add key="ADAdminPassword" value="Pro,Kasper"/>

    <add key="ADFullPath" value="LDAP://10.0.53.3"/>

    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>

    <!--<add key="ProNestorOULocation" value="OU=small_pronestor,DC=springfield"/>-->

    <!--<add key="ProNestorOULocation" value="OU=proNestorOU,DC=contoso,DC=com"/>-->

    <add key="ADGroupSpecific" value="(cn=*)"/>

 

Usually the service running the scheduled task has read rights to the Active Directory, which allows us to leave the user and password blank. That means they should look like this:

    <add key="ADAdminUser" value=""/>

    <add key="ADAdminPassword" value=""/>

If the service doesn't have read rights to Active directory, you have to insert login and password instead.

The config file needs to know the path to the domain controller. It can be an IP address, a DNS name or similar. Please insert it here:

    <add key="ADFullPath" value="LDAP://10.0.53.3"/>

This part here needs the path to the OU where you created the Active Directory groups

    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>

Lastly you can limit the groups that are read. This can be handy if you placed the Active Directory groups with other groups in your Active Directory. You do that here, by entering the prefix of the group. If you used our recommendations, that would be Pronestor

    <add key="ADGroupSpecific" value="(cn=Pronestor*)"/>

Save and close the notepad. The Active Directory import is now configured, but it needs to be setup as a sceduled task and FTP'ed to our server.

How to create the scheduled task:

Open the Task Scheduler on the server, and create a new scheduled task

We are only interested in the first 3 tabs. Here is an example of how it could be set up. The task needs to call the ADIntegration.exe file in the folder you unzipped.

The general tab is where you name and describe the task. Please choose "Run whether user id logged on or not" since we want it to run on a schedule.

The next tab is Triggers. Please press "New"

In this example the task will run at 2am every night.

Then we go to the tab Actions and choose "New".

In "Program/script" please find the path for the ADIntegration.exe file and choose it. Then fill it out like this and press "OK".

Press "OK" again and the task is set up. This task will create an ADdump.txt file in the same folder as the ADIntegration.exe file. The ADdump.txt file contains the Active Directory information that Pronestor needs to import the users.

Setting up the FTP

Please contact Helpdesk@Pronestor.com and ask us to create a FTP user for you. We will need your external IP address to open up for you.We have an internal guide that tells us how to do this. Its located here (you can't see the link)

Pronestor will also need to setup a scheduled task on our server to import the addump.txt file into your solution. Please remind us of this, and tell us when you have set your scheduled task to run. That way we can set ours to run shortly after yours, instead of shortly before yours. Our internal guide for that is located here

 

IMPORTANT: This part of the guide describes how one can use some well known FTP clients to connect to Pronestor's FTP. Setup can be infrastructure dependent, and as such Pronestor can't ensure full troubleshooting beyond the description of this guide.

 

Security:

Pronestor will create an FTP account for each customer – with a unique username and password.

The account will require a public IP to be reported to Pronestor for safety/validation purpose – meaning that only that specific IP can access the FTP service.

Pronestor will by default allow FTP traffic using port 21. If required – FTPS can be added as an extra security layer to ensure encrypted data transfer. Note – SFTP is not supported.

 

Configuration:

Below you’ll find a description on how to setup a connection to Pronestor FTP.

We recommend using FileZilla for the simple and easy transfer of files – and the same FTP client is good for trouble shooting as well.

NCFTP is a command line FTP client which can easily be configured to run as a scheduled Windows task

Note – this is an example, other FTP clients can be used, but support on these are not directly supported from our helpdesk since this is a configuration/setup that can vary a lot from customer to customer due to their individual infrastructural environments.

 

Example using NCFTP

  • An account has been created and delivered from Pronestor
  • Customer has reported a public IP address to be associated with their account

 

  • Create batch file with notepad
  • ncftpput -F -u [your_ftp_username] -p [your_ftp_password] ftp.pronestor.com ./ file
    • ncftpput -F u MyPass -p MyPassword ftp.pronestor.com ./ myfile.txt
  • Save file as yourexport.bat
  • Schedule it to run

 

Example using Filezilla

  • An account has been created and delivered from Pronestor
  • Customer has reported a public IP address to be associated with their account

 

  • Launch FileZilla (https://filezilla-project.org/)
  • Choose File->Site Manager
  • Click New Site
  • Give the Site a new name – ex. Pronestor

 

 

  • Within the general tab
    • Host : pronestor.com
    • Port: 21
    • Login type: Normal
    • User: [your_ftp_username]
    • Password: [your_ftp_password]

 

 

  • Click connect

Result should be that the listing of the remote site is shown:

 

Trouble shooting:

  • Validate that the account exists and password is correct
    • How – Pronestor support can try to connect from within Pronestor network using Filezilla to customer’s ftp account
  • Validate that the public IP is correct
    • How – open a web browser from the PC/Server that the customer uses to FTP from.
      Open http://www.minip.dk – send the screen dump to Pronestor support
  • If an error shows regarding “LISTING” not allowed or failed
    • please go to Site Manager
    • Choose the “pronestor” site
    • Go to tab “Transfer Mode”
      • Choose “Active”
      • Click Connect

 

 

 

 

First import

For cloud customers this will happen automatically when the FTP transfer is setup. You just have to be patient.

For Azure and on-premise customers this can be triggered manually. This can take some time, depending on the size of your Active directory. Open your import from before by pressing "Edit".

In the import, choose the tab called Sessions, then press "Perform import". This can take a long time, so just leave it to do it's thing. Please note that the users won't enter Pronestor until after the groups are linked as show in the next chapter.

 

Group linking

After the first import of your Active directory, you need to link the Active directory groups to Pronestor rights. This is handled inside Pronestor Planners administration module, by going in settings, import users and pressing "Edit" on your Active Directory import.

This opens a new window, where you want to go to "Linking". Here you can see all the accesses within Pronestor Planner and you can connect them to a group. Please note that these pictures are from a demo solution with just one location and no departments nor VIP groups, so yours might have a lot more accesses in here.

To get the Active directory groups visible in the drop down, please press "Load AD structure".

Please link your Active directory groups to the accesses you want them to give, by pressing the drop down menu. I have highlighted it for the global administrator in this picture.

Link the groups as desired. Remember the rules about what accesses are needed for users to be imported as described in the chapter called Setting up active directory

When the groups have been linked, you need to do another import for the users to appear in Pronestor. You can either start it manually, or wait for the sceduled task to handle it.

 

Sceduled task

Once the active directory import is set up properly, it's time to make a sceduled task of it. If you are a cloud customer, you can skip this step as it's setup as part of the FTP transfer.

This is done here by clicking the box for "Enable automatic scheduling" and choosing a time for the import to run. Don't forget to press "Save schedule".

Now you're all done and the users will be imported daily. If you give new employees the relevant active directory groups, you won't have to edit their right or create them inside Pronestor Planner.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk