Follow

Active Directory integration

Pronestor Planner supports Active Directory integration, so you can import your users directly from Active Directory instead of creating them inside Pronestor. This allows your IT administrators to maintain Pronestor users through Active Directory groups, simplifying their jobs.

This guide covers Active Directory integration for on-premise customers and cloud customers.

Table of contents

 

Requirements

To fulfil this guide you need:

  • Administration rights to your active directory for preparing your active directory.
  • Know which users needs which access in Pronestor (though it can be changed later, all imported users will get accesses as part of this guide).
  • The users in Active Directory needs to have:
    • Firstname
    • Lastname
    • Initial  
    • email
    • Mobile phone (only if you use sms notifications with Visitor)
  • Administration rights in your Pronestor.

For Cloud you need:

  • Access to setup an FTP transfer task.

 

Service accounts

If your Pronestor server is hosted by Pronestor

If your Pronestor server is on-premise

 

 

If your Pronestor server is hosted by Pronestor

Create a Service Account with permissions to read from the Active Directory and run a scheduled task. It is important that the password is set to never expire.

 

If your Pronestor server is on-premise

Pronestor uses a Service Account in the Active Directory import. Set the Service Account’s password to never expire.

  • Using Windows authenticated database connection:

Create a Service Account with permissions to read from the Active Directory, write to the Pronestor SQL database, and run a scheduled task.
Please note: We recommend to use the same Service Account as when creating the Pronestor database.

  • Using SQL authenticated database connection:

Create a Service Account with permissions to read from the Active Directory and run a scheduled task.
Please note: We recommend to use the Pronestor SQL user account for the Pronestor database. 

 

Setting up active directory

Groups

Every access that can be given in Pronestor Planner can also be linked to Active Directory groups.

It is possible to use whichever Organizational Unit and Active Directory group structure you prefer. This guide describes best practice for setting up your active directory.  You can add additional departments and VIP groups as needed. There is a simplified setup for those who have one location, and a setup for those with multiple locations. 

Both setups require you to create a Organizational Unit (referred to here in the guide as PronestorOU) in your Active Directory. Please note down the path of your PronestorOU for later reference.

Next step is to create a group per role in Pronestor. The groups should be placed in the PronestorOU. A role represents a permission in Pronestor for each of the following roles: secretary, facility manager, catering manager or booker, as well as departments, secretary departments and VIP groups.

Groups in AD can be either user or security groups.

The naming of each group is not fixed - we do however recommend a naming convention that makes it easy to read and understand the groups maintained in Active Directory.

 

One location only - if Pronestor is configured to manage resources on one location only:

Create in Active Directory the following groups within the PronestorOU: 

  • Local_secretary

  • Local_facility_manager

  • Local_catering_manager

  • Local_booker

  • Department_A

  • Department_A_secretary

  • Department_B

  • Department_B_secretary

  • VIP_A

  • VIP_B

Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they have a local booker group. The other groups add additional connections to the user. For example, a normal user might need Local_booker, Department_A and VIP_B.

Every user needs a department, since departments grant Billing account and meeting type, which are required to complete a booking.

If you book on behalf of shared calendars, please remember to import them as if they were a regular user.

Once your users have been connected to the new groups, your Active directory is ready to be imported.

 

 

Multiple locations - if Pronestor is configured to manage resource at multiple locations:

Create in Active Directory a set of groups for each role per location and groups for departments and VIP groups as needed.

Ex. If Pronestor is configured with resources on three locations - London, Stockholm, and Copenhagen - then the following groups must be created within the PronestorOU:

  • Administrator

  • Global_secretary

  • Global_facility_manager

  • Global_catering_manger

  • Global_booker

  • London_secretary

  • London_facility_manager

  • London_catering_manager

  • London_booker

  • Stockholm_secretary

  • Stockholm_facility_manager

  • Stockholm_catering_manager

  • Stockholm_booker

  • Copenhagen_secretary

  • Copenhagen_facility_manager

  • Copenhagen_catering_manager

  • Copenhagen_booker

  • Department_A

  • Department_A_secretary

  • Department_B

  • Department_B_secretary

  • VIP_A

  • VIP_B

Your users will need more than one Active Directory group to get the necessary rights. A user is only created when they have a local booker group. The other groups add additional connections to the user. For example, a user from Copenhagen might need Copenhagen_booker, Department_A and VIP_B. This user will only be allowed to book meetings on the Copenhagen location.

Another user needs to book on both Copenhagen and Stockholm. This user could get Stockholm_booker, Global_Booker and Department_A. This user can now book on every location. It is not possible for a user to get Stockholm_booker and Copenhagen_booker. If they need to book on more than one location, they need the Global_Booker group.

If you have a user with Global_booker, department_B and VIP_A the user won't be created. This is because the user doesn't have a local booker group, such as Copenhagen_booker, Stockholm_booker and London_booker.

If you have auser who needs to be catering manager on location London, then they need to have London_booker, London_catering_manager and Department_A.

If you give the user Copenhagen_booker, Global_booker, London_catering_manager and Department_A the user won't get the catering manager access. This is because the users "Home" location is Copenhagen, and you can't get a local right on a location that isn't your home location. If you want the user to have Catering manager access on London, then give them London_booker, Global_booker, London_catering_manager and Department_A instead.

If you book on behalf of shared calendars, please remember to import them as if they were a regular user.

Once your users have been connected to the new groups, your Active directory is ready to be imported. 

 

Configuration of the Active Directory import tool for on-premise customers

When running an on-premises solution the Active directory integration is an integrated part of the Administration Module in Pronestor Planner. It just needs to be configured.

First create the Active Directory import in Pronestor.

  • Click administration
  • Click Settings
  • Click import users
  • Click New import job

Then you get the new window you can fill out. In this example I named it Active directory.

mceclip0.png

  • Fill out the fields and save. 

Relative path can just be *

  • Open the import.
  • Choose the "General" tab
  • Enable automatisk scheduling

Your import will now run daily at your chosen time.

Please note, if the import runs at the same time as any application pool recycling on the server, the import will fail. You can avoid this by moving the daily run time of the ad import.

 

 

Configuration of the Active Directory import tool for cloud customers

Go to http://help.pronestor.com/download/ and download ADIntegration.zip.

Unzip the ADIntegration.zip. Place the folder on a server that can run a scheduled task.

The folder contains a file named ADIntegration.exe.config

Edit it with a text editor like notepad. Edit this part:

<appSettings>

    <add key="ADAdminUser" value="springfield\kasperh"/>

    <add key="ADAdminPassword" value="Pro,Kasper"/>

    <add key="ADFullPath" value="LDAP://10.0.53.3"/>

    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>

    <!--<add key="ProNestorOULocation" value="OU=small_pronestor,DC=springfield"/>-->

    <!--<add key="ProNestorOULocation" value="OU=proNestorOU,DC=contoso,DC=com"/>-->

    <add key="ADGroupSpecific" value="(cn=*)"/>

 

Usually the service running the scheduled task has read rights to the Active Directory, which allows us to leave the user and password blank. That means they should look like this:

    <add key="ADAdminUser" value=""/>

    <add key="ADAdminPassword" value=""/>

If the service doesn't have read rights to Active directory, you have to insert login and password instead.

The config file needs to know the path to the domain controller. It can be an IP address, a DNS name or similar. Please insert it here:

    <add key="ADFullPath" value="LDAP://10.0.53.3"/>

This part here needs the path to the OU where you created the Active Directory groups

    <add key="ProNestorOULocation" value="OU=pronestor,DC=springfield"/>

Lastly you can limit the groups that are read. This can be handy if you placed the Active Directory groups with other groups in your Active Directory. You do that here, by entering the prefix of the group. If you used our recommendations, that would be Pronestor

    <add key="ADGroupSpecific" value="(cn=Pronestor*)"/>

Save and close the notepad. The Active Directory import is now configured, but it needs to be setup as a scheduled task and FTP'ed to our server.

How to create the scheduled task:

Open the Task Scheduler on the server, and create a new scheduled task

We are only interested in the first 3 tabs. Here is an example of how it could be set up. The task needs to call the ADIntegration.exe file in the folder you unzipped.

The general tab is where you name and describe the task. Please choose "Run whether user id logged on or not" since we want it to run on a schedule.

The next tab is Triggers. Please press "New"

In this example the task will run at 2am every night.

Then we go to the tab Actions and choose "New".

In "Program/script" please find the path for the ADIntegration.exe file and choose it. Then fill it out like this and press "OK".

Press "OK" again and the task is set up. This task will create an ADdump.txt file in the same folder as the ADIntegration.exe file. The ADdump.txt file contains the Active Directory information that Pronestor needs to import the users.

Setting up the FTP

Please contact Helpdesk@Pronestor.com and ask us to create a FTP user for you. We will need your external IP address to open up for you. We have an internal guide that tells us how to do this. Its located here (you can't see the link)

Pronestor will also need to setup a scheduled task on our server to import the addump.txt file into your solution. Please remind us of this, and tell us when you have set your scheduled task to run. That way we can set ours to run shortly after yours, instead of shortly before yours. Our internal guide for that is located here

 

IMPORTANT: This part of the guide describes how one can use some well known FTP clients to connect to Pronestor's FTP. Setup can be infrastructure dependent, and as such Pronestor can't ensure full troubleshooting beyond the description of this guide.

 

Security:

Pronestor will create an FTP account for each customer – with a unique username and password.

The account will require a public IP to be reported to Pronestor for safety/validation purpose – meaning that only that specific IP can access the FTP service.

Pronestor will by default allow FTP traffic using port 21. If required – FTPS can be added as an extra security layer to ensure encrypted data transfer. Note – SFTP is not supported.

 

Configuration:

Below you’ll find a description on how to setup a connection to Pronestor FTP.

We recommend using FileZilla for the simple and easy transfer of files – and the same FTP client is good for trouble shooting as well.

NCFTP is a command line FTP client which can easily be configured to run as a scheduled Windows task

Note – this is an example, other FTP clients can be used, but support on these are not directly supported from our helpdesk since this is a configuration/setup that can vary a lot from customer to customer due to their individual infrastructural environments.

 

Example using NCFTP

  • An account has been created and delivered from Pronestor
  • Customer has reported a public IP address to be associated with their account

 

  • Create batch file with notepad
  • ncftpput -F -u [your_ftp_username] -p [your_ftp_password] ftp.pronestor.com ./ file
    • ncftpput -F u MyPass -p MyPassword ftp.pronestor.com ./ myfile.txt
  • Save file as yourexport.bat
  • Schedule it to run

 

Example using Filezilla

  • An account has been created and delivered from Pronestor
  • Customer has reported a public IP address to be associated with their account

 

  • Launch FileZilla (https://filezilla-project.org/)
  • Choose File->Site Manager
  • Click New Site
  • Give the Site a new name – ex. Pronestor

 

 

  • Within the general tab
    • Host : pronestor.com
    • Port: 21
    • Login type: Normal
    • User: [your_ftp_username]
    • Password: [your_ftp_password]

 

 

  • Click connect

Result should be that the listing of the remote site is shown:

 

Trouble shooting:

  • Validate that the account exists and password is correct
    • How – Pronestor support can try to connect from within Pronestor network using Filezilla to customer’s ftp account
  • Validate that the public IP is correct
    • How – open a web browser from the PC/Server that the customer uses to FTP from.
      Open http://www.minip.dk – send the screen dump to Pronestor support
  • If an error shows regarding “LISTING” not allowed or failed
    • please go to Site Manager
    • Choose the “pronestor” site
    • Go to tab “Transfer Mode”
      • Choose “Active”
      • Click Connect

 

First import

For cloud customers this will happen automatically when the FTP transfer is setup. You just have to be patient.

For on-premise customers this can be triggered manually. This can take some time, depending on the size of your Active directory. Open your import by pressing the pencil.

mceclip1.png

In the import, choose the tab called Sessions, then press "Perform import". This can take a long time, so just leave it to do it's thing. Please note that the users won't enter Pronestor until after the groups are linked as show in the next chapter.

mceclip2.png

 

Group linking

After the first import of your Active Directory, you need to link the Active Directory groups to Pronestor rights. This is handled inside Pronestor Planners administration module.

  • Click "Settings"
  • Click "Import users"
  • Find your import job
  • Click "Edit"
  • Click "Linking"

Here you can see all the accesses within Pronestor Planner and you can connect them to a group. Please note that these pictures are from a demo solution with just one location and no departments nor VIP groups, so yours might have a lot more accesses in here.

  • Click "Load AD structure"

Please link your Active Directory groups to the accesses you want them to give, by clicking the drop down menu.

 

mceclip3.png

  • Link the groups as desired. Remember the rules about what accesses are needed for users to be imported as described in the chapter called Setting up active directory
  • Do another import.

 

Scheduled task

For on-premise customers only.

Once the active directory import is set up properly, it's time to make a scheduled task of it. If you are a cloud customer, you can skip this step as it's setup as part of the FTP transfer.

This is done here by clicking the box for "Enable automatic scheduling" and choosing a time for the import to run. Don't forget to press "Save schedule".

mceclip4.png

Now you're all done and the users will be imported daily. If you give new employees the relevant active directory groups, you won't have to edit their right or create them inside Pronestor Planner.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk