Active Directory Provisioning


In this article I want to consider how we can set up and use the import of users from an Active Directory server using LDAP.

This is a very useful feature for larger implementations, which may have many users to add to the system and need to automate the process as much as possible.

It will involve connecting to an Active Directory server and using the LDAP protocol to load the user details into Sage CRM.

It works best where some thought has gone into setting up user templates beforehand and creating the email templates that can send those users a standardised 'welcome email'.

It can also be used in the context of IIS Auto Login so that a user who has logged into Windows will automatically be able to access Sage CRM without having to enter their logon credentials into another system.

This can also simplify the process of setting up Exchange Integration by ensuring that user details are common between Sage CRM and MS Exchange.

It may help to answer some basic questions first before I discuss the actual usage of the Active Directory provisioning features.

The basic questions are:

  • What is LDAP?
  • What is Active Directory?
  • How does the import work?

and then we can consider other ideas:

  • How does this relate to IIS Auto Login?
  • What does this mean for Exchange Integration?


What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is an open standard that provides a common way of describing how users and resources can be addressed over a network. So if many systems are connected to the network and they all validate their user information against the LDAP server, then when a user logs on to one system those credentials can be used to prove their identity to another system by cross-referencing against the LDAP server. This is the basis of Single Sign On (SSO).

What is Active Directory?

Active Directory is Microsoft's network directory service for Windows. An Active Directory domain controller provides the means to authenticate all users and devices in a Windows domain. The network directory services provided by Active Directory are used by the Sage CRM IIS Auto Login feature.

It can be used to enforce security policies for all computers and how software can be installed or updated. An example of how Active Directory policies are used can be seen in this technical article "Deploying the Outlook Plug-in for Exchange Integration via GPO".

Active Directory itself uses LDAP to allow for the addressing of resources.

How does the import work?

Although LDAP is a standard protocol, this is nevertheless a complex area. Much about LDAP is very vendor specific (MS vs. Oracle vs. Novell vs. Sun) and deals with how individual implementations would be done. The key for anyone thinking about LDAP is to get their head around binding, domain networks and how the data is structured.

In Sage CRM only importing users from Active Directory via LDAP is supported.

This process is manual rather than automatic, so it should be understood as an import of users rather than a continuous synchronization. If new users are added in Active Directory, they would have to be added to Sage CRM in a subsequent import.

The import needs to be broken down into a number of actions:

  • Preparing for Import
    • Setting up User Template
    • Setting up Email Template
    • Setting up IIS Auto Login [Optional]
  • Carrying out the Import
  • Configuring Exchange Integration [Optional]

Preparing for Import

During the importation of the user details from the Active Directory server you are given the option of linking the users to a user template. An imported user will inherit their team, their security profile and other preset information from the user template and so considerably reduce the hassle of the set up of large numbers of users.

Email Templates should also be set up in advance. This is discussed in a separate blog article, "Creating the welcome e-mail for users imported via the Import Users wizard".

How does this relate to IIS Auto Login?

I mentioned IIS Auto Login when I discussed system security in the article "An Overview of System Security". When a user logs into a computer that is part of a Windows domain, Active Directory will check that the submitted password is valid. That allows Sage CRM to use the Windows logon to authorise its users.

Within Sage CRM, IIS Auto Login is enabled for users by setting the flag "Use IIS Auto login:" within

Administration -> Users -> User Configuration

If the flag is set to "Yes" then CRM uses Windows NT Authentication in IIS to validate the user. Once the user is authenticated with IIS using their Windows password, that user is looked up in the Sage CRM user table. The user password in CRM is ignored since the user has already authenticated with Windows using their Windows password. If the authenticated user is not found in the CRM user table, an access denied error message is returned to the browser.

But that is not really about Active Directory provisioning except that if you are importing users, then you will need to consider how these users then login and what password is used.

The import starts by selecting 'Import Users' from the menu

Administration -> Users

The first step in the import is establishing the connection to the Active Directory server using LDAP. You need to provide the address of the LDAP server and provide the administrator credentials that you need to access the directory trees.

Once the connection is made you can then navigate through the nodes of the directory tree to find the user list you want to import.

You can search for users making use of the % symbol as the 'wildcard'. Any values you enter are considered to be 'starts with' searches, so the wildcard is automatically applied.
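The 'starts with' search described above, expressed as an LDAP filter. This is an added example, not Sage CRM's own code: how the import screen builds its query is not documented here, and the function names, the sAMAccountName attribute, the user-object clause and the sample account names are assumptions made for illustration. It escapes the search term per RFC 4515 so that a typed value cannot change the filter's structure, and previews the same matching against constructed account names and a licence seat count.

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample account names, not taken from any real directory.
SAMPLE_ACCOUNTS = ["jsmith", "JSmythe", "john.smith", "asmith", "svc_js(backup)"]


def escape_filter_value(value):
    """Escape a literal so it cannot alter the structure of an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def starts_with_filter(term, attribute="sAMAccountName"):
    """Build a filter for user objects from a term that uses '%' as its
    wildcard and has an implied trailing wildcard (hypothetical helper)."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError("attribute name is not a valid LDAP descriptor")
    # Escape each literal piece first, then join the pieces with LDAP's '*'.
    pattern = "*".join(escape_filter_value(p) for p in term.split("%"))
    if not pattern.endswith("*"):
        pattern += "*"  # 'starts with': the trailing wildcard is implied
    pattern = re.sub(r"\*{2,}", "*", pattern)  # '%%' adds nothing
    return f"(&(objectCategory=person)(objectClass=user)({attribute}={pattern}))"


def preview_import(term, accounts, seats_available):
    """Match account names with the same semantics (case-insensitive, anchored
    at the start) and report whether the selection fits the free seats."""
    rx = re.compile(".*".join(re.escape(p) for p in term.split("%")), re.IGNORECASE)
    matched = [name for name in accounts if rx.match(name)]
    return matched, len(matched) <= seats_available


if __name__ == "__main__":
    print(starts_with_filter("js"))
    print(starts_with_filter("a)(objectClass=*"))  # metacharacters stay literal
    print(preview_import("j%smith", SAMPLE_ACCOUNTS, seats_available=1))
```
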

You need to be aware of the number of users in your system and what is the maximum allowed by your license.

In the Licensing section there is a message about the number of seats available and the maximum number of new users that can be imported into the CRM system.

Please note that these screens only allow for the importation of active users, resource users would have to be manually added.

The third step allows you to decide on the password to be used. Of course, if you will be using the Sage CRM IIS Auto Login feature then this is academic, as I mentioned earlier in this article.

You can also link the imported users to the User Template and the optional automatic Welcome Email.

The Welcome Email can be automatically generated for all imported users; it gives them their username and password and a link to log on to the system.

The Template is controlled in

Administration -> E-mail and Documents -> E-mail Templates

Please see the link given above for a more complete discussion of Welcome Email Templates.

The import of users from Active Directory is useful within an environment which uses Exchange and where integration with Exchange is needed for Sage CRM.

Consider the image below.

The use of Active Directory Provisioning within Sage CRM can simplify matters considerably by allowing the importation of Exchange Users shared and administered by the Active Directory server.