Getting Ready with Active Directory (AD) Integration
LogMeOnce AD integration is based on a locally installed agent in your environment, which provides better security while maintaining a "zero knowledge" architecture. Communication between the agent and the LogMeOnce server is secured over HTTPS. LogMeOnce does not require any firewall changes by your administrator.
- AD agent - The AD Agent is installed on a Windows system and links your LogMeOnce main account with your Active Directory. For High Availability (HA), you can install multiple AD agents in your environment as needed.
Prior to installing the AD Agent, please review the required account section and ensure all accounts prerequisites are met.
Supported Operating Systems
- Windows 10 (for proof of concept only), Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019
- .NET 4.5 or later.
Required prerequisite accounts
- Windows account - This account is used to install the AD agent. During installation, it either creates a new LogMeOnce service account or uses your existing dedicated LogMeOnce service account. It is recommended that this Windows account be a member of the Domain Admins group and have local administrator privileges.
- LogMeOnce service account - The service account is an AD domain service account used to run the service. It can be created automatically by the installer or manually by an administrator. If the installer creates it, it is named LogmeOnceService and is a member of the Domain Users group. If you create it manually, it should be a member of the Domain Users group, have its password set to never expire, and be granted the "Log on as a service" right. If you encounter errors during installation related to service privileges, check that the account has the appropriate permissions and that the username and password were entered correctly.
- LogMeOnce account - This is the LogMeOnce administrator or owner account that was used to create your LogMeOnce account. For a clean audit trail, it is recommended to create a separate account for the agent integration, for example adagent@YourCompany.com. This segregates all agent operations and helps meet compliance requirements.
| Account | Purpose |
|---|---|
| Windows account | This account is used to install the AD agent. |
| LogMeOnce service account | This account is used to run the AD Agent service. |
| LogMeOnce account | This account is used to authenticate the LogMeOnce AD Agent with your LogMeOnce account. |
Assigning a user account the "Log on as a service" right
If you need to assign a user account the "Log on as a service" right, follow these steps:
- Open Windows control panel. Open Administrative Tools.
- Open Local Security Policy.
- In the left pane, click Security Settings -> Local Policies -> User Rights Assignments.
- In the right-hand pane, find the policy Log on as a service.
- Right-click Log on as a service, and then click Properties.
- In the Properties box, add the service account (domain\serviceuser), and then click OK.
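The following PowerShell script, added here as an example and not part of LogMeOnce's own tooling, creates or validates the dedicated service account from "Required prerequisite accounts" (Domain Users member, password never expires, no Domain Admins membership) and checks that it already holds the "Log on as a service" right assigned in the steps above. It assumes the ActiveDirectory RSAT module is installed and the shell is elevated; the account and domain names are placeholders.

```powershell
# Added example: provision/verify the AD agent service account and confirm
# SeServiceLogonRight on this host. Not LogMeOnce's code; assumes RSAT AD
# module and an elevated shell. Names below are placeholders.
param(
    [string]$SamAccountName = 'LogmeOnceService',   # installer default name
    [string]$Domain = $env:USERDOMAIN
)
Import-Module ActiveDirectory

# 1. Create the account if missing: password never expires (as required),
#    but the account stays an ordinary domain user.
$user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -ErrorAction SilentlyContinue
if (-not $user) {
    $pw = Read-Host -AsSecureString "Password for $SamAccountName"
    $user = New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
        -CannotChangePassword $true -PassThru
}

# 2. Group membership: Domain Users is expected; Domain Admins is excessive
#    for a service that only needs to read directory users and groups.
$groups = (Get-ADPrincipalGroupMembership $user).Name
if ($groups -contains 'Domain Admins') {
    Write-Warning "$SamAccountName is a member of Domain Admins; remove it."
}
if ($groups -notcontains 'Domain Users') {
    Write-Warning "$SamAccountName is not in Domain Users; add it."
}

# 3. Local "Log on as a service" check: export the user-rights policy with
#    secedit and look for the account's SID (prefixed '*') or its name.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1
$sid = $user.SID.Value
$hasRight = $line -and (
    $line.Line.Contains("*$sid") -or $line.Line.Contains("$Domain\$SamAccountName"))
Remove-Item $inf -ErrorAction SilentlyContinue

if ($hasRight) {
    "OK: $Domain\$SamAccountName holds Log on as a service"
} else {
    Write-Warning "Log on as a service is missing; assign it in Local Security Policy."
}
```

Run it on the host where the AD Agent will be installed, since the right is a local policy setting on that machine, not a domain attribute.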
Active Directory Provisioning Groups
- Create a Group in AD called "LogMeOnce". This group can be used to add users who need to be provisioned to LogMeOnce from AD.
Download AD Agent
- Log in to the LogMeOnce account mentioned under required accounts, and from the "Smart Menu" go to "Directories". This shows a list of all your installed directories, their status, and the number of groups and users imported, in real time. This is a Unified Directory solution, so you can add as many directory services as you wish.
- Click on Add Directory.
- Click on Download LogMeOnce Active Directory Agent.
- Run the AD Agent setup (agent_2.0.4.exe) and click Next to start the installation.
- To proceed, accept the terms and click Next.
- You have the option to let LogMeOnce create the service account used by the AD Agent or to use your existing service account. Make your selection, ensure the privileges listed above under "Required prerequisite accounts" are in place, and then click Next.
- Enter the LogMeOnce account information and click Next.
- Click Next to continue. If you receive any error messages during the installation, verify that the required accounts have the permissions described above.
- After the installation completes, click Finish.
- After the installation completes, validate that the LogMeOnce AD Agent service is running.
Validate that the agent is communicating with your LogMeOnce account. At this point the AD agent is installed and communicating with the server, but it still has to be configured.
This completes your Active Directory installation task.