Importing users from Microsoft Active Directory
GoTo Resolve MDM provides a connector for Microsoft Active Directory. You can use the AD connector to import users from Active Directory to GoTo Resolve MDM.
The connector does not transfer passwords or groups to GoTo Resolve MDM. This article provides instructions for setting up and using the connector.
Prerequisites
The connector requires a computer with
- Windows 7 or Windows Server 2008 or newer.
- .NET Framework 4.6.
- A connection to the domain.
- Only users with the administrator role can import users to GoTo Resolve MDM from Active Directory.
- Ensure that TLS 1.2 is set as the default security protocol. For older Windows versions, see Microsoft's documentation.
- The following TLS cipher suites must be enabled on the machine hosting the connector:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Security
- The network traffic between GoTo Resolve MDM and the connector is encrypted with TLS (SSL).
- By default, the connector runs using the logged-in Windows account. You may change the account if necessary.
- The logged-in Windows account is also used for authentication to the Microsoft Active Directory.
- The connector authenticates with GoTo Resolve MDM with an authentication key. GoTo Resolve MDM generates a new key for each connector. These authentication keys can be deleted from the management console ( ), similar to API keys.
How to set up and run the connector:
- Log in to GoTo Resolve MDM.
- Navigate to the GoTo Resolve MDM site. page on your
- Click the button .
- On the wizard, you can configure filters for importing data. See the next section in this article for more details.
- Download the connector (EXE and configuration file).
- Run the connector on any domain-connected Windows computer that has .NET Framework 4.6 installed. You may schedule the run so that your users in GoTo Resolve MDM are updated regularly. Ensure that TLS 1.2 is set as the default security protocol.
- You can check the result from the GoTo Resolve MDM via . It may take a few minutes before the users appear in GoTo Resolve MDM.
- If you selected the option "Import Mail for Exchange account", an account named "Imported from Active Directory" is also created for each user. GoTo Resolve MDM uses the email address from Active Directory as both the user name and the email address of the MfE account. This account can be used in Mail for Exchange configuration profiles by selecting it during profile creation, or later from the profile page.
How to control which users the connector imports to GoTo Resolve MDM
By default, the connector imports all users from Microsoft Active Directory (except those without an email address).
However, when you download the connector with the Import users from Microsoft Active Directory button, you can specify more accurately which users the connector should import to GoTo Resolve MDM.
For instance, you can configure the connector to skip disabled users or to import users only from given LDAP paths. In addition, you can filter the AD import using the Additional LDAP filter for example if you have all users in one organizational unit (OU) container in Microsoft Active Directory.
Note that an LDAP path may contain spaces, but it cannot refer to a group. It can refer to organizational units (OU) or to containers such as a Common Name (CN) or Domain Components (DC).
Some of these fields and options are optional, such as importing users from the following LDAP path, using the proxyAddresses attribute for the email address, and importing user tags from attributes.
For more information about a field or checkbox, hover the cursor over the information (i) icon in front of it.
GoTo Resolve MDM saves your configurations to the configuration file (mdadconnector.exe.config). Advanced users can modify the configuration directly in order to change the import filters if necessary.
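Before downloading the connector with an LDAP path and an additional LDAP filter, it is worth previewing which accounts that combination selects and which of them would be skipped for lacking an email address. The following PowerShell script is an added example, not part of the GoTo Resolve MDM connector; it assumes the RSAT ActiveDirectory module is installed, and the OU path and filter are constructed placeholders to be replaced with your own.

```powershell
# Added example (not GoTo's code): preview the users an OU + LDAP filter would select,
# and flag the ones the connector cannot import because they have no email address.
Import-Module ActiveDirectory

# Placeholder LDAP path. Must be an OU or container (CN/DC), never a group.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Constructed filter: user objects that are not disabled.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 of
# userAccountControl is ACCOUNTDISABLE, so the negated clause keeps enabled accounts only.
$Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$users = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter $Filter -Properties mail, proxyAddresses)

# The email address is mandatory in GoTo Resolve MDM, so accounts without one are skipped.
$noMail = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# If the "use proxyAddresses attribute for email" option will be selected, the primary
# SMTP address (upper-case "SMTP:" prefix) is what matters, so check for it separately.
$noPrimarySmtp = @($users | Where-Object {
    @($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }).Count -eq 0
})

"Users matched by filter under {0}: {1}" -f $SearchBase, $users.Count
"  without a mail attribute (will be skipped): {0}" -f $noMail.Count
"  without a primary SMTP proxy address:      {0}" -f $noPrimarySmtp.Count

if ($noMail.Count -gt 0) {
    'Accounts that will not be imported:'
    $noMail | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

Compare the first count with the number of users that appear in GoTo Resolve MDM after a run; a large gap usually means the LDAP path in mdadconnector.exe.config does not match the OU's distinguished name exactly.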
How to schedule the updates
You can use standard Windows features to schedule the run of the connector. For instructions, see Scheduling user import from Microsoft Active Directory to GoTo Resolve MDM.
Troubleshooting
Notice that you cannot import users without an email address, because the email address is a mandatory user attribute in GoTo Resolve MDM.
The main way to troubleshoot the connector is to inspect the output it writes to the Windows Command Prompt.
You can redirect that output to a file with standard Command Prompt redirection when running the connector: mdadconnector.exe > log.txt
After running the connector, you can also check whether the "users.xml" file in the AD connector's installation directory is empty. This tells you whether the connector was able to pull data from Microsoft Active Directory.
You can also investigate import issues with the Active Directory Explorer tool: browse to the OU in question, copy its object name, and check that the string matches the one in the connector's configuration file.
The following error occurs if the machine hosting the connector is missing a required cipher suite:
ERROR: Failed to send data: The underlying connection was closed: An unexpected error occurred on a send.
A host reboot might be needed after adding cipher suites to the registry.
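A pre-flight check for the TLS requirements listed at the top of this article, run on the host before the connector's first (or first failing) run. This PowerShell script is an added example and not part of the connector; it assumes the host is Windows 10 / Server 2016 or later for Get-TlsCipherSuite and otherwise falls back to the Schannel cipher-suite list in the registry, and it reads the .NET Framework strong-crypto registry values that Microsoft documents for making TLS 1.2 the default for .NET 4.x applications.

```powershell
# Added example (not GoTo's code): confirm the connector host has the four required
# cipher suites enabled and that .NET 4.x applications default to TLS 1.2.
$Required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    # Windows 10 / Server 2016 and later: ask Schannel directly.
    $enabled = @((Get-TlsCipherSuite).Name)
} else {
    # Older hosts: the active cipher-suite order lives in the registry. The policy key
    # ("Functions", comma-separated REG_SZ) wins over the local default list (REG_MULTI_SZ).
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    )
    $enabled = @()
    foreach ($k in $keys) {
        $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if ($p -and $p.Functions) { $enabled = @($p.Functions) -split ','; break }
    }
}

$missing = @($Required | Where-Object { $enabled -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing cipher suites (expect 'Failed to send data' errors): " + ($missing -join ', '))
} else {
    'All four required cipher suites are enabled.'
}

# .NET Framework keys (documented by Microsoft) that make TLS 1.2 the default protocol
# for .NET 4.x applications such as the connector. 0 or missing means TLS 1.2 may not be
# negotiated even though the OS supports it; both 64-bit and WOW6432Node views matter.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($k in $netKeys) {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    $strong = [int]$p.SchUseStrongCrypto
    $sysDef = [int]$p.SystemDefaultTlsVersions
    '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f $k, $strong, $sysDef
}
```

Run it again after adding cipher suites to the registry and rebooting, since the change is not picked up by running processes until then.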
How to change the connector logging level
Changing the logging level may be helpful when trying to diagnose problems with the connector.
To change the connector logging level:
- Open up the OnlineConnector.exe.Config file on the connector host.
- Change the logging severity level to debug by modifying the file as follows:
<add key="LogSeverity" value="Debug" />
- Save changes.
The default logging level is Info.