Enabling Active Directory

Orchid Fusion VMS offers multiple ways to sign in. By performing some configuration work on the front end, your Orchid Fusion VMS users will be able to sign in with their existing Active Directory credentials.

*If you are using Orchid Hybrid VMS, remember that it is a managed system. IPConfigure Support staff will need to configure the system to use Active Directory authentication.

Prerequisites

To configure Orchid Fusion VMS to work with Active Directory, you will need to have an Active Directory server that:

• Is reachable from your Orchid Fusion VMS server.
• Contains at least one Active Directory user who is a member of at least one Active Directory group.

Modifying the Configuration File

There are several properties in the Orchid Fusion VMS configuration file that will need to be modified in order for Active Directory authentication to work.

*For extra help with the steps below, please refer back to the Installation section that corresponds to the operating system in which you are working.

1. Set the following properties in the Orchid Fusion VMS configuration file:

• authentication.active.directory.servers= <domain1>|ldap(s)://<domainServerAddress1>,<domain2>| ldap(s)://<domainServerAddress2>
• authentication.active.directory.admin.groups= <domain>\\<group> (Optional)
• authentication.active.directory.referral.mode=follow

Here is an example enabling the domain malibu.beach with server address 192.168.105.46, and an Active Directory group called FusionAdmins that will be given administrator access in Orchid Fusion VMS.

• authentication.active.directory.servers=malibu.beach|ldap://192.168.105.46
• authentication.active.directory.admin.groups= malibu.beach\\FusionAdmins (Optional)
• authentication.active.directory.referral.mode=follow
  

*The authentication.active.directory.admin.groups property is now optional. Instead of modifying this property in the configuration file, you may add Active Directory Admin groups using the Orchid Fusion VMS user interface. Please refer to the Add a Permission Group for Active Directory section of the Orchid Fusion VMS Administrator Guide for more details.

*<domainServerAddress> may be a DNS name or IP address and may be prefixed with either ldap:// or ldaps:// to specify the protocol.

2. After modifications to the configuration file are complete, restart the Orchid Fusion VMS service, then sign in to Orchid Fusion VMS.

Refer to the Add a Permission Group for Active Directory section of the Orchid Fusion VMS Administrator Guide for instructions on setting Active Directory groups.

Troubleshooting

If your administrator Active Directory user is unable to sign in, but you believe the mappings have been configured correctly, check the fusion.log file on the Orchid Fusion VMS server found in the following locations:

• C:\Program Files\IPConfigure\Orchid Fusion VMS\logs\fusion.log (Windows)
• /var/logs/fusion/fusion.log (Linux)

During server startup, the list of the configured Orchid Fusion VMS administrator Active Directory mappings are logged. So using the previous example, you would see a line in the file that looks like this:

14:33:46.804 [main] INFO c.i.f.i.Init03ActiveDirectoryAdminGroupsInitializer – Administrator active directory groups: malibu.beach| |FusionAdmins

Also, a failed sign in attempt will show the list of Active Directory groups of which the user is a member. So using the previous example, you would see a line in the file that looks like this:

14:32:48.888 [XNIO-1 task-21] INFO c.i.f.u.a.ActiveDirectoryAuthenticator – Active directory user: nofusionaccess@malibu.beach successfully authenticated with domain: malibu.beach server address: 192.168.105.46 but failed to authenticate with Fusion because the user is not a member of any active directory groups authorized by Fusion.

nofusionaccess@malibu.beach is a member of active directory domain:
malibu.beach groups:
malibu.beach\\Developers
malibu.beach\\Domain Users
Fusion has authorized domain: malibu.beach groups: