Enabling Active Directory authentication from multiple forests


1. Overview

Active Directory (Windows) authentication in Dundas BI can be set up either through the other Active Directory configuration settings or by using a Forest Manifest. The manifest is a JSON array that defines and configures one or more Active Directory domains.

Note
When using the Forest Manifest configuration setting, Dundas BI will ignore the other Active Directory configuration settings.

2. Forest manifest

To create the manifest, open the Admin section of Dundas BI, then select Setup and Config.

Change the Category to Authentication.Active Directory and choose the option to display advanced settings, then select and edit Forest Manifest.

Edit the Forest Manifest configuration

2.1. Manifest properties

The manifest is a JSON array with one object per Active Directory forest. Each object can contain the following properties:

  • ForestName (optional). Specifies the name of the forest. This property must be unique across all the forests in the manifest. If not specified, the name of the forest associated with the server's domain will be used. 
  • Domains. A case-insensitive list of domain names that map to the forest.
  • ServerName (optional). Specifies the name of the domain or domain controller to which Active Directory queries will be directed for this forest. If not specified, the name of the forest will be used.
  • UserName (optional). The name of the user to use when querying Active Directory. If not specified, explicit credentials will not be used when querying.
  • Password (optional). The password of the user to use when querying Active Directory. If not specified, an explicit password will not be used when querying.
  • BindOptions (optional). Specifies options that are used when binding to the Active Directory server. If not specified, the default value will be used (Negotiate, Signing, Sealing). For a full list of options, see the Microsoft ContextOptions Enumeration.
  • ContainerDN (optional). Specifies the distinguished name (DN) of the container to use when binding to Active Directory. If not specified, no container will be specified in the connection.
  • SimpleBindOverSslSupported (optional). A Boolean value indicating whether the Active Directory server supports simple bind connections using Secure Sockets Layer (SSL). If disabled, the validation of user-entered Windows credentials may cause the system to perform the additional step of translating the supplied down-level logon name to User Principal Name (UPN) format. If not specified, the default value will be used (True).
    Note
    If you are receiving an error stating "The application encountered a problem trying to validate your Windows credentials" with the underlying error "The LDAP server is unavailable", it may be due to a connection protocol issue. You can resolve this issue by setting SimpleBindOverSslSupported to False.

2.2. Example

Paste or type the JSON array into the text field. The following example configures two forests in the most basic way, the first of which specifies the forest associated with the server's domain:

[
  {
    "ForestName": "example.com",
    "Domains": [ "example", "example.com" ]
  },
  {
    "ForestName": "rootdomain.local",
    "Domains": [ "rootdomain", "rootdomain.local", "sample.sample" ]
  }
]

Manifest example with two forests
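The property rules in section 2.1 can be checked before a manifest is pasted into the setting. The following Python script is an added example, not Dundas BI code: it checks ForestName uniqueness and case-insensitive domain mapping, and flags a simple bind that is not wrapped in SSL. It assumes a strict JSON parser, that a domain should map to only one forest, that UserName and Password are supplied as a pair, and that BindOptions is written as a comma-separated list of ContextOptions names; lint_manifest and the sample values are hypothetical.

```python
import json

# Flag names of the Microsoft ContextOptions enumeration used by BindOptions.
CONTEXT_OPTIONS = {"Negotiate", "SimpleBind", "SecureSocketLayer",
                   "Signing", "Sealing", "ServerBind"}

def lint_manifest(text):
    """Return a list of human-readable findings for a Forest Manifest string."""
    try:
        forests = json.loads(text)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(forests, list):
        return ["manifest must be a JSON array of forest objects"]
    findings, seen_names, domain_owner = [], set(), {}
    for forest in forests:
        name = forest.get("ForestName", "<server forest>")  # default: server's forest
        if name.lower() in seen_names:
            findings.append(f"{name}: ForestName is not unique")
        seen_names.add(name.lower())
        domains = forest.get("Domains") or []
        if not domains:
            findings.append(f"{name}: Domains is missing or empty")
        for domain in domains:
            key = domain.lower()  # Domains are case-insensitive
            owner = domain_owner.setdefault(key, name)
            if owner != name:
                findings.append(f"{name}: domain '{key}' already maps to {owner}")
        # Assumption: explicit query credentials only make sense as a pair.
        if ("UserName" in forest) != ("Password" in forest):
            findings.append(f"{name}: UserName and Password should be set together")
        if "BindOptions" in forest:
            # Assumption: the value is a comma-separated list of flag names.
            flags = {f.strip() for f in forest["BindOptions"].split(",")}
            for unknown in sorted(flags - CONTEXT_OPTIONS):
                findings.append(f"{name}: unknown bind option '{unknown}'")
            if "SimpleBind" in flags and "SecureSocketLayer" not in flags:
                findings.append(f"{name}: SimpleBind without SecureSocketLayer is unencrypted")
    return findings

# Constructed sample: a domain mapped twice, a lone UserName, a plain simple bind.
SAMPLE = """[
  {"ForestName": "example.com", "Domains": ["example", "example.com"]},
  {"ForestName": "rootdomain.local", "Domains": ["rootdomain", "EXAMPLE.com"],
   "UserName": "svc-query", "BindOptions": "SimpleBind"}
]"""

if __name__ == "__main__":
    print("\n".join(lint_manifest(SAMPLE)))
```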
