NS1 Enterprise DDI supports integration with Microsoft Active Directory (AD), allowing NS1 customers to manage user provisioning and role-based permissions for their entire organization via AD. Authentication is delegated to the domain controller defined in the AD configuration. For this reason, users cannot have 2FA enabled for their entire organization. Instead, users have the option to enable or disable 2FA on their individual accounts.
Note: The following steps can be completed only by a user with the “manage Active Directory” permissions enabled. Refer to this article for instructions on how to create or edit user settings.

Log into the NS1 DDI portal. Click your username in the upper-right corner, and navigate to Account Settings > Security Settings.
Use the toggle to enable the "Enable Active Directory Login" option.

Enter the following information corresponding to your Active Directory account:
- Domain Controller Host Address
  This is the domain name or IP address of the Active Directory domain controller.
- Domain Controller Host Port (optional)
  This is an optional setting allowing you to define a specific port of the Active Directory domain controller.
  Note: Ports 636 and 3269 are used for LDAP connection with TLS enabled. Port 389 does not work with TLS enabled. If TLS is disabled, port 389 is used by default for the unencrypted LDAP connection.
- Active Directory Domain Name
  Note that DDI software version 3.2.6 or later supports a comma-delimited list, allowing you to enter alternative domains.
- Username & password
  This is the service (BIND) account username and password for Active Directory.
- Base DN (optional)
  This optional setting specifies the distinguished name (DN) of the root for searches in Active Directory. It is useful for clients with large or complex directories. (Example: dc=ns1, dc=com)
- Secure/TLS certificate (optional)
  Toggle this option to enable/disable TLS. By enabling this option, the NS1 platform connects via a secure connection to the Active Directory domain controller.
  Notes:
  - The integration supports only base-64 encoded X.509 certificates. DER-encoded binary X.509 and PKCS (aka P7B) certificates are not supported.
  - If your Active Directory domain controller uses a certificate for LDAPS signed by an internal certificate authority (CA), upload the root CA certificate (PEM format).
  - The certificate key length must be 2048 bits or more.
Click Test these settings to verify connection to the AD domain controller. Ensure you see the confirmation message below.

Once complete, click Save Active Directory Settings.
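The port, certificate-format and key-length rules listed above can be checked locally before a certificate is uploaded. The following Python sketch is an added example, not NS1 code: `tlv`, `rsa_bits` and `preflight` are hypothetical names, `cert_file` is the raw bytes of the file you intend to upload, and the key-length check assumes an RSA key (other key types are not size-checked).

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(der):
    """Modulus size in bits of a certificate's RSA key, or None if not RSA."""
    _, pos, _ = tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, end = tlv(der, pos)              # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, start, pos = tlv(der, pos)
        fields.append((tag, start))
    skip = 1 if fields[0][0] == 0xA0 else 0  # optional version precedes the serial
    _, alg, alg_end = tlv(der, fields[5 + skip][1])  # 6th field: subjectPublicKeyInfo
    _, oid, oid_end = tlv(der, alg)
    if der[oid:oid_end] != RSA_OID:
        return None
    _, bits, _ = tlv(der, alg_end)           # BIT STRING, first byte = unused bits
    _, key, _ = tlv(der, bits + 1)           # RSAPublicKey SEQUENCE
    _, mod, mod_end = tlv(der, key)          # modulus INTEGER
    return int.from_bytes(der[mod:mod_end], "big").bit_length()

def preflight(port, tls, cert_file=None):
    """List the problems with these settings under the rules stated on this page."""
    problems = []
    if tls and port == 389:
        problems.append("port 389 does not work with TLS enabled; use 636 or 3269")
    if cert_file is None:
        return problems
    m = PEM_RE.search(cert_file)
    if not m or m.group(1) != b"CERTIFICATE":
        return problems + ["not a base-64 X.509 certificate (binary DER and P7B are unsupported)"]
    try:
        bits = rsa_bits(base64.b64decode(m.group(2)))
    except (IndexError, ValueError):
        return problems + ["certificate body is not parseable DER"]
    if bits is not None and bits < 2048:
        problems.append(f"RSA key is {bits} bits; 2048 or more is required")
    return problems
```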
Note: Do not delete the local administrator account associated with your organization, as this will prevent you from bypassing Active Directory, if necessary.

After enabling the integration and mapping NS1 teams to AD groups, you have the option to delete local user accounts that are duplicated in Active Directory. This helps ensure users cannot bypass authenticated sign-on using their local NS1 login credentials. Alternatively, you can leave all local users in the NS1 database to avoid a single point of failure if the AD domain controller goes down. Even if you delete local users, we highly recommend retaining at least one local NS1 administrator user to avoid complete lockout.
In the next step, you’ll create “teams” within the NS1 platform that correspond to your AD “groups.” This allows you to manage team-specific settings from the NS1 portal.
Follow the steps below for each AD team you wish to grant access to the NS1 portal.
- Log into the NS1 portal, click your username in the upper-right corner, and navigate to Account Settings > Users & Teams.
- Navigate to the Teams tab, and then click Add Team.
- Enter a team name.
  Note: This name must match the name of the corresponding AD group exactly. If the name of the team is different from the AD group, the connection will fail.
- Enable or disable permissions for the team, as desired.
- Click Create Team.
  Note: Team mapping from Active Directory to NS1 will occur automatically as users log into the NS1 portal using their AD credentials.
- Provide users with your organization ID.
After setting up teams that correspond to your AD groups, ask users from each team to log into the NS1 portal. To do so, they’ll need to enter their username and password corresponding to their AD account, as well as your NS1 organization ID (obtained from your organization’s operator user) to ensure successful login and permissions.
Note: Ensure users are using their Active Directory credentials and not the local NS1 login credentials used previously. These are now two separate accounts.
Note: If you don’t know your organization’s NS1 operator user, contact support@ns1.com to identify this person or to obtain your organization ID (required for logging in via AD).

- Navigate to your NS1 Private DNS/Enterprise DDI portal login page.
- Enter your username and password corresponding to your Active Directory account.
- Enter your organization ID provided by the operator user for your NS1 account.
  Note: If you don’t know your organization’s NS1 operator user, contact support@ns1.com to identify this person or to obtain your organization ID (required for logging in via AD).
- Click Log in.

- In the NS1 portal, click your username in the upper-right corner, and navigate to Account Settings > Users & Teams.
- Click the Teams tab, and click the edit icon (under Manage) next to the team you would like to modify.
  Note: The team name must correspond exactly to the group name defined in the Active Directory database.
- Make the desired changes, and click Save Team to save your changes.

- In the NS1 portal, click your username in the upper-right corner, and navigate to Account Settings > Security Settings.
- Scroll to the Active Directory pane, and toggle the button next to Enable Active Directory Login to the left to disable the feature.