Active Directory Changes after version 10.3.47+
Posted by Elizabeth Stanley on 31 January 2022 03:48 PM

Basis for the changes: Directory Search

In the existing system, AD Sync was performed using PagedSearch. In server versions past 10.3.47, AD Sync is performed by Directory Search, which is more stable than PagedSearch.

With PagedSearch, the number of directory entries (OUs, Groups, Users) returned may differ from the number expected because of constraints such as the server time limit and the page size limit. In such cases, PagedSearch returns only the directory entries collected before a limit was exceeded.

Directory Search retrieves the directory entries belonging to the OU/Group page by page.

This means you can now sync on Security Groups, and EIOBoard will automatically add and remove users as you add and remove people from the Security Group in Active Directory. Once the Security Group is synced, you don't have to manage the template from the EIOBoard side at all!

Server Name

If it's not set to it already, you will have to switch the AD Server name in the EIOBoard Server settings to the Fully Qualified Domain Name.

This is because the AD Server name will now need to match the FQDN on the SSL certificate for the AD Server.

Authentication types


AD Sync uses the Auth Type value from the registry, so after upgrading EBServer, please make sure that the correct auth type is selected under ADSync > ConnectionSettings in EIOBoard Server Settings. If not, select the required auth type (mostly it will be ‘Secure’), save the changes, and click Test Connection to test the connection.


The AuthenticationTypes enumeration specifies the types of authentication used in DirectorySearch:


Delegation

Enables Active Directory Services Interface (ADSI) to delegate the user's security context, which is necessary for moving objects across domains.

FastBind

A user can use this option to boost the performance in a series of object manipulations that involve only methods of the base interfaces. However, ADSI does not verify if any of the request objects actually exist on the server. For more information, see the Fast Binding Option for Batch Write/Modify Operations article.

None

Equates to zero, which means to use basic authentication (simple bind) in the LDAP provider.



ReadonlyServer

For a WinNT provider, ADSI tries to connect to a domain controller. For Active Directory Domain Services, this flag indicates that a writable server is not required for a serverless binding.

Sealing

Encrypts data using Kerberos.

Secure

Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. 

SecureSocketsLayer

Attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory Domain Services requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption.

ServerBind

If your ADsPath includes a server name, specify this flag when using the LDAP provider. Do not use this flag for paths that include a domain name or for serverless paths. Specifying a server name without also specifying this flag results in unnecessary network traffic.

Signing

Verifies data integrity to ensure that the data received is the same as the data sent.
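
To check an Auth Type value after an upgrade, the sketch below decodes a raw integer into the flags listed above and reports combinations worth a second look. It is an added example, not Savance's or Microsoft's code: the numeric values are those of the .NET `System.DirectoryServices.AuthenticationTypes` enumeration, the assumption that the registry holds the setting as that integer is mine, and `decode` and `audit` are names made up for this example.

```python
from enum import IntFlag

class AuthenticationTypes(IntFlag):
    """Numeric values of .NET System.DirectoryServices.AuthenticationTypes."""
    NONE = 0
    SECURE = 1
    SECURE_SOCKETS_LAYER = 2   # .NET exposes the same value as "Encryption"
    READONLY_SERVER = 4
    ANONYMOUS = 16
    FAST_BIND = 32
    SIGNING = 64
    SEALING = 128
    DELEGATION = 256
    SERVER_BIND = 512

T = AuthenticationTypes
KNOWN_BITS = sum(f.value for f in T.__members__.values())

def decode(value: int) -> list:
    """Names of the flags set in a raw auth-type integer (assumed storage format)."""
    if value == 0:
        return ["NONE"]
    return [f.name for f in T.__members__.values() if f.value and value & f.value]

def audit(value: int) -> list:
    """Return findings for an auth-type value; an empty list means nothing to flag."""
    has = lambda flag: bool(value & flag.value)
    findings = []
    if value & ~KNOWN_BITS:
        findings.append(f"unknown bits set: {value & ~KNOWN_BITS:#x}")
    if has(T.ANONYMOUS):
        findings.append("Anonymous: no authentication is performed")
    elif not has(T.SECURE) and not has(T.SECURE_SOCKETS_LAYER):
        # Neither Secure nor SSL: the LDAP provider falls back to a simple bind.
        findings.append("simple bind without SSL: the password is sent unencrypted")
    if (has(T.SIGNING) or has(T.SEALING)) and not has(T.SECURE):
        findings.append("Signing/Sealing require the Secure flag to be set as well")
    if has(T.FAST_BIND):
        findings.append("FastBind: ADSI does not verify that requested objects exist")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not read from a real EIOBoard registry.
    for raw in (0, 1, 2, 128, 193):
        print(raw, decode(raw), audit(raw) or "ok")
```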