Integrate with Active Directory

In this topic, you will learn how to integrate Portnox™ Cloud with a local Active Directory (AD) instance using the Portnox Active Directory Broker (AD Broker).

Make sure that you have at least one Windows server (physical or virtual), which has access to the local Active Directory, and where you can install the Portnox Active Directory Broker.

Warning: If you integrate your Portnox Cloud with both Entra ID (Azure Active Directory) and Active Directory, the Entra ID integration takes precedence in case of devices that are enrolled in both directories. This means that if a device is found in Entra ID, Portnox Cloud will not even check for its existence in Active Directory. This is because in Portnox Cloud, an account representing a device can only be associated with one directory at a time.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Authentication Repositories > DIRECTORY INTEGRATION SERVICE > Directory Domains option.

  3. Under the DIRECTORY INTEGRATION SERVICE section, click on the Add new domain link.
  4. In the User repository type field, select the Active Directory option.

  5. In the Display name field, type a display name for your configuration.
  6. In the Base DN field, type the Distinguished Name (DN) of the starting point for directory server searches.

    Distinguished Names are in the X.500 Directory Services format of Domain Components (DC). To convert a domain name to Domain Components, split the domain name at the period, and create a dc= entry for each part. For example, for the domain vorlon.com, the DN would be dc=vorlon,dc=com.

  7. In the Domain names section, click on the Add new domain name link.
  8. In the Domain name field, type the domain name controlled by your local domain controller and click on the Add button.

  9. In the Domain controllers (DC) field, click on the Add new Domain Controller link.
  10. In the Host and Port fields, enter the IP address of your domain controller and the port number, and then click on the Add button.

    The typical port numbers are 389 for non-encrypted connections and 636 for SSL/TLS connections. If you want to use SSL/TLS connections to connect to your domain controllers, select the Use SSL checkbox below.

    Note: There are two standards of SSL/TLS connections with LDAP, LDAPS (LDAP over SSL) and STARTTLS (LDAP over TLS). Portnox Cloud uses the LDAPS (LDAP over SSL) standard.
  11. Click on the Save button below to save your configuration.
  12. Create credentials to access Portnox Cloud from external services.
    Note: Skip this step, if you already created the credentials for another purpose earlier.
    1. In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Create credentials to access the CLEAR cloud service from external services option.

    2. Click on the Generate Credentials link.

    3. Check your email. You will receive the credentials by email.

      Note: Preferably, check the email on the device where you will be installing the broker or copy the information from the email to a file on that device.
  13. Download, install, and configure the Portnox Active Directory Broker software.
    Note: The Portnox Active Directory Broker is available for Windows only.
    1. Switch to the device or virtual machine where you will install the broker.
    2. Log in to Portnox Cloud and go to the Settings > Authentication Repositories > DIRECTORY INTEGRATION SERVICE screen.
    3. In the DIRECTORY INTEGRATION SERVICE section, scroll down to the DOWNLOAD PORTNOX CLEAR DIRECTORY BROKER section, and click on the Download link.

    4. Run the broker installation file PortnoxADBroker.exe and click on the Next button.

    5. Paste the credentials from the email received earlier into the fields in the broker installation window and click on the Next button.

    6. Input the credentials for a domain controller user account and click on the Next button.
      Note: These are credentials for a user account that exists in your domain controller, not in Portnox Cloud. For security, we recommend that you create a separate user in your domain controller, who only has read access and is only used by the broker.

    7. Optional: Click on the Test button to test your configuration.

      Warning: The testing process may create an extra entry in your list of AD brokers in Portnox Cloud. If so, you can simply delete the extra entry. You can recognize the entry because it has no IP address listed, its state is Not updated, and its version number is 1.1.1.

    8. After the installation completes, click on the Finish button.
  14. Optional: If you want to configure your Active Directory or OpenLDAP integration or set additional options, read the following topic: Edit your AD/OpenLDAP integration.

Result: You can authenticate devices on your network using your local Active Directory.

For troubleshooting, see the following FAQ topic: How to check if the AD Broker connects to the cloud

Important: You can install any number of AD Broker instances on any number of machines. If there is more than one AD Broker configured for your domain, and there is an authentication request for that domain, Portnox Cloud sends that request to all AD Brokers that you configured for that domain. The first AD Broker that responds is the one that is used for this specific request.