Copyright © 2010 to present CRYPTOCard Corporation. All Rights Reserved http://www.cryptocard.com Active Directory Synchronization Agent for CRYPTO-MAS1.7 Rev 2.0


Active Directory Synchronization Agent for CRYPTO-MAS 1.7

Rev 2.0


Revision History

Version   Date         Description                        Product
Rev 1     2009.04.24   Initial Publication                CRYPTO-MAS v1.7
Rev 2     2009.12.21   Updated for new functionality      CRYPTO-MAS v1.7
Rev 3     2010.10.20   Updated for supported characters   CRYPTO-MAS v1.7

Minimum System Requirements

Item                       Minimum Size/Performance
Microsoft .Net Framework   2.0 SP1
Microsoft Windows          XP, 2003 or 2008 Server, 32-bit O/S


Additional Information, Assistance, or Comments

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441

North America Toll Free: 1-800-307-7042

[email protected]

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com

Copyright

Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN and CRYPTO-MAS are registered trademarks or trademarks of CRYPTOCard Inc. Microsoft Windows is a registered trademark of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.


Table of Contents

Purpose
Operation
Usage Considerations
User Creation and Deletion
Security Features
Limitations
Configuration
    Company Setup in CRYPTO-MAP
    Token Allocation
    Activation Code and CRYPTO-MAS URL
Synchronization Agent Installation (Customer Site)
    Active Directory Tab
    Services Tab
    Notification Tab
    Template Tab
Troubleshooting


Purpose

The Active Directory Synchronization Agent has been developed to simplify the task of user creation in CRYPTO-MAS. Without the agent, the administrator must manually input user information, including the logon ID, via the CRYPTO-MAP interface. Once installed, the agent monitors a specified Active Directory group for membership changes and updates user information in CRYPTO-MAS to reflect these changes.

Operation

The agent is a Windows® application that must be installed and configured at the customer site. When enabled, the agent monitors user membership of a specified Active Directory group. Users who are added to or removed from the group are correspondingly added to or removed from CRYPTO-MAS. In addition, if a user’s Active Directory account becomes locked or suspended, the Agent will cause the token assigned to the user to be suspended at the next synchronization interval. Likewise, a suspended account will be reactivated during synchronization if the account is no longer locked or suspended in Active Directory. If a user is removed from the monitored group, the user will be removed from CRYPTO-MAS at the next synchronization interval and the assigned token will be returned to the pool.

Usage Considerations

• This Agent can only be used with Active Directory. Other LDAP servers are not supported.

• This Agent replaces every other form of user creation. If it is enabled, all users in CRYPTO-MAP must be created by the Agent. Any pre-existing UserIDs, or any created manually through the CRYPTO-MAP interface, will be removed at the next synchronization interval.


• The Agent does not monitor the entire Directory. It only monitors for changes in membership of a specified group. This allows the Agent to differentiate between users that should and should not be synchronized.

• No schema changes are required and nothing is written to Active Directory.

• A user account and password must be available for use by the Agent to allow connection to the directory.

• Connections between the Agent and Active Directory can be over SSL. Data passed between the Agent and CRYPTO-MAS is limited to the UserID, First Name, Last Name, Address, Telephone / Mobile numbers and the Active Directory GUID for each account.

• The GUID is a unique number generated by the directory and maintained for the user regardless of changes to the user account, including changes to the UserID. CRYPTO-MAS utilises the GUID, instead of the UserID, to maintain account synchronization and the association of tokens to users. This means that UserIDs can change in Active Directory without breaking the relationship between the User and tokens in CRYPTO-MAP.

• TCP Port 443 must be open to allow the Agent to transmit to CRYPTO-MAS.

User Creation and Deletion

• The number of tokens allocated to the CRYPTO-MAS account determines the maximum number of users that can be imported by the agent. For example, if the organization has an allocation of 10 tokens and 100 users in the monitored Active Directory group, only 10 users will be imported into CRYPTO-MAS.

• Users within the Microsoft group must have the First Name, Last Name, Username and Email address defined or they will not be created in CRYPTO-MAS.

• The Agent does not support the characters “&”, “<” and “>” in the First Name, Last Name, Username or Email address of a user account. If found, the synchronization process will be deferred until the user account has been removed or corrected.

• CRYPTO-MAS admin users (operators) will not be deleted if they are removed from the Microsoft Group until their CRYPTO-MAS admin privilege has been revoked.

• If the Microsoft Group can no longer be found, the Active Directory Synchronization Agent will defer user synchronization until the Microsoft Group reappears or a new Microsoft Group is selected.


• If a user is removed from the monitored group, the user will be removed and the token returned to the pool at the next synchronization interval.

• If a user account in the Microsoft group is suspended, the account in CRYPTO-MAS will become suspended at the next synchronization interval. The token will remain assigned to the user.
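The membership, lock-state, deferral and token-allocation rules described in the Operation and User Creation and Deletion sections, modelled as a dry-run planner. This is an added illustration, not CRYPTOCard's agent code; the record field names, the `locked` and `operator` flags and the sample records are assumptions.

```python
# Added illustration, not CRYPTOCard's code: a dry-run planner for the sync rules
# this manual describes. Record shapes and the sample data below are constructed.
UNSUPPORTED = set("&<>")                      # characters the agent rejects
REQUIRED = ("first_name", "last_name", "username", "email")

def record_problem(user):
    """Reason the agent would defer on this AD record, or None if it is usable."""
    for f in REQUIRED:
        if not user.get(f):
            return f"missing {f}"
        if UNSUPPORTED & set(user[f]):
            return f"unsupported character in {f}"
    return None

def plan_sync(group_members, mas_users, token_allocation):
    """Actions the agent would take; group_members is None when the group is not found."""
    plan = {k: [] for k in ("add", "update", "remove", "suspend", "reactivate", "defer")}
    if group_members is None:                 # group vanished: defer everything
        plan["defer"].append("group not found")
        return plan
    for u in group_members:
        why = record_problem(u)
        if why:
            plan["defer"].append(f"{u['guid']}: {why}")
    if plan["defer"]:                         # one bad record defers the whole run
        return plan
    in_group = {u["guid"]: u for u in group_members}
    kept = 0                                  # users who keep their token
    for guid, m in mas_users.items():         # mas_users is keyed by AD GUID
        if guid in in_group:
            kept += 1
            ad = in_group[guid]
            if ad.get("locked") and not m.get("suspended"):
                plan["suspend"].append(guid)  # token stays assigned
            elif not ad.get("locked") and m.get("suspended"):
                plan["reactivate"].append(guid)
            if ad["username"] != m["username"]:
                plan["update"].append(guid)   # matched by GUID, so a rename is an update
        elif m.get("operator"):
            kept += 1                         # operators stay until privilege is revoked
        else:
            plan["remove"].append(guid)       # token returns to the pool
    free_tokens = token_allocation - kept
    for guid in in_group:                     # imports are capped by the allocation
        if guid not in mas_users and free_tokens > 0:
            plan["add"].append(guid)
            free_tokens -= 1
    return plan

def ad_user(guid, username, first, last, email=None, locked=False):
    # Constructed AD record; email defaults to username@example.com
    return {"guid": guid, "username": username, "first_name": first, "last_name": last,
            "email": f"{username}@example.com" if email is None else email, "locked": locked}

GROUP = [ad_user("g1", "alee", "Ann", "Lee"),              # unchanged
         ad_user("g2", "bkim", "Bo", "Kim", locked=True),  # locked in AD -> suspend
         ad_user("g3", "cdoe", "Cy", "Doe"),               # new -> add
         ad_user("g4", "dray", "Di", "Ray")]               # new -> no token left
MAS = {"g1": {"username": "alee"}, "g2": {"username": "bkim"},
       "g9": {"username": "old"},                          # left the group -> remove
       "g8": {"username": "ops", "operator": True}}        # operator -> kept
```

With an allocation of 4 tokens, `plan_sync(GROUP, MAS, 4)` adds only `g3`, removes `g9`, suspends `g2` and leaves `g4` unimported because no token is free.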

Security Features

• Connections between the Agent and Active Directory can be configured to use SSL.

• The data passed between the Agent and CRYPTO-MAS is limited to the UserID, First Name, Last Name, Address, Telephone / Mobile numbers and the Active Directory GUID for each account.

• All data transmitted between the Agent and CRYPTO-MAS is encrypted using AES256, then sent over SSL (default) or HTTP (optional). The encryption key is generated in the CRYPTO-MAP interface (Activation Key) and is unique for every client.

• The Agent configuration file, which contains the account and password and other configuration information used by the Agent to connect to Active Directory and CRYPTO-MAS, is encrypted. It can only be read or modified by the Agent Synchronization Manager application.

Limitations

If the agent is used, CRYPTO-MAP cannot be used to create UserIDs. This is to prevent contradictions between manual CRYPTO-MAP user creation and the Agent. In addition, all user accounts created by any other means will be automatically deleted during synchronization, even if the manually created UserIDs are identical to those in Active Directory.

Configuration

The following steps must be completed in sequence for correct operation and synchronization.

Important: Any users manually created in MAP before or after the agent has been installed and activated will automatically be removed from the system. If this agent is used, then ALL users must be added through the monitored Active Directory group.


Company Setup in CRYPTO-MAP

Create a new company in MAP in the usual way. Check the Use LDAP checkbox under User Storage to generate an Activation Code and prepare this account for Active Directory synchronization.

Figure 1

Token Allocation

Ensure that the number of tokens allocated is equal to or greater than the number of users that will be in the monitored Active Directory group. If the allocation is insufficient, the synchronization will fail. If the token count cannot be determined, the synchronization will be deferred and an error reported in the log.

Activation Code and CRYPTO-MAS URL

Note the Activation Code as this will be required during configuration of the Agent.

Synchronization Agent Installation (Customer Site)

1. Download the CRYPTO-MAS LDAP Service.exe file.

2. Run the installer.


3. The agent is configured post installation by launching the “Manager” application. The default location is Program Files/CRYPTOCard/CRYPTO-MAS/Manager.

4. Populate the Primary Active Directory information in the Active Directory tab and then click Apply. Do not start the agent until the Services tab is also populated.

Active Directory Tab

Use the Active Directory tab to configure the agent connection to Active Directory.

Figure 2

Where:

• Hostname: is the IP address or FQDN of Active Directory.

• Port Number: is the connection port number. Default: 389.

• BaseDN: is the point in Active Directory from where the agent will scan for users / group membership changes.


• UserDN: is the account that will be used by the agent to connect to Active Directory. The entry should be entered in email format.

Example: The BaseDN in Figure 2 is dc=ts, DC=cryptocard, DC=com, so the user “ccldap” could be defined in UserDN as [email protected].

• GroupDN: is the group to which the member must belong for synchronization with CRYPTO-MAS. As shown in Figure 3, only the members of the CRYPTOMAS group will be synchronized with CRYPTO-MAS. An example of the CRYPTOCard Microsoft group entry would be CN=CRYPTOCard, CN=Users, DC=ts, DC=cryptocard, DC=com.

• Test Group: allows the GroupDN entry to be tested for erroneous characters. Results of the test are shown as an OK or Failed message.

• Password: is the password corresponding to the UserDN account to be used by the Agent to connect to Active Directory.

Figure 3


Services Tab

The Services tab is used to configure the agent connection to CRYPTO-MAS.

Figure 4

Where:

• CRYPTO-MAS AuthID: is the AuthID assigned to the CRYPTO-MAS subscriber organization and displayed in the Home Tab within CRYPTO-MAP. The Auth ID was selected during the signup process.

• Activation Code: is a unique code generated and displayed in CRYPTO-MAP for this organization.

• Primary URL: this is the primary location to which the agent will attempt to synchronize with CRYPTO-MAS.

• Secondary URL: this is the secondary location to which the agent will attempt to synchronize with CRYPTO-MAS if a connection to the primary location fails.

• Execute Active Directory Search: specifies the synchronization frequency. This setting should reflect the frequency of change expected in Active Directory.


Notification Tab

The Notification tab is used to configure the agent to send an email notification in the event that the connection between the Agent and Active Directory fails.

Figure 5

Where:

• SMTP Server/Host: is the SMTP server through which all notifications will be sent.

• User: is the username required to send email through the SMTP Server (optional).

• Password: is the password required to send email through the SMTP Server (optional).

• Send Active Directory down: will notify if there are connection issues with Active Directory.

• Send Resync group not found: will notify if the Microsoft Group can no longer be found.

• Added user to list: will notify when a user has been added to CRYPTO-MAS.

• Updated user list: will notify when a user has been updated in Active Directory.


• Removed user and deassigned token list: will notify when a user has been removed from CRYPTO-MAS, along with which token was deassigned (if applicable).

Template Tab

The Template tab allows you to customize each notification email alert that was selected in the Notification Tab.

Figure 6

Where:

• Notification name: allows for the customization of the particular notification.

• From: enter the email address from which the message is sent. This field will only accept a single email address.

• To: enter the email address of the recipient(s) into this field. If multiple entries are required, a semi-colon must be used as the separator.

• CC: enter the email address of the recipient(s) into this field. If multiple entries are required, a semi-colon must be used as the separator.


• BCC: enter the email address of the recipient(s) into this field. If multiple entries are required, a semi-colon must be used as the separator.

• Subject: enter the subject of the current notification.

• Message: a default message that provides an explanation of the current notification. The content can be edited, but the <LIST/> placeholder cannot be removed from the message.

Troubleshooting

To troubleshoot any issues with the Agent, detailed logging is written to the file:

C:\Program Files\CRYPTOCard\CRYPTO-MAS\ADAgent\log\CRYPTO-MAS-Service-DATE.log