About the Active Directory Module

Information

The Active Directory Module integrates Issuetrak with Microsoft Active Directory (AD). It is compatible with Secure Socket Layer (SSL) connections and multi-server/multi-domain directory environments. Issuetrak user records are automatically created and updated by the AD Module. Basic AD user attributes, Issuetrak organization and user permissions are maintained, along with extended AD attributes, Issuetrak location and/or department. The Single Sign On option allows network users to have their credentials passed to Issuetrak with no additional login required.


How does the AD Module work?

The AD Module connects to your AD server(s) during user authentication and import processes using specifications you define within your Issuetrak site. These specifications include a “connection user” that the AD Module uses to log in and assume the permissions needed to execute these processes.

User information from AD is compared to the Issuetrak user tables. When new information is found for an existing user, the Issuetrak record is updated. If there is no Issuetrak record for a user, that user is created. When a user is deactivated in AD, they will be deactivated within Issuetrak during the next scheduled import.

If a user is deleted from AD, the Issuetrak user will not be deleted. Additionally, if a user has been deactivated in both AD and Issuetrak, and then is reactivated in AD, the user will need to be manually reactivated in Issuetrak.
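The import rules described above, modelled as an added example (not Issuetrak's code): it applies the create/update/deactivate behaviour to constructed records and returns the accounts an administrator would want to review, namely users no longer in AD that Issuetrak still holds and users re-enabled in AD that remain inactive in Issuetrak. The `ADUser` and `TrakUser` shapes, their field names and `run_import` are hypothetical; `no_ad_auth` stands for the “No AD Authentication” parameter mentioned later on this page.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class ADUser:                      # constructed shape, not an AD schema
    login: str
    email: str
    enabled: bool

@dataclass(frozen=True)
class TrakUser:                    # hypothetical stand-in for an Issuetrak user record
    login: str
    email: str
    active: bool
    no_ad_auth: bool = False       # "No AD Authentication" set on the record

def run_import(ad_users, trak_users):
    """Apply the import rules from the text; return (user_table, review_list)."""
    ad = {u.login: u for u in ad_users}
    table, review = {}, []
    for t in trak_users:
        a = ad.get(t.login)
        if t.no_ad_auth:           # maintained only in Issuetrak, never touched
            table[t.login] = t
        elif a is None:            # deleted from AD: Issuetrak record is kept as-is
            table[t.login] = t
            review.append((t.login, "not in AD, " + ("active" if t.active else "inactive")))
        elif not a.enabled:        # deactivated in AD: deactivated on import
            table[t.login] = replace(t, email=a.email, active=False)
        elif not t.active:         # re-enabled in AD: stays inactive until manual step
            table[t.login] = t
            review.append((t.login, "enabled in AD, inactive in Issuetrak"))
        else:                      # existing user: attributes refreshed from AD
            table[t.login] = replace(t, email=a.email)
    for login, a in ad.items():    # no Issuetrak record: create one
        if login not in table:     # assumption: new record mirrors AD enabled state
            table[login] = TrakUser(login, a.email, a.enabled)
    return table, review

# Constructed sample data
AD = [ADUser("asmith", "a.smith@example.test", True),
      ADUser("bjones", "bjones@example.test", False),
      ADUser("cwu", "cwu@example.test", True),
      ADUser("dlee", "dlee@example.test", True)]
TRAK = [TrakUser("asmith", "old@example.test", True),
        TrakUser("bjones", "bjones@example.test", True),
        TrakUser("cwu", "cwu@example.test", False),
        TrakUser("egray", "egray@example.test", True),
        TrakUser("vendor1", "v@example.test", True, no_ad_auth=True)]

if __name__ == "__main__":
    print(run_import(AD, TRAK)[1])
```

The review list is the part worth scheduling: an account that is gone from AD but still active in Issuetrak is not caught by the import itself.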

What user information is pulled from AD?

Basic user attributes are pulled directly from AD and mapped to the appropriate fields. These include: Login (User ID), First Name, Last Name, Email, Phone, Address, City, State, Zip and Country. Up to three additional AD attributes may be mapped through corresponding user-defined fields defined within Issuetrak.

Periods and apostrophes (among other characters) are not allowed in the Issuetrak Login value. If the Active Directory Login contains them, Issuetrak will substitute the characters for use with our product. This will not affect the actual value in Active Directory.

Additional information regarding entity membership can be pulled from specific fields or mapped to AD Groups or OUs.

Issuetrak Value    AD Value
Organization       Mapping to AD Group/OU
Location ID        AD Office, then mapping to AD Group/OU
Department Name    AD Department, then mapping to AD Group/OU

User permissions are granted to AD users through mapping of specific AD Groups/OUs to an end user template defined within Issuetrak. Agent permissions may be granted through membership in an Issuetrak group, or by AD Group/OU mapping to another template. The number of users imported is directly tied to your license key. If you map Agent permissions via a template, ensure that importing users will not exceed the licensed Agent count. In the event the count is exceeded, the import will stop and notify the Issuetrak System Administrator. Also, with a productivity key, licenses are based on the total number of users. Therefore, the import will stop if it will exceed the maximum number of licensed end users.

It is our Best Practice to import all users with the same end user template, and then grant additional permissions and Agent designations by membership in Issuetrak groups.

Users outside of the AD structure may be created and maintained through Issuetrak. However, the “No AD Authentication” parameter must be applied to these user records manually. Other user-related fields with no relation to AD may also be created and maintained within Issuetrak.

AD user authentication processes

Authentication processes happen in a matter of seconds. AD users will experience little if any delay when accessing Issuetrak.

An AD user will need to enter their network login/user ID and password on the Login screen to access Issuetrak. In the case of multiple domains, the user will also need to select their domain. If Single Sign On is implemented, the user will not see the Login screen but instead be taken directly to their Issuetrak Home Page when navigating to Issuetrak.

If Issuetrak is hosted in the cloud, Single Sign On is not available.

The AD Module sends the user’s credentials to the AD server and asks the server to authenticate (validate) this user. The server responds stating whether or not authentication is successful. If authentication is unsuccessful, an error message will be displayed to the user. If authentication is successful and the option to update users on login is activated, the AD Module queries the server again, requesting current data related specifically to the user. This information is then compared and applied to the Issuetrak user tables as needed.

AD user import processes

To minimize retrieval of excessive and/or redundant information, import processes are based on a specific AD server and AD Group or OU.

On-demand imports may be executed from the Issuetrak interface. Scheduled imports may be defined within the interface. For scheduled imports to execute at the proper intervals, a Windows Scheduled Task must also be created on the Web server hosting Issuetrak.

The AD Module queries the AD server requesting current data related to the specified Group/OU. For users within this Group/OU, other Group/OU memberships related to Issuetrak are also translated. This information is then compared and applied to the Issuetrak user tables as needed.

AD Password Reset

Previously, the Active Directory Module offered an option that allowed active directory passwords to be reset via Issuetrak. To enhance security, the functionality of this option has been disabled and it will be phased out within the next few releases.


Applies To:

Issuetrak 9.9+