Domain Settings

This page displays the list of forests that you have configured and enables you to configure domains.

Important
To manage users, groups and their memberships across different domains, ensure there is a two-way trust between those domains. Also, ensure that the IQService service account has the necessary permissions to access them.

To create and set up a new domain, complete the following:

  1. Select the Forest Name you want to configure for this domain from the drop-down menu.

  2. Enter the Domain DN.

  3. (Optional) Select Use gMSA as a Service Account to use group Managed Service Account (gMSA) as a Service Account and provide the Service Account in UPN format.

    Note
    Ensure you select Strong (SASL) as the Authentication Type. IQService configuration is also mandatory to use gMSA as a service account. For more information, refer to Configuring IQService to use gMSA as a service account for Active Directory.

  4. Enter the Service Account with the required permissions.

    • When you are using Simple authentication, use the down-level logon name: Domain Name\User Name (the NetBIOS domain name, a backslash, and the account name).

    • When you are using Strong (SASL) authentication, use: UserName@DNSDomainName.com

  5. (Not required when Use gMSA as a Service Account is selected) Enter the Service Account Password.

  6. (Optional) Enter the Servers information for the domain controllers that you want to configure, as an IP address or FQDN. To configure multiple servers, enter a server and then press the Enter key. If you have configured two or more servers and the connection to the first server fails, the source attempts to bind to the next domain controller in the list, in the order entered.

    Note
    If you do not provide an IP address or FQDN, the source performs a server-less bind, which locates a domain controller through DNS. This requires correct DNS configuration on the virtual appliance for the domain's DNS name.

  7. (Optional) Enter the Port number.

  8. Select the Authentication Type from the drop-down menu.

    • Simple - The account to authenticate is identified by the DN (or Domain Name\User Name) of the entry for that account, and proof of identity is a password. A simple bind sends that password to the domain controller in clear text, so SailPoint recommends that you select Use Transport Layer Security (TLS) with simple authentication; TLS encrypts the credentials and data in transit.

    • Strong (SASL) - A SASL bind is performed, using Kerberos or NTLM depending on whether the Identity Security Cloud (ISC) system is inside the service account domain's network or outside it. The SASL bind negotiates its own security layer, which encrypts data in transit.

      For Strong (SASL) authentication to work, you must use the following format: UserName@DNSDomainName.com. For more information, refer to Required Permissions.

  9. (Not required when Use gMSA as a Service Account is selected) By default, the Use Transport Layer Security (TLS) checkbox is selected. When selected, you must specify the TLS port in the Port field (the standard ports are 636 for LDAPS and 3269 for the Global Catalog over TLS, rather than the plaintext ports 389 and 3268). The SSL/TLS certificate the appliance needs in order to trust the domain controller must be placed on the virtual appliances in the following path: /home/sailpoint/certificates/ad-resource.cer. For more information, refer to TLS Configuration on Virtual Appliances.

  10. (Optional) To configure another domain, select Add Another and repeat the previous steps.

  11. Select Save.
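The steps above carry several consistency rules that are easy to get wrong in the form (account format depends on the authentication type, gMSA needs SASL and no password, TLS needs a TLS port, a server-less bind depends on DNS, and the domain controllers are tried in list order). The following Python is an added example, not SailPoint code: a pre-save validator for one domain entry plus the fail-over bind order, with the bind itself injected as a function so the logic runs offline. The DomainConfig field names, the regular expressions and the sample values are assumptions for illustration; the port numbers are the standard Active Directory LDAP ports.

```python
"""
Hypothetical pre-save check for an Active Directory domain entry.
Added example (not SailPoint's code): validates the rules from the
Domain Settings steps and walks the domain controller list in order.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SIMPLE = "Simple"
SASL = "Strong (SASL)"

# Standard AD LDAP ports (Microsoft defaults, not taken from the page):
# 389/3268 are plaintext LDAP / Global Catalog, 636/3269 their TLS counterparts.
PLAINTEXT_PORTS = {389, 3268}

# Assumed shapes for the form fields.
DOMAIN_DN_RE = re.compile(r"^DC=[^,=]+(,DC=[^,=]+)*$", re.IGNORECASE)
DOWNLEVEL_RE = re.compile(r"^[^\\/@]+\\[^\\/@]+$")        # DOMAIN\username
UPN_RE = re.compile(r"^[^\\/@]+@[^\\/@]+\.[^\\/@]+$")     # username@dns.domain
FQDN_OR_IP_RE = re.compile(
    r"^(\d{1,3}(\.\d{1,3}){3}|[a-z0-9-]+(\.[a-z0-9-]+)+)$", re.IGNORECASE)


@dataclass
class DomainConfig:
    forest: str
    domain_dn: str
    service_account: str
    auth_type: str
    password: Optional[str] = None
    use_gmsa: bool = False
    use_tls: bool = True
    port: Optional[int] = None
    servers: List[str] = field(default_factory=list)


def validate(cfg: DomainConfig) -> List[str]:
    """Return the list of problems; an empty list means the entry is consistent."""
    problems: List[str] = []
    if not cfg.forest:
        problems.append("forest: a configured forest must be selected")
    if not DOMAIN_DN_RE.match(cfg.domain_dn):
        problems.append(f"domain_dn: expected DC=... components, got {cfg.domain_dn!r}")
    if cfg.auth_type not in (SIMPLE, SASL):
        problems.append(f"auth_type: must be {SIMPLE!r} or {SASL!r}")

    if cfg.use_gmsa:
        # A gMSA only works with a SASL (Kerberos) bind and has no static password.
        if cfg.auth_type != SASL:
            problems.append("use_gmsa: requires Strong (SASL) authentication")
        if cfg.password:
            problems.append("password: not used with a gMSA; leave it empty")
    elif not cfg.password:
        problems.append("password: required unless a gMSA is used")

    if cfg.auth_type == SIMPLE and not DOWNLEVEL_RE.match(cfg.service_account):
        problems.append("service_account: Simple bind expects DOMAIN\\username")
    if cfg.auth_type == SASL and not UPN_RE.match(cfg.service_account):
        problems.append("service_account: SASL bind expects username@dns.domain")

    if cfg.use_tls:
        if cfg.port is None:
            problems.append("port: the TLS port must be given when TLS is enabled")
        elif cfg.port in PLAINTEXT_PORTS:
            problems.append(f"port: {cfg.port} is a plaintext LDAP port; use 636 or 3269 for TLS")
    elif cfg.auth_type == SIMPLE:
        # Without TLS a Simple bind sends the password in the clear.
        problems.append("use_tls: Simple bind without TLS transmits the password in cleartext")

    for server in cfg.servers:
        if not FQDN_OR_IP_RE.match(server):
            problems.append(f"servers: {server!r} is neither an IP address nor an FQDN")
    return problems


def bind_with_failover(cfg: DomainConfig,
                       try_bind: Callable[[str, int], bool]) -> Optional[str]:
    """Try each listed domain controller in order; return the first that binds.

    try_bind(host, port) is injected (e.g. a wrapper around ldap3 or
    ldapsearch) so this can run offline. An empty server list means a
    server-less bind: a DC is then located through the domain's DNS
    (_ldap._tcp SRV records) rather than from this list, so None is returned
    without attempting anything here.
    """
    if not cfg.servers:
        return None
    port = cfg.port or (636 if cfg.use_tls else 389)
    for host in cfg.servers:
        if try_bind(host, port):
            return host
    return None
```

Run validate() on the entry before selecting Save; every string it returns maps to one of the steps above. The injected try_bind keeps the fail-over walk testable without a domain controller; in practice it would perform the actual LDAP bind over the port the entry specifies.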