Prerequisites

  • Create an Active Directory service account with the required permissions. A service account is a special user account that is created for the sole purpose of running a particular service or application on the Windows operating system. Services use the service accounts to log on and interact with the operating system.

  • Before you start using the connector, install and register IQService on a Windows system running one of the supported operating systems. For more information on installing and registering IQService, see IQService as a Prerequisite.

    • If the Authentication Type is set to Strong (SASL), then the IQService host must be in the same domain or in a trusted domain.

  • Secure Active Directory connector.

  • Configure at least one virtual appliance cluster and successfully test the connection. For instructions, refer to the Virtual Appliance Reference Guide.

  • Configure Identity Security Cloud for provisioning.

  • For a source managing multiple domain trees, either from the same or different forests, there must be a two-way trust relationship between them.

  • For managing Managed Service Accounts (MSA) or group Managed Service Accounts (gMSA), the following prerequisites are required:

  • Strong (SASL) authentication internally uses Kerberos to authenticate the service account. To use Strong (SASL) authentication, ensure the following requirements are met:

    • The service account must be specified in User Principal Name (UPN) format, for example UserName@DNSDomainName.com.

    • For domain settings, the port used must be a non-TLS port, because TLS is not supported during Strong (SASL) authentication.

  • To use group Managed Service Account (gMSA) for forest and domain settings, ensure you select Strong (SASL) as the authentication type.

    The permissions for gMSA accounts are similar to those of service accounts. No special permissions are needed for gMSA accounts. For more information, refer to Required Permissions.

    Important
    Configuration of IQService is mandatory to utilize gMSA as a service account for forest and domain settings in Active Directory. For more information, refer to Configuring IQService to use gMSA as a service account for Active Directory.

    For more information, refer to Using gMSA as a Service Account.
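The following PowerShell script, added here as an example and not part of the SailPoint documentation or product, checks the prerequisites above from the intended IQService host: UPN format of the service account, a non-TLS LDAP port that is reachable, two-way trusts, gMSA availability, and host domain membership. The account, gMSA, domain controller and port values are hypothetical placeholders; it assumes the RSAT ActiveDirectory module is installed on the host.

```powershell
# Added prerequisite check for the Active Directory connector (example, not SailPoint's code).
# Hypothetical values: replace the service account, gMSA, domain controller and port below.
Import-Module ActiveDirectory

$ServiceAccount   = 'svc-adconnector'     # sAMAccountName of the connector service account
$GmsaName         = 'gmsa-adconnector$'   # gMSA name (the trailing $ is part of the name)
$DomainController = 'dc01.example.com'    # domain controller entered in the domain settings
$LdapPort         = 389                   # port entered in the domain settings

$results = [ordered]@{}

# Strong (SASL) requires the service account in UPN format (UserName@DNSDomainName)
$acct = Get-ADUser -Identity $ServiceAccount -Properties UserPrincipalName
$results['Service account has UPN'] = -not [string]::IsNullOrEmpty($acct.UserPrincipalName)

# TLS is not supported with Strong (SASL): flag the standard LDAPS and GC-over-SSL ports
$results['Port is non-TLS'] = $LdapPort -notin @(636, 3269)

# The configured LDAP port must be reachable from this host
$tcp = Test-NetConnection -ComputerName $DomainController -Port $LdapPort -WarningAction SilentlyContinue
$results['DC reachable on port'] = $tcp.TcpTestSucceeded

# Managing multiple domain trees requires two-way trusts; report any that are not BiDirectional
$trusts = @(Get-ADTrust -Filter *)
$oneWay = @($trusts | Where-Object { $_.Direction -ne 'BiDirectional' })
$results['All trusts are two-way'] = ($oneWay.Count -eq 0)
$oneWay | ForEach-Object { Write-Warning "One-way trust: $($_.Name) ($($_.Direction))" }

# gMSA prerequisites: the account exists and this host can retrieve its managed password
$gmsa = Get-ADServiceAccount -Identity $GmsaName -ErrorAction SilentlyContinue
$results['gMSA exists'] = ($null -ne $gmsa)
$results['Host can use gMSA'] = if ($gmsa) { Test-ADServiceAccount -Identity $GmsaName } else { $false }

# The IQService host must be in the same domain or a trusted domain for Strong (SASL)
$hostDomain     = (Get-CimInstance Win32_ComputerSystem).Domain
$trustedDomains = @((Get-ADDomain).DNSRoot) + @($trusts | ForEach-Object { $_.Name })
$results['IQService host domain trusted'] = $hostDomain -in $trustedDomains

# Print one OK/FAIL line per prerequisite
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it in an elevated PowerShell session on the IQService host; a FAIL on the gMSA line usually means the host is not listed in the gMSA's PrincipalsAllowedToRetrieveManagedPassword.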