Domain Settings

This page displays the list of forests that you have configured and enables you to configure domains.

To create and set up a new domain, complete the following:

  1. Enter the Forest Name you want to configure for this domain.

  2. (Optional) Select Use gMSA as a Service Account to use group Managed Service Account (gMSA) as a Service Account and provide the Service Account in the UPN format.

    Note
    Ensure you select Strong (SASL) as the Authentication Type . IQService configuration is also mandatory to use gMSA as a Service Account. For more information, refer to Configuring IQService to use gMSA as a service account for Active Directory.

  3. Enter the Domain.

  4. Enter the Service Account with the required permissions using the following format: Domain Name\User Name.

  5. (Not required when Use gMSA as a Service Account is selected) Enter the Service Account Password.

  6. (Optional) Enter the Servers information for the domain controller servers that you want to configure using the following format: IP Address or FQDN. To configure multiple servers, enter a server and then press the Enter key. If you have configured two or more servers and the connection to the first servers fails, the source attempts to bind to the next domain controller server in the list.

    Note
    If you do not provide the IP or FQDN information, it is a server-less bind that requires the correct DNS configuration.

  7. Select the Authentication and Security from the drop-down menu.

    • Simple - The account to authenticate is identified by the DN of the entry for that account, and the proof identity comes in the form of a password. SailPoint recommends that you Use TLS with simple authentication as this encrypts data during transit.

    • Strong - Strong authentication bind is performed, which uses kerberos or NTLM depending upon whether the IdentityIQ system is in a network (of service account domain) or outside network. Strong has implicit security layer for data encryption.

      For Strong authentication to work, you must use the following format: UserName@DNSDomainName.com. For more information, refer to Required Permissions.

  8. (Not required when Use gMSA as a Service Account is selected)  By default, the Use TLS checkbox is selected.

  9. (Optional) To configure another domain, select Add and repeat the previous steps.

  10. Select Save.