Active Directory Onboarding
Prerequisite
-
Network reachability from chosen Worker Group (Connector) to a Domain Controller.
-
LDAP TCP Por 389
-
LDAPS TCP Port 636
-
Microsoft Global Catalog TCP Port 3268
-
Microsoft Global Catalog TCP Port 3269
-
DNS resolution (UDP Port 53) for DC hostnames
-
-
Service account UPN for LDAP bind (example:
svc_entro@corp.local)- Must have read access to directory objects and attributes within all required target domains.
Complete the following:
-
Create the Service Account in Active Directory
-
Name:
svc_entro -
UPN:
svc_entro@<domain> -
Assign read-only built-in group permissions only.
-
Do not grant any elevated admin roles.
-
-
Collect Connector Network Information
Validate DNS Resolution
Ensure the Worker VM can resolve the domain controller FQDN:
Validate LDAPS Connectivity (Port 636)
If the connection succeeds, LDAPS is reachable.
-
Copy the Root CA Certificate
SailPoint Entro expects the raw certificate text, not a file upload.
If you need further assistance with retrieving the certificate please see "export public certificate" below.
Steps:
-
Open the Root CA certificate (
.cer) in a text editor such as Notepad or VS Code. -
Copy the entire certificate block, including the headers and footers:
- Paste this text directly into the Root CA (PEM) field in the SailPoint Entro Console.
The certificate field is multiline. Ensure the full block is pasted with no extra spaces or missing lines.
-
In SailPoint Entro Console
Navigate: Management → Accounts & Integrations → Add New Account → Active Directory
Fill out the following fields:
Integration Fields
-
Nickname Free-text label for identification Example:
ENTRO-PROD-AD -
Domain Controller (DC) Short hostname or IP of the primary DC Example:
DC01or10.0.0.5 -
DC Name (FQDN) Fully qualified domain controller name Example:
dc01.example.localBoth the short name/IP and the FQDN are required by the current connector version.
-
Root CA (PEM) Paste the full certificate text copied above.
-
Domain Active Directory domain Example:
example.local -
Username Service account UPN Example:
svc_entro@example.local -
Password Service account password
-
Environment Nickname Human-readable label for this deployment Example:
PROD-AD -
Environment Type
Production/Staging/Dev -
Worker Group (Connector) Select the Connector/Outpost that will run the AD scans.
Click Connect to complete onboarding.
Export Public CA Certificate
Option 1: Using OpenSSL (Linux, macOS, Windows with OpenSSL installed)
If your Root CA certificate is in an existing format (like .crt, .cer, .der, or .pfx), you can export it to a PEM file easily.
-
Locate your Root CA certificate
Find the file (for example):
-
rootCA.crt -
rootCA.cer -
or part of a PKCS#12 bundle (like
rootCA.pfx).
-
-
Convert to PEM (if not already)
Depending on the format:
If it's a DER (.der or .cer) file:
If it's a CRT (.crt) file:
If it's a PFX / PKCS#12 (.pfx) file (contains private key + certs):
You'll be asked for the import password (if the PFX is protected).
-
Verify the PEM file
Check the output:
You should see details like:
That confirms you have the root CA certificate in PEM format.
Option 2: From Windows Certificate Store
If your Root CA is stored in the Windows Certificate Manager:
-
Open the Certificate Manager
Press Win + R → type:
Press Enter.
-
Locate the Root CA
Go to:
Find your root CA certificate (look for the name in the list).
-
Export the certificate
Right-click → All Tasks → Export → follow the wizard:
-
Choose No, do not export the private key
-
Select Base-64 encoded X.509 (.CER) format
-
Save it as
root-ca.cer
-
-
Rename or convert to PEM
You can simply rename it:
Or convert it using OpenSSL (optional):
Troubleshooting: Certificate Issues
-
Ensure the certificate contains the BEGIN and END lines.
-
Do not add or remove line breaks.
-
Certificate must be Base64-encoded X.509.
-
Confirm port 636 is reachable and DNS resolves the DC correctly.
Security & Compliance Notes
-
LDAPS should always run over TLS 1.2+.
-
Do not assign write permissions to the service account.
-
Passwords should be stored in your internal secrets vault or a secure encrypted channel.