PowerCAMPUS Portal and Active Directory


(1)

SUNGARD SUMMIT 2007 | sungardsummit.com 1

A Community of Learning

PowerCAMPUS Portal and Active Directory

Presented by: Chad Sexton, PowerCAMPUS Portal Development

March 21, 2007 Course ID 1240

(2)

Overview

• SunGard Higher Education’s vision for higher education is to help every institution create the Unified Digital Campus (UDC), an environment in which systems, individuals, and communities interact seamlessly for learning, teaching, administration, and achievement.

• A Portal serves as a very important piece of the UDC because it provides institutions with the ability to unify and manage their core academic, administrative and community web applications in a common platform that ultimately provides a

(3)

Overview

• The portal solution chosen by the PowerCAMPUS line of business is Microsoft SharePoint Portal Server 2003 (for Portal 1.1) and Microsoft Office SharePoint Server 2007 (for PowerCAMPUS Portal 2007). With SPS 2003, all non-anonymous access to SharePoint Portal Server sites and areas requires that the user possess an Active Directory account.

• An important part of the value added to the SharePoint Server solutions the PowerCAMPUS line of business will offer is the automatic provisioning of Active Directory accounts based on pre-existing IQ.Web accounts as well as newly created IQ.Web accounts.

• The current design has moved from a user-driven method

(4)

What’s Included

• Important Active Directory Object Attributes

• Microsoft Management Console (MMC) - ADSI Edit

• PowerCAMPUS message sources to Portal/Active Directory messages within the system.

• IQ.Web Administrative pages related to Active Directory

• Portal Settings page in IQ.Web to access Portal/Active

(5)

What’s Included

• Portal Account Maintenance page in IQ.Web titled ‘Portal – Unlock Accounts’ has been added that allows IQ.Web administrators to unlock accounts that have been denied access to enter Active Directory credentials due to failed Active Directory/Network login attempts within IQ.Web.

• A new Windows Application to access/configure Portal/Active Directory settings. The new application will allow administrators to set up default Domains, Organizational Units, and Groups in Active Directory. Other setups include our proprietary ADConnect process, general settings, and logon and full name formats.

• A new Windows Service which handles the account provisioning of Active Directory/IQ.Web accounts.

(6)

Managing the guest/applicant/student lifecycle

[Diagram components: SharePoint Server, PowerCAMPUS Database Server, Self-Service Server, AD Connect, Active Directory Domain Controller, ADWatcher, User]

1. User goes to anonymous site
2. User submits application in Self-Service
3. Applicant record created
4. ADWatcher executes applicant view
5. ADWatcher creates portal account
6. Self-Service emails user id and password
7. User enters authenticated Portal site

(7)

Managing IQ users who already have AD accounts

[Diagram components: SharePoint Server, PowerCAMPUS Database Server, Self-Service Server, AD Connect, Active Directory Domain Controller, User]

1. User logs in to IQ
2. User is prompted for AD credentials
3. AD.Connect validates credentials
4. Portal Account is mapped to IQ Account
5. User logs in to Portal
6. Personal data shows in Web Parts and SSO to IQ is successful

(8)

Domains

• What is a Domain?

• A domain is logically an organizational grouping of resources allowing central management of those resources.

• Physically, it is a database containing information about those resources.

• Domains act as the building block for an Active Directory tree

(9)

Active Directory and Domains

• Root Domain

• The first domain created in Active Directory becomes the root domain. The root domain acts as the top of the structure and determines the beginning of the Active Directory namespace.

• The name of the first domain must match the top level of your desired namespace.

• After the first domain is created, each subsequent domain is added to the tree somewhere beneath it. So additional domains are always considered children.

• So if our root domain is PowerCAMPUS then all subsequent domains will follow the naming pattern of “<new name>.PowerCAMPUS”

Ex. PowerCAMPUS -> Malvern.PowerCAMPUS (DN=Malvern.PowerCAMPUS)

PowerCAMPUS -> Rochester.PowerCAMPUS (DN=Rochester.PowerCAMPUS)

• Domains do act as administrative boundaries in that it is easy to give one administrator control over all resources within a domain. But using domains as the boundary for administrative privileges does not offer great granularity. For that need, Active Directory includes the Organizational Unit (OU) object class.

(10)

Active Directory Groups

• Creating Groups

• Groups in Active Directory are a way to organize individual user or computer accounts.

• They are typically used for security and distribution purposes.

• It is recommended that most of your directory management should be done through groups, rather than to individual users or computers.

(11)

Active Directory Groups

• Types of Groups

• Security Groups

• Security Groups are used to grant permissions to resources. Computers, users, and other groups can be members of a security group. If you wanted to grant users permissions on a share or to a particular machine, for instance, you could create a group, grant that group the appropriate permissions, and then add users (or even other groups) as members of that group.

• Distribution Groups

• Distribution Groups are used for non-security functions, such as e-mail. Distribution Groups cannot be assigned permissions or rights.

(12)

Active Directory Groups

• Scopes of Groups

• The scope, or area of influence, for a group can be limited to a single domain, to multiple domains (through trusts), or to the entire network.

• Domain Local Groups

• Domain local groups are limited to a single domain. They can be used to grant permissions to resources only within that domain.

• Global Groups

• Global groups are used to grant permissions to objects in multiple domains and are visible to all trusted domains. Global groups, though, can have as members only users and groups from within their own domain.

• Universal Groups

• Universal groups are similar to global groups in that they can be used to grant permissions across multiple domains. The big difference is that universal groups can contain any combination of user and global group accounts from any trusted domain in the forest.
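The scope rules above, as an added Python example that is not SunGard or PowerCAMPUS code: a small checker that applies the membership and permission-reach rules the slide states, using the PowerCAMPUS root domain with its Malvern and Rochester children as a constructed forest. The Principal/Group classes and the function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Group scopes as the slide describes them (constructed example, not SunGard code)
DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"


@dataclass
class Principal:
    name: str
    domain: str          # DNS name of the domain the object lives in
    kind: str            # "user", "computer", or one of the scope constants


@dataclass
class Group(Principal):
    members: list = field(default_factory=list)


def membership_violation(group: Group, member: Principal, forest: Set[str]) -> Optional[str]:
    """Return None if member may be added to group, else the slide rule it breaks."""
    if member.domain not in forest:
        return "member is not from a trusted domain in the forest"
    if group.kind == GLOBAL and member.domain != group.domain:
        return "global groups take members only from their own domain"
    if group.kind == UNIVERSAL and member.kind not in ("user", "computer", GLOBAL):
        # The slide lists users and global groups; computers are treated like users here.
        return "universal groups hold only user and global group accounts"
    # The slide gives no membership rule for domain local groups beyond the forest.
    return None


def add_member(group: Group, member: Principal, forest: Set[str]) -> bool:
    """Add member if the scope rules allow it; report whether it was added."""
    if membership_violation(group, member, forest) is not None:
        return False
    group.members.append(member)
    return True


def can_grant_on(group: Group, resource_domain: str, forest: Set[str]) -> bool:
    """Can this group be granted permissions on a resource in resource_domain?"""
    if group.kind == DOMAIN_LOCAL:
        return resource_domain == group.domain     # single-domain reach
    return resource_domain in forest               # global/universal reach trusted domains


# Constructed forest: the root domain from the slides plus its two child domains
FOREST = {"PowerCAMPUS", "Malvern.PowerCAMPUS", "Rochester.PowerCAMPUS"}
```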

(13)

Active Directory Security Groups

(14)

Active Directory Security Groups – Groups – Member Of

(15)

Active Directory Security Groups

(16)

Active Directory Organizational Units

• An Organizational Unit (OU) object is a container object used to organize the resources in your directory.

• Organizational Units form logical administrative units that can be used to delegate administrative privileges within a domain. Rather than add another domain to an existing structure, it is often more advantageous to just create another Organizational Unit to organize objects.

• Organizational Units provide structure within a domain. This structure is hierarchical in nature. Each OU acts as a subdirectory to help administrators organize the various resources described within the directory.

• Organizational Units should reflect the business structure of your company or organization. One should not create containers just for the sake of structure. If you can’t justify a container for either management or user

(17)

Active Directory Organizational Units

• An OU can contain the following types of objects:

• Users
• Groups
• Computers
• Printers
• Applications
• Security Policies
• File Shares
• Other OUs

* The only object an OU cannot contain is any object

(18)

Active Directory Organizational Units

• Why Create Containers

• To delegate administrative control, allowing an individual the ability to add, delete, or modify objects in a limited portion of the tree.

• To ease management by grouping like objects. You might create containers to hold users with similar security requirements.

• To control the visibility of objects.

• To make administration more straightforward, assigning permissions once to the OU rather than multiple times for each object.

• To make administration easier by limiting the number of objects in a single container. Even though the limit in a container is large, no one wants to page through a huge list every time they need to view/manage a single object.

• To be used as a holding container for other OUs.

(19)

Active Directory Organizational Units

(20)

Active Directory Organizational Units

(21)

Active Directory Organizational Units

(22)

Active Directory Organizational Units

(23)

Windows Server 2003 Support Tools

• Download the latest version of the Support Tools

• To enable the use of the ADSI snap-in module, you will need to go to Microsoft’s site to download the latest version, or the version that supports your instance of Windows Server 2003, of the Windows Server 2003 Support Tools. The link below will get the latest Support Tools for Windows Server 2003 SP1.

http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

(24)

Microsoft Management Console (Install ADSI Edit)

(25)

Microsoft Management Console

(26)

MMC ADSI Edit Snap-in

(27)

MMC ADSI Edit Snap-in

(28)

MMC ADSI Edit Snap-in

(29)

MMC ADSI Edit Snap-in – Viewing addition of Snap-ins

(30)

MMC ADSI Edit Snap-in

(31)

MMC ADSI Edit Snap-in – ADSI Edit Connection Settings

(32)

MMC ADSI Edit Snap-in – Tree display in ADSI Edit

(33)

Active Directory Attributes

(34)

Active Directory Attributes

(35)

Active Directory Attributes

[Screenshot callouts: Container, distinguishedName attribute, Jimmy.Page container]

(36)

SharePoint Portal

(37)

IQ.Web & Active Directory

(38)

PowerCAMPUS Portal Message Sources –

(39)

IQ.Web Administration/Setup

• Portal Settings icon on Global Settings page

• 2 Portal administrative pages

(40)

IQ.Web Administration/Setup

(41)

IQ.Web Administration/Setup

• Portal Settings page

• Easy access to all Portal/Active Directory Settings

• For your IQ.Web and Active Directory Integration to work properly, the General Portal Settings page must be entered initially and

(42)

IQ.Web Administration/Setup

(43)

IQ.Web Administration/Setup

The ability to view which users’ Active Directory credentials have been authenticated

(44)

IQ.Web Administration/Setup

This page contains all of the accounts that have reached the maximum credential verification attempts. They will not be prompted to enter any Active Directory credentials once they have been locked.
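The lockout behaviour this page describes, together with the ‘Portal – Unlock Accounts’ item under What’s Included, as an added Python model that is not the product’s code: a store that counts failed credential checks, stops prompting once the maximum is reached, and lets an administrator unlock the account. The class names, the three-attempt limit and the PORTALACCOUNT-like fields are assumptions.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 3   # assumed limit; the slides do not state the configured maximum


@dataclass
class PortalAccount:
    iqweb_user: str
    failed_attempts: int = 0
    locked: bool = False
    ad_verified: bool = False


class PortalAccountStore:
    """In-memory stand-in for the rows the slides describe (constructed, not the real schema)."""

    def __init__(self):
        self.accounts = {}

    def get(self, user):
        return self.accounts.setdefault(user, PortalAccount(user))

    def should_prompt(self, user):
        """Only users who are neither locked nor already verified see the credentials page."""
        acct = self.get(user)
        return not acct.locked and not acct.ad_verified

    def record_attempt(self, user, credentials_valid):
        """Outcome of one AD credential submission: 'verified', 'retry' or 'locked'."""
        acct = self.get(user)
        if acct.locked:
            return "locked"               # no further checks until an admin unlocks
        if credentials_valid:
            acct.ad_verified = True
            acct.failed_attempts = 0
            return "verified"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "retry"

    def locked_accounts(self):
        """What the 'Portal – Unlock Accounts' page lists."""
        return sorted(u for u, a in self.accounts.items() if a.locked)

    def unlock(self, user):
        """Administrator action from the Unlock Accounts page: reset and re-prompt."""
        acct = self.get(user)
        acct.locked = False
        acct.failed_attempts = 0
```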

(45)

IQ.Web Administration/Setup

• No locked accounts

(46)

Directory Integration

(47)

Directory Integration Setup

• Dataconfiguration.config

(48)

Directory Integration

• Script Execute Tab

(49)

Directory Integration

(50)

Directory Integration

• General Settings Tab

(51)

Directory Integration

(52)

Directory Integration

• Log and Information Files

• AD Connect Log File

• User chooses name and location on disk. *.log extension is recommended.

• AD Watcher Log File

• ADWatchService Log.txt

• User chooses location on disk

• AD Watcher Information (Verbose) File

• ADWatchInfo Log.txt

• User chooses location on disk

• AD Watcher Event Log File

• ADWatchService Log

• Windows Event Viewer

(53)

Directory Integration

(54)

Directory Integration

(55)

Directory Integration

(56)

Directory Integration

• AD Connect Tab

(57)

Directory Integration

• AD Connect – Settings Saved in Registry in 3 locations

• General Section

(58)

Directory Integration

• AD Connect – Settings Saved in Registry in 3 locations

• Bindings Section

(59)

Directory Integration

• AD Connect – Settings Saved in Registry in 3 locations

• Containers/Paths Section

(60)

Directory Integration

• AD Connect – Settings Saved in Registry in 3 locations

• General Section – Trace Log File for AD Connect process

(61)

Directory Integration

• Change SID Tab

(62)

Directory Integration

(63)

Directory Integration

• Logon Format Tab

(64)

Directory Integration

• Logon Format Tab – Changing the format of a field (via right-click context menu)

(65)

Directory Integration

(66)

Directory Integration

• Logon Format Tab – Current Format changed and display changed

(67)

Directory Integration

(68)

Active Directory Logon Name

(69)

Active Directory Attributes

(70)

Directory Integration

• Name Format Tab

(71)

Directory Integration

(72)

Active Directory Full Name

(73)

Active Directory Full Name

(74)

Active Directory Full Name

(75)

Active Directory Full Name

(76)

Directory Integration

• Windows Service Tab

(77)

Directory Integration

(78)

Directory Integration

(79)

Directory Integration

• Windows Service Tab – ADWatcher Service showing in System Services

(80)

Directory Integration

• ADWatcher Service – Set Logon Properties to user Administrator Account

(81)

Directory Integration

(82)

Directory Integration

• Windows Service – Event Log

(83)

Directory Integration

• Windows Service – Event Log

• Service executing and notifying records found for

(84)

IQ.Web Administration/Setup

All new Portal/Active Directory pages as displayed in the ‘Maintain Pages’ section of Security Setup

(85)

Portal – Identify Yourself

• Portal – Identify Yourself page

• If you have one of the People Types as mapped in the Portal Roles page, and have not been prompted for Active Directory credentials previously, you will be directed to the Portal – Identify Yourself page when you log into the IQ.Web application.

(86)

Portal – Enter Credentials

• Yes, I do have credentials

• User shall enter proper Active Directory/Network credentials per their institution

(87)

Portal – Enter Credentials

Invalid credentials entered or problem communicating with Active Directory

(88)

Portal – User Information

Data Stored in PORTALACCOUNT Table after

(89)


Questions & Answers

(90)


Thank You!

Chad Sexton

Chad.sexton@sungardhe.com

Please complete the online class evaluation form Course ID 1240

SunGard, the SunGard logo, Banner, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners.
