The Keyfactor Windows Enrollment
Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). Gateway provides the option to synchronize Active Directory user and group accounts from the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. to the managed forest. When you configure this option, shadow accounts are created in the managed forest for each user and group configured for synchronization (including users within these groups). These shadow accounts can be used to grant access to resources in the managed forest. They are often used in conjunction with federated single sign-on to provide SSO to the hosted instance of Keyfactor Command.
There are three configuration options related to account synchronization:
-
Account Sync Interval
The number of minutes between each account synchronization attempt.
-
Groups To Sync
The Active Directory groups in the local forest that should be synchronized, along with the user members in the groups, to the managed forest. Multiple groups should be separated by commas. The Select and Validate buttons may be used to browse for and validate entered data.
Important: Active Directory groups selected for synchronization should not be renamed. Any groups that are renamed will not continue to synchronize. -
AD Search Base
Limit the search for groups to synchronize to only those found in the specified location in the Active Directory tree (a single OU and any OUs under it, for example). The value should be entered in DN
A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN. syntax (e.g. ou=Groups,dc=keyexample,dc=com). This setting is optional. If this field is left blank, the entire Active Directory tree will be searched for the groups entered in the Groups To Sync field.Note: Although the AD Search Base option limits the search to groups found within the specified location, all users in these groups, regardless of their location in Active Directory, will be synchronized.
