Create or Identify Accounts for Synchronization (Optional)

The Keyfactor Cloud Gateway provides the option to synchronize Active Directory user and group accounts from the local forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. to the managed forest. When you configure this option, shadow accounts are created in the managed forest for each user and group configured for synchronization (including users within these groups). These shadow accounts can be used to grant access to resources in the managed forest. They are often used in conjunction with federated single sign-on to provide SSO to the hosted instance of Keyfactor Command.

Important: The passwords for the accounts are not replicated to the managed forest.

There are three configuration options related to account synchronization:

Account Sync Interval

The number of minutes between each account synchronization attempt.
Groups To Sync

The Active Directory groups in the local forest that should be synchronized, along with the user members in the groups, to the managed forest. Multiple groups should be separated by commas. The Select and Validate buttons may be used to browse for and validate entered data.

Important: Active Directory groups selected for synchronization should not be renamed. Any groups that are renamed will not continue to synchronize.
AD Search Base

Limit the search for groups to synchronize to only those found in the specified location in the Active Directory tree (a single OU and any OUs under it, for example). The value should be entered in DN A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN. syntax (e.g. ou=Groups,dc=keyexample,dc=com). This setting is optional. If this field is left blank, the entire Active Directory tree will be searched for the groups entered in the Groups To Sync field.

Note: Although the AD Search Base option limits the search to groups found within the specified location, all users in these groups, regardless of their location in Active Directory, will be synchronized.

Figure 691: Configure Account Synchronization

Important: The account synchronization function requires installation of the Active Directory module for Windows PowerShell, one of the options within the Remote Server Administration Tools Windows feature (see Add Remote Server Administration Tools). If you're using clustering, this must be installed on each node in the cluster.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: