The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premises or off-premises AD. As covered in Get Started: Active Directory Integration, the ADI uses two agents, an Import Agent and a Sync Agent, that can be installed in three (3) configurations based on where you want to manage users, groups, and passwords:
This article provides a step-by-step guide for configuring ADI to manage users, security groups, and passwords in AD, JumpCloud, or both. This configuration provides the greatest flexibility: it allows AD and JumpCloud to manage user credentials and attributes together in a full two-way sync, so users can change their passwords in either AD or JumpCloud. It also supports a hybrid approach where specific information is managed in one system and other information is managed in the other. This configuration supports:
To sync passwords from AD to JumpCloud, the import agent must be installed on all DCs.
To explore the use cases and benefits of this configuration, see Manage users and passwords in either system, or both in the Configure Active Directory Integration (ADI) help center article.
To learn more about the general user identity workflow and the expected behavior for any user, group, and password change after the AD Import and AD Sync agents have been configured, read Use and Manage the Active Directory Integration (ADI).
The main steps you will take to install and configure AD for bi-directional use are:

Import Agent
When upgrading from AD import agent v2.6.0 or lower, you must select Install New Agent from the Downloads dropdown menu on the ADI Details page to get the connect key, which is required to complete the upgrade of the agent on the AD server.
Sync Agent

The delegated authentication functionality is specific to the ADI AD import agent. Review ADI: Use AD Delegated Authentication for specific considerations and more information about delegated authentication to AD.

When the delegated authentication setting, Delegated Password Validation, is enabled and Pending for the ADI configuration, and the user's Delegated Authority is Active Directory, the user will not be able to log in. An AD import agent, version 3.0 or higher, must be installed and active to change the status of Delegated Password Validation from Pending to Active.
When upgrading the AD import agent to version 3.0, existing users connected to the domain will not have their login delegated to AD unless the Delegated Authority is manually set to Active Directory for those existing users.

All installed agents should be the same version to avoid unexpected behavior, or the potential for users not being able to log in if the primary agent is switched.

You must reboot the servers after the AD Import Agent installation.

You DO NOT need to reboot the servers after the AD Sync Agent installation.

In multi-domain environments, the security group must have a unique name within each domain (e.g., “JumpCloud (mydomain1)” and “JumpCloud (mydomain2)”).
The following are considerations only if you choose to install the ADI agents on member servers:

Import Agent

Sync Agent

The following are considerations only if you choose to install the agents on DCs:

Import Agent

Sync Agent
If the JumpCloud Administrator Account associated with the import is deleted or the API key is rotated, the import will stop working. All imports will fail until a valid API key is generated and updated in the registry on the AD servers.

Users will not be able to log in to the JumpCloud User Portal or SSO apps if the JumpCloud AD import agent is installed on member servers, the user's Password Authority is set to Active Directory, and the user's Delegated Authority is set to None.
Sync from AD to JumpCloud

Export and sync from JumpCloud to AD

Regular

The user attributes that sync from AD to JumpCloud and from JumpCloud to AD are:

If the SyncAdditionalAttributes setting is true in the jcadimportagent.config.json file, the following attributes are also synced from AD to JumpCloud:
These attributes become read-only (restrictedFields) in JumpCloud when a user's Password Authority is set to Active Directory. The Password Authority setting can be changed for a specific user directly from their User Details page, or for multiple users from Users > More Actions > Set External Password Authority.
Before installing the AD import and AD sync agents, we recommend completing each of the following checklist items.
API tokens are specific to each Admin account. Create a separate, dedicated account for this integration so that deleting an Admin account cannot break the ADI connectivity to your JumpCloud organization.

We strongly recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents connect to secures any sensitive information exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.
Prepare for the agent installations in AD by determining the Root User Container.

The AD Domain and Root User container DN must be the same for both the AD import agent and the AD sync agent.
The JumpCloud AD Import agent is designed to integrate with AD's default ‘Users’ container (CN=Users), which is pre-populated in the AD Users and Computers (ADUC) interface and labeled “Users”, as shown in the following image. (This is a default domain with no custom containers. In this use case the Root Container is CN=Users;DC=example;DC=com.)

The import agent installation wizard assumes that this is the Root User container and uses this path in your AD Import agent configuration file. During installation, you're prompted for the domain components (DC) used in your AD Domain (i.e., DC=example;DC=com). The installation wizard uses this base-level domain information to construct the following Root User container DN (Distinguished Name).
EXAMPLE: CN=Users;DC=example;DC=com
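Because the import and sync agents must agree on the AD Domain and Root User container DN, and because the wizard derives that DN from the domain components you enter, it is worth checking both configuration files before a first sync. The following script is an added example and is not JumpCloud's code: it builds the default DN from a domain name the way the page describes, normalizes DNs so that separator (';' or ','), whitespace and case differences do not hide or fake a mismatch, and verifies that the SyncAdditionalAttributes flag is a real JSON boolean. The file name jcadimportagent.config.json and the SyncAdditionalAttributes key come from the page; the keys "Domain" and "RootUserContainerDN", the sync agent's file name and the sample contents are hypothetical stand-ins, since the real key names are not on the page. The check generalizes slightly beyond the page's single example: it accepts multi-label domains and both DN separators.

```python
"""Consistency check for the two JumpCloud ADI agent configuration files.

Added example, not JumpCloud's own code. Assumptions (labelled):
- jcadimportagent.config.json and its SyncAdditionalAttributes key are named on
  the page; the sync agent file name and all other key names are HYPOTHETICAL.
- "Domain" and "RootUserContainerDN" stand in for whatever keys the real agents
  use for the AD domain and the Root User container.
"""
import json
import re

# Constructed sample configs, standing in for the two agents' JSON files.
SAMPLE_IMPORT_CONFIG = """{
  "Domain": "example.com",
  "RootUserContainerDN": "CN=Users;DC=example;DC=com",
  "SyncAdditionalAttributes": true
}"""
SAMPLE_SYNC_CONFIG = """{
  "Domain": "EXAMPLE.COM",
  "RootUserContainerDN": "cn=users,dc=example,dc=com"
}"""


def domain_dc_components(domain: str) -> list:
    """'example.com' -> ['DC=example', 'DC=com'], the base-level domain info the wizard asks for."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ["DC=" + label for label in labels]


def default_root_user_container(domain: str) -> str:
    """Build the DN the installer derives for the default Users container, with the page's ';' separator."""
    return ";".join(["CN=Users"] + domain_dc_components(domain))


def normalize_dn(dn: str) -> tuple:
    """Canonical form of a DN: split on ';' or ',', trim whitespace, fold case (AD compares DNs case-insensitively)."""
    rdns = []
    for part in re.split(r"[;,]", dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().lower()))
    if not rdns:
        raise ValueError("empty DN")
    return tuple(rdns)


def check_agent_configs(import_cfg: dict, sync_cfg: dict) -> list:
    """Return human-readable problems; an empty list means the two agents agree."""
    problems = []
    for name, cfg in (("import", import_cfg), ("sync", sync_cfg)):
        for key in ("Domain", "RootUserContainerDN"):  # hypothetical key names
            if key not in cfg:
                problems.append("%s agent config is missing %s" % (name, key))
    if problems:
        return problems

    if import_cfg["Domain"].strip().lower() != sync_cfg["Domain"].strip().lower():
        problems.append("AD Domain differs between the import and sync agents")

    import_dn = normalize_dn(import_cfg["RootUserContainerDN"])
    sync_dn = normalize_dn(sync_cfg["RootUserContainerDN"])
    if import_dn != sync_dn:
        problems.append("Root User container DN differs between the import and sync agents")

    # The container must sit under the DC components of the configured domain.
    expected_suffix = normalize_dn(";".join(domain_dc_components(import_cfg["Domain"])))
    if import_dn[-len(expected_suffix):] != expected_suffix:
        problems.append("import agent Root User container DN is not under the configured domain")

    # A quoted "true" is a string, not the boolean the page's setting expects.
    flag = import_cfg.get("SyncAdditionalAttributes", False)
    if not isinstance(flag, bool):
        problems.append("SyncAdditionalAttributes must be a JSON boolean (true/false)")
    return problems


def check_sample_configs() -> list:
    """Run the check over the constructed samples above."""
    return check_agent_configs(json.loads(SAMPLE_IMPORT_CONFIG),
                               json.loads(SAMPLE_SYNC_CONFIG))


if __name__ == "__main__":
    print(default_root_user_container("example.com"))
    print(check_sample_configs() or "import and sync agent configs are consistent")
```

To use it against real files, replace the two sample strings with the contents of each agent's configuration file and adjust the key names to the ones the agents actually use; any non-empty list returned by check_agent_configs is a reason to fix the configuration before installing the second agent.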