Configuring Active Directory Authentication
You can configure EzyTime to authenticate requester logins against Active Directory (AD). The advantage is that users do not have to remember too many passwords. Once AD authentication is configured, any password change made in AD also applies to EzyTime, so requesters can log in using the login name and password of the system.
EzyTime Active Directory integration concepts:
EzyTime supports two types of Active Directory authentication.
- The first option is automated: a user is automatically added as an employee in EzyTime if that user is a member of the corresponding mapped group in Active Directory.
- Using role management in the admin options, you can map EzyTime roles to Active Directory groups. A user is automatically assigned a role in EzyTime if he is a member of the corresponding group in Active Directory.
- For example, if an employee is a member of the EzyTimeUser group in [Active Directory], he is automatically added as an employee in EzyTime on first login, with the [User] role in EzyTime.
- By default, EzyTime comes with two EzyTime roles and their corresponding Active Directory group mappings. You can define your own AD group on the EzyTime Roles management page.
- AD Group [EzyTimeAdministrator] --> maps to the EzyTime [Administrator] role.
- AD Group [EzyTimeUser] --> maps to the EzyTime [User] role.
The second option is to add all your employees manually in EzyTime. The administrator can define the Active Directory username of each employee when creating the employee. Once employees have been added with their Active Directory usernames, they can log in to EzyTime using their Active Directory username and password.
Step by step: Active Directory integration:
EzyTime Active Directory integration requires setup in two places: one in Active Directory, and the second in the server parameters on the system configuration pages.
Step 1: Changes required in Active Directory:
These are the steps that must be performed on the Active Directory side.
- The IT administrator should first decide exactly which Active Directory username will act as the EzyTime Administrator. This help section assumes an AD user with the username [EzyTimeIT].
- Create a new [EzyTime Service User]. EzyTime APIs will use this username and password to communicate with Active Directory. Create the service user with the name "EzyTimeserviceuser".
- Define a password for the "EzyTime Service User" and make sure that [Password never expires] is checked and [User must change password at next logon] is unchecked.
- Create a new security group [EzyTimeAdministrator] in Active Directory.
- Now add the user that you want to act as EzyTime Administrator to the [EzyTimeAdministrator] group. This user will become [Administrator] in EzyTime. Make sure that the [First Name], [Last Name] and [EmailAddress] fields are filled in for this user in Active Directory.
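The Step 1 changes can also be scripted and verified. The following PowerShell is an added example, not part of EzyTime or its documentation. It assumes the ActiveDirectory module (RSAT) is installed, that the [EzyTimeIT] user already exists, and a Global group scope, which this page does not specify.

```powershell
# Added example (not EzyTime code): apply and verify the Step 1 changes.
Import-Module ActiveDirectory

$ServiceUser = 'EzyTimeserviceuser'    # service user name from Step 1
$AdminGroup  = 'EzyTimeAdministrator'  # security group from Step 1
$AdminUser   = 'EzyTimeIT'             # AD user assumed by this help section

# Create the service user if it does not exist yet. Name and SamAccountName
# are identical, so the pre-Windows 2000 name matches the actual user name.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceUser'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $ServiceUser"
    New-ADUser -Name $ServiceUser -SamAccountName $ServiceUser `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -Description 'EzyTime Service User'
}

# Create the security group if it is missing (Global scope is an assumption).
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$AdminGroup'")) {
    New-ADGroup -Name $AdminGroup -SamAccountName $AdminGroup `
        -GroupCategory Security -GroupScope Global
}

# Add the chosen administrator to the group unless already a member.
$members = Get-ADGroupMember -Identity $AdminGroup |
    Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $AdminUser) {
    Add-ADGroupMember -Identity $AdminGroup -Members $AdminUser
}

# Verify the settings Step 1 asks for.
$problems = @()
$svc = Get-ADUser -Identity $ServiceUser -Properties PasswordNeverExpires, pwdLastSet
if (-not $svc.PasswordNeverExpires) { $problems += '[Password never expires] is not checked' }
if ($svc.pwdLastSet -eq 0) { $problems += '[User must change password at next logon] is still checked' }

$adm = Get-ADUser -Identity $AdminUser -Properties GivenName, Surname, EmailAddress
foreach ($attr in 'GivenName', 'Surname', 'EmailAddress') {
    if ([string]::IsNullOrWhiteSpace($adm.$attr)) { $problems += "$AdminUser has no $attr" }
}

# The service password never expires, so list the account's groups for review.
"Service user groups: " + ((Get-ADPrincipalGroupMembership -Identity $ServiceUser).Name -join ', ')
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'AD-side checks passed.' }
```

Because the service user's password never expires, the printed group list is worth checking: the account should hold no memberships beyond what it needs to be read by EzyTime.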
Step 2: Changes required in EzyTime:
- On first execution, after database setup, EzyTime opens the [Account Add] page, where the user can enter organization and administrator user information. Do not fill in this form if you are going to set up [Active Directory] integration.
- Open the [System Configuration] page (http://timesheet.VOZYE.com/home/systemsetting.aspx), where you can define system-level parameters such as Active Directory integration, the database connection string and the SMTP server.
[More about system setting page]
- Select the [Active Directory Authentication] checkbox to set your authentication mode to Active Directory.
- Enter "LDAP://YourServerName" in [Active Directory Connection String]. Replace YourServerName with the physical server name where Active Directory is installed. Please see the screenshots below to get an exact idea of which value appears where.
- Enter the domain name in the [Active Directory Domain Name] field. The domain name should be the pre-Windows 2000 server name instead of the actual domain name.
- Enter your [EzyTime Service User] username in the [Active Directory Username] field. The username must be in exactly the same case as in Active Directory. Make sure that your (pre-Windows 2000) username and your actual user name are the same.
- Enter the [EzyTime Service User] user's password in the [Active Directory Password] field.
- Click [Update] to save these changes.
- After the update, EzyTime opens the new account add page.
- Enter your organization information in the top portion.
- Enter the [EzyTime Administrator username] that you earlier added to the [EzyTimeAdministrator] group in Active Directory. EzyTime will automatically populate FirstName, LastName and email address from Active Directory.
- Enter the Active Directory password of the [EzyTime Administrator user] and verify it. This must be the Active Directory password of the EzyTime administrator user.
- Enter First Name, Middle Name and Last Name.
- Click [Signup] to complete the Active Directory integration steps.
- This administrator can now sign in to EzyTime using his [EzyTime Admin] (EzyTimeIT in the above case) Active Directory username and password.
- The administrator can now add other employees using the [Administration]-->[Employees] option by specifying the AD user name in the [User name] field.
- A new employee is added automatically if they are a member of an AD group whose mapping is defined with EzyTime roles.
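Before entering the connection string, domain name and service user on the [System Configuration] page, the same values can be tested from a Windows host. This PowerShell is an added example, not EzyTime code. YourServerName and YOURDOMAIN are placeholders, and the script assumes EzyTime binds like a standard .NET directory client, which this page does not confirm.

```powershell
# Added example (not EzyTime code): test the Step 2 values before saving them.
Add-Type -AssemblyName System.DirectoryServices

$ConnectionString = 'LDAP://YourServerName'  # placeholder from this page
$DomainName  = 'YOURDOMAIN'                  # placeholder for [Active Directory Domain Name]
$ServiceUser = 'EzyTimeserviceuser'          # value for [Active Directory Username]
$AdminUser   = 'EzyTimeIT'                   # administrator assumed by this help section
$AdminGroup  = 'EzyTimeAdministrator'

$secure = Read-Host -AsSecureString -Prompt "Password for $ServiceUser"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# AuthenticationTypes.Secure negotiates Kerberos/NTLM, so the password is not
# sent as a clear-text simple bind over the LDAP:// connection.
$entry = [System.DirectoryServices.DirectoryEntry]::new(
    $ConnectionString, "$DomainName\$ServiceUser", $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try {
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($entry)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$AdminUser))"
    foreach ($p in 'givenname', 'sn', 'mail', 'memberof') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $hit = $searcher.FindOne()   # the bind happens here; wrong values throw
    if (-not $hit) { throw "Bind succeeded, but user '$AdminUser' was not found." }

    # These are the attributes EzyTime populates on the account add page.
    foreach ($p in 'givenname', 'sn', 'mail') {
        $value = @($hit.Properties[$p])[0]
        if ([string]::IsNullOrWhiteSpace($value)) {
            Write-Warning "$AdminUser has no '$p' value in AD."
        } else {
            '{0,-10} {1}' -f $p, $value
        }
    }

    # memberOf lists direct group memberships only.
    if (-not (@($hit.Properties['memberof']) -match "^CN=$AdminGroup,")) {
        Write-Warning "$AdminUser is not a direct member of $AdminGroup."
    }
}
catch   { Write-Warning "Check failed: $($_.Exception.Message)" }
finally { $entry.Dispose(); Remove-Variable plain }
```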
Note: Migrating from standard authentication to Active Directory authentication:
- If Active Directory is being set up to switch from an already configured standard authentication to Active Directory authentication, the system redirects directly to the login page instead of the account add page. The administrator can log in with the EzyTime admin user created using the instructions above.
- Make sure that the email address of the EzyTime Administrator user is not already assigned to some other user.
- This administrator can now log in to EzyTime using his [EzyTime Admin] (EzyTimeIT in the above case) Active Directory username and password.
- After login, the administrator should edit every employee already defined in EzyTime and change the value of the "username" field from their email address to their Active Directory login id.
- Once the Active Directory login id is in the username field of the employee form, the employee can log in using their Active Directory username and Active Directory password, with the data they already have in EzyTime.