.. _sso-ad:

AD Domain Login
===============

Genian NAC can perform alternative authentication against Active Directory using Windows or macOS agents.

To use alternative authentication via AD, you must first enable it in the node policy:

#. Go to **Policy** in the top menu.
#. Go to **Node Policy** in the left Policy menu.
#. Click the name of the policy you want to activate.

In **Authentication Policy**, do the following:

#. In **Single Sign-On Method**, select **Active Directory**.
#. Enter the **AD Allowed Domain Name**.
#. Click the **Update** button.

Agent-based AD Alternative Authentication Settings
--------------------------------------------------

- Install the agent. (:doc:`/install/installing-agent`)
- The account used to run and install the agent must be a domain administrator account or an account with installation privileges. If the agent is installed under a local account, SSO will not work.

.. _sso-agentless:

Agentless AD Alternative Authentication Settings
------------------------------------------------

- With the settings below, alternative authentication can be used even on nodes that do not have the Agent installed.
- Agentless SSO is performed via WMI queries to the domain controller (all nodes authenticated in the domain are supported).
- The Network Sensor performs alternative authentication by comparing the domain login event logs from the AD server with the hostname/domain name of the endpoint that the Network Sensor detected via NetBIOS. The Network Sensor must therefore be able to communicate freely with the endpoint's NetBIOS, remote WMI, etc.

#. Go to **Preferences** in the top menu.
#. In the left settings menu, go to **User Authentication > Authentication Integration > AD Single Sign-On**.

Complete the **AD Single Sign-On** settings by entering the following items:

#. **Server Connection Sensor**: Select the sensor that connects to the AD server. (If 'None' is selected, the connection is made from the Policy Server.)
#. **Server Address**: Enter the address/domain of the server system used for AD Single Sign-On. If the node is joined to this domain, the node's user information is replaced with the authentication information.
#. **User ID**: Enter the user ID of the AD server account used for event log monitoring.
#. **Password**: Enter the password of the AD server account used for event log monitoring.
#. **Use Secondary AD**: Select whether to use a Secondary AD.
#. Click the **Update** button.

**AD Configuration**

#. Confirm that the entered AD user account is a member of the following groups:

   - Distributed COM Users
   - Event Log Readers
   - Domain Users

- AD configuration

#. Run ``wmimgmt.msc`` from the command prompt.
#. In the Security tab of WMI Control Properties, select the CIMV2 folder.
#. Click Security, then Add, and select the user account configured in NAC.
#. Set 'Account Usage' and 'Remote Access' to Allow.
#. Click the OK button to complete the settings.

**How to Check Endpoint's AD Domain Join Status**

1. Checking from the AD server

   - On the AD server, run **Control Panel > Administrative Tools > Active Directory Users and Computers**.
   - Click **Domain > Computers** to see the list of joined computers on the right.

2. Checking from the client endpoint

   - In the client endpoint's CMD, check whether ``ping [AD Domain]`` resolves to a valid IP.

Genian NAC performs SSO for agentless endpoints via WMI queries. Refer to the following link to configure WMI:

.. toctree::
   :maxdepth: 1

   ms-wmi

- Refer to the Agentless-related items in :ref:`faq`.

.. note::

   Detailed operation method: GN-19274
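The following PowerShell script is an added example, not part of Genian NAC or its documentation; it checks the agentless SSO prerequisites described above (group membership of the monitoring account, DCOM reachability of the domain controller, remote WMI access to CIMV2, and readability of the Security log) before the account is entered in NAC. The domain controller name ``dc01.example.local`` and the account name ``nac-sso-svc`` are placeholders; the script assumes the ActiveDirectory module is available and that successful-logon events (Security event ID 4624) are a reasonable proxy for the "domain login event logs" the page mentions, since the page does not state which event IDs the product reads.

```powershell
# Added validation script (not Genian NAC code). Run from a domain-joined
# admin workstation with the ActiveDirectory PowerShell module installed.
# $DomainController and $SsoAccount are placeholders; replace with your own.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder
    [string]$SsoAccount       = 'nac-sso-svc'           # placeholder
)

# 1. Group membership: the page requires all three of these groups.
$required = @('Distributed COM Users', 'Event Log Readers', 'Domain Users')
$actual   = Get-ADPrincipalGroupMembership -Identity $SsoAccount |
            Select-Object -ExpandProperty Name
foreach ($g in $required) {
    if ($actual -contains $g) { Write-Host "[OK]   member of '$g'" }
    else                      { Write-Warning "missing group '$g'" }
}

# 2. DCOM reachability: remote WMI starts at the RPC endpoint mapper (TCP 135).
$rpc = Test-NetConnection -ComputerName $DomainController -Port 135
if (-not $rpc.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $DomainController is blocked; remote WMI will fail"
}

# 3. Remote WMI as the SSO account over DCOM, the same path the sensor uses.
#    A failure here usually means the CIMV2 namespace rights set in wmimgmt.msc
#    (labelled Enable Account / Remote Enable in the English UI) are missing.
$cred = Get-Credential -UserName $SsoAccount -Message 'NAC SSO account password'
$opt  = New-CimSessionOption -Protocol Dcom
$cim  = New-CimSession -ComputerName $DomainController -Credential $cred -SessionOption $opt

# 4. Security log readability: reading logon events requires Event Log Readers.
#    Event ID 4624 (successful logon) is used as a representative check only.
$events = Get-CimInstance -CimSession $cim -ClassName Win32_NTLogEvent `
              -Filter "Logfile='Security' AND EventCode=4624" |
          Select-Object -First 5 TimeGenerated, ComputerName, Message
if ($events) {
    Write-Host "[OK]   read $(@($events).Count) logon event(s) via remote WMI"
} else {
    Write-Warning 'no logon events readable; check Event Log Readers and CIMV2 rights'
}

Remove-CimSession $cim
```

Every check that prints a warning maps to one of the configuration steps above, so the output tells you which step to revisit before troubleshooting the sensor itself.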