{"id":821,"date":"2019-08-14T15:25:05","date_gmt":"2019-08-14T10:55:05","guid":{"rendered":"https:\/\/www.enhisecure.com\/isecureblog\/?p=821"},"modified":"2020-02-24T11:40:09","modified_gmt":"2020-02-24T06:10:09","slug":"sailpoint-iiq-pass-through-authentication-using-active-directory-global-catalog","status":"publish","type":"post","link":"https:\/\/www.enhisecure.com\/isecureblog\/2019\/08\/14\/sailpoint-iiq-pass-through-authentication-using-active-directory-global-catalog\/","title":{"rendered":"SailPoint IIQ Pass Through Authentication using Active Directory &#8211; Global Catalog"},"content":{"rendered":"\n<p><strong>Purpose <\/strong>: Here, we look at <a href=\"https:\/\/www.sailpoint.com\/\">SailPoint<\/a> IIQ <a href=\"https:\/\/www.enhisecure.com\/isecureblog\/2017\/08\/10\/sailpoint-identityiq-pass-through-authentication-via-active-directory\/\">Pass-Through Authentication<\/a> when users are correlated by a custom <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/get-started\/virtual-dc\/active-directory-domain-services-overview\">Active Directory<\/a> <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/attributes\">attribute<\/a> and IIQ is pointed at a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">Global Catalog<\/a> server.<\/p>\n\n\n\n<p><strong>Quick Description :<\/strong><\/p>\n\n\n\n<p><strong>What is Pass-Through Authentication ?<\/strong><\/p>\n\n\n\n<p>With <a href=\"https:\/\/www.enhisecure.com\/isecureblog\/2017\/08\/10\/sailpoint-identityiq-pass-through-authentication-via-active-directory\/\">Pass-Through Authentication<\/a>, the user logs in to the <a href=\"https:\/\/www.sailpoint.com\/products\/identityiq\/\">IdentityIQ<\/a> application through the normal <a href=\"https:\/\/www.sailpoint.com\/products\/identityiq\/\">IdentityIQ<\/a> login page, but the system validates the user\u2019s credentials against an external source, \u201cpassing\u201d the ID and password 
\u201cthrough\u201d to the authorizing system instead of consulting <a href=\"https:\/\/www.sailpoint.com\/products\/identityiq\/\">IdentityIQ\u2019s<\/a> internal records.<\/p>\n\n\n\n<p><strong>What is a Global Catalog server ?<\/strong><\/p>\n\n\n\n<p>A <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">global catalog<\/a> server is a domain controller that holds, in addition to a full replica of its own domain, a partial read-only replica of every other domain naming context in the forest, together with the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/schema\">schema<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/administration-model\">configuration<\/a> naming contexts. Every object from the other domains is present, but with only the small set of <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/attributes\">attributes<\/a> that belong to the partial attribute set, i.e. the attributes flagged in the schema for replication to the global catalog.<\/p>\n\n\n\n<p><strong>Requirements Context :<\/strong><\/p>\n\n\n\n<p>In a multi-domain forest it is efficient to point <a href=\"https:\/\/www.sailpoint.com\/solutions\/identityiq\/\">IIQ<\/a> at the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">global catalog<\/a> (port 3268, or 3269 for LDAPS): a single search covers the whole forest, so <a href=\"https:\/\/www.sailpoint.com\/solutions\/identityiq\/\">IIQ<\/a> does not have to chase the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lightweight_Directory_Access_Protocol\">LDAP<\/a> referrals that a domain controller returns for the other domains during user login <a href=\"https:\/\/en.wikipedia.org\/wiki\/Authentication\">authentication<\/a>. 
When a custom <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/get-started\/virtual-dc\/active-directory-domain-services-overview\">Active Directory<\/a> <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/attributes\">attribute<\/a> is used for <a href=\"https:\/\/sailpointiiq.blogspot.com\/search\/label\/what%20is%20sailpoint%20iiq\">correlation<\/a> but that attribute has not been promoted to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">global catalog<\/a> partial attribute set, the global catalog search that <a href=\"https:\/\/www.sailpoint.com\/\">SailPoint<\/a> <a href=\"https:\/\/www.sailpoint.com\/products\/identityiq\/\">IIQ<\/a> performs at login finds no match for users from the other domains (a global catalog carries the full attribute set only for its own domain, so users from that domain may still log in, which makes the failure look intermittent). The user cannot be located, and <a href=\"https:\/\/www.enhisecure.com\/isecureblog\/2017\/08\/10\/sailpoint-identityiq-pass-through-authentication-via-active-directory\/\">Pass-Through Authentication<\/a> fails.<\/p>\n\n\n\n<p>To handle this, we can either<\/p>\n\n\n\n<!--more Continue Reading-->\n\n\n\n<ul class=\"wp-block-list\"><li>Remove the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">Global Catalog<\/a> configuration so that IIQ authenticates against the domain controllers directly (not recommended: in a multi-domain forest this brings back the per-domain referrals), or<\/li><li>Promote the custom <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/get-started\/virtual-dc\/active-directory-domain-services-overview\">Active Directory<\/a> attribute to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">global catalog<\/a>, i.e. add it to the partial attribute set.<\/li><\/ul>\n\n\n\n<p>To replicate the custom attribute to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">Global Catalog<\/a>, we need the <a 
href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/adschema\/active-directory-schema\">Active Directory Schema<\/a> snap-in, which is registered by running <strong><code>regsvr32 schmmgmt.dll<\/code><\/strong> from an elevated command prompt on a machine that has the AD DS management tools (a domain controller, or a workstation with RSAT). Changing the schema itself requires membership in the Schema Admins group and is written to the schema master.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.enhisecure.com\/isecureblog\/wp-content\/uploads\/2019\/06\/AD-PassThruAuth-Issue-GPOSnapIn.png\" alt=\"\" \/><\/figure>\n\n\n\n<p>Once the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/adschema\/active-directory-schema\">Active Directory Schema<\/a> snap-in is registered, add it to the Microsoft Management Console (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Microsoft_Management_Console\">MMC<\/a>). Inside the snap-in, open the properties of the custom attribute under Attributes and tick \u201cReplicate this attribute to the Global Catalog\u201d. This sets <code>isMemberOfPartialAttributeSet<\/code> to TRUE on the attribute\u2019s schema object, which is what makes every <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/desktop\/ad\/global-catalog\">Global Catalog<\/a> server replicate it.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.enhisecure.com\/isecureblog\/wp-content\/uploads\/2019\/06\/Promoting_CustomAtt_GC.png\" alt=\"\" \/><\/figure>\n\n\n\n<p>Once the change has replicated to every global catalog server, <a href=\"https:\/\/www.sailpoint.com\/\">SailPoint<\/a> <a href=\"https:\/\/www.sailpoint.com\/products\/identityiq\/\">IdentityIQ<\/a> can find the user by the custom attribute and <a href=\"https:\/\/www.enhisecure.com\/isecureblog\/2017\/08\/10\/sailpoint-identityiq-pass-through-authentication-via-active-directory\/\">Pass-Through Authentication<\/a> succeeds. Two things to check afterwards: the attribute is now readable from every global catalog in the forest, so make sure its contents are suitable for that exposure, and keep the IIQ connection on the LDAPS port (3269) so the password being passed through is not sent in the clear.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Purpose : Here, we look at the SailPoint IIQ Pass-Through Authentication with respect to custom Active Directory attribute using Global Catalog Server. Quick Description : What is Pass-Through Authentication ? In 
Pass-Through Authentication, the user logs in to the IdentityIQ application through the normal IdentityIQ login page but the system validates the user\u2019s credentials [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[40,98,97,96,11],"class_list":["post-821","post","type-post","status-publish","format-standard","hentry","category-sailpoint","tag-active-directory","tag-gc-server","tag-global-catalog","tag-pass-through-authentication","tag-sailpoint"],"_links":{"self":[{"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/posts\/821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/comments?post=821"}],"version-history":[{"count":17,"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/posts\/821\/revisions"}],"predecessor-version":[{"id":910,"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/posts\/821\/revisions\/910"}],"wp:attachment":[{"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/media?parent=821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/categories?post=821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.enhisecure.com\/isecureblog\/wp-json\/wp\/v2\/tags?post=821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
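The procedure the post describes (check whether the custom attribute is in the global catalog partial attribute set, promote it, then confirm that a global catalog lookup followed by a bind works for the user) as an added PowerShell example. This is not code from the original post, from SailPoint or from Microsoft; it reproduces by hand the search-then-bind that pass-through authentication relies on, so the fix can be verified independently of IIQ. The attribute name `empAuthId`, the global catalog host `gc01.corp.example` and the test user are assumptions; the script needs the ActiveDirectory RSAT module, must be run by an account that can read the schema, and the `-Promote` step additionally requires Schema Admins membership.

```powershell
# Added example, not from the original post or from SailPoint.
# 1. Read the attribute's isMemberOfPartialAttributeSet flag in the schema.
# 2. With -Promote, set it (the same thing the Schema snap-in checkbox does).
# 3. Do what IIQ pass-through auth does: search the global catalog by the custom
#    attribute, then bind as the matched user with the password typed at login.
# Hypothetical names: attribute empAuthId, GC host gc01.corp.example.
param(
    [string]$AttributeName = 'empAuthId',
    [string]$GlobalCatalog = 'gc01.corp.example',
    [switch]$Promote
)

Import-Module ActiveDirectory -ErrorAction Stop
Add-Type -AssemblyName System.DirectoryServices.Protocols

# --- 1. locate the attributeSchema object and read the PAS flag ---------------
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$filter   = '(&(objectClass=attributeSchema)(lDAPDisplayName={0}))' -f $AttributeName
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter $filter `
            -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
if (-not $attr) { throw ('Attribute {0} not found in the schema' -f $AttributeName) }

$inGc = [bool]$attr.isMemberOfPartialAttributeSet
Write-Host ('{0}: isMemberOfPartialAttributeSet = {1}' -f $AttributeName, $inGc)

# --- 2. promote to the global catalog if asked --------------------------------
if (-not $inGc) {
    if ($Promote) {
        # Schema writes must go to the schema master (Schema Admins required).
        $schemaMaster = (Get-ADForest).SchemaMaster
        Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
            -Replace @{ isMemberOfPartialAttributeSet = $true }
        Write-Host 'Promoted. Wait for replication to every GC before testing logins.'
    } else {
        Write-Warning 'Attribute is not in the GC partial attribute set: a GC search on it matches only users of the GC''s own domain. Re-run with -Promote.'
    }
}

# --- 3. simulate IIQ pass-through authentication against the GC ---------------
function Test-GcPassThrough {
    param([string]$LoginId, [securestring]$Password)

    # 3269 = global catalog over TLS. Plain 3268 would carry the simple bind
    # (and therefore the user's password) in the clear.
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($GlobalCatalog, 3269)

    # Lookup connection: runs as the current (service) account.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()

        # Escape RFC 4515 filter metacharacters in the value typed by the user,
        # so a login id such as  *)(objectClass=*  cannot widen the search.
        $escaped = [System.Text.RegularExpressions.Regex]::Replace($LoginId, '[\\*()\x00]',
                       { param($m) '\{0:x2}' -f [int][char]$m.Value })

        # Empty base on a GC port = one subtree search over the whole forest,
        # which is exactly why no referrals have to be followed.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                   '', ('({0}={1})' -f $AttributeName, $escaped),
                   [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                   [string[]]@('distinguishedName'))
        $res = $conn.SendRequest($req)

        if ($res.Entries.Count -ne 1) {
            # 0 here for a user from another domain is the symptom the post describes.
            return [pscustomobject]@{ LoginId = $LoginId; Matched = $res.Entries.Count
                                      Authenticated = $false; Reason = 'no unique match in GC' }
        }
        $dn = $res.Entries[0].DistinguishedName

        # The pass-through step: simple bind as the matched DN with the user's password.
        $userConn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $userConn.SessionOptions.SecureSocketLayer = $true
        $userConn.SessionOptions.ProtocolVersion   = 3
        $userConn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $plain = [System.Net.NetworkCredential]::new('', $Password).Password
        try {
            $userConn.Bind([System.Net.NetworkCredential]::new($dn, $plain))
            $ok = $true;  $why = 'bind ok'
        } catch [System.DirectoryServices.Protocols.LdapException] {
            $ok = $false; $why = $_.Exception.Message     # e.g. invalid credentials (49)
        } finally { $userConn.Dispose() }

        [pscustomobject]@{ LoginId = $LoginId; Matched = 1; Dn = $dn
                           Authenticated = $ok; Reason = $why }
    } finally { $conn.Dispose() }
}

# Usage: the value the user types on the IIQ login page, plus their password.
$cred = Get-Credential -Message 'User to test pass-through authentication for'
Test-GcPassThrough -LoginId $cred.UserName -Password $cred.Password | Format-List
```

Run it first without `-Promote` to see the current flag. If a user from another domain comes back with `Matched = 0` while a user from the global catalog server's own domain authenticates, that is the symptom the post describes, and re-running with `-Promote` (then waiting for replication) should turn the first result into `Authenticated = True`. The filter escaping is there because the login id is attacker-controlled input that ends up inside an LDAP filter; IIQ's connector does its own escaping, but anything you write to reproduce the flow must too.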