Managing connections to directory servers

Manage connections to the Active Directory domains to which you want to enable access.

Before you begin

Active Directory considerations

  • Active Directory referrals are not supported. You must create a connection for each domain that you want to synchronize.
  • You can create a connection to a Global Catalog server to synchronize an entire Active Directory forest. To ensure accurate results, you must create a connection to every domain within each Active Directory forest.
  • Domain resolution is also possible. However, all Domain Controllers that the domain resolves to must share a valid certificate. For LDAPS certificate requirements, see Microsoft: Requirements for an LDAPS certificate. If the domain resolves to a Domain Controller (DC) that has a certificate with a fingerprint that does not match the fingerprint returned by the DC that the domain resolved to when the domain configuration was saved, the connection fails.
  • If you are using the service synchronization type, you must submit a Tanium Cloud proxy request to allow communication between your Active Directory (either on-premises or Azure) and the Tanium Cloud server. For more information, see Tanium Cloud User Guide: Proxy access.

Active Directory user account

When you add a domain, you specify the Active Directory user account. This user should have limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Directory Query has access to read attribute data from Active Directory:

  • Member of the Domain Users group
  • Permission to read the objectSID attribute from the domain object in the configured domains
  • Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
  • Permission to Read members on all groups in the configured domains
  • (Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.

Add a domain

Add a domain for each Active Directory domain to which you want to enable access.

  1. From the Main menu, go to Administration > Directory Query to open the Directory Query Overview page.
  2. Click New Domain.
  3. Specify the settings for the connection to the domain:

    1. Name: Specify a unique value that easily identifies the connection. For example: myDomainA.com.
    2. Satellite: If you are using satellite synchronization, select the satellite to use for this domain. The satellite should be in the domain. To select an endpoint not included in the list, add the endpoint as a satellite in Direct Connect. For more information, see Tanium Direct Connect User Guide: Managing satellites.

      The default selection is Sync from the Tanium Module Server. To use service synchronization, do not select a satellite.

    3. LDAP Server: Specify the LDAP connection string for the domain controller. For example: dc.domain.com/ or 10.0.0.5.

      Port: Specify the port to use when Tanium Cloud connects to the Active Directory server. The default port is 636.

      Use TLS is selected by default. TLS requires certificates on your domain controller. TLS is required for satellite synchronization.

      Disabling TLS sends data over the network in plain text. Always use TLS unless you are working in a lab or test environment with test data.

    4. Certificate: If you are using LDAPS, verify the details of the host certificate before you provide the credentials.

      For LDAPS certificate requirements, see Microsoft: Requirements for an LDAPS certificate. The same requirements apply to certificates issued by an internal certificate authority (CA). Because Directory Query uses a trust on first use authentication method, intermediate certificates are not required.

    5. Username: Specify the user name to use when connecting to the domain controller.

      The user name can be in DOMAIN\User format or UPN format ([email protected]). UPN format works only for user accounts that have the UPN attribute populated.

      Use an account with read-only permissions to the domain controller. For detailed requirements for this user, see Active Directory user account.

    6. Password: Provide the password for the user.

  4. Click Validate to verify that the information entered is valid.
  5. After you validate the credentials, click Save.

Work with domains

View domains

  1. From the Directory Query Overview page, go to the Domains section.
  2. View the domains. The table contains the details that were specified when adding the domain and the time it was last updated.

Manage domains

To edit a domain, click Edit and then save your changes.

To delete a domain click Delete and then confirm your action.