Renewal notice

We have renewed the HDE One Help Center and the status dashboard that shows the current operating status of the HDE One service.

We apologise for the inconvenience, but customers who have bookmarked the link to the old status dashboard are asked to update it.

[Help Center]
https://support.hdeone.com/hc/ja

[Status Dashboard]
https://support.hdeone.com/hc/ja/articles/115007973667

Note that user registration is not required for the new Help Center.
The old Help Center is scheduled to be closed in September 2017.

HDE Access Control : HDE One Directory Sync (Office 365 with Windows Active Directory)

This guide explains how to install the HDE One Directory Sync (Office 365 with Windows Active Directory) correctly and confirm that it is working before proceeding to the Single Sign-on setup. It contains the following parts:

  1. Overview of HDE One Directory Sync (Windows Active Directory)
  2. Prerequisites of setting up HDE One Directory Sync
  3. Password Sync
  4. Editing the configuration file (config.ini)
  5. Testing the synchronisation
  6. Configuring the automation

(1) Overview of HDE One Directory Sync (Windows Active Directory)

HDE One Directory Sync is an account information synchronization tool that links the HDE Access Control Service (HAC) with Windows Active Directory. The synchronization is one-way: when you create, delete or change an item in the source (Active Directory), the change is reflected in the destination (HDE Access Control).

*Note
- For the Microsoft DirSync tool, please contact Microsoft.

HDE One Directory Sync and Microsoft Azure Active Directory Sync each synchronize part of the information held in Active Directory. (HDE One Directory Sync is one-way, from Active Directory to HDE Access Control.)
The correlation table of synced information between AD/HAC/O365 is shown below:


*Note:
- Items in the red box MUST be the same value.

- Office365 Id is used as the login Id for rich clients such as Outlook. HDE One is case sensitive.
- Username is used as the login Id for web browsers. HDE One is case sensitive.
- After the Active Directory setup described below, each user has to change his or her password before the first login (the password is only synchronised when it is changed; see section 3).

(2) Prerequisites of setting up HDE One Directory Sync 

(A) A Windows Active Directory that is:

1) Set up with the Microsoft ID management component (unixUserPassword) for Unix.
Please refer to this article:
How do I set up Microsoft ID management component (unixUserPassword) for Unix?

(B) A Windows machine that is:

1) Joined to the domain managed by Active Directory, or is itself the Active Directory Domain Controller (Windows Server 2008 R2 64-bit or above)

2) Installed with PowerShell ver. 3.0 or above.

3) HDE One Directory Sync module:
To download this module, please contact our support team.

4) Create the directory "C:\HDEOne" and place the following four Password Sync modules into it:

- Assign-HDEOnePasswordSyncGroup.bat
- Check-SyncUser.ps1
- Set-ADUnixAttributes.ps1
- Set-SecurityGroupMember.ps1

To download these modules, please contact our support team.

5) Installed with Active Directory Module (PowerShell ver. 3.0 Cmdlet to manage existing Active Directory)

To install Active Directory Module (Example for Windows Server 2012 R2):

(i) [Server Manager] > [Manage] > [Add Roles and Features] > [Features] > Select and Install [Windows PowerShell 4.0]

(ii) Check that Active Directory Web Services is running on the Active Directory Domain Controller:

- [Start] > [Administrative Tools] > [Services]: check that the status is Started and the startup type is Automatic.

- If Active Directory Web Services is not installed, refer to the steps below and add the service so that it is Started and Automatic.

Windows Server 2008 or older:

[Server Manager] > [Features] > [Add Features] > [Remote Server Administration Tools] > [Role Administration Tools] > Select and install [AD DS and AD LDS Tools]

Before Windows Server 2008:

Install the Active Directory Management Gateway Service and the related patches.

 - https://www.microsoft.com/en-US/download/details.aspx?id=2852
 - https://support.microsoft.com/kb/969166
 - https://support.microsoft.com/kb/967574 

Please note that the server needs to be restarted after the installation.
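The checks in (B) 1, 2, 4 and 5 can be run as a preflight script on the machine that will host the sync module. This is an added example, not part of the HDE One guide; the file names and the C:\HDEOne path are those listed above, and ADWS is Windows' own service name for Active Directory Web Services.

```powershell
# Added example (not HDE One's code): preflight check for prerequisites (B) 1, 2, 4 and 5.
function Test-HdeOnePrerequisites {
    $ok = $true
    # (B)1 domain-joined, (B)2 PowerShell 3.0 or later
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) { Write-Warning 'machine is not domain-joined'; $ok = $false }
    if ($PSVersionTable.PSVersion.Major -lt 3) { Write-Warning "PowerShell $($PSVersionTable.PSVersion) is below 3.0"; $ok = $false }
    # (B)4 the four Password Sync modules must be present in C:\HDEOne
    $files = 'Assign-HDEOnePasswordSyncGroup.bat', 'Check-SyncUser.ps1', 'Set-ADUnixAttributes.ps1', 'Set-SecurityGroupMember.ps1'
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath "C:\HDEOne\$f")) { Write-Warning "missing C:\HDEOne\$f"; $ok = $false }
    }
    # (B)5 ActiveDirectory module, plus the Active Directory Web Services it talks to (service name ADWS)
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'ActiveDirectory module not installed (RSAT: AD DS and AD LDS Tools)'; $ok = $false
    }
    $adws = Get-CimInstance Win32_Service -Filter "Name='ADWS'"
    if (-not $adws) {
        # Normal on a member server; the domain controller the module connects to must run it
        Write-Warning 'ADWS is not installed on this host; verify it on the domain controller'
    } elseif ($adws.State -ne 'Running' -or $adws.StartMode -ne 'Auto') {
        Write-Warning "ADWS is $($adws.State) / $($adws.StartMode); it must be Running / Auto"; $ok = $false
    }
    return $ok
}
Test-HdeOnePrerequisites
```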

(3) Password Sync

To synchronise passwords from Active Directory to HDE Access Control, you have to create a security group "HDE One Password Sync Group" and set it as the primary group in each user's Unix attributes.

The script file below assigns the security group to the users automatically. Start PowerShell and execute these scripts not only when installing the Sync module, but also every time a new target user is added.

Script File Name : Set-ADUnixAttributes.ps1

The commands below show how the script is used when the target users belong to the SSO target domain @sample.co.jp and are active on Active Directory.

ps>cd "the folder in which you created a copy of above file"
ps>Import-Module ActiveDirectory
ps>$ExecutionPolicy = Get-ExecutionPolicy
ps>Set-ExecutionPolicy Bypass
ps>.\Set-ADUnixAttributes.ps1 -LDAPFilter '(&(userprincipalname=*@sample.com)(mail=*@sample.com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user))'
ps>Set-ExecutionPolicy $ExecutionPolicy

By starting the .bat file below, you can run the PowerShell commands above automatically.

[.bat file name]

Assign-HDEOnePasswordSyncGroup.bat

* To run the .bat file above regularly with the Windows Task Scheduler, please refer to the settings explained in the last part of this article.

(a) Checklist for the Windows Server used as the Active Directory domain controller

1. Select a user with which to check the result.

The following command examples assume UserPrincipalName=username@sample.com.

2. Start PowerShell and execute below command to get UnixUserPassword before changing password.

ps>Get-ADUser -Properties * -LDAPFilter "(userprincipalname=username@sample.com)"| select userprincipalname, samaccountname, sn, givenname, displayname, mail, unixuserpassword, objectguid > before.txt

3. Start "Active Directory Users and Computers" on the AD domain controller and reset the password of username@sample.com.

4. Start PowerShell and execute below command to get UnixUserPassword after changing password.

ps>Get-ADUser -Properties * -LDAPFilter "(userprincipalname=username@sample.com)"| select userprincipalname, samaccountname, sn, givenname, displayname, mail, unixuserpassword, objectguid > after.txt

* The results of steps 2 and 4 are saved as before.txt and after.txt in the current directory of the PowerShell session. Read the files and check whether UnixUserPassword has changed.

(b) Check whether the UnixUserPassword value has changed after the password reset.

(i) Example of user information before changing password (Before.txt)

userprincipalname : username@sample.com
samaccountname : username
sn : Sample Organisation
givenname : givenname
displayname : displayname
mail : username@sample.com
unixuserpassword : {}
objectguid : [long guid]

(ii) Example of user information after changing password (After.txt)

userprincipalname : username@sample.com
samaccountname : username
sn : Sample Organisation
givenname : givenname
displayname : displayname
mail : username@sample.com
unixuserpassword : {36 49 36 66 86 117 77 75 122 122 122 36 86 109 90 122 113 117 90 54 100 100 116 100 79 97 112 122 87 114 74 98 90 47}
objectguid : [long guid]
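The before/after comparison in steps 2 to 4 and in (b) can be scripted instead of read by eye. This is an added example, not part of the HDE One guide: it decodes the byte array that Get-ADUser returns for unixUserPassword and checks that the value was written by the reset (the sample bytes from After.txt above decode to a "$1$salt$hash" string, the MD5-crypt form of a crypt(3) hash). The Get-ADUser call assumes the ActiveDirectory module on a domain controller.

```powershell
# Added example (not HDE One's code): decode unixUserPassword and confirm it changed.
function ConvertFrom-UnixUserPassword {
    param($Raw)   # value of the unixUserPassword property as returned by Get-ADUser
    if ($null -eq $Raw -or $Raw.Count -eq 0) { return $null }
    # AD returns a collection whose single element is the byte[]; a bare byte[] is accepted too
    $bytes = if ($Raw[0] -is [byte[]]) { $Raw[0] } else { [byte[]]$Raw }
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Test-UnixPasswordChanged {
    param([string]$Before, [string]$After)
    if ([string]::IsNullOrEmpty($After)) { return $false }  # still empty: user not in the sync group
    if ($Before -eq $After) { return $false }                 # the reset did not touch the attribute
    # Expect a crypt(3)-style "$id$salt$hash" value, as in the After.txt sample ("$1$" = MD5-crypt)
    return ($After -match '^\$[0-9a-z]+\$[^$]+\$')
}

function Get-UnixUserPasswordString([string]$UserPrincipalName) {
    $u = Get-ADUser -LDAPFilter "(userprincipalname=$UserPrincipalName)" -Properties unixUserPassword
    if (-not $u) { throw "user not found: $UserPrincipalName" }
    return ConvertFrom-UnixUserPassword $u.unixUserPassword
}

# Offline demonstration with the byte values shown in After.txt above (Before.txt was empty)
[byte[]]$sample = 36,49,36,66,86,117,77,75,122,122,122,36,86,109,90,122,113,117,90,54,100,100,116,100,79,97,112,122,87,114,74,98,90,47
$after = ConvertFrom-UnixUserPassword (,$sample)
"decoded: $after"                                  # $1$BVuMKzzz$VmZzquZ6ddtdOapzWrJbZ/
"changed: $(Test-UnixPasswordChanged '' $after)"   # True

# Live check on the domain controller, once before and once after the reset in step 3:
# $before = Get-UnixUserPasswordString 'username@sample.com'
# (reset the password in Active Directory Users and Computers)
# $after  = Get-UnixUserPasswordString 'username@sample.com'
# Test-UnixPasswordChanged $before $after
```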

(4) Editing Configuration file (config.ini)

After installing the HDE One Directory Sync module, locate the file "config.ini" in the folder where the Sync module is installed (typically "C:\Program Files\HDE One Directory Sync").

Default conditions for user extraction:
(i) The suffix of UserPrincipalName is the target domain of Office 365
(ii) The mail attribute is in the *@sample.com domain
(iii) The user account is active (not disabled) on the Active Directory domain controller

(a) Edit the condition to extract users from the Active Directory Controller

ldapfilter='(&(userprincipalname=*@sample.com)(mail=*@sample.com)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user))'

(b) Add access information to Active Directory Controller

server=ad.sample.com <= Destination Active Directory server name of Sync module
username=admin@sample.com <= Domain Admin ID
password=1qaz2wsx <= Domain Admin Password

(c) Update config.ini in below directory

"C:\Program Files\HDE One Directory Sync" <= Directory for the setting files
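Because config.ini carries the domain account's password in clear text and its ldapfilter decides which accounts are created or deleted, it is worth validating before the first run. This is an added example, not part of the HDE One module: it assumes the four key names shown above (ldapfilter, server, username, password), the ActiveDirectory module, and that values may be wrapped in quotes as the ldapfilter line is.

```powershell
# Added example (not HDE One's code): sanity-check config.ini before running console.exe.
param([string]$ConfigPath = 'C:\Program Files\HDE One Directory Sync\config.ini')

# Minimal key=value reader; strips the surrounding quotes used on the ldapfilter line
$cfg = @{}
foreach ($line in Get-Content -LiteralPath $ConfigPath) {
    if ($line -match '^\s*([^=;#\[]+?)\s*=\s*(.*?)\s*$') { $cfg[$Matches[1]] = $Matches[2].Trim("'", '"') }
}
foreach ($k in 'ldapfilter', 'server', 'username', 'password') {
    if (-not $cfg.ContainsKey($k) -or [string]::IsNullOrWhiteSpace($cfg[$k])) { throw "config.ini: missing '$k'" }
}

# 1) The "account disabled" bit test only works with the LDAP_MATCHING_RULE_BIT_AND OID written exactly
if ($cfg.ldapfilter -match 'userAccountControl:(?<oid>[\d.]+):=2' -and $Matches.oid -ne '1.2.840.113556.1.4.803') {
    throw "config.ini: wrong matching-rule OID '$($Matches.oid)' (expected 1.2.840.113556.1.4.803); disabled users would be synced"
}

# 2) Run the filter against the server the module will use and look at what it selects
Import-Module ActiveDirectory
$users = @(Get-ADUser -LDAPFilter $cfg.ldapfilter -Server $cfg.server)
"ldapfilter matches $($users.Count) user(s) on $($cfg.server)"
if ($users.Count -eq 0) { Write-Warning 'filter matches nobody: check the UPN and mail suffixes' }
$users | Where-Object { -not $_.Enabled } | ForEach-Object { Write-Warning "disabled account matched: $($_.UserPrincipalName)" }

# 3) The file holds a privileged password: only administrators and SYSTEM should be able to read it
$acl = Get-Acl -LiteralPath $ConfigPath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference -match 'Users$|Everyone|Authenticated Users') {
        Write-Warning "config.ini readable by $($ace.IdentityReference): tighten the ACL"
    }
}
```

The account named in config.ini should have no more rights than the module needs to read the selected users; the ACL check does not remove the need for that.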

(5) Testing the Synchronisation 

To make sure the configuration file is correct before the actual synchronisation, please perform a test run.

To perform the test run, please run the following commands:

# cd "C:\Program Files\HDE One Directory Sync"
# .\console.exe /n 

"/n" makes the application perform a test run (dry run) only. If the command is executed without "/n", the actual synchronisation is executed.

The result of the command when there are unsynchronised accounts:

##### Sync set [sync01] #####

    Active Directory ---> HDE Access Control

Add: Administrator / iUBFiuf92738bce2byJBA==
Add: Guest / bA929bus9jsdhfvua837==
Add: david / david@sample.com / JOsf2983nsnjjk12j1kj1==
Delete: bowie / bowie@sample.com / asHD839hasH891dh98d==

The result of the command when there is no account to synchronise since the last synchronisation:

##### Sync set [sync01] #####

    Active Directory ---> HDE Access Control

* No sync data *
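The dry run is the only point at which a wrong ldapfilter (a mistyped suffix, for example) shows up before it deletes accounts on the HDE Access Control side, so the "/n" output can be used as a gate. This is an added example, not part of the HDE One module: it parses the output format shown above, refuses the real run when more than a set number of deletions are planned, and flags entries listed without a UPN (as Administrator and Guest are in the sample) so the filter can be reviewed. The sample text is constructed from the output above.

```powershell
# Added example (not HDE One's code): gate the real sync on the "console.exe /n" dry run.
function Get-SyncPlan {
    param([string[]]$Lines)
    $entries = foreach ($l in $Lines) {
        # "Add: david / david@sample.com / <value>" or, with no UPN, "Add: Guest / <value>"
        if ($l -match '^(?<op>Add|Delete):\s*(?<rest>.+)$') {
            $fields = $Matches.rest -split '\s*/\s*'
            [pscustomobject]@{ Op = $Matches.op; Name = $fields[0]; Upn = ($fields | Where-Object { $_ -like '*@*' } | Select-Object -First 1) }
        }
    }
    return @($entries)
}

function Test-SyncSafe {
    param($Plan, [int]$MaxDeletes = 5)
    $ok = $true
    $deletes = @($Plan | Where-Object Op -eq 'Delete')
    if ($deletes.Count -gt $MaxDeletes) { Write-Warning "$($deletes.Count) deletions exceed the limit of $MaxDeletes"; $ok = $false }
    foreach ($e in @($Plan | Where-Object { -not $_.Upn })) {
        Write-Warning "$($e.Op): $($e.Name) has no UPN (built-in account?) - review ldapfilter"; $ok = $false
    }
    return $ok
}

# Constructed sample in the format printed by console.exe /n above
$sample = @'
##### Sync set [sync01] #####

    Active Directory ---> HDE Access Control

Add: Administrator / iUBFiuf92738bce2byJBA==
Add: david / david@sample.com / JOsf2983nsnjjk12j1kj1==
Delete: bowie / bowie@sample.com / asHD839hasH891dh98d==
'@ -split "`r?`n"
$plan = Get-SyncPlan $sample
"planned: $(@($plan | Where-Object Op -eq 'Add').Count) add, $(@($plan | Where-Object Op -eq 'Delete').Count) delete"
"safe to sync: $(Test-SyncSafe $plan)"   # False: Administrator has no UPN

# Real use on the sync server:
# $out = & 'C:\Program Files\HDE One Directory Sync\console.exe' /n
# if (Test-SyncSafe (Get-SyncPlan $out)) { & 'C:\Program Files\HDE One Directory Sync\console.exe' }
```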

(6) Configuring the Automation

To ensure that HDE One Directory Sync and HDE One Password Sync run at Windows startup, please configure the services as follows:

(a) Configuring the Properties of HDE One Directory Sync Service :

Step 1 - Open the Control Panel and click [Administrative Tools]. In the list of Administrative Tools, click [Services], and in the list of services look for [HDE One Directory Sync]. Right-click it and click [Properties].

Step 2 - In the Properties, change the [Startup type] from [Manual] to [Automatic (Delayed Start)]. Click [OK] to save the configuration.

Step 3 - On the "Log On" tab, please input the login details of your domain account (Username and Password).

Step 4 - Finally ensure that the service is started and running.

(b) Configuring the Properties of HDE One Password Sync Service :

Step 1 - Open the Control Panel and click [Administrative Tools]. In the list of Administrative Tools, click [Services], and in the list of services look for [HDE One Password Sync]. Right-click it and click [Properties].

Step 2 - In the Properties, change the [Startup type] from [Manual] to [Automatic (Delayed Start)]. Click [OK] to save the configuration.

Step 3 - On the "Log On" tab, please input the login details of your domain account (Username and Password).

Step 4 - Finally ensure that the service is started and running.
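The result of steps 1 to 4 for both services can be verified from PowerShell. This is an added example, not part of the HDE One guide; it looks the services up by the display names used above (the internal service names are not given here, and "HDE One Password Sync" as display name is an assumption), and the DelayedAutoStart property it reads exists on Windows Server 2012 and later.

```powershell
# Added example (not HDE One's code): verify startup type, state and log-on account of both services.
function Test-HdeSyncService {
    param([Parameter(Mandatory)][string]$DisplayName)
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { Write-Warning "service '$DisplayName' is not installed"; return $false }
    $ok = $true
    # Step 2: StartMode 'Auto' with the delayed flag set
    if ($svc.StartMode -ne 'Auto' -or -not $svc.DelayedAutoStart) {
        Write-Warning "${DisplayName}: startup type is not Automatic (Delayed Start)"; $ok = $false
    }
    # Step 4: running
    if ($svc.State -ne 'Running') { Write-Warning "${DisplayName}: state is $($svc.State)"; $ok = $false }
    # Step 3: a domain account; a built-in account means the Log On tab was not changed
    if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService') {
        Write-Warning "${DisplayName}: runs as $($svc.StartName), not a domain account"; $ok = $false
    }
    return $ok
}

$results = foreach ($n in 'HDE One Directory Sync', 'HDE One Password Sync') {
    [pscustomobject]@{ Service = $n; Ok = Test-HdeSyncService $n }
}
$results | Format-Table -AutoSize
```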
