Configure Active Directory authentication

Active Directory is a Microsoft-produced, Windows-centric method used to authenticate user login requests.

Although user authentication is performed on the Active Directory server, user authorizations and access rights are maintained on the SMS server. You can configure a second Active Directory server that the SMS can use for authentication when the primary authentication server goes down or otherwise cannot be reached. If either Active Directory (AD) server is unavailable, SMS can authenticate the user locally. The account password for an AD-authenticated user must be changed on the SMS. The SMS does not permit you to manage user accounts on the Active Directory server. User credentials for remote AD accounts must be managed on the Active Directory server. The SMS is not permitted to change passwords for user accounts on the Active Directory server.

The SMS server supports using Active Directory to authenticate logon requests as well as mapping users to AD groups for authorization requests. You specify Active Directory Global Group Mapping when you configure the Active Directory server for authentication on the SMS.

Before you configure an Active Directory server for user authentication, the SMS must be able to resolve the IP address of the server. The Domain Name System (DNS) must be configured and enabled on the Active Directory server, and all domain clients must use the AD server as their primary DNS server.