Difference between revisions of "AD links"

From InsightWiki

Revision as of 12:13, 19 June 2018

AD Links is an additional module in Insight. It allows users to log in to Insight using their Active Directory account. This is essential for student logins and optional for staff logins.

As AD Links is an additional module of Insight, a separate charge applies. Please contact sales@tascsoftware.co.uk for further information.

Configuration

Importing Identifying Numbers into Active Directory

An identifying number must appear in each AD record in order for Insight to link with the Active Directory. It is recommended to use the Admission Number for students, although the UPN or SIMS PersonID can also be used. For staff only the SIMS PersonID can be used.

A list of staff PersonID numbers can be obtained from Insight. Go to:
Accounts > AD Links
Click the Staff report button to download a file containing the PersonID numbers for all staff. The file is in XML format, but you can open it in Excel (and save it as CSV if you intend to feed it to the provisioning script described below).

It is possible to use SIMS AD Provisioning to import Admission Numbers into the Active Directory for students. Alternatively you can use a script from TASC Software to perform this provisioning for you. The TASC script can also be used to import SIMS PersonID numbers for staff. The TASC script will enter the chosen identifying number into the EmployeeID field in Active Directory.

If you wish to use the TASC Software script you will need a CSV file called INPUT.CSV in the format ADusername,identifyingnumber, one record per line and no header row. The file must have exactly two columns: the first column is the AD username and the second column is the identifying number (Admission Number, UPN or SIMS PersonID, as chosen above).

The script file can be downloaded here: import.vbs
(right click and select Save As to download)

Once you have downloaded the file, edit it in Notepad (right click and select Edit). The first line of the file will read:
CONST strDomain="MyDomain"

You need to edit this so that your domain appears between the quotation marks, instead of MyDomain. Save the file, then place it in a new folder with your CSV file. The folder must contain nothing else. Double click the import.vbs file to run the script, which will update your Active Directory. Because the script changes live directory records, run it under an account that is allowed to write the EmployeeID attribute of the users listed in INPUT.CSV, and check the contents of the CSV (and of the script itself, which is served over plain HTTP) before running it.
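As an added example, not TASC Software's import.vbs and not part of the original page, the PowerShell below performs the same provisioning step with the ActiveDirectory module and adds the checks a practitioner would want before writing to the directory: exactly two columns, no blank values, no identifying number listed twice, and a post-run scan for values shared by more than one account (which Insight could not resolve to a single login). The parameter names, the default path and the -WhatIf preview are this script's own conventions; the attribute name is a parameter so the same script serves the default EmployeeID field and the "alternative AD field" setting described further down.

```powershell
# Added example (not TASC Software's import.vbs): write the identifying number
# from INPUT.CSV into an attribute of each listed AD user.
# Assumptions: INPUT.CSV has no header row and exactly two columns
# (AD username, identifying number); the account running this may write the
# target attribute on those users. -WhatIf previews without changing anything.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath   = '.\INPUT.CSV',
    [string]$Attribute = 'employeeID'   # or the alternative field configured in Insight
)

# Rows must have exactly the two columns Insight expects.
$lines = Get-Content -Path $CsvPath | Where-Object { $_.Trim() -ne '' }
$badShape = $lines | Where-Object { ($_ -split ',').Count -ne 2 }
if ($badShape) { throw "INPUT.CSV must have exactly two columns; offending line(s): $($badShape -join '; ')" }

$rows = $lines | ConvertFrom-Csv -Header 'Username', 'Id'

$blank = $rows | Where-Object { [string]::IsNullOrWhiteSpace($_.Username) -or [string]::IsNullOrWhiteSpace($_.Id) }
if ($blank) { throw "INPUT.CSV contains $($blank.Count) row(s) with an empty username or identifying number." }

# An identifying number must match exactly one account, so refuse duplicates up front.
$dupIds = $rows | Group-Object -Property Id | Where-Object Count -gt 1
if ($dupIds) { throw "Identifying number(s) listed more than once: $($dupIds.Name -join ', ')" }

$updated = 0; $unchanged = 0; $missing = @()
foreach ($row in $rows) {
    try {
        # -Identity accepts the sAMAccountName directly, so the username is
        # never interpolated into a filter string.
        $user = Get-ADUser -Identity $row.Username -Properties $Attribute -ErrorAction Stop
    } catch {
        $missing += $row.Username
        continue
    }
    if ($user.$Attribute -eq $row.Id) { $unchanged++; continue }   # already correct
    if ($PSCmdlet.ShouldProcess($row.Username, "set $Attribute to $($row.Id)")) {
        # -Replace addresses the attribute by its LDAP name, so it works for
        # employeeID and for an alternative field alike.
        Set-ADUser -Identity $user -Replace @{ $Attribute = $row.Id }
        $updated++
    }
}

# Post-check over the whole directory: values Insight would find ambiguous.
$dupInAd = Get-ADUser -LDAPFilter "($Attribute=*)" -Properties $Attribute |
    Group-Object -Property $Attribute | Where-Object Count -gt 1
foreach ($g in $dupInAd) {
    Write-Warning ("{0}={1} is shared by: {2}" -f $Attribute, $g.Name, ($g.Group.SamAccountName -join ', '))
}

"Updated: $updated  Already correct: $unchanged  Not found in AD: $($missing.Count)"
if ($missing) { "Usernames not found: $($missing -join ', ')" }
```

Run it first as `.\Provision-InsightIds.ps1 -WhatIf` (any file name will do) to see which accounts would change, then without -WhatIf; pass `-Attribute` only if you have enabled the alternative-field option in Insight.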

Settings within Insight

[Image: ad_links_page.png, the AD Links settings page]

The following settings are entered into the AD Links page, which is accessed via:
Accounts > AD Links

Check in AD when logging in must be enabled for Active Directory logins (if this is switched off, all AD logins will be disabled).

Next enter the Domain, Domain reading user and Domain reading password fields.
The domain should be in the form: mydomain.local. The reading account is only used to look accounts up in the directory, so a dedicated account with read access is sufficient; do not use an administrative account here. Click the Check button when you have entered these details to confirm that Insight can access the Active Directory.
In some cases you may see a message reading "A trust relationship does not exist between ..."; this should not cause any issues or be a cause for concern.

By default Insight will check the EmployeeID field for the Admission Number (ADNO) to identify students. This will also be required for staff if you want them to log in using the Active Directory details, but they do not have trusted login accounts in SIMS.

Enable the Use alternative AD field in place of EmployeeID option if you would prefer to use an AD field other than EmployeeID. You then need to enter your choice of field into the Name of alternative field to use setting.
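The following PowerShell is an added example, not Insight's own code, that reproduces from the Insight server what the Check button and a login lookup do: bind to the domain with the reading account and search for the account that carries a given identifying number in EmployeeID (or the alternative field). Running it before saving the settings shows whether the read-only account and the attribute choice actually work, and reports an ambiguous match, which the Check button does not. The domain, account name, attribute and sample Admission Number are placeholders, and the filter value is escaped per RFC 4515 because in a login flow it originates from user input.

```powershell
# Added example (not Insight's own code): bind as the AD Links reading account
# and look a user up by identifying number, as Insight does at login.
# Assumptions: the domain, account, attribute name and sample number below are
# placeholders; Insight's real query may differ in detail.
Add-Type -AssemblyName System.DirectoryServices

$domain    = 'mydomain.local'
$readUser  = 'mydomain\svc-insight-read'   # dedicated read-only account
$readPass  = Read-Host -Prompt "Password for $readUser" -AsSecureString
$attribute = 'employeeID'                   # or the alternative field configured in Insight
$lookupId  = '004521'                       # constructed sample Admission Number

# RFC 4515 escaping so a value taken from user input cannot alter the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# 1. Bind with the reading credentials (what the Check button verifies).
$plain = [System.Net.NetworkCredential]::new('', $readPass).Password
$root  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$domain", $readUser, $plain,
    [System.DirectoryServices.AuthenticationTypes]::Secure)
try {
    $null = $root.NativeObject     # forces the bind; throws on bad credentials or domain
    "Bind to $domain as $readUser succeeded"
} catch {
    throw "Bind to $domain as $readUser failed: $($_.Exception.Message)"
}

# 2. Resolve the identifying number to an account (what a login does).
$filter   = "(&(objectCategory=person)(objectClass=user)($attribute=$(ConvertTo-LdapFilterValue $lookupId)))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName', 'mail'))
$hits = $searcher.FindAll()

switch ($hits.Count) {
    0       { "No account carries $attribute=$lookupId; Insight cannot link this user." }
    1       { "Matched account: {0} ({1})" -f $hits[0].Properties['samaccountname'][0], $hits[0].Properties['userprincipalname'][0] }
    default { "Ambiguous: $($hits.Count) accounts share $attribute=$lookupId; fix the directory before enabling AD logins." }
}
```

If the bind succeeds but the search returns nothing, the provisioning step has not populated the attribute for that account, or the attribute name does not match the one configured in Insight.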

Use student email addresses from AD
Enable this option to take student email addresses from the linked AD record; when it is off, the email addresses held in SIMS are used instead.

Single Sign On

An additional benefit of using this method to log in is that it supports Integrated Windows Authentication in supported browsers. This means that if the user is logged onto a computer within the domain, their account information can be used to log into Insight seamlessly, that is, without entering their account details again. Browsers only send Windows credentials automatically to sites they treat as intranet or trusted sites (for example the Local intranet zone in Internet Explorer and Edge, or Firefox's network.negotiate-auth.trusted-uris setting), so the Insight address needs to be added there on domain machines.

To implement seamless login, direct those users who you expect to be able to login using their Active Directory details to the ADSSO.aspx page initially. For example:

Use this address: https://insight.myschool.co.uk/ADSSO.aspx
Rather than this: https://insight.myschool.co.uk/secure.aspx?ReturnUrl=%2f


If the user is not already logged into the domain, they will be redirected to the normal login page, where they can still enter their Active Directory username and password. If you do not expect a user to be able to log in this way, they should be directed to the normal login URL.
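To check from a domain-joined machine whether the ADSSO.aspx page actually offers and accepts Integrated Windows Authentication, the following PowerShell is an added example and not part of the Insight documentation. It makes one anonymous request and one with the logged-on user's credentials, with redirects disabled so that a redirect to the normal login page is visible as such. The URL is a placeholder; the expected pattern (an anonymous request refused with a WWW-Authenticate: Negotiate challenge, the credentialed request succeeding) is an assumption about an IIS site with Windows Authentication enabled, and the script reports what it sees rather than asserting it.

```powershell
# Added example (not Insight's own code): probe ADSSO.aspx for Integrated
# Windows Authentication. Assumptions: the URL is a placeholder, and the
# behaviour described in the comments is that of an IIS site with Windows
# Authentication enabled; the script only reports the responses it gets.
$url = 'https://insight.myschool.co.uk/ADSSO.aspx'

function Invoke-SsoProbe([string]$Uri, [bool]$UseWindowsCredentials) {
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.AllowAutoRedirect      = $false   # a redirect to the normal login page is itself a finding
    $req.UseDefaultCredentials  = $UseWindowsCredentials
    try {
        $resp = [System.Net.HttpWebResponse]$req.GetResponse()
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }
        # 401 and other error statuses are delivered through the exception.
        $resp = [System.Net.HttpWebResponse]$_.Exception.Response
    }
    $label = if ($UseWindowsCredentials) { 'logged-on user (Negotiate)' } else { 'none' }
    [pscustomobject]@{
        Credentials = $label
        Status      = [int]$resp.StatusCode
        Challenge   = $resp.Headers['WWW-Authenticate']   # expect "Negotiate" on the anonymous 401
        Location    = $resp.Headers['Location']           # set if the page redirected instead
    }
    $resp.Close()
}

# Anonymous first: shows whether the page challenges for Windows credentials.
Invoke-SsoProbe -Uri $url -UseWindowsCredentials $false
# Then with the current Windows logon: shows whether the challenge is accepted.
Invoke-SsoProbe -Uri $url -UseWindowsCredentials $true
```

Note that HttpWebRequest sends the logged-on credentials whenever UseDefaultCredentials is set, whereas browsers apply their intranet/trusted-site rules first; a successful second probe therefore confirms the server side, and a browser that still prompts points at the zone configuration.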