Integrating Active Directory with vCommander

Integrating vCommander with directory services is optional. If you do not use Active Directory or LDAP, you can set up local user accounts directly in vCommander.

Note: When you integrate with Active Directory, you can enable single sign-on for Windows Domain users.

Adding an Active Directory server

Access through:

Configuration menu > System Configuration > Authentication tab > Directory Services pane

Available to:

vCommander Role of Superuser

1. Select Configuration menu > System Configuration, and in the Directory Services pane, click Add and select AD (Active Directory).

2. In the Configure Active Directory dialog, enter a display name of your choice to identify the AD server.

3. Enter a domain account for the Active Directory server in the standard username@domain format in the Username field.


To ensure that AD users can log in properly, make sure that the primary and secondary Active Directory server addresses are in the same realm.

4. Enter the password for that domain account.

5. If you want vCommander to automatically look up the domain controller, select Lookup domain controller via DNS.


If you want to specify your domain controller, select Use specified domain controller and enter the FQDN of the domain controller. Don't use the IP address.

6. To enable the use of Active Directory, click the check box beside Enabled.

7. To secure data transmission by using LDAPS, click the check box beside Use LDAPS (SSL).

8. Click OK.


If you see an error after specifying an IP address for your AD server in vCommander, you must add an SPN (Service Principal Name) to your AD server by running the following command on your AD server:

setspn -S ldap/<ipaddress> <hostname>

where <ipaddress> and <hostname> are the values returned by the ipconfig and hostname commands.

Setting up email notification for directory services issues

Access through:

Configuration menu > System Configuration > Email Notification tab

Available to:

vCommander Roles of Superuser and Enterprise Admin

To configure Embotics® vCommander® to notify administrators when directory services events occur:

1. Select Configuration menu > System Configuration > Email Notification tab.

2. Under For Directory Services Connection Issues, click Add.

3. In the Manage Directory Service Notifications dialog, enter the full user ID and click the ellipsis button.

The user account information is displayed.

4. Click OK.


Handling clock skew issues

If you are unable to log in with a directory services account, and you see messages like the following in the vCommander log:

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site Security.AD.Erro.Krb.clockSkew

2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - - Final AD map: AD Topology discovered by null

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed

See the Knowledge Base article Resolving Clock Skew Issues.
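
The following added example (not part of the vCommander product or its documentation) shows one way to separate login failures caused by clock skew from other login failures when reviewing the vCommander log. It assumes the line layout of the excerpt above and that a skew error and the login failure it causes share a thread and are logged within two seconds of each other; the last two sample lines and their accounts are constructed.

```python
import re
from datetime import datetime, timedelta

# Layout as in the excerpt above: "<timestamp> [<thread>] <LEVEL> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) +- (?P<msg>.*)$"
)
SKEW_MARKER = "Kerberos error: Clock skew too great (37)"
AUTH_RE = re.compile(r"authentication error: (?P<user>[^;]+); reason:(?P<reason>\S+)")
# Assumption: a skew error and the login failure it causes share a thread
# and are logged within this window of each other.
WINDOW = timedelta(seconds=2)

# The first five lines are the excerpt from this page; the last two are constructed.
SAMPLE_LOG = """\
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site Security.AD.Erro.Krb.clockSkew
2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - - Final AD map: AD Topology discovered by null
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed
2017-09-12 14:12:02,118 [http-bio-443-exec-9] ERROR - authentication error: jdoe@example.test; reason:Security.AD.LoginFailed
2017-09-12 14:25:10,004 [http-bio-443-exec-6] ERROR - authentication error: asmith@example.test; reason:Security.AD.LoginFailed
"""

def classify_login_failures(lines):
    """Return [(user, cause)] where cause is 'clock_skew' or 'other'."""
    last_skew = {}  # thread name -> time of its most recent skew error
    results = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        if SKEW_MARKER in m["msg"]:
            last_skew[m["thread"]] = ts
            continue
        auth = AUTH_RE.search(m["msg"])
        if auth:
            seen = last_skew.get(m["thread"])
            skewed = seen is not None and timedelta(0) <= ts - seen <= WINDOW
            results.append((auth["user"].strip(), "clock_skew" if skewed else "other"))
    return results

if __name__ == "__main__":
    for user, cause in classify_login_failures(SAMPLE_LOG.splitlines()):
        print(f"{user}: {cause}")
```

Failures classified as other are not explained by clock skew and should be reviewed as ordinary authentication failures.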

Removing an Active Directory server

Access through:

Configuration menu > System Configuration > Authentication tab

Available to:

vCommander Role of Superuser

1. Select the directory service and click Delete.

The Confirm Directory Service Deletion dialog appears.


If you remove access to a user directory, all user accounts in that directory are unable to access vCommander.

2. Click Yes.