Integrating Active Directory with Commander

Integrating Commander with directory services is optional. If you don't use Active Directory or LDAP, you can set up local user accounts directly in Commander.

When you integrate with Active Directory, you can enable single sign-on for Windows Domain users.

If you're running AWS Managed Microsoft AD, note that it disallows operations by customers that would interfere with managing the directory service. Therefore, AWS restricts access to directory objects, roles and groups that require elevated privileges. As an alternative, you can connect through LDAP to the directory service.

Adding Active Directory servers

Access through:

Configuration menu > Identity and Access > Authentication

Available to:

Commander Role of Superuser

  1. In the Directory Services pane, click Add and select AD.
  2. In the Name field of the Configure Active Directory dialog, enter a display name of your choice to identify the AD server.
  3. In the Username field, enter a domain user account for the Active Directory server. Use the standard username@domain format.

    You can use any user account that already belongs to the domain because only read access permission is required. If you want to specifically add a service account that doesn't belong to the domain users group, that account must have List Contents, Read All Properties and Read Permissions enabled.

    Caution: To ensure that AD users can log in properly, make sure that the primary and secondary Active Directory server addresses are in the same realm.

  4. In the Password field, enter the password for that domain account.
  5. If you want Commander to automatically look up the domain controller, select Lookup domain controller via DNS.


    If you want to specify your domain controller, select Use specified domain controller and enter the FQDN of the domain controller. Don't use the IP address.

  6. To enable LDAPS to ensure security of data transmission, select Use LDAPS (SSL).
  7. To enable the use of Active Directory, select Enabled.
  8. Click OK.


If you see an error after specifying an IP address for your AD server in Commander, you must add an SPN (Service Principal Name) to your AD server by running the following command on your AD server:

setspn –S ldap/<ipaddress> <hostname>

where <ipaddress> and <hostname> are the values returned by the ipconfig and hostname commands.

Setting up email notification for directory services issues

Access through:

Configuration menu > System > Notifications

Available to:

Commander Roles of Superuser and Enterprise Admin

To configure Commander to notify administrators for directory services when events occur:

  1. Under For Directory Services Connection Issues, click Add.
  2. In the Manage Directory Service Notifications dialog, enter the full user ID and click ellipses.

    The user account information is displayed.

  3. Click OK.


Handling clock skew issues

If you're unable to log in with a directory services account, and you see messages in the Commander log similar to that below, see the Knowledge Base article Resolving Clock Skew Issues.

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site Security.AD.Erro.Krb.clockSkew

2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - - Final AD map: AD Topology discovered by null

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed

Removing Active Directory servers

Access through:

Configuration menu > Identity and Access > Authentication

Available to:

Commander Role of Superuser

  • Select the directory service and click Delete. Confirm the deletion.

    Caution: If you remove access to a user directory, all user accounts in that directory are unable to access Commander.