Integrating Active Directory with Commander

Snow Commander can leverage an existing AD server to provide multi-tenant RBAC for different departments or organizations.

When you integrate with Active Directory, you can enable single sign-on for Windows Domain users.

Note: Integrating Commander with directory services is optional. If you don't use Active Directory or LDAP, you can set up local user accounts directly in Commander. For information, see Adding user or group accounts and assigning roles.

Note: AWS Managed Microsoft AD disallows operations by customers that would interfere with managing the directory service. Therefore, AWS restricts access to directory objects, roles and groups that require elevated privileges. As an alternative, you can connect through LDAP to the directory service.

Adding Active Directory servers

Access through:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

To add Active Directory servers that you want to integrate with Commander:

  1. Click the Authentication tab.
  2. In the Directory Services section, click Add and select AD.
  3. In the Configure Active Directory dialog, in the Name field, enter a display name of your choice to identify the AD server.
  4. In the Username field, enter a domain user account for the Active Directory server. Use the standard username@domain format.

    You can use any user account that already belongs to the domain because only read access permission is required. If you want to specifically add a service account that doesn't belong to the domain users group, that account must have List Contents, Read All Properties and Read Permissions enabled.

    Caution: To ensure that AD users can sign in, make sure that the primary and secondary Active Directory server addresses are in the same realm.

  5. In the Password field, enter the password for that domain account.
  6. If you want Commander to automatically look up the domain controller, select Lookup domain controller via DNS.

    If you want to specify your domain controller, select Use specified domain controller and enter the FQDN of the domain controller. Don't use the IP address.

  7. To secure data transmission between Commander and the directory with LDAPS, select Use LDAPS (SSL).
  8. To enable the use of Active Directory, select Enabled.
  9. Click OK.

Setting up email notification for directory services issues

Access through:

Configuration > System > Notifications

Available to:

Commander Roles of Superuser and Enterprise Admin

To configure Commander to notify administrators when directory services connection issues occur:

  1. Under For Directory Services Connection Issues, click Add.
  2. In the Manage Directory Service Notifications dialog, enter the full user ID and click the ellipsis button.

    The user account information is displayed.

  3. Click OK.


IP address errors

If you see an error after specifying an IP address for your AD server in Commander, you must add an SPN (Service Principal Name) to your AD server by running the following command on your AD server:

setspn -S ldap/<ipaddress> <hostname>

where <ipaddress> and <hostname> are the values returned by the ipconfig and hostname commands.

Handling clock skew issues

If you're unable to sign in with a directory services account, and you see messages in the Commander log similar to those below, see the Snow Globe article Resolving Clock Skew Issues.

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site Security.AD.Erro.Krb.clockSkew
2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - - Final AD map: AD Topology discovered by null
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed
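To tell sign-in failures caused by clock skew apart from other failures when reviewing the log, the following added example (not part of Commander or its documentation) parses lines in the format shown above and flags each authentication error that follows a Kerberos error 37 on the same thread. The function name, the five-second correlation window and the last sample line are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

KRB_AP_ERR_SKEW = 37  # RFC 4120 error code behind "Clock skew too great"

# First five lines are the log excerpt above; the last line is constructed
# (hypothetical user on another thread) to show a failure without skew.
SAMPLE_LOG = """\
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site Security.AD.Erro.Krb.clockSkew
2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - - Final AD map: AD Topology discovered by null
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed
2017-09-12 14:12:01,102 [http-bio-443-exec-9] ERROR - authentication error: jdoe@example.test; reason:Security.AD.LoginFailed
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
                     r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) - (?:- )?(?P<msg>.*)$")
KRB_RE = re.compile(r"Kerberos error: .+ \((?P<code>\d+)\)")
AUTH_RE = re.compile(r"authentication error: (?P<user>[^;\s]+); reason:(?P<reason>\S+)")

def find_login_failures(log_text, window=timedelta(seconds=5)):
    """List sign-in failures, flagging those that follow a Kerberos
    clock-skew error on the same request thread within `window`."""
    last_skew = {}  # thread name -> time of its latest skew error
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack traces, blank lines, other formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        krb = KRB_RE.search(m["msg"])
        if krb and int(krb["code"]) == KRB_AP_ERR_SKEW:
            last_skew[m["thread"]] = ts
            continue
        auth = AUTH_RE.search(m["msg"])
        if auth:
            # Worker threads are reused, so only a recent skew error counts.
            skew_ts = last_skew.get(m["thread"])
            skewed = skew_ts is not None and timedelta(0) <= ts - skew_ts <= window
            findings.append({"time": m["ts"], "user": auth["user"],
                             "reason": auth["reason"], "clock_skew": skewed})
    return findings

if __name__ == "__main__":
    for f in find_login_failures(SAMPLE_LOG):
        cause = "clock skew" if f["clock_skew"] else "other cause"
        print(f"{f['time']} {f['user']}: {cause}")
```

Failures flagged with clock_skew point to time synchronization between the Commander host and the domain controller rather than to the account or its password.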

Removing Active Directory servers

Caution: If you remove access to a user directory, all user accounts in that directory are unable to access Commander.

Access through:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

To remove Active Directory servers from Commander:

  1. Click the Authentication tab.
  2. Select the directory service and click Delete.
  3. Confirm the deletion.