Configuring a Microsoft Active Directory service

  • For the strongest security, Hewlett Packard Enterprise recommends configuring your directory server to use the TLS 1.2 protocol only.

  • The following maps each LDAP property to the corresponding Active Directory attribute:

    LDAP property          Active Directory attribute
    cn                     Common-Name
    uid                    UID
    userPrincipalName      User-Principal-Name
    sAMAccountName         SAM-Account-Name

  • If a user object is created in the Active Directory Users and Computers Microsoft Management Console, the names default as follows.

    Specify the following components of the user name, displayed here with the corresponding attribute:

    User name component    Attribute
    First Name             givenName
    Initials               initial
    Last Name              sn

    The field labeled Full Name defaults to this format. This string is assigned to the cn attribute (Common Name).

    givenName.initials.givenName.initial.sn

    In the New Object – user dialog box, you are also required to specify a User logon name. The User logon name, in combination with the DNS domain name, becomes the userPrincipalName. The userPrincipalName is an alternative name that the user can use for logging in. It is in the form:

    LogonName@DNSDomain

    For example:

    joeuser@example.com

  • Finally, as you enter the User logon name, the first 20 characters are automatically filled in the pre-Windows 2000 logon name field, which becomes the sAMAccountName attribute.

  • CN-logins for built-in Active Directory user accounts, like Administrator, are not accepted. Other login formats are acceptable if their respective attributes (sAMAccountName, userPrincipalName, and UID) are set properly.

  • When the Active Directory domain name and the pre-Windows 2000 logon name are different, use the pre-Windows 2000 logon name as the directory name in HPE OneView. A login with a plain user name will then succeed in HPE OneView.
    Example:
    If the domain is example.com on an Active Directory, and the pre-Windows 2000 domain name is winNTexample, setting the directory name to winNTexample allows users to log in using only their user name. A user specifying a login name of username is authenticated to the directory as winNTexample\username. If the directory name cannot be changed, the login name can be specified explicitly as winNTexample\username, or the userPrincipalName attribute can be used to log in, such as username@example.com.
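    The following is an added example, not HPE OneView or Microsoft code. It models how the attributes described above are derived from the values entered in the MMC dialog (userPrincipalName, the 20-character sAMAccountName) and how the three accepted login formats map to the identity presented to the directory. The space-joined Full Name and the login-format detection are assumptions made for illustration.

```python
from dataclasses import dataclass

SAM_ACCOUNT_NAME_MAX = 20  # pre-Windows 2000 logon name takes the first 20 characters


@dataclass(frozen=True)
class AdUser:
    cn: str
    userPrincipalName: str
    sAMAccountName: str


def derive_ad_user(given_name: str, initials: str, sn: str,
                   logon_name: str, dns_domain: str) -> AdUser:
    """Reproduce the defaults the Users and Computers MMC applies to a new user."""
    # Assumption: Full Name is the non-empty components joined by spaces.
    cn = " ".join(part for part in (given_name, initials, sn) if part)
    # User logon name + DNS domain name becomes the userPrincipalName.
    upn = f"{logon_name}@{dns_domain}"
    # Only the first 20 characters are copied into the pre-Windows 2000 field.
    sam = logon_name[:SAM_ACCOUNT_NAME_MAX]
    return AdUser(cn=cn, userPrincipalName=upn, sAMAccountName=sam)


def resolve_login(login: str, directory_name: str) -> tuple[str, str]:
    """Return (login format, identity sent to the directory) for a OneView login.

    directory_name is the directory name configured in OneView; per the text it
    should equal the pre-Windows 2000 domain name so that plain user names work.
    Format detection by backslash / '@' is an assumption of this example.
    """
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return ("pre-Windows 2000", f"{domain}\\{user}")
    if "@" in login:
        return ("userPrincipalName", login)
    # A plain user name is qualified with the configured directory name.
    return ("plain", f"{directory_name}\\{login}")


def plain_login_succeeds(directory_name: str, pre_windows_domain: str) -> bool:
    """Plain user-name logins resolve correctly only when the directory name
    matches the pre-Windows 2000 domain name (case-insensitive in AD)."""
    return directory_name.lower() == pre_windows_domain.lower()
```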