Splashtop On-Prem AD integration is compatible with Windows Server 2008 R2, 2012, 2016, and 2019 Active Directory and Microsoft Azure AD. This allows system administrators to easily authenticate and manage AD accounts and start using the Splashtop On-Prem service immediately.
Use User Principal Name (UPN) as the AD user login for Splashtop On-Prem (since Gateway v3.18.0)
1. Log in to Splashtop Gateway as Owner and go to Management -> Team Settings -> Authentication
2. Edit or create your Active Directory server
3. Enter the additional UPN suffixes mapped from your AD server (check your UPN suffixes in Active Directory Domains and Trusts), then save the settings. You can add up to 30 UPN suffixes in the Splashtop system.
4. Make sure all the UPN suffixes that users actually log on with are included in the UPN suffix list saved in Splashtop Gateway.
5. All existing Gateway AD users now automatically gain an additional login method. Both UPN login and sAMAccountName+domain login are accepted.
6. Adding a new AD user requires specifying the UPN suffix for this user from the available UPN suffixes.
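One way to carry out the check in step 4 before saving the list, as an added example that is not Splashtop code: it compares the suffixes found in an exported list of userPrincipalName values against the suffixes you intend to enter in the Gateway, and checks the 30-suffix limit. The function name, the sample data and the case-insensitive comparison are assumptions of this example.

```python
from collections import Counter

MAX_SUFFIXES = 30  # limit stated on this page


def audit_upn_suffixes(user_upns, gateway_suffixes):
    """Compare suffixes users log on with against the Gateway suffix list."""
    # Normalise the configured list: drop a leading "@", ignore case and blanks.
    configured = {s.strip().lstrip("@").lower()
                  for s in gateway_suffixes if s.strip()}
    in_use = Counter()
    malformed = []
    for upn in user_upns:
        local, sep, suffix = upn.strip().rpartition("@")
        if not (sep and local and suffix):
            malformed.append(upn)  # no usable UPN on this account
            continue
        in_use[suffix.lower()] += 1
    # Suffixes users have but the Gateway list lacks, with affected user counts.
    missing = {s: n for s, n in in_use.items() if s not in configured}
    total = len(configured | set(in_use))
    return {
        "missing": missing,
        "unused": sorted(configured - set(in_use)),
        "malformed": malformed,
        "total_if_added": total,
        "fits_limit": total <= MAX_SUFFIXES,
    }


# Constructed sample data (hypothetical accounts and domains).
SAMPLE_UPNS = [
    "alice@corp.example",
    "bob@EMEA.corp.example",
    "carol@emea.corp.example",
    "dave",
    "erin@legacy.example",
]
GATEWAY_SUFFIXES = ["corp.example", "@legacy.example", "old.example"]

if __name__ == "__main__":
    report = audit_upn_suffixes(SAMPLE_UPNS, GATEWAY_SUFFIXES)
    for suffix, count in report["missing"].items():
        print(f"missing from Gateway list: {suffix} ({count} users)")
    print("unused entries:", report["unused"])
    print("fits 30-suffix limit:", report["fits_limit"])
```

Users whose suffix is reported as missing cannot use UPN login until that suffix is added; entries reported as unused can be removed to stay within the limit.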
Active Directory integration
1. Add AD Server
First, bind your local AD server to Splashtop Gateway. Once it is added, you can add AD users or AD groups from the Gateway web console.
Log in to the Gateway Web Portal as the team owner, go to the Management -> Settings -> Authentication tab, and click Add AD Server:
- Name: Enter an AD Server name that identifies the actual AD server of your organization.
- LDAP URL Syntax: LDAP scheme (ldap://) + address of the target AD server + port number (if needed). The screenshot below shows a syntax example: ldap://onpremise.corp
- LDAPS is supported.
- Users Base DN: The Active Directory users' Distinguished Name. Users Base DN is used as the user authentication checkpoint in the AD hierarchy.
- To copy the Distinguished Name of any AD object, go to the View tab in Active Directory Users and Computers on Windows 2016 and select Advanced Features. Then right-click the target object whose distinguished name you want, select Attribute Editor, and double-click the distinguishedName attribute to copy its value.
- Groups Base DN: The Active Directory groups' Distinguished Name. Groups Base DN is used as the group authentication checkpoint in the AD hierarchy.
- Bind Account: The user account on the target AD server used to bind. The user account syntax is sAMAccountName@dc.dc
- Note: The same sAMAccountName can exist in more than one AD, so Gateway searches AD users by the @dc.dc part to ensure that a user who exists in multiple AD servers is unique.
- Password: The AD password associated with the AD user.
- Test Connection: Click this button to check the availability of the target AD server for authentication.
- Add: Click this button to bind a validated AD server to Splashtop Gateway.
Note:
1. Avoid adding multiple AD Servers with overlapping scope. Verify the uniqueness of Users Base DN and Groups Base DN so that each user and group originates from only one AD Server source. Overlapping scope may cause authentication failures and unresolvable group members.
2. Disable the AdBlock or Adblock Plus browser extensions when adding an AD Server; otherwise the request will be blocked by the browser extension.
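The overlap check from note 1, as an added example that is not part of the Splashtop product: given the Users Base DN and Groups Base DN planned for each AD Server entry, it reports pairs where one base DN equals or sits beneath another. Server names, DNs and function names are hypothetical; DN comparison is assumed to be case-insensitive.

```python
from itertools import combinations


def split_dn(dn):
    """Split a DN into normalised RDNs; an escaped comma is not a separator."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        if part.strip():
            rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def contains(base, dn):
    """True when dn equals base or sits beneath it in the directory tree."""
    b, d = split_dn(base), split_dn(dn)
    return bool(b) and len(d) >= len(b) and d[-len(b):] == b


def find_overlaps(servers):
    """Return (server_a, server_b, field) for every pair with overlapping scope."""
    hits = []
    for (name_a, a), (name_b, b) in combinations(servers.items(), 2):
        for field in ("users_base_dn", "groups_base_dn"):
            if contains(a[field], b[field]) or contains(b[field], a[field]):
                hits.append((name_a, name_b, field))
    return hits


# Constructed sample configuration (hypothetical names and DNs).
SERVERS = {
    "HQ": {"users_base_dn": "OU=Staff,DC=corp,DC=example",
           "groups_base_dn": "OU=Groups,DC=corp,DC=example"},
    "HQ-Sales": {"users_base_dn": "ou=Sales, OU=Staff, dc=corp, dc=example",
                 "groups_base_dn": "OU=SalesGroups,DC=corp,DC=example"},
    "Lab": {"users_base_dn": "OU=Staff,DC=lab,DC=example",
            "groups_base_dn": "OU=Groups,DC=lab,DC=example"},
}
```

Here the HQ and HQ-Sales entries overlap on Users Base DN, so a user under OU=Sales would be reachable through two AD Server sources.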
2. Add AD user or AD group
Once an AD server has been successfully authenticated, go to Management -> Settings -> Authentication to confirm that your AD Server has been added to Gateway. Then navigate to Management -> Users and click the Add AD User button at the top.
- Type: Selecting AD user authenticates an individual AD user and adds it to Splashtop Gateway. Selecting AD group allows bulk authentication of the members of that AD group. (Group members have to log in to the Gateway Web portal first before they are displayed in the user list.)
- AD Server: Select the AD server which contains the target AD user or group.
- Account: Enter the sAMAccountName@ADDomainName of the target AD user or group.
- Group: Choose the initial Splashtop group that the AD user or AD group will be placed in once added.
- Role: Choose Admin or Member to assign the access permissions that fit your needs.
- *SOS Technician: Enable the SOS on-demand support capability. (*Based on subscription plan)
- Verify: Check the availability of an AD user or group for authentication.
- Add: Add a validated AD user or group to the target group.
3. AD Group Members
A green user icon represents AD users or AD groups, as shown in the screenshot below. If an AD group has been added to Splashtop Gateway, its associated AD members have already been authenticated and are able to log in to Splashtop Gateway as well as the On-Prem app.
However, an AD user only shows up in AD Group Members after logging in to the Gateway portal or On-Prem app with his/her AD account at least once. You can still batch-configure the access permissions of a newly added AD group as a whole (e.g. AD group "123" in the screenshot below) beforehand. By contrast, an individual AD user added to Gateway is displayed immediately, and its properties can be modified right away.
Note: An AD group member authenticated via its parent AD group inherits the user role and access permissions of that group.
Configure the users in AD Group Members via the Gear button of an AD group.
All successfully authenticated AD users can log in to the On-Prem app with their AD credentials and start using the Splashtop remote service.