myCHQ.net - Forum
Author Topic: Using Active Directory with CHQ  (Read 1614 times)
Oliver Haskell
Administrator
« on: November 04, 2014, 10:21:04 AM »

CHQ offers the ability to use your school Active Directory to authenticate users, thereby removing the need to issue an extra set of user IDs and passwords.

When working with Active Directory, a user enters their user name and password on a school-specific CHQ login page, and these are sent to the school's A/D for authentication. If authentication fails then CHQ checks the credentials against its own database. If A/D authentication is successful, CHQ then queries the directory to find the user object and then reads an attribute which allows it to link the A/D user to a person known in CHQ. The attribute chosen usually contains a unique data item that is common to both the school MIS and (through the interface) CHQ.

Configuring CHQ to work with A/D involves configuring the correct DC IP address and port, telling it which part(s) of the directory hierarchy to search for the user, and identifying which attribute allows a match.
In addition, the school must allow incoming connections to the DC through their firewall.

If you wish to use A/D integration, please raise a support ticket to CHQ including the following information:

  • The public IP address or full domain name of your DC
  • The default domain to use
  • The full list of OU locations which should be included in the search for authenticated users
  • If you intend staff to be able to log in via AD, the user name and password of a member of staff to test with (it has to be a real account of someone known in CHQ)
  • If you intend students to be able to log in via AD, the user name and password of a student to test with (it has to be a real account of someone known in CHQ)
  • If you intend parents to be able to log in via AD, the user name and password of a parent to test with (it has to be a real account of someone known in CHQ)

Please open your firewall on ports 389 and 636 to forward to the DC (both TCP & UDP), for connections coming from seasia.mychq.net and from mychq.net (once testing is complete we will close unneeded ports again).

Armed with that information we will be able to look up the remaining information and configure CHQ accordingly.

There is no additional charge for using A/D integration with CHQ.

Please note that Active Directory authentication is only available when logging in on your school-specific CHQ log-in page. You will find a link to your log-in page on your School Configuration page in CHQ.

Troubleshooting a user who cannot log in with their AD credentials:
The most common reasons that a user cannot log in using their AD credentials include:
  • The user is not using the correct CHQ log-in page, or
  • The AD credentials being entered are not correct, or not correct for how the CHQ configuration is causing the authentication attempt to be performed, or
  • The AD user is not in the OU(s) that CHQ has been told to look in (see your school configuration page), or
  • The AD user does not have an attribute named as the CHQ configuration for the school specifies, or
  • The specified AD user attribute does not contain a value, or
  • The specified AD user attribute contains a value that is not found in the CHQ data for your school.

Are your users getting a message saying "LDAP server not available"? This error can be caused by internet connectivity issues or a firewall meaning that the LDAP server cannot be reached, or, if you are using port 636 with SSL, that the certificate could not be validated.
Please note that if you change your certificate on the AD server, you must inform CHQ Support so that the new certificate can be added to the trusted certificate list; if you do not do this, none of your AD users will be able to log into your CHQ site.
« Last Edit: September 01, 2017, 01:58:17 PM by Oliver Haskell »
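As an added example (not code from the original post or from CHQ), the PowerShell script below walks through the troubleshooting list above for one AD account from a domain-joined admin workstation with the ActiveDirectory module: whether the account sits under one of the OUs given to CHQ, whether the linking attribute is populated, and whether the DC answers on TCP 389 and 636. The DC host name, OU list and attribute name are placeholders; replace them with the values from your own School Configuration page.

```powershell
# Added example: local pre-flight checks for a CHQ/AD login problem. Not CHQ's own code.
# The three settings below are placeholders; use the values you gave CHQ Support.
Import-Module ActiveDirectory

$DcHost        = 'dc01.school.example'                  # placeholder DC host name
$SearchOUs     = @('OU=Staff,DC=school,DC=example',      # placeholder OUs CHQ was told to search
                   'OU=Students,DC=school,DC=example')
$LinkAttribute = 'employeeID'                            # placeholder linking attribute name
$UserName      = Read-Host 'sAMAccountName to check'

function Test-ChqAdUser {
    param($Sam, $OUs, $Attr)
    $user = Get-ADUser -Identity $Sam -Properties $Attr -ErrorAction SilentlyContinue
    if (-not $user) {
        return "FAIL: no AD account named '$Sam' (check the credentials being typed)"
    }
    # The account is outside every OU CHQ searches, so CHQ will never find the object.
    $inScope = $OUs | Where-Object { $user.DistinguishedName -like "*,$_" }
    if (-not $inScope) {
        return "FAIL: $($user.DistinguishedName) is not under any configured OU"
    }
    # The linking attribute is missing or empty, so CHQ has nothing to match on.
    $value = $user.$Attr
    if (-not $value -or "$value".Trim() -eq '') {
        return "FAIL: attribute '$Attr' is missing or empty on $Sam"
    }
    # Whether this value exists in the CHQ data for the school can only be checked in CHQ itself.
    return "OK: $Sam is in scope; '$Attr' = '$value' (confirm this value exists in CHQ)"
}

function Test-ChqDcPorts {
    param($DcHost)
    # Note: this only proves the DC listens from inside the network. The post requires
    # inbound access from CHQ's hosts, which your perimeter firewall decides separately.
    foreach ($port in 389, 636) {
        $r = Test-NetConnection -ComputerName $DcHost -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        "TCP $port on ${DcHost}: $state"
    }
}

Test-ChqAdUser -Sam $UserName -OUs $SearchOUs -Attr $LinkAttribute
Test-ChqDcPorts -DcHost $DcHost
```

If both checks pass and the user still cannot log in, the remaining causes from the list are the wrong CHQ log-in page or an attribute value not present in the school's CHQ data.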