Before you configure support for AD in HCP, you need to prepare AD for access by HCP. For instructions on doing this, see Configuring Active Directory to support HCP.
To enable and configure support for AD in HCP, on the Active Directory page:
1. Select one of these options:
o Active Directory with SSL — Enables both support for AD and secure communication with the AD
o Active Directory without SSL — Enables support for AD without enabling secure communication with the AD
With either of these options selected, the Active Directory page displays a Status section. This section contains alerts that report the status of various elements of HCP support for Active Directory. For descriptions of these alerts, see Active Directory page alerts.
2. If you selected the Active Directory with SSL option:
a. In the Certificates panel, click on the Browse button. Then select the file containing the AD SSL certificate.
b. Click on the Upload Certificate button.
The Certificates section shows the uploaded certificate.
Note: You can download or delete the uploaded certificate if needed. To download the certificate, click on the download control for it (
3. In the Configuration Settings section, select the Enable Active Directory option. Then:
o In the Domain field, type the fully qualified name of the AD domain in the AD forest that is to be used for HCP user authentication. All letters in this domain name must be uppercase.
o In the Domain User field, type the username of an existing AD user account in the applicable AD domain. Make sure the user account belongs to one or more groups that have the applicable permissions, as described earlier in this section.
If the username that you specify is not all lowercase, HCP converts it to all lowercase before passing it to AD.
o In the Password field, type the password that goes with the specified username. Passwords are case sensitive.
Note: HCP uses the password that you type only to authenticate the username with the AD server. To help maintain AD security, HCP discards both the username and password after you submit the page. If you’re modifying the AD configuration, you need to specify the password again.
o Optionally, to specify an organizational unit and computer account other than the defaults and to use NTLMv2 instead of NTLM, click on the Advanced Configuration link. Then:
– In the Organizational Unit field, type the distinguished name of the existing organizational unit in which you want the HCP computer accounts to be created. This is the distinguished name relative to the AD domain (for example, OU=HCP, OU=Storage). Do not include the domain name elements.
– In the HCP Computer Account field, type the name of the computer account that HCP will use when querying AD for groups. This can be the name of an existing account in the specified organizational unit or the name of a new account to be created automatically in that organizational unit.
For a new computer account, the name must be from one through 64 characters long, can contain only alphanumeric characters and hyphens (-), and cannot consist only of digits.
If a computer account with the specified name already exists in a different organizational unit in the same Active Directory domain, the request to configure Active Directory support will fail.
– Optionally, to specify how the HCP computer account obtains permissions, do either of these:
• If you created an AD group as described in Create an AD group, select Add HCP Computer Account to groups of Domain User. This allows the HCP Computer account to inherit the permissions associated with the specified domain user.
• If you did not create an AD group, deselect Add HCP Computer Account to groups of Domain User. This prevents the HCP Computer account from inheriting the permissions associated with the specified domain user. If this checkbox is deselected, appropriate permissions need to be manually assigned to the HCP Computer account.
– Optionally, deselect the Use NTLMv2 authentication option to use NTLM for secure communication with AD when configuring the computer accounts for the HCP nodes. In release 7.2.1 of HCP or later, new AD connections are created with the Use NTLMv2 authentication option enabled.
– Optionally, select the Non-Hierarchical Realm Configuration option if you have multiple trees in your Active Directory forest. This permits authentication from any domain in the forest and is necessary if the trees have different domain names.
– In the Single Sign-On Support field, select how much control you want HCP to have over generating Service Principal Names (SPNs) for tenants and namespaces. The possible values are:
• None — HCP does not generate SPNs for new tenants and namespaces, and there are no warnings if SPNs are missing
• Warning — HCP does not create SPNs for new tenants and namespaces, but it does warn you if they are missing
• Full — HCP creates SPNs for new tenants and namespaces and warns you if SPNs are missing
SPNs are used for Single Sign-on. If you're not using SSO, there is no need to have HCP create SPNs.
– In the Trusted Forests field, type a comma-separated list of the root domains of all trusted forests. This permits the HCP Computer Account to authenticate with multiple forests.
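The field rules given in step 3 (uppercase Domain, lowercased Domain User, an Organizational Unit relative to the domain with no domain name elements, the length and character rules for a new HCP Computer Account, the three Single Sign-On Support values, and the comma-separated Trusted Forests list), collected into a pre-flight check that can be run before the page is submitted. This is an added example, not HCP code or part of the original procedure; the dictionary keys are this example's own names, not HCP identifiers, and the sample values are constructed.

```python
"""Pre-flight checks for the Configuration Settings fields described in step 3.
Added example, not HCP code: it encodes the field rules the procedure states
so that values can be checked before the page is submitted.  The dict keys
(domain, domain_user, ...) are this example's own names, not HCP identifiers."""
import re
from typing import Dict, List, Tuple

# New HCP computer account names: 1-64 characters, alphanumerics and hyphens only.
COMPUTER_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")
DOMAIN_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")
SSO_VALUES = ("None", "Warning", "Full")


def is_fqdn(name: str) -> bool:
    """Fully qualified name: at least two dot-separated DNS labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(DOMAIN_LABEL_RE.match(label) for label in labels)


def check_domain(domain: str) -> List[str]:
    """The AD domain must be fully qualified and entirely uppercase."""
    errors = []
    if not is_fqdn(domain):
        errors.append("Domain must be a fully qualified AD domain name")
    if domain != domain.upper():
        errors.append("Domain must be all uppercase")
    return errors


def normalize_domain_user(user: str) -> str:
    """HCP lowercases the username before passing it to AD, so compare
    against the lowercased form when matching it to the AD account."""
    return user.lower()


def check_organizational_unit(ou: str) -> List[str]:
    """Distinguished name relative to the domain, e.g. 'OU=HCP, OU=Storage';
    the domain's own DC= elements must not be included.  Empty means default."""
    errors = []
    for rdn in (part.strip() for part in ou.split(",") if part.strip()):
        attr, sep, value = rdn.partition("=")
        if not sep or not value.strip():
            errors.append(f"Malformed OU component: {rdn!r}")
        elif attr.strip().upper() == "DC":
            errors.append("Organizational Unit must not include domain name (DC=) elements")
    return errors


def check_computer_account(name: str) -> List[str]:
    """Rules the page gives for a new computer account; empty means default."""
    errors = []
    if not name:
        return errors
    if not COMPUTER_ACCOUNT_RE.match(name):
        errors.append("HCP Computer Account must be 1-64 alphanumeric or hyphen characters")
    if name.isdigit():
        errors.append("HCP Computer Account cannot consist only of digits")
    return errors


def parse_trusted_forests(value: str) -> Tuple[List[str], List[str]]:
    """Comma-separated root domains of trusted forests -> (forests, errors)."""
    forests = [f.strip() for f in value.split(",") if f.strip()]
    errors = [f"Trusted forest {f!r} is not a fully qualified domain name"
              for f in forests if not is_fqdn(f)]
    return forests, errors


def validate_ad_settings(settings: Dict[str, object]) -> List[str]:
    """Return every problem found; an empty list means the values pass."""
    errors = check_domain(str(settings.get("domain", "")))
    if not settings.get("domain_user"):
        errors.append("Domain User is required")
    if not settings.get("password"):
        # HCP discards the password after submission, so it must be re-entered
        # every time the AD configuration is modified.
        errors.append("Password is required")
    errors += check_organizational_unit(str(settings.get("organizational_unit", "")))
    errors += check_computer_account(str(settings.get("hcp_computer_account", "")))
    if settings.get("sso_support", "None") not in SSO_VALUES:
        errors.append("Single Sign-On Support must be one of None, Warning, Full")
    errors += parse_trusted_forests(str(settings.get("trusted_forests", "")))[1]
    return errors


# Constructed sample values (not from a real deployment).
SAMPLE_SETTINGS = {
    "domain": "CORP.EXAMPLE.COM",
    "domain_user": "HCP-Svc",          # HCP will pass this to AD as 'hcp-svc'
    "password": "placeholder-password",
    "organizational_unit": "OU=HCP, OU=Storage",
    "hcp_computer_account": "hcp-cluster01",
    "use_ntlmv2": True,                 # default for new connections in HCP 7.2.1+
    "sso_support": "Warning",
    "trusted_forests": "partner.example.net, lab.example.org",
}

if __name__ == "__main__":
    problems = validate_ad_settings(SAMPLE_SETTINGS)
    print("OK" if not problems else "\n".join(problems))
```

Running the script with the constructed values prints OK; changing the domain to lowercase, or giving a computer account name such as 12345, produces the corresponding error instead, which is the same rejection the page describes for the submitted form.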
4. Click on the Update Settings button.
This update may take a few minutes to finish.
5. Optionally, in the Domain Filtering panel, click on the Add New Domain button. Then:
o In the Domain Name field, type the name of the domain.
o In the Domain Controllers field, type the name of the domain controller or controllers.
o Click on the Add Domain button.
o Optionally, to associate another domain controller with a domain:
1. Select an existing domain from the table in the Domain Filtering panel.
Once you have selected an existing domain, the Add New Domain Controllers button appears.
2. In the Domain Controllers field, type the name of the domain controller or a comma-separated list of controllers.
3. Click on the Add New Domain Controllers button.
Note: Domain controller filters are always added as a pairing of a domain and a domain controller or controllers. Each time you add one of these filters to the domain controller filter list, a one-time validation occurs. If a domain or domain controller fails the validation process, the filter is not added to the domain controller filter list. You can also manually invoke validation on the domain controller filter's entries by clicking on the Validate button.
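The pairing and validation rule from the note above, as an added example that is not HCP code: a filter is one domain paired with one or more controllers taken from the comma-separated field, it is stored only if every controller passes the one-time validation, and the Validate button re-runs the check over the stored entries. The page does not say what HCP's validation checks, so the default DNS-resolution validator here and the table of known controllers used by the demo are this example's own assumptions, with constructed names.

```python
"""Model of the Domain Filtering list from step 5: each filter is a pairing
of one domain with one or more domain controllers, validated once when it is
added and again on demand.  Added example, not HCP code; HCP's own validation
procedure is not described on the page, so the default check here (DNS
resolution of each controller name) is an assumption."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A validator answers: does this (domain, controller) pairing pass?
Validator = Callable[[str, str], bool]


def dns_resolves(domain: str, controller: str) -> bool:
    """Default validator (an assumption of this example): the controller
    name must resolve in DNS."""
    try:
        socket.getaddrinfo(controller, 389)
        return True
    except socket.gaierror:
        return False


def parse_controllers(value: str) -> List[str]:
    """Split the Domain Controllers field (one name or a comma-separated list),
    trimming whitespace, lowercasing and dropping duplicates in order."""
    controllers: List[str] = []
    for name in (part.strip().lower() for part in value.split(",")):
        if name and name not in controllers:
            controllers.append(name)
    return controllers


@dataclass
class DomainFilterList:
    validate: Validator = dns_resolves
    filters: Dict[str, List[str]] = field(default_factory=dict)
    rejected: List[Tuple[str, str]] = field(default_factory=list)

    def add(self, domain: str, controllers_field: str) -> bool:
        """Add New Domain / Add New Domain Controllers: the pairing is stored
        only if every named controller passes the one-time validation."""
        domain = domain.strip().lower()
        controllers = parse_controllers(controllers_field)
        if not domain or not controllers:
            return False
        failed = [c for c in controllers if not self.validate(domain, c)]
        if failed:
            self.rejected.extend((domain, c) for c in failed)
            return False
        existing = self.filters.setdefault(domain, [])
        existing.extend(c for c in controllers if c not in existing)
        return True

    def revalidate(self) -> Dict[str, List[str]]:
        """The Validate button: re-check every stored pairing and report, per
        domain, the controllers that no longer pass."""
        return {domain: [c for c in controllers if not self.validate(domain, c)]
                for domain, controllers in self.filters.items()}


# Constructed stand-in for the directory: the pairings that would validate.
KNOWN_CONTROLLERS = {
    ("corp.example.com", "dc1.corp.example.com"),
    ("corp.example.com", "dc2.corp.example.com"),
    ("lab.example.org", "dc1.lab.example.org"),
}


def table_validator(domain: str, controller: str) -> bool:
    """Offline validator used by the demo instead of DNS."""
    return (domain, controller) in KNOWN_CONTROLLERS


def demo() -> DomainFilterList:
    """Walk through step 5 with the constructed validator."""
    dfl = DomainFilterList(validate=table_validator)
    dfl.add("corp.example.com", "dc1.corp.example.com")
    # A second controller associated with the existing domain (duplicate ignored).
    dfl.add("corp.example.com", "DC2.corp.example.com, dc2.corp.example.com")
    # One unknown controller fails validation, so the whole filter is not added.
    dfl.add("lab.example.org", "dc1.lab.example.org, dc9.lab.example.org")
    return dfl


if __name__ == "__main__":
    result = demo()
    print("filters:", result.filters)
    print("rejected:", result.rejected)
```

The all-or-nothing behaviour in `add` is the point to notice: a single controller name that fails validation keeps the entire domain pairing out of the list, so a typo in a comma-separated list is reported as a rejected filter rather than as a partially added one.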
© 2017 Hitachi Data Systems Corporation. All rights reserved.