63346: Acronis Cyber Cloud: integration with Active Directory


This feature enables Partner tenant administrators to provision user accounts automatically in Acronis Cyber Cloud tenants. Also, it enables users to log in to their Acronis Cyber Cloud accounts by using their Active Directory (AD) credentials.

There are two possible destinations where you can sync your Active Directory accounts:

  • In a Partner-type tenant.
  • In a Customer-type tenant below your Partner-type tenant.

In a Partner tenant, you can provision:

  • User accounts with administrative functions only (Partner administrators).

In a Customer tenant, you can provision:

  • User accounts with access to different services (for example, Sync & Share, Backup).
  • User accounts with administrative functions (Customer administrators).

You can sync accounts from your Active Directory to one or more Customer-type tenants.

Solution overview

AD integration allows you to provision user accounts in your Acronis Cyber Cloud tenant by syncing those accounts from your Active Directory. To do so, you have to install a software component, called AD Connector, on a machine with a reliable connection to your Domain controller. AD Connector allows Active Directory to be registered as an external Identity Provider (IdP) for the specific Acronis Cyber Cloud Partner tenant.

Active Directory users can have different roles in Acronis Cyber Cloud (for example, users of the Backup service, users of the Sync & Share service, or users with administrative functions). These roles are defined in a special file, called mapping.yaml. Your Active Directory administrator has to edit this file manually, in order to assign which Active Directory accounts should be synced to Acronis Cyber Cloud, and with what roles.

Finally, you can install Backup agents for all the synced user accounts, by using an Active Directory policy.

The AD Connector can be configured by your Managed Service Provider (MSP) only.

Prerequisites

To integrate Active Directory with an Acronis Cyber Cloud tenant, you need:

  • A branded URL for your Partner tenant.
  • Access to a machine in the desired domain where the AD Connector will be installed. All users must also have network connectivity to the AD connector.
  • An SSL certificate.
  • Appropriate tenant structure (Partner+Customer tenants).

Arranging the tenant structure for AD integration

These steps are carried out by the MSP.

1. Create a Partner-type tenant for your current Customer tenant. For more information on creating tenants, refer to this topic.

The new Partner tenant MUST use exactly the same storage as the service provider who created it.

2. Configure a branded URL and authentication URL, specified by the customer, for the newly created Partner tenant. To do so:

  1. Ask your DNS registrar to set up a CNAME record to resolve your desired domain name (for example, cloud.mycompany.com) into the respective Acronis domain name, according to the data center where your account is located. For more information, refer to this KB article.
  2. Prepare your SSL certificate (full chain) and private key for the desired domain name.
  3. Contact Acronis Customer Central to set up the branded and the authentication URLs, and to enable third-party IdP support for the newly created Partner tenant.

The authentication URL could be, for example: cloud.mycompany.com/login or login.cloud.mycompany.com
Ensure that this URL is publicly accessible so that Active Directory users can authenticate to the Acronis Cyber Cloud tenant.

3. If needed, configure the customized web UI for the newly created Partner tenant. For more information on how to do it, refer to this topic.

4. Move the existing Customer tenant to the newly created Partner tenant. For more information on how to do it, refer to this topic.

5. Request remote connection access to your customer’s Active Directory, in order to install and configure the AD Connector for them.

6. Ensure that you have access to the mapping.yaml file prepared by the AD administrator. For instructions on how to prepare the mapping.yaml file, refer to the Creating a mapping.yaml file section below.

In the current version, Active Directory integration can only be used with a Partner-Customer tenant structure. Creating and using this structure is subject to the contractual relationship between the Acronis Cyber Cloud service provider and their customers.

Installing the AD Connector

These steps are carried out by the MSP.

1. Provide yourself with the AD Connector installation file by requesting it at earlyadopters@acronis.com.

2. Log in as administrator on a machine in the client’s desired domain and run the installation file. Select where the AD Connector should be installed. The default path is C:\Program Files\Acronis\AuthConnector\

The AD Connector has to be installed on a machine within your Active Directory domain with a reliable connection to the Domain controller.

3. After successful installation, the destination folder will contain the auth-connector.exe, creating-mapping-yaml, and owners_example.csv files, and the scripts folder.

Creating a mapping.yaml file

These steps are carried out by the Active Directory administrator.

You define how the Active Directory accounts are synced to Acronis Cyber Cloud in the mapping.yaml file. You can use the mapping_example.yaml file provided with the AD connector installation, edit the parameters in it, and then rename it to mapping.yaml.

Specify the following in the mapping.yaml file:

1. All the distinguished names (DNs) to be synced to Acronis Cyber Cloud.

You can only sync organizational units (OU) or individual users (CN).
All the accounts that you want to sync from the Active Directory to Acronis Cyber Cloud, must be active users in a single AD domain.

2. The Acronis Cyber Cloud UUID where the Active Directory accounts will be synced.

3. Desired syncing type: all-users (all descendant objects in the OU) or direct users (only child objects).

4. Acronis Cyber Cloud roles for the synced user accounts. You can select roles either for the whole tenant, or for specific units in this tenant, if they already exist.

All the possible roles are:

  • Customer tenant: company_admin, readonly_admin, backup_user, sync_share_admin, sync_share_user, notary_admin, notary_user
  • Unit tenant: unit_admin, readonly_admin, backup_user, sync_share_user, notary_admin, notary_user

You can configure mapping for all users (common in the mapping.yaml file), as well as for individual users (custom user in the mapping.yaml file).

For example, if you want all the users in an Organizational unit to have only Sync & Share access in Acronis Cyber Cloud, you have to define sync_share_user as their role in the mapping.yaml file.

If you want the Active Directory user Jane Doe to be your tenant administrator, to have Sync & Share access and to manage other users’ Sync & Share access, you should select company_admin, sync_share_admin, sync_share_user as her roles.

If you also want your Active Directory users to access other Acronis Cyber Cloud services, such as Backup or Notary, you have to add the respective roles.

5. Syncing period (in minutes). You can omit this field or set its value to 0. If this value is 0, this mapping will be only saved – but not processed – until further explicit request.

For example, you can edit your mapping.yaml in this manner (the indentation below is the YAML structure of one entry: a list item holding the dns list and the other keys):

- dns:
    - OU=Internal Users,OU=Accounts and Groups,DC=domain,DC=com
    - CN=John Doe,OU=First Division,OU=Internal Users,OU=Accounts and Groups,DC=domain,DC=com
  tenantID: c8495bc2-****-4862-97af-334*******3f
  syncType: all-users
  syncRoles: [ sync_share_user ]
  periodInMinutes: 60

You can find all configuration options in the mapping_example.yaml file.
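The rules above (only OU or CN entries, a single AD domain, a tenant UUID, a known sync type, roles that exist for the tenant type, a non-negative period) are easy to get wrong by hand, and the connector only reports problems at the next sync. The following validator is an added example, not part of the AD Connector: the role names, the all-users sync type and the DN rules are taken from this article; the function names, the sample entries, the placeholder tenant UUID and the "direct-users" spelling of the second sync type (the article writes "direct users") are my assumptions. Loading the real file needs PyYAML, which is also assumed.

```python
"""Check mapping.yaml entries against the rules stated in the article."""
import re

# Roles the article lists for each tenant type.
CUSTOMER_ROLES = {"company_admin", "readonly_admin", "backup_user",
                  "sync_share_admin", "sync_share_user", "notary_admin", "notary_user"}
UNIT_ROLES = {"unit_admin", "readonly_admin", "backup_user",
              "sync_share_user", "notary_admin", "notary_user"}
# "all-users" is from the article; "direct-users" is an assumed spelling of
# the second type the article calls "direct users".
SYNC_TYPES = {"all-users", "direct-users"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def dn_domain(dn):
    """Return the DNS domain spelled by the DC= components, lower-cased."""
    dcs = [r.split("=", 1)[1] for r in split_rdns(dn) if r.upper().startswith("DC=")]
    return ".".join(dcs).lower()


def check_dn(dn):
    """Only OU or CN entries can be synced, and each DN needs DC components."""
    first = split_rdns(dn)[0].split("=", 1)[0].strip().upper()
    if first not in ("OU", "CN"):
        return f"{dn}: only organizational units (OU) or users (CN) can be synced"
    if not dn_domain(dn):
        return f"{dn}: no DC components, domain cannot be determined"
    return None


def validate_entry(entry, tenant_kind="customer"):
    """Return a list of problems for one mapping entry (empty list = valid)."""
    problems = []
    dns = entry.get("dns") or []
    if not dns:
        problems.append("dns: at least one distinguished name is required")
    domains = set()
    for dn in dns:
        err = check_dn(dn)
        if err:
            problems.append(err)
        else:
            domains.add(dn_domain(dn))
    if len(domains) > 1:  # the article requires a single AD domain
        problems.append(f"dns: entries span several domains {sorted(domains)}")
    if not UUID_RE.match(str(entry.get("tenantID", "")).lower()):
        problems.append("tenantID: not a UUID")
    if entry.get("syncType") not in SYNC_TYPES:
        problems.append(f"syncType: expected one of {sorted(SYNC_TYPES)}")
    allowed = CUSTOMER_ROLES if tenant_kind == "customer" else UNIT_ROLES
    roles = entry.get("syncRoles") or []
    if not roles:
        problems.append("syncRoles: at least one role is required")
    for role in roles:
        if role not in allowed:
            problems.append(f"syncRoles: {role!r} is not a {tenant_kind} tenant role")
    period = entry.get("periodInMinutes", 0)  # omitted or 0 = saved, not processed
    if isinstance(period, bool) or not isinstance(period, int) or period < 0:
        problems.append("periodInMinutes: must be a non-negative integer")
    return problems


def validate_mapping(entries, tenant_kind="customer"):
    """Validate a whole mapping.yaml (a list of entries); returns {index: problems}."""
    return {i: p for i, e in enumerate(entries) if (p := validate_entry(e, tenant_kind))}


def load_and_validate(path, tenant_kind="customer"):
    """Real-file variant: needs PyYAML (assumed installed)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return validate_mapping(yaml.safe_load(fh), tenant_kind)


# Constructed samples: the article's DNs with a placeholder tenant UUID,
# and a deliberately broken entry.
GOOD_ENTRY = {
    "dns": ["OU=Internal Users,OU=Accounts and Groups,DC=domain,DC=com",
            "CN=John Doe,OU=First Division,OU=Internal Users,OU=Accounts and Groups,DC=domain,DC=com"],
    "tenantID": "c8495bc2-1111-4862-97af-33400000003f",  # placeholder, not a real tenant
    "syncType": "all-users",
    "syncRoles": ["sync_share_user"],
    "periodInMinutes": 60,
}
BAD_ENTRY = {
    "dns": ["DC=domain,DC=com"],        # a whole domain is neither an OU nor a CN
    "tenantID": "not-a-uuid",
    "syncType": "everyone",
    "syncRoles": ["company_admin"],     # not a unit tenant role
    "periodInMinutes": -5,
}

if __name__ == "__main__":
    for index, problems in validate_mapping([GOOD_ENTRY, BAD_ENTRY], "unit").items():
        print(f"entry {index}:", *problems, sep="\n  ")
```

Run it against the real file with `load_and_validate("mapping.yaml")` before step 3 of "Running the AD Connector"; an entry that spans two domains or names a unit-only role in a customer tenant is caught here instead of after the first sync interval.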

Running the AD Connector

These steps are carried out by the MSP.

1. Copy your SSL certificate and private key into the AuthConnector folder, either under their own names or under the default names cert.pem and key.pem.

In rare cases, if needed, you can also create and use self-signed certificates. This option is intended mainly for testing purposes and it is highly recommended to avoid using it.

Certs command options:
/c, /cert – Path to the certificate file (default: cert.pem)
/k, /key – Path to the key file (default: key.pem)
/n, /hostname – Hostname to use in certificate
/s, /subject – Certificate subject distinguished name (default: /C=CH/ST=Schaffhausen/L=Switzerland/O=Acronis/OU=AcronisBackup/CN=AuthConnector)
/i, /issuer – Certificate issuer distinguished name (default: /C=CH/ST=Schaffhausen/L=Switzerland/O=Acronis/OU=AcronisBackup/CN=AuthConnector)

You can see all commands and their options by running auth-connector.exe with the /help option.

For example:
cd C:\Program Files\Acronis\AuthConnector
auth-connector.exe /help

2. Run the register command to register auth-connector as an external Identity Provider (IdP) for the Partner tenant in Acronis Cyber Cloud.

In this command, you must use your Partner administrator username and password, and your Partner tenant UUID.

For example:
auth-connector.exe register /a eu2-cloud.acronis.com /u TenantAdmin /p ********** /t 20d4a3b6-c***-441f-b714-5c6ff7293e01 /d mydomain.mycompany.com /i https://cloud.mycompany.com /k

Register command options
/a, /address – Acronis Cyber Cloud address (default: mc-cloud.acronis.com)
/u, /username – Username of the Acronis Cyber Cloud Partner tenant administrator
/p, /password – User password of the Acronis Cyber Cloud Partner tenant administrator
/t, /tenant_uuid – Partner tenant UUID for which the external IdP will be configured
/d, /domain – Active Directory domain
/remote_ad – Use the local Active Directory connection (without credentials)
/i, /idp_address – External AD Connector address where the login page will be accessible for users
/L, /listen – Auth connector bind address (default: 0.0.0.0:443)
/C, /ssl_cert – SSL certificate to use, PEM format (default: cert.pem)
/K, /ssl_key – SSL private key to use, PEM format (default: key.pem)
/skip_idp_validate – Skip validation of the IdP address (this can help if the DNS address could not be resolved from the machine where AD Connector is running).

3. At the command prompt, navigate to the AD Connector installation folder and run the auth-connector.exe with the mapping command to create mapping configuration from the mapping.yaml file.

For example:
cd C:\Program Files\Acronis\AuthConnector
auth-connector.exe mapping /k /c auth-connector.json5 /m mapping.yaml

Mapping command options
/c, /config – Path to configuration file (default: auth-connector.json5)
/m, /mapping – Path to mapping configuration file (default: mapping.yaml)

4. Run the service command to start auth-connector as a Windows service.

Service command options
/c, /config – Path to configuration files (default: auth-connector.json5)

Syncing is now set up. It will repeat after the interval specified in the mapping.yaml file.

After the successful registration of the AD connector, all Active Directory accounts will be synced to the Acronis Cyber Cloud tenant. To log in to Acronis Cyber Cloud, these users see a login page and they have to use their company’s Active Directory credentials.

The Files Cloud users must update their Desktop clients in order to use the new authentication flow.

Configure account sync on a customer level

Syncing user accounts and roles

When you use Acronis Cyber Cloud with AD integration, all accounts have to be created and managed via Active Directory and the mapping.yaml file.
Acronis Cyber Cloud users can have one or more roles set in the mapping.yaml file. Every change in their account (for example, disabling it) or their roles (adding or removing one) is synced after the interval, defined in the mapping.yaml file.

If you need it, you can sync your Active Directory immediately. For more information, refer to Running the AD Connector.

The syncing rules for user accounts

The user does not exist in Acronis Cyber Cloud:

  • The user exists both in AD and in mapping.yaml: a new Acronis Cyber Cloud account is provisioned.
  • The user exists in AD but does not exist in mapping.yaml: no action. No account is provisioned.
  • The user was disabled/deleted in AD: no action. No account is provisioned.

The user exists in Acronis Cyber Cloud:

  • The user exists both in AD and in mapping.yaml: no action. The account is active.
  • The user exists in AD but does not exist in mapping.yaml: the account in Acronis Cyber Cloud becomes disabled.
  • The user was disabled/deleted in AD: the account in Acronis Cyber Cloud becomes disabled.

The user was disabled/deleted in Acronis Cyber Cloud:

  • The user exists both in AD and in mapping.yaml: a new account is provisioned, if it was deleted. The account is enabled again, if it was disabled.
  • The user exists in AD but does not exist in mapping.yaml: no action. The account in Acronis Cyber Cloud stays disabled/deleted.
  • The user was disabled/deleted in AD: no action. The account in Acronis Cyber Cloud stays disabled/deleted.

If you want to delete permanently Acronis Cyber Cloud accounts that have already been disabled, you need to use the Management Portal as the tenant administrator.

The syncing rules for roles

The user does not exist in Acronis Cyber Cloud:

  • The user exists both in AD and in mapping.yaml, and the role exists in mapping.yaml: a new Acronis Cyber Cloud account is provisioned with the role(s) set in mapping.yaml.
  • The user exists both in AD and in mapping.yaml, but the role in mapping.yaml has changed since the last sync: a missing role becomes disabled in Acronis Cyber Cloud; a newly added role becomes active in Acronis Cyber Cloud.
  • The user was disabled/deleted in AD: N/A, no account is provisioned.

The user exists in Acronis Cyber Cloud:

  • The user exists both in AD and in mapping.yaml, and the role exists in mapping.yaml: the account is active with the role(s) set in mapping.yaml.
  • The user exists both in AD and in mapping.yaml, but the role in mapping.yaml has changed since the last sync: a missing role becomes disabled in Acronis Cyber Cloud; a newly added role becomes active in Acronis Cyber Cloud.
  • The user was disabled/deleted in AD: N/A, the account becomes disabled.

The user was disabled/deleted in Acronis Cyber Cloud:

  • The user exists both in AD and in mapping.yaml, and the role exists in mapping.yaml: a newly provisioned or re-enabled account has the role(s) set in mapping.yaml.
  • The user exists both in AD and in mapping.yaml, but the role in mapping.yaml has changed since the last sync: a newly provisioned or re-enabled account has the role(s) set in mapping.yaml.
  • The user was disabled/deleted in AD: N/A, the account in Acronis Cyber Cloud stays disabled/deleted.
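The two rule tables above (accounts and roles) together define what one sync pass does to each user. The following is an added example that encodes those rules as a reconciliation plan, so an administrator can predict the outcome of a change to Active Directory or mapping.yaml before the next interval. It is not AD Connector code: the state names, the plan_* and reconcile functions and the sample AD, mapping and cloud snapshots are my own constructions; the decisions themselves follow the tables row by row.

```python
"""Predict what one sync pass does, following the article's rule tables."""

# Cloud-side account states used below (names are my own).
ABSENT, ACTIVE, DISABLED, DELETED = "absent", "active", "disabled", "deleted"


def plan_account(in_ad, in_mapping, cloud_state):
    """Account rule table: in_ad = active user in AD (False if disabled/deleted),
    in_mapping = covered by a mapping.yaml entry, cloud_state = current state in
    Acronis Cyber Cloud. Returns provision / enable / disable / none."""
    wanted = in_ad and in_mapping
    if cloud_state == ABSENT:
        return "provision" if wanted else "none"
    if cloud_state == ACTIVE:
        # Not in mapping.yaml or disabled/deleted in AD: the account becomes disabled.
        return "none" if wanted else "disable"
    # Disabled or deleted in the cloud: only a wanted user comes back.
    if not wanted:
        return "none"
    return "provision" if cloud_state == DELETED else "enable"


def plan_roles(current_roles, mapped_roles):
    """Role rule table for an active account: roles missing from mapping.yaml
    become disabled, newly added roles become active."""
    current, mapped = set(current_roles), set(mapped_roles)
    return {"enable": sorted(mapped - current), "disable": sorted(current - mapped)}


def plan_user(in_ad, in_mapping, cloud_state, current_roles, mapped_roles):
    """Combine both tables for one user: (account action, role changes)."""
    action = plan_account(in_ad, in_mapping, cloud_state)
    no_roles = {"enable": [], "disable": []}
    if action == "provision":
        # A newly provisioned account simply gets the roles set in mapping.yaml.
        return action, {"enable": sorted(set(mapped_roles)), "disable": []}
    if action == "enable" or (action == "none" and cloud_state == ACTIVE):
        # Active or re-enabled account: reconcile against mapping.yaml.
        return action, plan_roles(current_roles, mapped_roles)
    # Disabling, or leaving a disabled/deleted/absent account alone: N/A.
    return action, no_roles


def reconcile(ad_users, mapping, cloud):
    """ad_users: {login: is_active}; mapping: {login: [roles]};
    cloud: {login: (state, [roles])}. Returns {login: (action, role changes)}."""
    plan = {}
    for login in sorted(set(ad_users) | set(mapping) | set(cloud)):
        state, roles = cloud.get(login, (ABSENT, []))
        plan[login] = plan_user(ad_users.get(login, False), login in mapping,
                                state, roles, mapping.get(login, []))
    return plan


# Constructed snapshot: sam.ng was disabled in AD, pat.li was dropped from
# mapping.yaml, john.doe is new, old.user is already disabled in the cloud.
AD_SAMPLE = {"jane.doe": True, "john.doe": True, "sam.ng": False, "pat.li": True}
MAPPING_SAMPLE = {
    "jane.doe": ["company_admin", "sync_share_admin", "sync_share_user"],
    "john.doe": ["sync_share_user"],
    "sam.ng": ["backup_user"],
}
CLOUD_SAMPLE = {
    "jane.doe": (ACTIVE, ["sync_share_user"]),
    "sam.ng": (ACTIVE, ["backup_user"]),
    "pat.li": (ACTIVE, ["backup_user"]),
    "old.user": (DISABLED, []),
}

if __name__ == "__main__":
    for login, (action, roles) in reconcile(AD_SAMPLE, MAPPING_SAMPLE, CLOUD_SAMPLE).items():
        print(f"{login:10} {action:10} +{roles['enable']} -{roles['disable']}")
```

Two consequences of the tables are visible in the sample: removing a user from mapping.yaml disables the cloud account just as disabling the AD account does, and a disabled cloud account is never re-enabled by the sync unless the user is both active in AD and present in mapping.yaml.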

Configure account sync on a partner level

Active Directory accounts can be synced to a Partner-type tenant as well.
However, the accounts synced to a Partner-type tenant are only administrative. Users with such accounts don’t have access to all the Acronis Cyber Cloud services, for example Sync & Share.

Acronis Cyber Backup specific cases: Bulk installing of agents by using AD policy

In order to bulk install Acronis Backup desktop clients for your AD users, you have to match these users with their local computers. To do so, you can use the owners_example.csv file provided with the AD connector installation, edit it, and then rename it to owners.csv.

Each line has the syntax:
<user login>, <fully qualified domain name of the machine the user logs on to>
For example:
john.doe, johnd-B4n.mydomain.com
john.doe, johnd-B5n.mydomain.com
jane.doe, janed-B10n.mydomain.com

You can find more examples in the owners_example.csv file.
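Because machine2tenant issues a registration token per tenant from this file, a malformed owners.csv (a machine outside the domain, or one machine listed under two users) is worth catching before step 2 below. The parser that follows is an added example, not part of the AD Connector: the file format is the two-column one shown above, while the checks (domain suffix, plain login without a domain prefix, one owner per machine) and the constructed sample lines, which extend the article's three lines with two bad ones, are my own assumptions.

```python
"""Parse and sanity-check an owners.csv mapping of user logins to machine FQDNs."""
import csv
import io
from collections import defaultdict


def parse_owners(text, domain):
    """Return ({login: [fqdn, ...]}, [problems]) for owners.csv content.

    A user may own several machines (the article's john.doe example), but the
    checks below flag a machine that appears under two different users, a
    machine outside the given AD domain, and a login written with a domain
    prefix or suffix instead of the plain AD login."""
    owners = defaultdict(list)
    problems = []
    owner_of = {}  # fqdn -> first login seen, to detect conflicting ownership
    suffix = "." + domain.lower().strip(".")
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not "".join(row).strip():
            continue  # blank line
        if len(row) != 2:
            problems.append(f"line {lineno}: expected '<user login>, <machine FQDN>'")
            continue
        login, fqdn = row[0].strip(), row[1].strip().lower()
        if "\\" in login or "@" in login:
            problems.append(f"line {lineno}: use the plain AD login, not {login!r}")
        if not fqdn.endswith(suffix):
            problems.append(f"line {lineno}: {fqdn} is not in the {domain} domain")
        if owner_of.setdefault(fqdn, login) != login:
            problems.append(f"line {lineno}: {fqdn} is already assigned to {owner_of[fqdn]}")
        owners[login].append(fqdn)
    return dict(owners), problems


# Constructed sample: the article's three lines plus two deliberately bad ones.
SAMPLE_CSV = """\
john.doe, johnd-B4n.mydomain.com
john.doe, johnd-B5n.mydomain.com
jane.doe, janed-B10n.mydomain.com
jane.doe, johnd-B4n.mydomain.com
bob, bob-pc.otherdomain.com
"""

if __name__ == "__main__":
    owners, problems = parse_owners(SAMPLE_CSV, "mydomain.com")
    for login, machines in owners.items():
        print(login, "->", ", ".join(machines))
    print(*problems, sep="\n")
```

Run it on the real file with `parse_owners(open("owners.csv").read(), "mydomain.com")`; the returned dictionary is also a convenient inventory of which machines the GPO deployment in steps 6 to 17 will touch.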

You also have to provide yourself with the Backup_Agent_for_Windows_x64.exe installation file by requesting it at earlyadopters@acronis.com.

1. Log on as an administrator on the machine that has AD Connector installed.

2. At the command prompt, navigate to the AD Connector installation folder and run the auth-connector.exe machine2tenant command to map the users’ machines according to the owners.csv file.

For example,
cd C:\Program Files\Acronis\AuthConnector
auth-connector.exe machine2tenant /k /c auth-connector.json5 /u TenantAdmin /p ********* /t 326656de-***2-451e-b497-f*******a86c /e 12m /m owners.csv /o registration.json

Machine2tenant command options:
/c, /config – Path to the configuration file (default: auth-connector.json5)
/u, /username – Username of the Acronis Cyber Cloud Partner tenant administrator
/p, /password – Password of the Acronis Cyber Cloud Partner tenant administrator
/t, /tenant_uuid – Customer tenant UUID for which a registration token is going to be provided
/e, /expiration – Token expiration time, examples: 1h (1 hour), 2d (2 days), 3m (3 months)
/m, /mapping – Mapping CSV file containing [user login; machine FQDN] pairs
/o, /output – Sync clients registration mapping output file

3. Save the output file (for example, registration.json) to a shared folder that you can access later.

4. Log on as an administrator on any machine in the domain.

5. At the command prompt, run the Backup_Agent_for_Windows_x64.exe installation file with the following parameters: --reg-script=<path to registration script> --reg-script-params=<registration script parameters>

You can find the script in your AuthConnector installation folder. By default, it is C:\Program Files\Acronis\AuthConnector\scripts

For example,
Backup_Agent_for_Windows_x64.exe --reg-script=register_agent.py --reg-script-params="-c \\10.246.120.33\shared\registration.json -u AAA\Administrator -p ********* -l \\10.246.120.33\shared\results.log"

6. Select components and create .msi and .mst files.

7. Copy them to a share.

8. Log in to your AD Domain controller as domain administrator, and then open Group policy management console.

9. Select Forest -> Domains -> <your domain>, right-click it, and then select Create a GPO in this domain, and Link it here.

10. Enter a name for the newly created GPO (for example, Acronis Cyber Backup desktop agent deploy).

11. On the Group Policy Management console, right-click the GPO, and then select Edit.

12. In the Group Policy Management Editor, open Computer Configuration -> Policies -> Software settings -> Software installation.

13. Right-click Software installation and select New -> Package.

14. Select the previously created .msi file.

15. In the Deploy software dialog, select Advanced as the deployment method.

16. On the Modifications tab, press the Add button.

17. Select the .mst file previously saved on the share, and then click OK.

Uninstall

To uninstall the AD Connector, go to Windows Control Panel and navigate to Programs and Features. Select the AD Connector and press Uninstall.

Limitations

  • This version of AD Connector cannot be used by Customer tenant administrators.
  • Syncing of the AD hierarchy is not supported.
  • Only the Sync & Share, Backup, and Notary services of Acronis Cyber Cloud are supported.