Multiple Active Directory Domains Configuration

Critical Manufacturing MES supports multiple Active Directory domains. You need to perform three simple steps to enable multiple domains:

Host configuration file

List the fully qualified domain name (FQDN) of each domain in the LDAPPATH key of the BusinessTier\Cmf.Foundation.Services.HostService.dll.config file, separated by semicolons. For example:

<!-- The Address of the LDAP Server -->
<add key="LDAPPATH" value="examplefirstdomain.com;exampleseconddomain.com"/>

Info

For more information on the variables, see the Configuration Files page.

GUI Configuration entries

Set the configuration entries for each LDAP domain added to LDAPPATH, specifically:

  • /Cmf/System/Configuration/LDAP/Credentials/[domain]/DisableCertificateValidation
  • /Cmf/System/Configuration/LDAP/Credentials/[domain]/Port
  • /Cmf/System/Configuration/LDAP/Credentials/[domain]/UseSSL
  • /Cmf/System/Configuration/LDAP/Credentials/[domain]/UserName/
  • /Cmf/System/Configuration/LDAP/Credentials/[domain]/UserPassword/

Warning

The full set of configuration entries must exist for each configured domain.

For more information, see System Configuration Entries.

Security Portal

For the Security Portal to interact with multiple domains, it must be configured with one Active Directory strategy per domain. To do this, add an entry for each domain to its config.json file, located at /app/src/config.json in the Security Portal container. For example:

{
 "id": "ExampleFirstDomain",
 "type": "local-ActiveDirectory",
 "config": {
  "defaultDomain": "examplefirstdomain",
  "ldap": {
   "url": "ldap://examplefirstdomain.local",
   "base": "DC=examplefirstdomain,DC=local",
   "user": "EXAMPLEFIRSTDOMAIN\\messervice",
   "password": "<password>"
  }
 }
},
{
 "id": "ExampleSecondDomain",
 "type": "local-ActiveDirectory",
 "config": {
  "defaultDomain": "exampleseconddomain.company.com",
  "ldap": {
   "url": "ldap://exampleseconddomain.company.com",
   "base": "DC=exampleseconddomain,DC=company,DC=com",
   "user": "EXAMPLESECONDDOMAIN\\mesadmin",
   "password": "<password>"
  }
 }
}

Info

It is not possible to configure more than one strategy

Info

For more information, see the Critical Manufacturing Security Portal page.
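
The three steps above must stay consistent for every domain, and the TLS-related entries (UseSSL, DisableCertificateValidation, the ldap:// or ldaps:// URL) are easy to leave weak when a block is copied for a new domain. The following Python check is an added example, not Critical Manufacturing code; it covers the LDAPPATH value, the per-domain entries and the portal strategies in one pass. It assumes the configuration entries are available as a path-to-value mapping with string values, that [domain] is the FQDN used in LDAPPATH, and that the strategy objects are passed as a list; the name `audit` and all sample data are constructed.

```python
from urllib.parse import urlparse

ROOT = "/Cmf/System/Configuration/LDAP/Credentials"
NAMES = ("DisableCertificateValidation", "Port", "UseSSL", "UserName", "UserPassword")

def audit(ldappath, entries, strategies):
    """Return findings for the host LDAPPATH, the per-domain entries and the portal strategies."""
    out = []
    for domain in filter(None, (d.strip() for d in ldappath.split(";"))):
        prefix = f"{ROOT}/{domain}/"
        # Tolerate the trailing slash that some entry paths carry.
        have = {p[len(prefix):].rstrip("/"): str(v).lower()
                for p, v in entries.items() if p.startswith(prefix)}
        out += [f"{domain}: missing entry {n}" for n in NAMES if n not in have]
        if have.get("UseSSL") == "false":
            out.append(f"{domain}: UseSSL is false")
        if have.get("DisableCertificateValidation") == "true":
            out.append(f"{domain}: certificate validation is disabled")
    seen = set()
    for s in strategies:
        cfg, ldap = s["config"], s["config"]["ldap"]
        url = urlparse(ldap["url"])
        host = (url.hostname or "").lower()
        if cfg["defaultDomain"].lower() in seen:
            out.append(f"{s['id']}: duplicate defaultDomain")
        seen.add(cfg["defaultDomain"].lower())
        if url.scheme != "ldaps":
            out.append(f"{s['id']}: URL scheme is {url.scheme}, not ldaps")
        # DC= parts of the base DN should name the URL host's domain (catches half-edited copies).
        parts = (p.strip() for p in ldap["base"].split(","))
        dn = ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()
        if host != dn and not host.endswith("." + dn):
            out.append(f"{s['id']}: base DN {dn} does not match host {host}")
    return out

# Constructed sample input (assumed shape: entry path -> string value, [domain] = FQDN from LDAPPATH).
ENTRIES = {f"{ROOT}/examplefirstdomain.com/{n}": v for n, v in zip(
    NAMES, ("false", "636", "true", "messervice", "<password>"))}
ENTRIES.update({f"{ROOT}/exampleseconddomain.com/{n}": v for n, v in zip(
    NAMES[:4], ("true", "389", "false", "mesadmin"))})
STRATEGIES = [  # constructed: second block copied from the first, base DN left unedited
    {"id": "ExampleFirstDomain", "config": {"defaultDomain": "examplefirstdomain", "ldap": {
        "url": "ldap://examplefirstdomain.local", "base": "DC=examplefirstdomain,DC=local"}}},
    {"id": "ExampleSecondDomain", "config": {"defaultDomain": "exampleseconddomain.company.com", "ldap": {
        "url": "ldaps://exampleseconddomain.company.com", "base": "DC=examplefirstdomain,DC=local"}}},
]

if __name__ == "__main__":
    print("\n".join(audit("examplefirstdomain.com;exampleseconddomain.com", ENTRIES, STRATEGIES)))
```

An empty result means every domain in LDAPPATH has its five entries with TLS and certificate validation enabled, and every strategy uses ldaps:// with a base DN that matches its host.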