Multiple Active Directory Domains Configuration
Critical Manufacturing MES supports multiple Active Directory domains. You need to perform three simple steps to enable multiple domains:
Host configuration file
Set the fully qualified domain names (FQDNs) of all domains, separated by semicolons, as the value of the LDAPPATH key in the BusinessTier\Cmf.Foundation.Services.HostService.dll.config file. For example:

```xml
<!-- The Address of the LDAP Server -->
<add key="LDAPPATH" value="examplefirstdomain.com;exampleseconddomain.com"/>
```
Info: For more information on the variables, see the Configuration Files page.
GUI Configuration entries
Set the configuration entries for each of the configured LDAP domains, specifically:

- /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/DisableCertificateValidation
- /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/Port
- /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/UseSSL
- /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/UserName/
- /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/UserPassword/
- /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/Domain/
Warning: The full set of entries must exist for every configured domain.
Info: The configuration entry /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/Domain for each domain is optional. When specified, it allows the system to retrieve the domain directly from the configuration during startup, eliminating the need for LDAP queries to discover this information. The configuration entry /Cmf/System/Configuration/LDAP/EnableMultipleDomain/ enables role synchronization across multiple domains. When activated, the system leverages the user's domain context, automatically manages referrals, and searches for roles across all configured domains.
For more information, see System Configuration Entries.
Security Portal
For the Security Portal to interact with multiple domains, it must be configured with one Active Directory strategy per domain. This is done by editing its config.json file, located at /app/src/config.json inside the Security Portal container, and adding one entry per domain, as in the example below:
```json
{
  "id": "ExampleFirstDomain",
  "type": "local-ActiveDirectory",
  "config": {
    "defaultDomain": "examplefirstdomain",
    "ldap": {
      "url": "ldap://examplefirstdomain.local",
      "base": "DC=examplefirstdomain,DC=local",
      "user": "EXAMPLEFIRSTDOMAIN\\messervice",
      "password": "<password>"
    }
  }
},
{
  "id": "ExampleSecondDomain",
  "type": "local-ActiveDirectory",
  "config": {
    "defaultDomain": "exampleseconddomain.company.com",
    "ldap": {
      "url": "ldap://exampleseconddomain.company.com",
      "base": "DC=exampleseconddomain,DC=company,DC=com",
      "user": "EXAMPLESECONDDOMAIN\\mesadmin",
      "password": "<password>"
    }
  }
}
```
Info: It is not possible to configure more than one strategy through the DevOps Center.
Info: For more information, see the Critical Manufacturing Security Portal page.
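As an added example (not part of the Critical Manufacturing documentation or product), the Python script below cross-checks the three configuration points above: it reads the FQDNs from LDAPPATH, verifies that every domain has the full set of /Cmf/System/Configuration/LDAP/Credentials/[FQDN]/ entries and a matching Security Portal strategy, and flags settings that weaken transport security (UseSSL off, DisableCertificateValidation on, plain ldap:// URLs). The sample entry values, the strategy list and the rule that a strategy's defaultDomain equals the LDAPPATH FQDN are constructed assumptions for this example, not something the page specifies.

```python
import xml.etree.ElementTree as ET
# Constructed appSettings fragment in the shape of HostService.dll.config (sample, not a real file).
HOST_CONFIG_XML = """<configuration><appSettings>
  <add key="LDAPPATH" value="examplefirstdomain.com;exampleseconddomain.com"/>
</appSettings></configuration>"""

# Constructed GUI configuration entries keyed by full path; the second domain is deliberately incomplete.
CRED = "/Cmf/System/Configuration/LDAP/Credentials/"
GUI_ENTRIES = {
    CRED + "examplefirstdomain.com/Port": "636",
    CRED + "examplefirstdomain.com/UseSSL": "true",
    CRED + "examplefirstdomain.com/DisableCertificateValidation": "false",
    CRED + "examplefirstdomain.com/UserName": "messervice",
    CRED + "examplefirstdomain.com/UserPassword": "***",
    CRED + "exampleseconddomain.com/Port": "389",
    CRED + "exampleseconddomain.com/UseSSL": "false",
    CRED + "exampleseconddomain.com/DisableCertificateValidation": "true",
}

# Constructed Security Portal strategy list (assumed shape of config.json entries); only the first domain has one.
PORTAL_STRATEGIES = [{
    "id": "ExampleFirstDomain", "type": "local-ActiveDirectory",
    "config": {"defaultDomain": "examplefirstdomain.com",
               "ldap": {"url": "ldaps://examplefirstdomain.com", "base": "DC=examplefirstdomain,DC=com",
                        "user": "EXAMPLEFIRSTDOMAIN\\messervice", "password": "<password>"}}}]

REQUIRED = ("Port", "UseSSL", "DisableCertificateValidation", "UserName", "UserPassword")

def ldap_domains(config_xml):
    """Return the FQDNs from the semicolon-separated LDAPPATH value."""
    node = ET.fromstring(config_xml).find(".//add[@key='LDAPPATH']")
    return [d.strip() for d in node.get("value", "").split(";") if d.strip()]

def audit(config_xml, gui_entries, strategies):
    """List findings: missing per-domain entries, missing portal strategy, weak transport settings."""
    findings = []
    strategy_domains = {s["config"]["defaultDomain"].lower() for s in strategies}  # assumption: defaultDomain == FQDN
    for fqdn in ldap_domains(config_xml):
        prefix = CRED + fqdn + "/"
        findings += [f"{fqdn}: missing entry {prefix}{n}" for n in REQUIRED if prefix + n not in gui_entries]
        if gui_entries.get(prefix + "UseSSL", "").lower() != "true":
            findings.append(f"{fqdn}: UseSSL is not true, bind credentials would travel in clear text")
        if gui_entries.get(prefix + "DisableCertificateValidation", "").lower() == "true":
            findings.append(f"{fqdn}: DisableCertificateValidation is true, LDAP server identity is not verified")
        if fqdn.lower() not in strategy_domains:
            findings.append(f"{fqdn}: no Security Portal strategy with defaultDomain {fqdn}")
    for s in strategies:  # portal side: flag plain ldap:// URLs
        if s["config"]["ldap"]["url"].lower().startswith("ldap://"):
            findings.append(f"{s['id']}: ldap:// URL without TLS")
    return findings
```

Running `audit(HOST_CONFIG_XML, GUI_ENTRIES, PORTAL_STRATEGIES)` on the constructed sample reports five findings, all for exampleseconddomain.com.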