Our Active Directory integration uses a script to pull a CSV containing all of the accounts within the Organizational Units that you set. This guide outlines how to automate pulling user information from Active Directory. The CSV is stored on an sFTP server that either Zilla or you can host, and Zilla pulls the information from there. For more general information on this process, please see this documentation. You have the option to do this manually, but the automated approach is recommended.
Prerequisites:
This setup requires the following:
Ensure that PowerShell is installed and up to date on your server (it most likely is). For more information, please refer to this documentation.
Ensure that you have admin access to the Microsoft server containing your domain controller.
We require a service account in Active Directory with domain user access; it will be used to export user data from AD.
We also require an SSH public/private key pair in RSA format. To create one, run the following command:
ssh-keygen -b 2048 -t rsa -f '/home/...'
This will generate a public/private key pair at the file path that you defined. If you didn’t define a path, it will be stored at /home/user_name/.ssh/id_rsa.
If you are using Zilla’s sFTP server, you will need to provide the public key to your Zilla Technical Contact. You can also email support@zillasecurity.com to open a ticket and request an sFTP server. Be sure to include the public key file in the request.
Take note of the file path of the private key, as you will need it for later configuration.
You will need to add an On-Prem AD application inside of Zilla. To do this, log in to Zilla as an admin, select Add Application, then search for On-Prem AD and add it as an app.
...
If you will be asking another system owner who doesn’t have admin access to Zilla to set up sFTP, ensure that you add them as the technical owner of the application first:
...
Configuring Active Directory
Creating a Service Account
We require you to create a domain user account that will be used to run the AD script we use to pull users. This account also requires read/write access to the directory where the Active Directory script is stored.
...
For more information on how to create users in Active Directory, please see the video below:
...
Info: Ensure that you take note of the username/password of the service account, as this will be needed for the next step of the process.
Configuring the AD Script
Download the script (ADscript_version-R-12.ps1) onto your domain controller. Open the file in an editor like VS Studio, and define which Organizational Units Zilla will pull accounts from by editing the variable below:
$DNs = @("DC=yourdomain,DC=com")
- this variable defines which Organizational Units Zilla will pull accounts from. For example, if your OU is zillasecurity.com, the line would look like this:
$DNs = @("DC=zillasecurity,DC=com")
You can add multiple OUs by listing each OU’s distinguished name as a comma-separated entry inside the same array. For example, with the two OUs zillasecurity.com and zsec.io, this parameter would look like this:
$DNs = @("DC=zsec,DC=io", "DC=zillasecurity,DC=com")
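As an added illustration (not the contents of ADscript_version-R-12.ps1, whose internals this page does not show), the following PowerShell shows how an array of distinguished names like $DNs scopes an export: each entry becomes the -SearchBase of a query, and a mistyped entry is caught before an empty CSV is written. The sample DNs, the attributes selected and the $path variable are assumed values.

```powershell
# Added illustration of how a $DNs array scopes an AD export; not the Zilla script itself.
Import-Module ActiveDirectory

# Constructed example values; replace with your own distinguished names and output path.
$DNs     = @("DC=zsec,DC=io", "DC=zillasecurity,DC=com")
$path    = $PSScriptRoot
$Csvfile = "$path\directory.csv"

$results = foreach ($dn in $DNs) {
    # Fail fast on a typo in a DN instead of silently exporting an empty file.
    try {
        $null = Get-ADObject -Identity $dn -ErrorAction Stop
    } catch {
        throw "Search base '$dn' does not exist or is not readable by this account."
    }

    # -SearchScope Subtree (the default) includes every nested OU under the DN.
    Get-ADUser -SearchBase $dn -Filter * -Properties mail, lastLogonDate |
        Select-Object SamAccountName, UserPrincipalName, mail, Enabled, LastLogonDate,
                      @{ Name = 'SearchBase'; Expression = { $dn } }
}

# Overwrite the previous run's file so stale accounts do not linger in the export.
$results | Export-Csv -Path $Csvfile -NoTypeInformation -Encoding UTF8
Write-Host ("Exported {0} accounts from {1} search base(s) to {2}" -f @($results).Count, $DNs.Count, $Csvfile)
```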
There are several parameters affiliated with pushing the generated export to an sFTP server:
$isSftpEnabled = $false
- this determines whether the CSV gets sent to an sFTP server. By default, this is turned off; set it to $true to automate the export.
$sftpHost = "sftp.zillasecurity.com"
- this is the hostname of the sFTP server the CSV is sent to. If you are sending it to an sFTP server hosted by Zilla, the default value (sftp.zillasecurity.com) can be left as is. If you are hosting your own sFTP server, change the value to the hostname of your server.
$sftpUsername = "<your domain.com>"
- this is the username of the service account that needs to be created on your sFTP server. If you are using Zilla’s sFTP server, the value is the domain affiliated with your tenant. You can view this inside of Zilla by logging in as an admin, going to the settings in the left-hand side panel, and looking at the first domain listed under your internal domains.
$applicationId = "<application-id>"
- the application ID can be found by navigating to your Active Directory application inside of Zilla and copying the string that appears in the URL:
$sftpPrivateKeyPath = "<location of your private key>"
- this is the file path where you have stored your SSH private key. Please see the 3rd prerequisite for more details.
$Csvfile = "$path\directory.csv"
- you can use this setting to change the name of the CSV file that is generated. You can leave this as is.
Once the script is configured, use Task Scheduler to run the script automatically under the service account you created in the Creating a Service Account step. This guide goes through how to accomplish this.
...
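As an added example (not part of Zilla’s guide), this PowerShell registers the configured script as a scheduled task that runs under the service account, prompting for its credentials rather than hard-coding the password and running with the account’s own rights only. The script location, task name and run time are assumed values.

```powershell
# Added example: register the AD export as a scheduled task run by the service account.
# Assumed values: script location, task name and daily run time.
$scriptPath = "C:\ZillaAD\ADscript_version-R-12.ps1"
$taskName   = "Zilla AD Export"

# Prompt for the service account credentials instead of storing the password in this file.
$cred = Get-Credential -Message "Service account that runs the AD export (DOMAIN\user)"

# Run the script non-interactively from its own directory (the account needs read/write there).
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`"" `
    -WorkingDirectory (Split-Path -Parent $scriptPath)

# Once a day; adjust to how often Zilla should receive a fresh export.
$trigger = New-ScheduledTaskTrigger -Daily -At "02:00"

# Stop a hung run after an hour and catch up if the server was off at the trigger time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# -User/-Password lets the task run whether or not the account is logged on;
# -RunLevel Limited keeps it at the account's normal (non-elevated) rights.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited -Description "Exports AD users to CSV and uploads them to sFTP for Zilla."

# Confirm the task exists and runs as the intended account.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State, @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }
```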