AVG Business SSO – Connecting to Active Directory

Contents
AVG Business SSO – Connecting to Active Directory
Selecting an identity repository and using Active Directory
Installing Business SSO cloud connectors and administrator consoles
Requirements
Firewall settings
Supporting user authentication for multiple domains
Adding cloud connectors and administrator consoles
Running the Business SSO Cloud Management Suite installer
Modifying cloud connector account permissions
Using Active Directory certificates in devices for authentication
Uninstalling the Business SSO Cloud Management Suite software
To uninstall the Business SSO Cloud Management Suite software
Referencing accounts from Active Directory
Notifying users with Active Directory accounts
Simplifying logging in to identity platform portals for Active Directory accounts
Selecting an identity repository and using Active Directory
The Business SSO identity platform requires an identity repository for storing data
about your organization's users and mobile devices. You can use either or both of
the following:
• Active Directory: The Business SSO identity platform securely connects with
your existing Active Directory infrastructure through the Business SSO cloud
connector to authenticate users when they log in to the web portals and enroll a
device. The Business SSO identity platform does not replicate Active Directory
accounts or attributes in the identity platform.
• Business SSO user service: The Business SSO identity platform includes this
built-in identity repository. When you select this option, the Business SSO
identity platform uses the Business SSO user service account to authenticate
users and, if you are using the Business SSO identity platform for mobile device
management, to store the enrolled device records.
If you are not already using Active Directory, you can get started right away using
the Business SSO user service. You can create user accounts individually or use the
bulk-import feature to import a set of users from a CSV or Excel file.
If your organization is heavily invested in Active Directory, you can continue to use
it as your primary identity store and use the same tools (for example, Active
Directory Users and Computers) to manage users and mobile devices. When you
use Active Directory, your users enter their Active Directory credentials to log in to
the Business SSO user portal and enroll devices.
You can use both identity stores simultaneously, too. For example, even if you
decide to use Active Directory as your primary identity store, the Business SSO
user service can provide a convenient supplemental repository for the following
types of users:
• Emergency administrators: If the connection to the Active Directory domain
controller is ever lost, no one with just an Active Directory account can log
in. However, if you create administrator accounts in the Business SSO user
service, these users can still log in to Cloud Manager and the Business SSO
user portal and launch web applications. Because these accounts remain usable
when the directory is unreachable, keep them few, give them strong passwords,
and protect them with multifactor authentication.
• Temporary users: If you have temporary users (for example, customers,
contractors, and partners) who need to run your web applications, it may be
easier and less risky to add them as Business SSO user service accounts rather
than Active Directory accounts.
Using the Active Directory and Business SSO user service
ID repositories
The Business SSO identity platform can use both Active Directory and Business SSO
user service accounts to authenticate users. You must have the cloud connector
installed to use Active Directory accounts.
When the identity platform receives an authentication request, it checks the ID
repositories for the account name in the following order:
1. Business SSO user service, by user name
2. Active Directory, by user name
3. Active Directory, by email address
4. Business SSO user service, by email address
The first match wins. Because Business SSO user service accounts are searched by
name before Active Directory, a user service account whose name matches an Active
Directory account takes precedence over it; keep the two namespaces distinct so
that a cloud-only account cannot shadow a directory account.
In addition, the Business SSO identity platform uses the contact information in
Active Directory or the cloud accounts to contact users when multifactor
authentication is enabled for logging in to Cloud Manager and the Business SSO
user portal and applications that are configured for strong authentication. If the
contact information is wrong, the user is not able to log in.
Installing Business SSO cloud connectors and
administrator consoles
This document explains how to use the Business SSO Cloud Management Suite
installation wizard for the following purposes:
• To install a Business SSO cloud connector for authenticating identity platform
users by using an Active Directory account.
• To create administrator consoles for identity platform administrators. This
lets you use Active Directory Users and Computers to manage identity platform
users and enrolled devices and the Group Policy Management Editor to create
group policy objects for mobile device policies.
You only need to install any of these components if you are using Active Directory
accounts to authenticate identity platform users. (Active Directory user accounts
and attributes are not replicated in the Business SSO identity platform.)
This document also describes modifying the cloud connector account permissions
and creating certificate templates if you want to use certificates for login
authentication for Wi-Fi connections, VPNs, or Exchange email accounts. Both of
these are identity platform options, and you do not need to perform these
procedures if you are not using these options.
The following topics are covered:
• Requirements
• Supporting user authentication for multiple domains
• Adding cloud connectors and administrator consoles
• Running the Business SSO Cloud Management Suite installer
• Modifying cloud connector account permissions
• Using Active Directory certificates in devices for authentication
• Uninstalling the Business SSO Cloud Management Suite software
Requirements
To install and configure a Business SSO cloud connector you need the
following:

Business SSO Cloud Management Suite installer
This program installs the cloud connector, the Active Directory and group policy
console extensions, and the Business SSO Cloud Connector Configuration Program.
To get the installer, open Cloud Manager, click Settings, click Cloud
Connectors, and click Add cloud connector.
Repeat this download every time you install a cloud connector to ensure you get
the latest version of the cloud connector.

Host computer joined to the domain
You install the Business SSO cloud connector on a Windows computer to establish
the communications link between the Business SSO identity platform and your
Active Directory domain controllers.
If you are referencing accounts in an Active Directory tree or forest, the cloud
connector host can be joined to any domain in the tree (it does not need to be
the root). That domain must have two-way, transitive trust relationships with
the other domains. Refer to the help section below on Supporting user
authentication for multiple domains for the details.
This computer must be in your internal network and meet or exceed the following
requirements:
• Windows Server 2008 R2 or newer (64-bit only) with 8 GB of memory, of which
4 GB should be available for cloud connector cache functions.
• Has Internet access so that it can reach the Business SSO identity platform.
• Has the Baltimore CyberTrust Root CA certificate installed in the Local
Machine Trusted Root Certification Authorities store.
• Microsoft .NET Framework 4.5 or later; if it isn't already installed, the
installer installs it for you.
• Is a server or server-like computer that is always running and accessible.

User account with the proper Active Directory and identity platform permissions
To install the Business SSO cloud connector, the user account must have the
Active Directory "Modify Permissions" permission. Refer to the help section
below on Required Active Directory permissions to install the cloud connector
for the details.
To register the cloud connector in your identity platform account, you must be
either a member of the sysadmin role or a member of a role that has the
Register Cloud Connectors permission.

Web proxy server (optional)
If your network is configured with a web proxy server that you want to use to
connect to the Business SSO identity platform, you specify this server during
the installation process. The web proxy server must support HTTP/1.1 chunked
encoding.
Firewall settings
You should configure your firewall to allow outbound traffic over the following
ports:

Port    Resource
443     *.sso.avg.com
443     *.windows.net
80      www.public.trust.com
80      mscrl.microsoft.com
80      privacy-policy.truste.com
80      ocsp.verisign.com

mscrl.microsoft.com and ocsp.verisign.com serve certificate revocation data (CRL
and OCSP) over plain HTTP, which is normal for revocation endpoints; blocking
them can make the connector's TLS connections fail or stall while revocation
checks time out.
If your organization has outbound firewall rules that are based on IP address
whitelisting, you need to add the Microsoft Windows Azure Service Bus service to
the whitelist. Go to the following URL to get the most current list of IP
addresses:
www.microsoft.com/en-us/download/details.aspx?id=41653
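The following script is an added example and is not part of the AVG documentation. Run it in an elevated PowerShell prompt on the candidate host before installing; it checks the host requirements above (domain membership, OS and memory, .NET 4.5, the Baltimore CyberTrust Root certificate in the Local Machine store) and tests outbound TCP reachability for the hosts in the firewall table. The hostnames are taken from that table (sso.avg.com stands in for *.sso.avg.com); the Service Bus endpoint under *.windows.net is tenant-specific and is not included, so add it to $Endpoints yourself. The Baltimore CyberTrust Root thumbprint is that certificate's published SHA-1 fingerprint.

```powershell
# Added example (not from the AVG documentation): pre-flight checks for a
# cloud connector host. Only Get-WmiObject and .NET 2.0 types are used so the
# script also runs on Windows Server 2008 R2 with its default PowerShell 2.0.
$Endpoints = @(
    @{ HostName = 'sso.avg.com';               Port = 443 },  # covered by *.sso.avg.com
    @{ HostName = 'www.public.trust.com';      Port = 80  },
    @{ HostName = 'mscrl.microsoft.com';       Port = 80  },
    @{ HostName = 'privacy-policy.truste.com'; Port = 80  },
    @{ HostName = 'ocsp.verisign.com';         Port = 80  }
    # Add your tenant's Service Bus host (under *.windows.net) on port 443 here.
)

# Published SHA-1 thumbprint of the Baltimore CyberTrust Root certificate.
$BaltimoreThumbprint = 'D4DE20D05E66FC53FE1A50882C78DB2852CAE474'

$script:Results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:Results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000) {
    # TcpClient with a timeout instead of Test-NetConnection, which 2008 R2 lacks.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Domain membership: the host must be joined to the domain, not a workgroup.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Result 'Domain joined' $cs.PartOfDomain $cs.Domain

# 2. OS: 64-bit, Windows Server 2008 R2 (NT 6.1) or newer, at least 8 GB RAM.
$os = Get-WmiObject Win32_OperatingSystem
Add-Result '64-bit OS'     ($os.OSArchitecture -like '64*')          $os.OSArchitecture
Add-Result 'OS >= 2008 R2' ([version]$os.Version -ge [version]'6.1') $os.Caption
$memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Result 'RAM >= 8 GB'   ($memGB -ge 8)                            "$memGB GB"

# 3. .NET Framework 4.5 or later: Release 378389 is the 4.5 RTM value.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Result '.NET >= 4.5' ($ndp -ne $null -and $ndp.Release -ge 378389) "Release=$($ndp.Release)"

# 4. Baltimore CyberTrust Root present in the Local Machine Trusted Root store.
$root = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $BaltimoreThumbprint })
Add-Result 'Baltimore CyberTrust Root' ($root.Count -gt 0) "$($root[0].Subject)"

# 5. Outbound reachability for each firewall-table endpoint.
foreach ($e in $Endpoints) {
    Add-Result "TCP $($e.HostName):$($e.Port)" (Test-TcpPort $e.HostName $e.Port) ''
}

$script:Results | Format-Table Check, Pass, Detail -AutoSize
if ($script:Results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more cloud connector requirements are not met.'
}
```

A TCP connect only proves the firewall lets the packet out; if you use a web proxy, run the check again from behind it, because the connector will talk through the proxy rather than directly.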
Required Active Directory permissions to install the cloud
connector
If you are a domain admin, you have sufficient permissions to install the cloud
connector. However, if you are not, you need to have the Modify Permissions
permission before you begin the installation. Modify Permissions (WriteDacl in
Active Directory terms) lets its holder rewrite an object's access control list
and therefore grant itself any other right on that object, so grant it only on
the objects or organizational unit the cloud connector must manage, and treat
any account that holds it as privileged.
To add the Modify permissions permission to an Active Directory user or
group:
1. In Active Directory Users and Computers, make sure that you have Advanced
Features enabled (View > Advanced Features).
2. Open the properties for the desired user or group and click the Security tab.
3. In the Security tab, click Advanced.
4. In the Advanced Security Settings dialog box, click Add.
5. Enter the name of the user or service account that you will use to run the
cloud connector, and click OK.
6. In the Permission entry dialog box, click Allow for “Modify Permissions” and
click OK.
7. The Permissions tab of the Advanced Security Settings dialog box lists the
specified user with the ability to Modify Permissions.
8. In the Advanced Security Settings dialog box, click OK.
9. In the Properties dialog box, click OK.
Supporting user authentication for multiple domains
You install the cloud connector on a host Windows computer that is joined to a
domain to authenticate identity platform users who have an account in that
domain. If you want the identity platform to authenticate users in other
domains, there are two cloud connector installation models; which one you use
depends upon whether the accounts are in trusted domains in a single forest or in
multiple, independent domain trees or forests.
Note: If all of your identity platform users have their accounts in a single
domain, you can skip this topic.
Adding cloud connectors and administrator consoles
You use the same Business SSO Cloud Management Suite installer to install the
additional cloud connectors for load balancing and failover and administrator
consoles to manage identity platform users, devices and group policy objects.
Running the Business SSO Cloud Management Suite
installer
You use the Business SSO Cloud Management Suite installer to install the Business
SSO cloud connector on the host computer and create administrator consoles. The
installer is included in the Business SSO Cloud Management Suite package you
download from a link provided in Cloud Manager. The package also includes the
release notes, license agreement, and acknowledgments.
Adding a Business SSO cloud connector is a two-phase procedure that you initiate
from Cloud Manager:
 You download the Business SSO Cloud Management Suite package from the
link in Cloud Manager to the computer.
 You run the installation wizard to install the software and register the cloud
connector to your Business SSO identity platform account.
Note: By default, the cloud connector is installed as a Windows service that runs
under the Local System account on the host computer. Refer to the help section on
'Modifying cloud connector account permissions' to determine if this account and
its permissions serve your purposes.
Modifying cloud connector account permissions
By default, the cloud connector service runs under the Local System account.
This account has sufficient permissions for most purposes, with the following
exceptions:
• If you want to give Active Directory users the ability to reset their password
from the administrator or user portal login prompt. This is a policy you have to
enable (refer to the help section on Enabling forgotten password reset for Active
Directory users), and it is intended to let users with Active Directory accounts
reset their password if they have forgotten it when they try to log in.
If you want to enable this policy, you can give the Local System account the
ResetPassword permission. Alternatively, you can run the cloud connector under a
different account (if you select this option, refer to the help section on
'Permissions required for alternate accounts') or provide the user name and
password for an account that has the ResetPassword permission.
• If the host computer does not have read access to the container or
organizational unit that stores the user accounts. Without read access, the
cloud connector cannot authenticate the user. Domain computers have this
permission by default; however, the cloud connector host may not. This most
often occurs in multi-forest or multi-domain setups and can occur even when a
two-way trust is already defined. You can tell when this occurs because the
cloud connector log shows the error message "unable to locate forest or user
object."
In this case, you need to give the Local System account read access to the
containers or organizational units.
When the Local System account accesses Active Directory over the network it is
authenticated as the host's computer account (DOMAIN\HOSTNAME$), so that is the
principal to which you grant the ResetPassword or read permission.
Note: If you change the cloud connector's account or modify Local System account
permissions, be sure to make the same changes on all the cloud connectors you
install.
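The following script is an added example and is not part of the AVG documentation. It is the scripted equivalent of two ACL changes described on this page: the "Modify Permissions" (WriteDacl) grant from Required Active Directory permissions to install the cloud connector, and the read access the connector's Local System account (that is, the host's computer account) needs on the organizational unit that holds the user accounts. The account name svc-sso-install, the host name SSOCONNECT01, the domain CORP and the OU distinguished name are hypothetical placeholders; the script assumes the ActiveDirectory module is installed and that you run it as a domain admin.

```powershell
# Added example (not from the AVG documentation): grant the install account
# WriteDacl and the connector host's computer account GenericRead on one OU.
# All names below are placeholders for your own environment.
Import-Module ActiveDirectory

function Grant-AdObjectRight {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # Inheritance 'All' applies the ACE to the OU and every object beneath it,
    # which is what the connector needs for an OU full of user accounts.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

$UsersOU = 'OU=Staff,DC=corp,DC=example'   # placeholder OU holding the user accounts

# 1. "Modify Permissions" in the GUI is ActiveDirectoryRights.WriteDacl. Because
#    WriteDacl lets the holder rewrite the DACL and so grant itself anything
#    else, scope it to the OU the installer must touch, not the domain root.
$installer = Get-ADUser -Identity 'svc-sso-install'
Grant-AdObjectRight -Sid $installer.SID -DistinguishedName $UsersOU -Rights WriteDacl

# 2. The connector runs as Local System, which reaches Active Directory as the
#    host's computer account (CORP\SSOCONNECT01$). Give that account read
#    access to the OU so the connector can locate and authenticate its users.
$connectorHost = Get-ADComputer -Identity 'SSOCONNECT01'
Grant-AdObjectRight -Sid $connectorHost.SID -DistinguishedName $UsersOU -Rights GenericRead

# Verify: list the resulting ACEs on the OU for both principals.
(Get-Acl -Path "AD:\$UsersOU").Access |
    Where-Object { $_.IdentityReference.Value -in @('CORP\svc-sso-install', 'CORP\SSOCONNECT01$') } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize
```

If you run several connectors for failover, put their computer accounts in one security group and grant the read permission to that group once; the note above about making the same changes on every connector then becomes a matter of group membership rather than repeated ACL edits.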
Using Active Directory certificates in devices for
authentication
You can use a certificate authority in the Active Directory Certificate Service to
generate user and computer certificates for user and device authentication. In turn,
you can use these certificates for login authentication in the Wi-Fi, VPN, and
Exchange ActiveSync server profiles rather than an account’s user name and
password. (See the Wi-Fi, VPN, and Exchange server profile configuration
descriptions in Mobile device configuration policies overview for the details.)
Note: This section only applies when you use Active Directory group policy for
device policy management (see Selecting the policy service for device policy
management) or you select Active Directory Certificate Service in Device Policy
Management (see Selecting the Business SSO cloud policy service). If you select
the Tenant Certificate Authority instead, you can skip this section.
To use certificates from your Active Directory certification authority, you must
create user or computer certificate templates on the Windows Certificate Authority
server used by the Business SSO cloud connector. In addition, you need to
configure the host computer for each of your Business SSO cloud connectors so that
it can revoke certificates.
After you create the templates, the certificates are automatically created for the
identity platform and then installed by the Business SSO identity platform when the
user enrolls the device.
• If you are using Active Directory group policy for device policy management,
you can select the certification authority when you configure Device Policy
Management; refer to the help section on Selecting Active Directory group
policy. If you are using the Business SSO cloud policy service for device policy
management and select the Active Directory Certificate Service, the identity
platform uses the default Active Directory Certificate Services certification
authority only.
• In many cases, additional server configuration is required before you can use
certificates for authentication. See your server's documentation for the
details.
You need to go to the user certificate template on the Windows Certification
Authority server to confirm that the Domain Users group in Active Directory has the
permission to auto-enroll the certificate. For specific instructions for configuring
Exchange 2010 authentication using PKI, see this Exchange 2010 PKI
Authentication Configuration document.
The procedures in this section assume that you have a working Active Directory
Certificate Services certificate authority within your domain and you have sufficient
permissions to modify the settings.
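The following script is an added example and is not part of the AVG documentation. It performs the check described above, that Domain Users can auto-enroll the user certificate template, by reading the template object's ACL from the Configuration partition instead of clicking through the Certificate Templates console. The template name BusinessSSOUser is a hypothetical placeholder; the two GUIDs are the well-known extended-right identifiers for Certificate-Enrollment and Certificate-AutoEnrollment in the Active Directory schema. The script assumes the ActiveDirectory module is installed and that you have read access to the Configuration partition.

```powershell
# Added example (not from the AVG documentation): verify that Domain Users hold
# Read, Enroll and Autoenroll on a certificate template. Template name is a
# placeholder; replace it with the CN of your own template.
Import-Module ActiveDirectory

$TemplateName   = 'BusinessSSOUser'
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplateDN([string]$Name) {
    # Templates live in the Configuration partition, which is forest-wide.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

function Test-TemplateEnrollRights([string]$DistinguishedName, [string]$Principal = 'Domain Users') {
    $aces = (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -like "*\$Principal" }

    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Full control, or an ExtendedRight ACE whose ObjectType is the empty GUID
    # (meaning every extended right), implies both enrollment rights.
    $implied = [bool]($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
        ((($_.ActiveDirectoryRights -band $extRight) -ne 0) -and $_.ObjectType -eq [Guid]::Empty)
    })

    $enroll = $implied -or [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollGuid })
    $auto   = $implied -or [bool]($aces | Where-Object { $_.ObjectType -eq $AutoEnrollGuid })
    # Enrollment also needs Read on the template, so report it alongside.
    $read   = $implied -or [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $genericRead) -eq $genericRead })

    New-Object PSObject -Property @{
        Template   = $DistinguishedName.Split(',')[0]
        Principal  = $Principal
        Read       = $read
        Enroll     = $enroll
        Autoenroll = $auto
        Ready      = ($read -and $enroll -and $auto)
    }
}

Test-TemplateEnrollRights -DistinguishedName (Get-TemplateDN $TemplateName) |
    Format-List Template, Principal, Read, Enroll, Autoenroll, Ready
```

Ready = True means the template's ACL is in order; if Autoenroll is False, add the Autoenroll permission for Domain Users on the template's Security tab (or with an ACE for $AutoEnrollGuid) and re-run the check.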
Uninstalling the Business SSO Cloud Management Suite
software
You use the Uninstall command in the Windows Control Panel to remove the cloud
connector and console extensions.
All of the components are installed under the name Business SSO Cloud
Management Suite followed by the version number. Uninstalling this program
removes all of the Business SSO Cloud Management Suite components installed on
the computer. You cannot, for example, delete the cloud connector but leave the
console extensions.
If you use just one Business SSO cloud connector, uninstalling the Business SSO
Cloud Management Suite from the Windows Control Panel terminates mobile device
policy enforcement. However, if you uninstall the Business SSO Cloud Management
Suite from one computer but have the Business SSO cloud connector installed on
one or more other computers, service is not interrupted. In this case, the
Business SSO identity platform automatically switches to another cloud
connector.
To uninstall the Business SSO Cloud Management Suite
software:
1. On a Windows computer on which you installed Business SSO Cloud
Management Suite, close any open Microsoft Management Consoles, such as
Active Directory Users and Computers and Group Policy Management Editor
that may be using the components.
2. Click Start > Control Panel > (Programs) Uninstall a program, then right-click
Business SSO Cloud Management Suite <version> and click Uninstall.
3. Click Yes when the confirmation message appears.
4. If no Microsoft Management Console applications are open, the installer
finishes and removes the Business SSO Cloud Management Suite software. If
applications are open, you are prompted for how to close them.
5. If prompted to close open applications, do the following:
a. Leave the option "Automatically close applications and attempt to restart
them after setup is complete" selected and click OK.
b. If prompted that a Microsoft Management Console application has stopped
working, click Close the program.
c. The cloud connector and, if also installed, the console extensions are now
removed from your computer. However, a directory and some files will still
reside on your computer. To remove these files, complete the next step.
6. To remove all Business SSO Cloud Management Suite related files navigate
to and delete the C:\Program Files\AVG folder.
Referencing accounts from Active Directory
Generally, when you use Active Directory accounts to authenticate identity platform
users you do not add them to the Business SSO user service. Instead, the Business
SSO identity platform automatically adds their Active Directory account to the Users
page when they log in to the Business SSO user portal or enroll a device. You
manage the account’s properties (for example, email address and phone numbers),
entirely in Active Directory.
However, you do need to add an Active Directory account to a role to deploy
applications to that user. In this case, you can add either the user’s Active Directory
account or the user’s Active Directory group to the role. Refer to the Help Section
on Adding and removing users and groups to and from roles for the details.
Notes:
• After you add an Active Directory user or group to a role, the name is not
listed on the Users page until the user logs in to the Business SSO user portal
or enrolls a device.
• The Business SSO User Portal web application must be assigned to a role in
which users are a member before they can log in. By default, Business SSO User
Portal is assigned to the Everybody role, so this is normally not a problem. In
addition, when you use the Invite User button, the role you specify is
automatically added to the Business SSO User Portal User Access settings.
You can delete an Active Directory account from either Active Directory or the
Business SSO user service. When you delete the account in Active Directory, the
account is also removed from the Users page in Cloud Manager. When you remove the
account using Cloud Manager, the account is deleted from Active Directory as well.
In both cases, it can take several minutes for the synchronization to occur.
Because a removal in Cloud Manager propagates to Active Directory, grant the
Cloud Manager role permission to delete users only to administrators who are
also trusted to delete directory accounts.
Notifying users with Active Directory accounts
Users with Active Directory accounts log in to the Business SSO user portal and
enroll devices using their Active Directory credentials.
To get Active Directory users started with the identity platform you can send them
an invitation or you can provide the following URL to the users and tell them to use
their Active Directory credentials to log in:
https://sso.avg.com/my
They use the same credentials to enroll devices.
Simplifying logging in to identity platform portals for
Active Directory accounts
Users with Active Directory accounts can log in to the Business SSO user portal and
Cloud Manager without entering their user name and password from computers that
are within your organization’s intranet. For example, you can log in to Cloud
Manager without entering your credentials by appending the login suffix to the
portal’s URL as follows:
https://sso.avg.com/manage?customerid=<loginsuffix>
You substitute <loginsuffix> with any login suffix defined in the Login Suffix tab in
Cloud Manager Settings. If you have not yet defined any other login suffixes, you
can use the default suffix—your Active Directory account’s UPN suffix.
For example, if your domain name was abcorp.com, you would enter the following
URL to log in without entering your user name and password:
https://sso.avg.com/manage?customerid=abcorp.com
Similarly, users can log in to the Business SSO user portal by adding the login suffix
to their URL. In this case the syntax is as follows:
https://sso.avg.com/my?customerid=<loginsuffix>
Both of these methods use Integrated Windows Authentication to authenticate the
user with their Active Directory credentials and require the user to be on your
organization's intranet. You may need to reconfigure the default Integrated
Windows Authentication settings and define IP addresses on your Business SSO
cloud connector to use this feature. Refer to the help section on Configuring
cloud connectors to configure a cloud connector.
You can also define a login suffix as an alias for a long, Active Directory UPN suffix.
Refer to the help section on ‘Creating an alias for long Active Directory domain
names’ for the details.