To configure an SEPM administrator account to use Active Directory authentication, both Step A and Step B are required.
Note: Repeat Step B for every account which needs to use Active Directory authentication.
Step A: Add the Active Directory Server to the SEPM
- Log in to the SEPM.
- Click Admin > Servers.
- Right-click your SEPM's machine name (top-left).
- Click Edit the server properties.
- Click Directory Servers > Add.
- Enter a name to identify your Active Directory server.
- Select Active Directory next to Server Type.
- Enter the Active Directory server IP Address or Hostname.
Note: If using a Secure Connection, specify the FQDN address of the directory server. Do no specify an IP address, or DNS Alias. If you must use an IP address, check the box to disable certificate verification. (14.3 RU6 and later)
- Enter a static Active Directory username and password (that will not change) so the SEPM can communicate with the Active Directory server.
- Click OK. The SEPM will test the Directory Server information to confirm that it works properly.
Step B: Create a new SEPM Administrator account
- Click Admin > Administrators > Add an administrator.
- Under General, enter a User name for the new administrator account. This will be the user name used to login to the SEPM.
- Enter a full name for the new administrator account. This is used for informational purposes only.
- Under Access Rights, select the appropriate rights for the administrator. (for a new Admin with Limited Access, at least one authority has to be selected in the Access Rights section so that the pop-up saying "All the access rights are disabled" doesn't appear)
- Under Authentication, leave the Current admin password, New Password, and Confirm new password fields blank.
- Select Directory Authentication.
- In Directory Server, select the Active Directory server configured in Step A-6.
- In Account Name, enter the account name as it appears in Active Directory.
- Click Test Account, you should see "Directory account authenticated."
- Click OK.
- Enter the password for the SEPM administrator account currently logged in, to complete the creation of the Administrator account.
Testing the newly created account:
- Log off of the SEPM, if logged in.
- Use the User name entered in Step B-2. User names are case sensitive.
- Use the Active Directory password for the Active Directory account specified in Step B-8.
- Leave the Domain field blank. (This field expects a SEPM domain and not an Active Directory domain).
Do not use the built-in SEPM System administrator account called: admin when setting up Active Directory Authentication, doing so can prevent logon access to SEPM with "Authentication Failure" error. Lockout issues can occur when changing the Active Directory account, upgrading Active Directory, changing Active Directory mode, and when removing SEPM(s) as a replication partner.
SEPM Active Directory Authentication is only supported for an administrator account that has been created in SEPM by clicking "Add an administrator."
Note: The SEPM administrator name you created/added is taken from SEPM database while the password is taken from Active Directory.
Note: There is no such dependency of Domain Functional Level/Forest Functional Level from AD to SEP.