Integrate Active Directory/LDAP For Logins or Policy Mapping
Article ID: 286707



Carbon Black App Control (formerly Cb Protection)


How to set up the Console to allow users to log in with Active Directory accounts, or to use Policy Mapping with Active Directory.


  • App Control Console: All Supported Versions
  • Active Directory


  1. Verify the Carbon Black Service Account has the necessary Active Directory permissions.
  2. Verify the desired users in Active Directory are associated with the correct Groups.
  3. Log in to the App Control Console with a local admin account and navigate to: gear icon > System Configuration > General > Edit.
  4. Find the section: Active Directory / LDAP Integration and change the setting to Enabled.
  5. Use the following details:
    • AD-Based Logins: Enabled
    • AD Security Domain: If the AD Security Groups for App Control are in a domain other than login domains, enter that domain here. Otherwise, leave blank.
    • AD-Based Policy: If enabled, an App Control Policy can automatically be assigned to Agents based on AD or LDAP.
    • Windows 2000 DCs: Enable if using Windows 2000 Domain Controllers.
    • Search Level: Choose Global Catalog to search for objects in any domain in the Forest, or choose LDAP for a restricted search.
    • Test AD Connectivity: Click to test the connectivity between the App Control Server and Active Directory.
  6. Click Update and confirm the changes.
  7. Navigate to the gear icon > Login Accounts > User Role Mappings.
  8. Verify the current Mapping Rules are associated with the appropriate Active Directory Security Group.

AD Login Account Format:
The format for logging into the Console with an AD Account depends upon whether the account name is in the same domain as the Carbon Black App Control Server:

  • AD Accounts in a different domain must use a fully qualified version of their name. Example: DOMAIN\Username or Username@dnsDomain
  • AD Accounts in the same domain can log in either with a fully qualified username, or their username only (provided the username is not the same as a login account created directly in the Console).
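The resolution rules above (fully qualified form required for accounts in another domain; a bare username is accepted only for the server's own domain and only when it does not collide with a Console-local account) are easy to misread when a deployment mixes local and AD logins. The following is an added example, not code from the article or from Carbon Black: a small resolver that applies exactly those rules to a login string. The domain names, account names and the notion of a "local account list" passed in are constructed assumptions for illustration.

```python
from typing import Optional, Tuple

# Added example (not part of the Carbon Black article). It models the login
# format rules described in the article; the server domain names and the
# local-account list used with it are constructed assumptions.


def parse_login(login: str) -> Tuple[Optional[str], str]:
    """Split a Console login string into (domain, username).

    Accepted forms, as the article describes them:
      DOMAIN\\username   -> ("domain", "username")
      username@dnsDomain -> ("dnsdomain", "username")
      username           -> (None, "username")
    Domain names are lower-cased because AD name matching is case-insensitive.
    """
    login = login.strip()
    if not login:
        raise ValueError("empty login")
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.partition("@")
    else:
        return None, login
    if not domain or not user:
        raise ValueError(f"malformed login: {login!r}")
    return domain.lower(), user


def resolve_login(login: str, server_dns_domain: str, server_netbios: str,
                  local_accounts) -> Tuple[str, Optional[str], str]:
    """Decide how the Console would treat a login string.

    server_dns_domain / server_netbios: the DNS and NetBIOS names of the domain
        the App Control Server belongs to (constructed values in the tests).
    local_accounts: login names that were created directly in the Console.

    Returns (kind, domain, username) where kind is one of:
      "local"      a Console-local account (bare name matched a local login)
      "ad"         an AD account in the server's own domain
      "ad-foreign" an AD account in another domain, given in fully qualified form

    A bare username that is not a local account is looked up in the server's
    domain, so users from other domains must use DOMAIN\\user or user@dnsDomain.
    """
    dns = server_dns_domain.lower()
    netbios = server_netbios.lower()
    locals_ci = {name.lower() for name in local_accounts}

    domain, user = parse_login(login)
    if domain is None:
        if user.lower() in locals_ci:
            # A bare name that matches a Console-local account is that local
            # account; an AD user with the same name must log in fully qualified.
            return ("local", None, user)
        return ("ad", dns, user)
    if domain in (dns, netbios):
        return ("ad", dns, user)
    return ("ad-foreign", domain, user)


if __name__ == "__main__":
    # Constructed sample environment: server in corp.example.com (NetBIOS CORP),
    # one local Console account named "fred".
    for attempt in ("fred", "alice", "fred@corp.example.com", "PARTNER\\bob"):
        print(attempt, "->", resolve_login(attempt, "corp.example.com", "CORP", {"fred"}))
```

Running the block with the constructed environment shows the case the article warns about: the bare name `fred` is taken as the local Console account, so the AD user of the same name has to sign in as `fred@corp.example.com` or `CORP\fred`. Keeping every login on one method, as the Additional Information section recommends, avoids that ambiguity entirely.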

Additional Information

  • Enabling Windows 2000 DCs will deactivate the option for AD Security Domain, as that option relies on cross-domain membership tests which are only available with Windows 2003 SP2 Domain Controllers and higher.
  • Beginning with Server 8.9.0 it is possible to log in using the User Principal Name. Example: if the User logon name and the User logon name (pre-Windows 2000) are different, either can be used.
  • It is recommended to make all Console logins using the same method (AD Logins vs Local Logins) to prevent confusion during login.
    Local Login: fred
    AD Login: fred@domain
  • More information on this is available in the User Guide chapter, Managing Console Login Accounts.