Set up Evo on Active Directory (LDAP)
This will walk you through the process of setting up Evo Secure Login & Elevated Access on a system that is connected to an Active Directory instance.
Pre-Requisites
- Please review the Requirements & Prerequisites documentation
Create a Tenant and Directory
Tenants are your customers and directories are the sources that you connect customers to.
Start by selecting Evo Admin > Tenants, then the Add New Tenant+ button on the right side of the screen.
Once selected, give your Tenant (Customer) a name and select the type of directory (in this case, LDAP).
Give your directory a name that you will be able to easily identify for each of your customers.

Once you have filled that out, click Next at the bottom right to continue in the wizard. Optionally, you can set license options for newly synced users.

Creating Your LDAP Token
On the next screen, you will be prompted to create your LDAP token. After selecting your desired expiration date and clicking Create LDAP Token, be sure to copy and securely store your deployment configuration. These values are required when installing the LDAP Agent, and the secret cannot be viewed again once you leave this step.
You will also see instructions on the same page for downloading the LDAP Agent, which should be completed before proceeding with the installation.

Before the installer is run you'll want to set up your Groups and Users.
Setting up Active Directory Groups and Users
Evo's LDAP Agent syncs the users in a group that you designate and brings them into Evo for use.
Go to Active Directory Users and Computers and start by creating a new Security Group. Name the group whatever you like.

Once you create the Security Group, you will add all users that you would like to manage in Evo to that group.
This should include anyone who you'd like to utilize Secure Login and/or Elevated Access products.
Before you add users, make sure that an email address is filled in on the properties page of each user.

The Email property is how users are identified within Evo. Use real email addresses wherever possible; for some service accounts, or an account that is only used for Elevated Access, the address does not need to be real. Email addresses must always be distinct in Evo, even across tenants, or users may fail to sync.
Once you have all of your users set up with emails, add them into the LDAP group that you created.

Shared Accounts for Elevated Access
If you are using Elevated Access, create a new Domain Admin for use as the shared account. It is typically easiest to copy the Administrator profile and create a new user based on those permissions. Just make sure that the newly created user is a member of the Domain Admins group.
Note: You can use an existing administrator if you prefer, but be aware that when Evo takes over this account it rotates the account's password. It is best to create a separate admin so that no existing processes or systems using that profile are interfered with.
You can right-click a matching profile and select Copy to create a new user with the same permissions.

You can give this user any password as it will be rotated by Evo once taken over. Make sure to deselect the change password at next logon option and select Password never expires.

Once that is completed, provide an email address in the user profile (it can be a non-existent one as long as it is distinct within Evo) and add the user to the Security Group you created.
Once the group is complete, exit Active Directory Users and Computers and install the Evo LDAP Agent that you downloaded to the system.
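The Active Directory preparation above can also be scripted. The following is an added example, not Evo's own tooling, that uses the ActiveDirectory PowerShell module (installed with RSAT) to create the sync group, check that every user to be synced has a populated and distinct mail attribute before adding them, and create the dedicated shared account for Elevated Access with the password options the page calls for. The group name, OU path, account names, email addresses and domain below are placeholders; replace them with your own values.

```powershell
# Added example (not Evo's own script): prepares the AD objects this page
# describes with the ActiveDirectory module. All names and the OU path are
# assumptions; replace them with your own values.
Import-Module ActiveDirectory

$SyncGroupName  = 'Evo-Sync-Users'                    # assumed group name
$TargetOU       = 'OU=Evo,DC=corp,DC=example'         # assumed OU (must already exist)
$SyncMembers    = @('jdoe', 'asmith')                 # assumed sAMAccountNames to sync
$SharedAcctName = 'evo-shared-admin'                  # assumed shared-account name
$SharedAcctMail = 'evo-shared-admin@noreply.example'  # placeholder; need not be real, must be unique in Evo
$UpnSuffix      = 'corp.example'                      # assumed UPN suffix

# 1. Create the Security Group the LDAP Agent will sync (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$SyncGroupName'")) {
    New-ADGroup -Name $SyncGroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}

# 2. Every synced user needs a populated mail attribute, and the values must be
#    distinct: a user with no address, or one shared with another user, may fail to sync.
$users = foreach ($sam in $SyncMembers) {
    Get-ADUser -Identity $sam -Properties mail
}
$missing = $users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) }
if ($missing) {
    throw "Users without an email address: $($missing.SamAccountName -join ', ')"
}
$dupes = $users | Group-Object -Property mail | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    throw "Duplicate email addresses: $($dupes.Name -join ', ')"
}
if ($users.mail -contains $SharedAcctMail) {
    throw "Shared-account email '$SharedAcctMail' is already used by a synced user"
}

# 3. Add the verified users to the sync group.
Add-ADGroupMember -Identity $SyncGroupName -Members $users

# 4. Shared account for Elevated Access: a dedicated Domain Admin rather than an
#    existing one, because Evo rotates its password once it takes the account over.
#    The initial password is a throwaway for the same reason. "Password never expires"
#    is set and "change password at next logon" is cleared, as the page requires.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SharedAcctName'")) {
    $initialPassword = Read-Host -AsSecureString -Prompt 'Initial (throwaway) password for the shared account'
    New-ADUser -Name $SharedAcctName `
               -SamAccountName $SharedAcctName `
               -UserPrincipalName "$SharedAcctName@$UpnSuffix" `
               -EmailAddress $SharedAcctMail `
               -Path $TargetOU `
               -AccountPassword $initialPassword `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -ChangePasswordAtLogon $false
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SharedAcctName
    Add-ADGroupMember -Identity $SyncGroupName -Members $SharedAcctName
}

# 5. Review the group before running the LDAP Agent installer: every member
#    should show an email address and be enabled.
Get-ADGroupMember -Identity $SyncGroupName |
    Get-ADUser -Properties mail |
    Select-Object SamAccountName, mail, Enabled |
    Format-Table -AutoSize
```

Run this as a domain administrator from a machine with RSAT installed. The email checks stop the script before any group membership is changed, so a missing or duplicated address is caught here rather than surfacing later as a user that silently fails to sync.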
LDAP Agent Installer
Start the installer and walk through the prompts. Be sure to enter the values you received when creating your LDAP token.
When the installer lets you select a group, select the group that you created for the LDAP sync.
Select only that group; otherwise the agent will try to sync every user from every group.

Once that's completed, finish the installer.
Now search for Evo on the Windows Taskbar to pull up the menu for the LDAP agent.

The user sync runs automatically. Once the Sync Users option is shown again, the initial sync has completed.
From here, make sure that you can stop and start the service with the options to the right of the Agent Status field and that no errors are returned. You can also run a Connection Test to verify that the LDAP Agent can reach Evo's services.
As long as both of those pass, close the window and return to the Evo Portal.
Configure Domain Accounts (Optional)
In Step 3 of the setup wizard, you will be prompted to configure any Domain accounts you intend to rotate. This step is optional and can be skipped if you prefer to complete this configuration at a later time. If using Elevated Access and your users have synced in already, you can now designate an account to act as the Shared Account.
Select the account that you want to elevate into and choose options for rotating its password. Password rotations can be scheduled as often as every hour or as infrequently as every 30 days. Select the account you want to use and select Complete. If no users have been synced in yet, you can do this at a later time.

Generate Endpoint Agent Token
In the final step of the wizard, you will be prompted to create the token information for your Evo Endpoint Agent. After providing a name and selecting an expiration date, the system will generate the required token values and present download options for the appropriate installer.
Be sure to copy and securely store your deployment configuration. These values are required when installing the Evo Endpoint Agent, and the secret cannot be viewed again once you leave this step.
Note: The LDAP Agent and the Evo Endpoint Agent are separate installers and each uses its own unique Access and Secret values.

Tenant Access
Select the Tenant Access tab under Evo Admin > Permissions > Tenant Access.

Select your tenant by clicking on the pencil icon on the right.

Select all groups and/or users that you would like to have access to the tenant and click Save.
Next Steps:
Your Tenant is now set up via on-premises Active Directory (LDAP Agent). From here, you can proceed to set up our individual products:
If you have any issues, please contact support at support@evosecurity.com.