ADI: Use AD Delegated Authentication

Extending Active Directory (AD) to the Cloud is even simpler using the delegated authentication capabilities of the JumpCloud Active Directory Integration (ADI).

What is Delegated Authentication?

Delegated Authentication uses an external source, like AD, to verify a user’s password. Delegated authentication differs from federated user authentication in two key ways:

  1. JumpCloud is the Identity Provider (IdP). The external source is used for password validation only. 
  2. The user is not redirected to the external source. Instead, they remain in the JumpCloud login flow and the verification is happening behind the scenes.

Why Delegate User Authentication to AD?

There are several use cases for which delegated user authentication is required or preferred:

  • Easier integration deployment – Install the import agent on a small number of member servers, not on all domain controllers (DCs), while still keeping and managing passwords only in AD
  • Compliance – Keep the password behind the AD firewall and still extend AD to the cloud using JumpCloud
  • Seamless onboarding of existing users to the Cloud – End users log in to JumpCloud for the first time using their existing corporate email address and AD password. No password reset is needed
  • SSO without ADFS – Allow users to use a single secure identity to access their on-premises and Cloud resources without having to use Active Directory Federation Services (ADFS)

Important Considerations

Important:

When upgrading from AD import agent v2.6.0 or lower, you must select Install New Agent from the Downloads dropdown menu in the ADI Details page to get the connect key, which is required to complete the upgrade of the agent on the AD server.

  • Delegated authentication to AD is supported by JumpCloud AD import agent v3.0 and higher, and is supported when the import agent is installed on all AD Domain Controllers (DCs) or on AD member server(s)
  • To use delegated authentication to AD, the primary import agent must be version v3.0 or higher and the ADI delegated authentication setting, Delegated Password Validation, must be enabled and active

Warning:

All installed import agents should be the same version to avoid unexpected behavior or the potential for users not being able to log in if the primary agent is switched.

Important:

When upgrading the AD import agent to version 3.0, existing users connected to the domain will not have their log in delegated to AD unless the Delegated Authority is manually set to Active Directory for those existing users.

  • User Portal and SSO logins are delegated to AD when the following are true:
    • The delegated authentication setting, Delegated Password Validation, is enabled and active for the ADI configuration
    • The user has access to the delegation-enabled AD domain, and their Delegated Authority is set to Active Directory on their user record

Warning:
  • Users will NOT be able to log in if their Delegated Authority is Active Directory and the delegated authentication setting, Delegated Password Validation, is pending or disabled in the ADI configuration, all import agent(s) have been deleted, or the ADI integration has been deleted.
  • Users will NOT be able to log in to the JumpCloud User Portal or SSO apps if they are connected (bound) to multiple delegation-enabled AD domains.
  • The device password reset flow is delegated to AD when the following are true:
    • The device is managed by JumpCloud
    • The delegated authentication setting, Delegated Password Validation, is enabled and active for the ADI configuration
    • The user has access to the delegation-enabled AD domain, and their Delegated Authority is set to Active Directory on their user record
    • Self-Service Account Provisioning is enabled and Default Password Sync is disabled in Devices > Settings

Note:

On devices, with the configuration above, only the password used during the password reset flow is delegated to AD for validation. The user must set and use a local password or PIN for device logins. Their device login credentials will be managed separately.

  • Existing AD users imported from AD to JumpCloud no longer have to reset their password in AD to log in to JumpCloud managed resources when delegation is enabled for them

Note:
  • If the import agent is installed on DCs, the password is stored in JumpCloud after the initial login. The stored password continues to be synced from AD to JumpCloud and from JumpCloud to other resources. The password can be used to log in to resources that don’t support delegated authentication to AD, such as Cloud RADIUS, Cloud LDAP, and devices.
  • If the import agent is installed on AD member servers, the password is never stored in JumpCloud.
  • Cloud RADIUS and Cloud LDAP resource logins cannot be delegated to AD. A user must have a password in JumpCloud to be able to access these resources.
  • The delegated authentication setting, Delegated Password Validation, is enabled by default for the Manage users and passwords in Active Directory ADI configuration and cannot be disabled.
  • The delegated authentication setting, Delegated Password Validation, is disabled by default but can be enabled for the Manage users and passwords in JumpCloud, AD or both configuration.
  • When the JumpCloud AD import agent is installed on DCs, AD passwords sync to JumpCloud. This means the password is saved in both AD and JumpCloud. This applies to both ADI configurations: Manage users and passwords in Active Directory and Manage users and passwords in JumpCloud, AD or both.
  • When the JumpCloud AD import agent is installed on member servers, the AD password does not sync to JumpCloud.
    • In the Manage users and passwords in Active Directory configuration, this means the password exists only in AD. In this configuration, the user’s Password Authority should also be set to Active Directory to prevent a password from being entered in JumpCloud by either a JumpCloud Admin or the end user.
    • In the Manage users and passwords in JumpCloud, AD or both configuration, this means users imported from AD will not have their AD password stored on their initial login to JumpCloud, nor will the password sync from AD to JumpCloud. Any user connected to a delegation-enabled AD domain, whether created in AD or in JumpCloud, with their Password Authority set to None (JumpCloud) can have a password set and managed in JumpCloud, and that password is synced from JumpCloud to AD. This configuration is used when user passwords are managed in JumpCloud.
  • Avoid users being unable to log in to JumpCloud managed resources when changing the delegated authentication settings.

Important:

Do the following before disabling the ADI delegated authentication setting, Delegated Password Validation, or disconnecting a user from a delegation-enabled AD domain in the JumpCloud Admin Portal:

  • Verify the user’s Password Authority is set to None (JumpCloud)
  • Either send the user an activation email or set a password for the user from the user record in admin portal
  • A warning modal is shown with options to either automatically update the Delegated Authority for every connected (bound) user or not when the following actions are taken:
    • on save after delegated authentication is enabled or disabled in the ADI configuration
    • an ADI AD domain is deleted
    • a user is directly connected to (bound) or disconnected from (unbound) a delegation-enabled AD domain
    • a user is connected to (bound) or disconnected from (unbound) a user group connected (bound) to a delegation-enabled AD domain
    • when a user group is connected (bound) or disconnected (unbound) from a delegation-enabled AD domain.
  • The Delegated Authority can be updated for multiple users at once from the Users page
  • A user’s login to the User Portal and for SSO is always delegated to AD, even if they have a password in JumpCloud, as long as all of the following criteria are true:
    • their Delegated Authority is set to Active Directory
    • they are connected to a delegation-enabled AD domain
    • the ADI delegated authentication setting, Delegated Password Validation, is enabled and active for the AD domain
  • Delegated authentication can be enabled or disabled on a per-user basis from the user details page, even if the user is not connected to a delegation-enabled AD domain
  • If an import agent is paused, delegated authentication still occurs. Only the import from AD to JumpCloud is paused

Configuration Steps Overview

To configure delegated authentication to AD, the main steps you will take are outlined below:

  1. Select your ADI deployment configuration.
  2. If not already selected, check the Delegated Password Validation option.
  3. Download and install the latest JumpCloud AD Import Agent from the JumpCloud Admin Portal.
  4. Give users access to ADI.

Enable Delegated Authentication for a New AD Domain

Tip:

The setting for delegated authentication on the ADI configuration is labeled Delegated Password Validation

To enable delegated authentication for the Manage users and passwords in Active Directory configuration:

  • No action is required.
    • Delegated Password Validation is enabled by default for this configuration and cannot be disabled

Note:

All new users imported from AD to JumpCloud will automatically have their Delegated Authority set to Active Directory.

Important:

Users imported prior to the release of Import Agent v3.0 will continue to use the password stored in JumpCloud, unless the Delegated Authority is manually set to Active Directory. If the import agent is installed on a DC, the password will continue to sync to JumpCloud.

To enable delegated authentication for the Manage users and passwords in JumpCloud, AD or both configuration:

  1. When creating a new AD domain in the JumpCloud Admin Portal:
    • Check the Delegated Password Validation checkbox in the Configuration Summary section of the Setup step
    • Download and install the Import and Sync agents
    • Click Configure ADI
  2. When updating the configuration for an existing AD domain in the JumpCloud Admin Portal:
    • Go to Directory Integrations > Active Directory
    • Click the domain for which you want to enable delegated password validation
    • Check the Delegated Password Validation checkbox in the Integration Details section
    • Make other configuration changes, if needed
    • Click Save
    • Review the confirmation message and select the update option
    • Click Continue
  3. When adding an ADI for a new AD domain using the JumpCloud v2 API (replace the domain value with your AD domain name):

curl --request POST \
  --url https://console.jumpcloud.com/api/v2/activedirectories \
  --header 'content-type: application/json' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_VALUE' \
  --data '{"delegationState":"ENABLED","domain":"string","groupsEnabled":true,"useCase":"TWOWAYSYNC"}'

  4. When updating an existing ADI configuration using the JumpCloud v2 API:

Warning:

Users may not be able to log in after this change is made. Changing the delegated authentication setting via the API does not automatically update the Delegated Authority for users connected to the ADI AD domain. You must update that setting manually for each connected (bound) user.

Tip:

Replace {id} with the ID of your ADI instance.

curl --request PATCH \
  --url https://console.jumpcloud.com/api/v2/activedirectories/{id} \
  --header 'content-type: application/json' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_VALUE' \
  --data '{"delegationState":"ENABLED","domain":"string","groupsEnabled":true,"useCase":"TWOWAYSYNC"}'

Enable Delegated Authentication for Users

These steps are intended for users who are already connected (bound) to a delegation-enabled AD domain but do not have their Delegated Authority set to Active Directory.

Warning:

Users will NOT be able to log in to the JumpCloud User Portal or SSO apps if any of the following are true when their Delegated Authority is set to Active Directory:

  • they are connected (bound) to multiple delegation-enabled AD domains.
  • the status of the ADI delegated authentication setting, Delegated Password Validation, is NOT enabled and active.
  • they are NOT connected to a delegation-enabled AD domain.
  • all import agents that support delegation have been deleted.

Considerations

  • Users must manage their passwords in AD once delegated authentication has been enabled

Prerequisites

  • Verify ADI delegated authentication setting, Delegated Password Validation, is enabled and active on the AD domain to which you will be connecting (binding) the user or to which the user is already connected (bound).
  • Verify users are not already connected (bound) to more than one delegation-enabled AD domain.
  • Verify users do not need access to JumpCloud LDAP integrations and JumpCloud Cloud RADIUS WiFi Networks.
  • Remind users they will need to log in with their AD login credentials.

To enable delegated authentication for a single user in Admin Portal

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click the user for whom you want to delegate password validation.
  4. Verify the user is connected to a delegation-enabled domain:
    • Click the Directories tab and check whether there is a check next to an ADI domain with the delegation enabled label (Delegation ENABLED).
    • Select the User Groups tab.
    • Expand each user group of which the user is a member (bound).
    • Verify the group gives access to the delegation-enabled AD domain.
  5. Select the Details tab.
  6. Expand User Security Settings and Permissions.
  7. From the Delegated Authority dropdown, select Active Directory.
  8. Review the confirmation message.
  9. Click Update Setting.
  10. Click Save User.

To enable delegated authentication for multiple users in Admin Portal:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Select the users for whom you want to delegate authentication to AD.
  4. Click the More Actions dropdown menu.
  5. Click Set Delegated Authority.
  6. Select Active Directory.
  7. Click Save.

To enable delegated authentication for a single user through the API:

  1. Generate an API key if you do not already have one.
  2. Example curl request:

curl --location --request PUT 'https://console.jumpcloud.com/api/systemusers/{id}' \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_VALUE' \
  --data '{
    "delegatedAuthority": {"name": "ActiveDirectory"}
  }'

  3. Example PowerShell request:

$headers = @{ 'x-api-key' = 'REPLACE_KEY_VALUE'; 'x-org-id' = 'REPLACE_ORG_VALUE' }
Invoke-RestMethod -Uri 'https://console.jumpcloud.com/api/systemusers/{id}' -Method PUT -Headers $headers -ContentType 'application/json' -Body '{"delegatedAuthority":{"name":"ActiveDirectory"}}'

Tip:

Replace {id} with the ID of the user whose Delegated Authority you want to update (this endpoint takes a user ID, not the ADI instance ID).

To enable delegated authentication for multiple users through the API

  1. Generate an API key if you do not already have one
  2. Example curl request:

curl --request PATCH \
  --url 'https://console.jumpcloud.com/api/v2/bulk/users' \
  --header 'content-type: application/json' \
  --header 'x-api-key: REPLACE_KEY_VALUE' \
  --header 'x-org-id: REPLACE_ORG_VALUE' \
  --data '[{
    "id": "{id}",
    "delegatedAuthority": {"name": "ActiveDirectory"}
  }]'

  3. Example PowerShell request:

$headers = @{ 'x-api-key' = 'REPLACE_KEY_VALUE'; 'x-org-id' = 'REPLACE_ORG_VALUE' }
Invoke-RestMethod -Uri 'https://console.jumpcloud.com/api/v2/bulk/users' -Method PATCH -Headers $headers -ContentType 'application/json' -Body '[{"id":"{id}","delegatedAuthority":{"name":"ActiveDirectory"}}]'

Tip:

Replace {id} with the ID of each user whose Delegated Authority you want to update. The bulk endpoint takes an array, so include one object per user.
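Before sending the bulk PATCH above, it is worth applying the login rules from the Important Considerations section to each candidate user, because a user whose Delegated Authority is set to Active Directory while they are bound to zero or several delegation-enabled domains, or to a domain whose Delegated Password Validation is still pending, is locked out of the User Portal and SSO. The script below is an added example, not JumpCloud's own code: it takes constructed user and domain records, reports why each user would be unsafe to switch, and builds the request body for PATCH /api/v2/bulk/users from the users that pass. Only delegatedAuthority.name and delegationState are API fields from this page; boundDomains, usesRadiusOrLdap, delegationActive and agentCount are assumed fields of the example's own records.

```python
# Added example (not JumpCloud's own code): apply this page's login rules to a
# set of users before bulk-setting Delegated Authority to Active Directory, and
# build the body for PATCH /api/v2/bulk/users from the users that pass.
# Only delegatedAuthority.name and delegationState are API fields taken from
# the page; boundDomains, usesRadiusOrLdap, delegationActive and agentCount
# are assumed fields of this example's own records.
import json

# Constructed sample ADI domains (not real data). delegationActive stands in for
# the "enabled and active" status; agentCount for installed import agents.
DOMAINS = {
    "corp.example":   {"delegationState": "ENABLED",  "delegationActive": True,  "agentCount": 2},
    "lab.example":    {"delegationState": "ENABLED",  "delegationActive": False, "agentCount": 1},  # pending
    "legacy.example": {"delegationState": "DISABLED", "delegationActive": False, "agentCount": 1},
}

# Constructed sample users. boundDomains lists every ADI domain the user reaches
# directly or through a user group.
USERS = [
    {"id": "u-alice", "username": "alice", "boundDomains": ["corp.example"], "usesRadiusOrLdap": False},
    {"id": "u-bob",   "username": "bob",   "boundDomains": ["corp.example", "lab.example"], "usesRadiusOrLdap": False},
    {"id": "u-carol", "username": "carol", "boundDomains": ["lab.example"], "usesRadiusOrLdap": False},
    {"id": "u-dave",  "username": "dave",  "boundDomains": [], "usesRadiusOrLdap": False},
    {"id": "u-erin",  "username": "erin",  "boundDomains": ["corp.example"], "usesRadiusOrLdap": True},
    {"id": "u-frank", "username": "frank", "boundDomains": ["legacy.example"], "usesRadiusOrLdap": False},
]


def delegation_issues(user, domains):
    """Return the reasons this user would be locked out of the User Portal/SSO,
    or would still need a JumpCloud password, once Delegated Authority is
    Active Directory. An empty list means the user is safe to switch."""
    issues = []
    enabled = [d for d in user["boundDomains"] if domains[d]["delegationState"] == "ENABLED"]
    if not enabled:
        issues.append("not connected to a delegation-enabled AD domain")
    elif len(enabled) > 1:
        issues.append("connected to multiple delegation-enabled AD domains")
    else:
        dom = domains[enabled[0]]
        if not dom["delegationActive"]:
            issues.append("Delegated Password Validation is pending, not active")
        if dom["agentCount"] == 0:
            issues.append("no import agents installed for the domain")
    if user["usesRadiusOrLdap"]:
        # Cloud RADIUS/LDAP logins cannot be delegated; the user needs a
        # JumpCloud password, which only syncs from AD when agents run on DCs.
        issues.append("uses Cloud RADIUS/LDAP; needs a JumpCloud password")
    return issues


def plan_bulk_update(users, domains):
    """Split users into a bulk PATCH body (safe to switch) and a skip map."""
    body, skipped = [], {}
    for u in users:
        issues = delegation_issues(u, domains)
        if issues:
            skipped[u["username"]] = issues
        else:
            body.append({"id": u["id"], "delegatedAuthority": {"name": "ActiveDirectory"}})
    return body, skipped


if __name__ == "__main__":
    body, skipped = plan_bulk_update(USERS, DOMAINS)
    print(json.dumps(body, indent=2))  # use as --data for PATCH /api/v2/bulk/users
    for name, why in skipped.items():
        print(f"skip {name}: {'; '.join(why)}")
```

In a real run you would populate DOMAINS and USERS from the Admin Portal or the v2 API rather than literals; the point is that the check runs before the write, so the skip list becomes your remediation list (unbind the extra domain, wait for the setting to become active, or set a JumpCloud password) instead of a queue of locked-out users.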

Give Users Access to Delegation-enabled AD Domains 

These steps are for giving users who are not already connected to a delegation-enabled AD domain access to that AD domain.

To give a user direct access to a delegation-enabled AD domain

From the ADI configuration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the Users tab.
  5. Select the user(s) to whom you want to give access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

From the user details page

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click the user for whom you want to enable delegated authentication.
  4. Select the Directories tab.
  5. Select the AD domain with the delegated authentication enabled label (Delegation ENABLED).

Note:

Make sure only one AD domain with delegation enabled is selected. Otherwise, users won’t be able to log in.

  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

To give a user access to a delegation-enabled AD domain through a user group

Important:

For dynamic groups, users who meet the conditions set on the group automatically get access to the delegation-enabled AD domain. You must manually set the Delegated Authority to Active Directory for these users.
Follow the instructions in the section To enable delegated authentication for a single user in Admin Portal (or the multiple-user procedure) to manually enable delegated authentication to AD for these users.

From the ADI configuration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the User Groups tab.
  5. Select the group(s) to which you want to give access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

From the user group details page

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > User Groups.
  3. Select the user group to which you want to give access to your delegation-enabled AD domain.
  4. Select the Directories tab.
  5. Select the AD domain with the delegated authentication enabled label (Delegation ENABLED).

Important:

Make sure only one AD domain with delegation enabled is selected. Otherwise, users won’t be able to log in.

  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

Remove User Access to Delegation-enabled AD Domains

To remove access for users with a direct connection to a delegation-enabled AD domain:

From the ADI configuration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the Users tab.
  5. Deselect the user(s) from whom you want to remove access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

From the user details page

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click the user for whom you want to disable delegated authentication.
  4. Select the Directories tab.
  5. Deselect the AD domain with the delegated authentication enabled label (Delegation ENABLED).

Note:

Make sure no more than one AD domain with delegation enabled remains selected. Otherwise, users won’t be able to log in.

  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

To remove access for users connected to a delegation-enabled AD domain through a user group

From the User Groups tab of the User page

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click the user for whom you want to disable delegated authentication.
  4. Select the User Groups tab.
  5. Deselect the group that connects the user to the delegation-enabled AD domain.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

Note:

If the group from which you removed the user is a dynamic group, you will be prompted to add the user to the exclude list for that group.

From the Users tab of the User Group page

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > User Groups.
  3. Click the user group that connects the user to the delegation-enabled AD domain.
  4. Select the Users tab.
  5. Deselect the user(s).
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

Note:

If the group is a dynamic group and the user still meets the conditions for membership in that group, you will need to add the user(s) to the exclude list.

To remove access for user groups connected to a delegation-enabled AD domain

Important:

For dynamic groups, users who no longer meet the conditions set on the group automatically lose access to the delegation-enabled AD domain. You must manually set the Delegated Authority to None (JumpCloud) for these users.
Follow the instructions in the section To disable delegated authentication for a single user (or the multiple-user procedure) to manually disable delegated authentication to Active Directory for these users.

From the ADI configuration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Select your AD domain.
  4. Select the User Groups tab.
  5. Deselect the group(s) from which you want to remove access.
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

From the user group details page

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > User Groups.
  3. Select the user group from which you want to remove access to your delegation-enabled AD domain.
  4. Select the Directories tab.
  5. Deselect the AD domain with the delegated authentication enabled label (Delegation ENABLED).
  6. Click Save.
  7. Read the warning message.
  8. Select the update option you prefer.

Tip:

We recommend automatically updating the settings for the user.

  9. Click Continue.

Disable Delegated Authentication for Users

These steps are intended for users who are already connected (bound) to a delegation-enabled AD domain and have their Delegated Authority set to Active Directory.

Considerations

  • Users won’t be able to log in until a password has been set in JumpCloud
    • If the import agent is installed on a DC, the users will have a password in JumpCloud. The AD password is synced in this configuration
    • If the import agent is installed on an AD member server, the users will not have a password in JumpCloud. Passwords are not synced from AD to JumpCloud in this configuration

Prerequisites

  • Notify users they will be getting a welcome email with a link to set their password in JumpCloud

To disable delegated authentication for a single user

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Click the user for whom you want to disable delegated authentication to AD.
  4. Select None from the Delegated Authority dropdown menu.
  5. Review the confirmation message.
  6. Click Update Setting.
  7. Click Save.

To disable delegated authentication for multiple users

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER MANAGEMENT > Users.
  3. Select the users for whom you want to disable delegated authentication to AD.
  4. Click the More Actions dropdown menu.
  5. Click Set Delegated Authority.
  6. Select None.
  7. Click Save.

Disable Delegated Authentication for a Domain

Tip:

The setting for delegated authentication on the ADI configuration is labeled Delegated Password Validation

Considerations

  • Users won’t be able to log in until a password has been set in JumpCloud
    • If the import agent is installed on a DC, the users will have a password in JumpCloud. The AD password is synced in this configuration
    • If the import agent is installed on an AD member server, the users will not have a password in JumpCloud. Passwords are not synced from AD to JumpCloud in this configuration

Prerequisites

  • Notify users they will be getting a welcome email with a link to set their password in JumpCloud

To disable delegated authentication for the Manage users and passwords in Active Directory configuration

Delegated Password Validation cannot be disabled for this configuration.

To disable delegated authentication for the Manage users and passwords in JumpCloud, AD or both configuration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Click the domain for which you want to disable delegated password validation.
  4. Uncheck the Delegated Password Validation checkbox in the Integration Details section.
  5. Make other configuration changes, if needed.
  6. Click Save.
  7. Review the confirmation message and select the appropriate update option.
  8. Click Continue.

Auditing and Troubleshooting

Use Directory Insights to audit and troubleshoot changes and actions related to delegated authentication. See Troubleshoot: Active Directory Integration (ADI) for detailed troubleshooting guidance.

Event: user_login_attempt
Description: Logged every time a user tries to log in to a JumpCloud managed resource.
Delegated authentication specific information: the event JSON includes a new field, password_delegated_authority, in auth_context when the user’s login is delegated to AD for authentication:

"auth_context": {
  "auth_methods": {
    "password": {
      "success": true
    }
  },
  "password_delegated_authority": "ActiveDirectory"
},

Event: association_change
Description: Logged every time two resources are associated (bound) or disassociated (unbound).
Delegated authentication specific information: logged when a user or a user group is associated (bound) with or disassociated (unbound) from a delegation-enabled AD domain.

Event: user_delegated_authority_update
Description: Logged when a change is made to the Delegated Authority setting on the user record.
Delegated authentication specific information: this event is specific to the delegated authentication functionality.

Event: activedirectory_domain_delegated_password_change
Description: Logged when the delegated authentication setting, Delegated Password Validation, in the ADI configuration is changed.
Delegated authentication specific information: this event is specific to the delegated authentication functionality.
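When users report that they can no longer log in after a delegation change, the events above are the first thing to pull from Directory Insights: failed password logins that carry password_delegated_authority tell you AD rejected the credential (or the delegation path was broken), and the user_delegated_authority_update and activedirectory_domain_delegated_password_change events tell you who changed what, and when. The script below is an added example, not JumpCloud's own code, that runs that triage over a newline-delimited JSON export. The sample lines are constructed; only auth_context.auth_methods.password.success and auth_context.password_delegated_authority are taken from the table, while event_type, username, service, initiated_by, domain and changes are this example's assumptions about the export format.

```python
# Added example (not JumpCloud's own code): scan an export of Directory Insights
# events for the delegated-authentication signals in the table above. The
# sample lines are constructed. Only auth_context.auth_methods.password.success
# and auth_context.password_delegated_authority come from the page; the other
# fields (event_type, username, service, initiated_by, domain, changes) are
# this example's assumptions about the export format.
import json

SAMPLE_EVENTS = [
    '{"event_type":"user_login_attempt","username":"alice","service":"sso",'
    '"auth_context":{"auth_methods":{"password":{"success":true}},'
    '"password_delegated_authority":"ActiveDirectory"}}',
    '{"event_type":"user_login_attempt","username":"bob","service":"user_portal",'
    '"auth_context":{"auth_methods":{"password":{"success":false}},'
    '"password_delegated_authority":"ActiveDirectory"}}',
    '{"event_type":"user_login_attempt","username":"carol","service":"radius",'
    '"auth_context":{"auth_methods":{"password":{"success":true}}}}',
    '{"event_type":"user_delegated_authority_update","username":"dave",'
    '"initiated_by":{"email":"admin@example.com"},'
    '"changes":[{"field":"delegatedAuthority","from":"None","to":"ActiveDirectory"}]}',
    '{"event_type":"activedirectory_domain_delegated_password_change",'
    '"domain":"corp.example","initiated_by":{"email":"admin@example.com"},'
    '"changes":[{"field":"delegationState","from":"ENABLED","to":"DISABLED"}]}',
    'garbled line that is not JSON',
]


def parse_events(lines):
    """Parse one JSON event per line, skipping malformed lines instead of aborting."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events):
    """Count delegated vs local password logins, list users whose delegated
    login failed, and collect the admin actions that change delegation state."""
    out = {
        "delegated_logins": 0,
        "delegated_login_failures": [],
        "local_password_logins": 0,
        "authority_changes": [],
        "domain_setting_changes": [],
    }
    for ev in events:
        kind = ev.get("event_type")
        ctx = ev.get("auth_context", {})
        actor = ev.get("initiated_by", {}).get("email")
        if kind == "user_login_attempt":
            pw = ctx.get("auth_methods", {}).get("password")
            if pw is None:
                continue  # not a password login
            if ctx.get("password_delegated_authority") == "ActiveDirectory":
                if pw.get("success"):
                    out["delegated_logins"] += 1
                else:
                    out["delegated_login_failures"].append(ev.get("username"))
            else:
                out["local_password_logins"] += 1
        elif kind == "user_delegated_authority_update":
            out["authority_changes"].append((ev.get("username"), actor))
        elif kind == "activedirectory_domain_delegated_password_change":
            out["domain_setting_changes"].append((ev.get("domain"), actor))
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(parse_events(SAMPLE_EVENTS)), indent=2))
```

Reading the summary for the constructed sample: one delegated login succeeded, bob's delegated login failed, carol's RADIUS login used a JumpCloud-stored password (no password_delegated_authority field, as the page says RADIUS cannot be delegated), and both the per-user and the domain-level delegation changes are attributed to the same admin, which is the correlation you want when a lockout follows a setting change.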

Next Steps

Haven’t installed the import agent yet?

Check out the step-by-step configuration guides

Ready to use ADI?

Read the Using and Managing the ADI article next.

Want additional assistance from JumpCloud? 

If you’re having issues with getting JumpCloud’s ADI working, try the Troubleshooting Guide. JumpCloud now offers myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.
