How to find the URL to connect to active directory default domain?

  • Question

  • I am trying to integrate an Elasticsearch server hosted on an Azure VM with an Active Directory domain for authentication. But when I try to access the domain from the VM, it throws a "domain couldn't be resolved" error. Any help is appreciated.
    Monday, October 21, 2019 6:23 AM

Answers

  • Hello sanket007,

    The domain name detaropwmail2com.onmicrosoft.com is not an LDAP domain name; it is an endpoint which cannot be queried using the LDAP protocol. The domain name pertains to an Azure Active Directory instance, and this instance is not similar to on-premises Active Directory. You would need to enable Azure AD Domain Services in your tenant, which provides on-premises-like LDAP protocol support, if you want to use it. This will create two managed domain controller instances which allow restrictive management by end users. This would sync all your user accounts to the Azure AD Domain Services instance. You would need to reset the passwords of the users whose passwords you would like to sync if you have a hybrid Azure AD environment. Alternatively, you can make changes to the on-premises AAD Connect configuration to have the password hashes for the users synced. In case you have a cloud-only environment where you do not have an on-premises Active Directory, you can ignore this. AAD Domain Services instance DCs will get a domain name which you set during first-time configuration. Once this is done, you can create a Linux/Windows VM within the same Azure Virtual Network where AAD Domain Services is deployed. You can set up secure LDAP by configuring an NSG. Also, this would have some cost implications for the Azure subscription the AAD tenant is associated with. You can test it by creating a free Azure subscription, which provides you with a trial credit of $200 for one month, in case you are using Azure AD free edition and do not have a valid Azure subscription. Once this is done, you can query the domain using the same LDAP protocol and use the format you were using with X-Pack. Any users that you create in Azure AD will automatically get synced to the AAD Domain Services instance.

    Azure AD supports SAML authentication, and you can probably use the SAML guide provided on Elastic's product website https://www.elastic.co/guide/en/x-pack/6.2/saml-guide.html to further configure that; however, I cannot confirm this as I have not configured it. Please check the above guide along with the SSO guide for Azure AD non-gallery applications https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications and I believe you should be able to configure the same without enabling Azure AD Domain Services. Should you still have any queries, please feel free to let us know and we will try to help you further.

    I have provided you two ways above, and both of them have considerable work to be done and require testing. Please check the reference links to understand more. It may take some time for you to read through. Please let me know the follow-up questions if any. Should the information help, please do mark this as answer so that it helps other community members searching for similar solutions.

    Thank you. 

    3rd Party Content Disclaimer 
    ============================
    The referenced links provide some content which may or may not be useful, and Microsoft does not have any control over that content. Microsoft requests you to verify the content with the 3rd party publishers before using the information in production and disclaims any right to the same. We request any guidance to be thoroughly tested in a test environment before being applied in production.



    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Monday, October 21, 2019 3:38 PM
    Moderator

All replies

  • Hello sanket007

    I believe the DNS resolution for the domain is not working and it's a name resolution error. Your Elasticsearch VM must be pointed to the same DNS server which hosts the DNS zone for your Active Directory on a different VM. I have a question though: if you are trying to connect to an AD domain which you have created on a VM in Azure, then you need to make sure that they both are in the same VNET or their VNETs can talk to each other. You may need to configure NSG rules properly to allow communication between the servers.

    If you are talking about Azure Active Directory, then it is a little different. You would have to find out if the Elasticsearch configuration supports the OAuth protocol and what kind of OAuth flows it supports.

    If it's an on-premises Active Directory domain, then what is the format Elasticsearch supports for connecting to AD? Some applications just ask for the AD domain name (contoso.local), some use an ldap:// DN path, and others just take the IP address of the server; as long as incoming requests on port 389 or 636 are open on the domain controller server, the application is able to connect without an error.

    Please let me know more and I will be able to help you further on this. I have included links on the same; please check them for detailed information. In case you have queries, please feel free to let me know. Also, if you could provide some screenshots of the error and more information on whether you have an Active Directory domain installed on the VMs or you are trying to configure Elasticsearch with Azure AD, we can help you further.

    Thank you. 



    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Monday, October 21, 2019 7:27 AM
    Moderator
  • xpack:
      security:
        authc:
          realms:
            active_directory:
              my_ad:
                order: 0
                domain_name: detaropwmail2com.onmicrosoft.com

    This is how Elasticsearch accepts the domain. It supports LDAP and it will create the following URL using the
    provided domain_name: "ldap://detaropwmail2com.microsoft.com:389". It will use this URL to connect to
    Active Directory for authentication.

    But this domain of the default Azure Active Directory is not resolvable from the Azure VM. So, how can I make it resolvable from the Azure VM?

    Monday, October 21, 2019 9:32 AM
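    The triage the replies above describe, written out as an added example (not code from the thread, Microsoft or Elastic): it forms the ldap://<domain_name>:389 URL the X-Pack realm derives, short-circuits on a *.onmicrosoft.com tenant name (which the accepted answer explains is not LDAP-queryable), and otherwise checks DNS resolution and TCP reachability of ports 389/636 from the VM. The helper names and the result labels are this example's own.

```python
"""Triage for the "domain couldn't be resolved" error discussed above: reproduce the URL
the realm derives from domain_name, then separate tenant-name, DNS and network causes."""
import socket

LDAP_PORT, LDAPS_PORT = 389, 636

def ldap_url_for(domain_name: str, secure: bool = False) -> str:
    """URL form the realm builds from domain_name (ldap://<domain>:389 per the post)."""
    scheme, port = ("ldaps", LDAPS_PORT) if secure else ("ldap", LDAP_PORT)
    return f"{scheme}://{domain_name}:{port}"

def is_aad_tenant_name(domain_name: str) -> bool:
    """*.onmicrosoft.com names the Azure AD tenant; it is not an LDAP-queryable domain."""
    return domain_name.lower().endswith(".onmicrosoft.com")

def resolves(domain_name: str) -> bool:
    """DNS check: the VM must use the DNS server hosting the AD zone."""
    try:
        socket.getaddrinfo(domain_name, None)
        return True
    except socket.gaierror:
        return False

def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP reachability: VNET peering and NSG rules must allow 389/636."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(resolved: bool, ldap_open: bool, ldaps_open: bool) -> str:
    """Map observations to the likely cause (labels are this example's own)."""
    if not resolved:
        return "dns"              # name resolution error, as in the original question
    if not (ldap_open or ldaps_open):
        return "network"          # resolves, but no LDAP port reachable: check NSG/VNET
    if not ldaps_open:
        return "plain-ldap-only"  # works, but secure LDAP (636) is not exposed
    return "ok"

def diagnose(domain_name: str) -> str:
    # Short-circuit before touching the network: a tenant name is never an LDAP host.
    if is_aad_tenant_name(domain_name):
        return "tenant-name"
    resolved = resolves(domain_name)
    ldap_open = resolved and port_open(domain_name, LDAP_PORT)
    ldaps_open = resolved and port_open(domain_name, LDAPS_PORT)
    return classify(resolved, ldap_open, ldaps_open)
```

    Run `diagnose("<your AD DS domain>")` from the Elasticsearch VM itself, since the answer depends on that VM's DNS server and NSG rules.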
  • Thanks a ton!!!
    Tuesday, October 22, 2019 10:53 AM
  • You are welcome . :) 


    Tuesday, October 22, 2019 11:44 AM
    Moderator
  • I want to integrate Azure B2C Active Directory with Elasticsearch.
    Any idea how to achieve this?
    Wednesday, October 23, 2019 7:25 AM
  • From what I understand, you are trying to create a search-based service for end consumers where anyone can come and sign up for the service and use it. Azure AD B2C is being used as an identity store/identity provider in this case. I do not have an exact idea of how to do that as I have not done it. But the following blog provides details on how to integrate with normal Azure Active Directory. I would suggest going through it once.

     https://www.elastic.co/blog/saml-based-single-sign-on-with-elasticsearch-and-azure-active-directory 

    I believe with this and the other X-Pack links provided earlier in the thread, you should be able to get it done with Azure AD. Now SAML app integration with Azure AD is possible, but for Azure AD B2C it is in preview at the moment. You would have to create custom policies in Azure AD B2C in order to do that. Please check the GitHub sample https://github.com/azure-ad-b2c/saml-sp which talks about a basic application integration with AAD B2C as a SAML relying party.

    I hope this helps you. :) 

    Thank you. 


    Wednesday, October 23, 2019 10:07 AM
    Moderator