Configure Microsoft's Active Directory to manage your directory of users
Connect your Windows server to CSE using LDAP
- Updated on Aug 21, 2025
Active Directory is Microsoft’s on-premise directory service, which allows employees to sign in and access resources. Cloud Secure Edge (CSE) integrates with your organization’s Active Directory Windows server via the LDAP protocol to authenticate end users that need access to CSE networks and services.
Prerequisites
- a reporting Global Edge Connector in CSE
- a bind user account (to authenticate to an LDAP directory, like Active Directory).
Steps to set up Active Directory (AD) authentication in CSE
Step 1: Configure User Identity Provider details
1.1 In the Cloud Secure Edge Command Center, navigate from Settings > Identity and Access > End User, and select Microsoft Active Directory (On Premise) as the Provider Name.
1.2 Under Provider Protocol, ensure that LDAP is selected by default.
1.3 Under CSE Connector, select a Connector. Ensure that the selected Connector is a reporting Global Edge Connector.

Step 2: Configure LDAP Settings
2.1 Enter the IP address or fully-qualified domain name (FQDN) of the LDAP server used for Active Directory. If using a domain name (e.g., ad1.microsoft.com), ensure that the name can be resolved by your DNS server.
2.2 Enter the LDAP Server Port Number. Note that if using Port 636, Use TLS/SSL will automatically be toggled on and the server will be accessed via HTTPS; if using Port 389, Use TLS/SSL will automatically be toggled off and the server will be accessed via HTTP.
2.3 If using an alternative port, toggle Use TLS/SSL on or off.
2.4 Enter the LDAP Bind User, adhering to Microsoft’s X.500 notation (e.g., CN=name,OU=myOrg,DC=myCorp,DC=com).
2.5 Enter the associated LDAP Bind Password.
2.6 Enter the User Base Distinguished Name to specify where to start a search for an end user, using X.500 notation with key-value pairs (e.g., OU=myUnit,DC=myCorp,DC=com).
2.7 Optional: Specify a Username Filter (e.g., objectClass=user).

2.8 Enter the Username Attribute Mapping: Specify the LDAP attribute that holds the username (e.g., userPrincipalName).
2.9 Enter the Name Attribute Mapping: Specify the LDAP attribute that holds the display name (e.g., cn).
2.10 Enter the Email Address Attribute Mapping: Specify the LDAP attribute that holds the email address (e.g., email).
2.11 Enter the Group Base Distinguished Name (DN): Specify the Base DN where the search for group names starts, using X.500 notation (e.g., OU=groups,DC=myCorp,DC=com).
2.12 Optional: Specify a Group Filter (e.g., (objectClass=group)).
2.13 Enter the Group Attribute Mapping: Specify the LDAP attribute that lists group membership (e.g., member).
2.14 Save your configuration.
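The Step 2 form accepts free-text DNs, filters and attribute names, and a typo in any of them only surfaces later as a failed bind or an empty search. The following pre-flight validator is an added example, not part of CSE or its documentation: it checks the strings offline against the syntax Active Directory expects (DN structure per RFC 4514, filter parenthesization per RFC 4515, the port/TLS pairing the form applies) before anything is sent to a domain controller. The dictionary keys are names chosen for this script, not CSE API fields, and the sample values are constructed from the examples on this page.

```python
"""Offline pre-flight checks for the LDAP settings entered in Step 2.

Added example; not part of the CSE product or its documentation. Field names
in the settings dict are assumptions for this script, not CSE API names.
"""
import re

# Attribute names per RFC 4512, optionally followed by an extensible-match
# OID suffix such as member:1.2.840.113556.1.4.1941: (see Troubleshooting).
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(:[0-9.]+:)?$")
# One relative distinguished name, e.g. OU=myUnit
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def parse_dn(dn):
    """Split an X.500 DN into (attribute, value) pairs.

    Commas escaped as '\\,' stay inside their value. Multi-valued RDNs
    ('+') are not handled; AD-issued DNs for users and OUs do not use them.
    Raises ValueError on malformed input.
    """
    if not dn or not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        m = RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN {rdn!r}; expected attr=value")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def normalize_filter(flt):
    """Return the filter wrapped in parentheses (the form accepts both
    'objectClass=user' and '(objectClass=group)'); raise if parentheses are
    unbalanced or the string is really two filters side by side."""
    flt = flt.strip()
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ')' in filter {flt!r}")
            if depth == 0 and i < len(flt) - 1 and flt.startswith("("):
                raise ValueError(f"{flt!r} must be a single filter")
    if depth != 0:
        raise ValueError(f"unbalanced '(' in filter {flt!r}")
    return flt if flt.startswith("(") else f"({flt})"


def validate_ldap_settings(s):
    """Return {'errors': [...], 'warnings': [...]} for a settings dict."""
    errors, warnings = [], []
    if not s.get("server"):
        errors.append("server: IP address or FQDN required")
    port, tls = s.get("port"), s.get("use_tls")
    if port == 636 and tls is False:
        errors.append("port 636: the form toggles Use TLS/SSL on")
    elif port == 389 and tls is True:
        errors.append("port 389: the form toggles Use TLS/SSL off")
    elif port not in (389, 636) and tls is None:
        errors.append("alternative port: Use TLS/SSL must be set explicitly")
    if port == 389 or tls is False:
        # The bind password travels in cleartext on a non-TLS connection.
        warnings.append("non-TLS connection: bind password is sent in cleartext")
    if not s.get("bind_password"):
        errors.append("bind_password: required")
    for key in ("bind_dn", "user_base_dn", "group_base_dn"):
        try:
            parse_dn(s.get(key, ""))
        except ValueError as e:
            errors.append(f"{key}: {e}")
    for key in ("user_filter", "group_filter"):
        if s.get(key):
            try:
                normalize_filter(s[key])
            except ValueError as e:
                errors.append(f"{key}: {e}")
    for key in ("username_attr", "name_attr", "email_attr", "group_attr"):
        val = s.get(key, "")
        if not ATTR_RE.match(val):
            errors.append(f"{key}: {val!r} is not a valid attribute name")
    return {"errors": errors, "warnings": warnings}


# Constructed sample built from the examples on this page; the server name
# and password are placeholders. AD stores the mail address in 'mail'.
SAMPLE = {
    "server": "ad1.example-corp.internal",
    "port": 636,
    "use_tls": True,
    "bind_dn": "CN=name,OU=myOrg,DC=myCorp,DC=com",
    "bind_password": "<placeholder-not-a-real-secret>",
    "user_base_dn": "OU=myUnit,DC=myCorp,DC=com",
    "user_filter": "objectClass=user",
    "username_attr": "userPrincipalName",
    "name_attr": "cn",
    "email_attr": "mail",
    "group_base_dn": "OU=groups,DC=myCorp,DC=com",
    "group_filter": "(objectClass=group)",
    "group_attr": "member",
}

if __name__ == "__main__":
    for level, msgs in validate_ldap_settings(SAMPLE).items():
        for msg in msgs:
            print(f"{level}: {msg}")
```

Run it against the values you intend to paste into the form; an empty result means the strings are at least well-formed, and the cleartext warning for port 389 is a reminder of what the Use TLS/SSL toggle protects.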
Test the Connection
Once the configuration is saved, certificate provisioning can take up to 10 minutes; after 10 minutes, a Test Connection button will become available.
Enter your credentials (i.e., email and password, which should match inputs in Active Directory); if successful, a modal will pop up displaying the service, the LDAP server, and credentials. Review these to ensure that everything is configured correctly.

Troubleshooting
If specifying member as the group attribute object class isn’t sufficient to resolve nested groups, append the object identifier (OID) (i.e., a number string) to the attribute to resolve the issue. We recommend entering the following value for member: 1.2.840.113556.1.4.1941
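The OID above is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: qualifying member (or memberOf) with it makes the server walk group nesting transitively instead of returning only direct members. The following is an added example, not CSE code and not from this documentation: it builds the two filters that the OID-qualified attribute produces, escapes the DN per RFC 4515 so characters in a directory value cannot change the filter's meaning, and resolves the same closure over a constructed in-memory directory so you can check which groups a user effectively belongs to. The directory contents and DNs are constructed; no live server is contacted.

```python
"""Nested-group membership with LDAP_MATCHING_RULE_IN_CHAIN.

Added example; not part of CSE or its documentation. The in-memory
directory below is constructed for illustration.
"""
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515).

    A DN such as 'CN=Smith\\, John' carries a backslash that must become
    '\\5c'; '*', '(', ')' and NUL must never reach the filter unescaped.
    """
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def groups_in_chain_filter(user_dn):
    """Every group that lists user_dn as a member directly or through nesting."""
    return (f"(&(objectClass=group)(member:{LDAP_MATCHING_RULE_IN_CHAIN}:="
            f"{escape_filter_value(user_dn)}))")


def members_in_chain_filter(group_dn):
    """Every user that is a direct or nested member of group_dn."""
    return (f"(&(objectClass=user)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:="
            f"{escape_filter_value(group_dn)}))")


def groups_in_chain(user_dn, directory):
    """Compute locally what the matching rule computes on the server.

    directory maps group DN -> set of member DNs (users or other groups).
    Groups already found are not expanded again, so nesting cycles terminate.
    """
    found, frontier = set(), {user_dn}
    while frontier:
        nxt = set()
        for group, members in directory.items():
            if group not in found and members & frontier:
                found.add(group)
                nxt.add(group)
        frontier = nxt
    return found


# Constructed directory: Alice is in App Users, App Users is nested in
# VPN Access, and VPN Access is (circularly) nested back in App Users.
ALICE = "CN=Alice,OU=myUnit,DC=myCorp,DC=com"
BOB = "CN=Bob,OU=myUnit,DC=myCorp,DC=com"
APP_USERS = "CN=App Users,OU=groups,DC=myCorp,DC=com"
VPN_ACCESS = "CN=VPN Access,OU=groups,DC=myCorp,DC=com"
FINANCE = "CN=Finance,OU=groups,DC=myCorp,DC=com"
DIRECTORY = {
    APP_USERS: {ALICE, VPN_ACCESS},
    VPN_ACCESS: {APP_USERS},
    FINANCE: {BOB},
}

if __name__ == "__main__":
    print(groups_in_chain_filter(ALICE))
    print(members_in_chain_filter(VPN_ACCESS))
    for dn in sorted(groups_in_chain(ALICE, DIRECTORY)):
        print("Alice is effectively a member of", dn)
```

A plain (member=<user DN>) search against the same directory would return only App Users for Alice; the in-chain filter, like the local closure, also returns VPN Access, which is the behaviour the OID-qualified attribute gives the CSE group lookup.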