Change the Connector Account Password

For regulatory compliance or other reasons, you may need to periodically change the password for the connector account. You can modify this password without impacting the functionality of the connector.

Updating the password on the connector ensures that the connector can connect to AD using the new credentials. If the connector account password is changed in AD but not updated on the connector, the connector is unable to subscribe to login events and AD changes: you lose AD attribution for your DNS requests and can no longer propagate AD changes to Umbrella.

Prerequisites

Connector Server

To support Umbrella Active Directory (AD) integration, you must configure a server that is a member of the AD domain with the following environment:

  • Windows Server 2012, 2012 R2, 2016, 2019 or 2022 with the latest service packs and 100MB free hard disk drive space.
  • Service pack SP2 or above
  • .NET Framework 4.5 or above
  • If a local anti-virus application is running, add the CiscoAuditClient.exe and CiscoAuditService.exe processes to its allow list.
  • AD Domain Services Snap-ins and Command-line Tools feature installed through Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools. This is required for troubleshooting purposes.

There are two methods to deploy the connector effectively:

  • If you have already deployed a centralized Windows Event Log Collector to which all domain controllers forward login events, and you wish to deploy AD integration with Virtual Appliances using this Windows Event Log Collector, you will need to deploy a single AD connector for all AD domains, with an optional second connector for redundancy.
  • If you are deploying AD integration with Virtual Appliances through integration with domain controllers, you will need to deploy one connector per AD domain (with an optional second connector per AD domain for redundancy). For more information about registering a Domain Controller please see the section titled Run the Configuration Script on the Domain Controllers on the page Prepare Your Active Directory Environment.

Outbound Network Access to Cisco Umbrella

The Connector server requires outbound access as specified below:

  • 443 (TCP) to api.opendns.com for syncing
  • Access to additional URLs on port 80/443 (TCP) may be required for Windows to perform Certificate Revocation List and Code-Signing checks. For a complete list of ports, see the section on Communication Flow and Troubleshooting.
  • 443 (TCP) to disthost.umbrella.com (for downloading upgrades)

If you are using a transparent HTTP web proxy, ensure that the URLs on port 80/443 are excluded from the proxy, and not subject to authentication.

Connector Account

The connector deployment requires you to create a new user account in each AD domain that needs to be integrated. This account should have:

  • The logon name (sAMAccountName) set to Cisco_Connector. A custom username can be configured, but this custom username should be specified as a parameter when running the Configuration Script on the Domain Controller.
  • Password never expires selected
    Note: Passwords must not include backslashes, quotations (single or double), greater-than or less-than chevron brackets (< >), or colons.
  • The Connector account (Cisco_Connector or custom username) must be a member of the following built-in groups on each AD domain:
      • Enterprise Read-only Domain Controllers
      • Event Log Readers

Note: In a parent/child domain scenario, the "Enterprise Read-only Domain Controllers" group exists only in the parent domain. In this case, follow the instructions listed here to grant the Connector account the required permissions, and add the account to any other required groups it is missing from.
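The following PowerShell script is an added example, not Cisco's code, that checks the connector account against the requirements above before you rotate its password: that the account exists with "Password never expires" set, that it is a member of the two required groups (looking up Enterprise Read-only Domain Controllers in the forest root domain, since it does not exist in child domains), and that a candidate password contains none of the disallowed characters. It assumes a domain-joined host with the AD DS Tools (RSAT) installed; the account and group names and the forbidden characters come from the page, while the function and variable names are chosen for this example.

```powershell
# Added example (not Cisco's code): pre-flight check of the connector account.
# Run from a domain-joined host with the ActiveDirectory module (RSAT AD DS Tools) installed.

Import-Module ActiveDirectory

$AccountName    = 'Cisco_Connector'   # replace with your custom username if you use one
$RequiredGroups = @('Enterprise Read-only Domain Controllers', 'Event Log Readers')

function Test-ConnectorPassword {
    # Returns $true only if the password contains none of the characters the page
    # disallows: backslash, single or double quote, < > and colon.
    param([Parameter(Mandatory)][string]$Password)
    $forbidden = [char[]]'\"''<>:'
    $bad = $Password.ToCharArray() | Where-Object { $forbidden -contains $_ } | Sort-Object -Unique
    if ($bad) {
        Write-Warning ("Password contains disallowed character(s): {0}" -f ($bad -join ' '))
        return $false
    }
    return $true
}

# The account exists and 'Password never expires' is selected.
$acct = Get-ADUser -Identity $AccountName -Properties PasswordNeverExpires -ErrorAction Stop
if ($acct.PasswordNeverExpires) { Write-Host "OK   'Password never expires' is set on $AccountName" }
else                            { Write-Warning "'Password never expires' is NOT set on $AccountName" }

# Group membership. Enterprise Read-only Domain Controllers exists only in the forest root
# domain, so that group is looked up there; Event Log Readers is looked up in the local domain.
$rootDomain = (Get-ADForest).RootDomain
foreach ($group in $RequiredGroups) {
    $server = if ($group -like 'Enterprise*') { $rootDomain } else { $env:USERDNSDOMAIN }
    try {
        $members = Get-ADGroupMember -Identity $group -Server $server |
                   Select-Object -ExpandProperty SamAccountName
    } catch {
        Write-Warning "Could not read members of '$group' on $server : $($_.Exception.Message)"
        continue
    }
    if ($members -contains $acct.SamAccountName) { Write-Host "OK   $AccountName is in '$group' ($server)" }
    else { Write-Warning "$AccountName is NOT in '$group' ($server)" }
}

# Candidate password check. Read without echo so the secret never lands in the console history,
# and free the unmanaged copy as soon as the check is done.
$secure = Read-Host -Prompt "Candidate password for $AccountName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $ok = Test-ConnectorPassword -Password ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
if ($ok) { Write-Host 'OK   password contains no disallowed characters' }
```

Warnings rather than errors are used for each failed check so that the whole report is produced in one run; fix every warning before proceeding to the procedure.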

Procedure

  1. Log in to the account from any system that is a member of the domain, and then set the new password.
  2. Stop the Cisco AD Connector service.
  3. Navigate to C:\Program Files (x86)\Cisco\Cisco AD Connector and run the file CiscoPasswordManager.exe. If you see any errors, you may need to run this utility as an administrator.
  4. When prompted, add your new password.
  5. Start the Cisco AD Connector service.
  6. Repeat steps 2, 3, 4 and 5 for each deployed connector.
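The script below is an added example, not Cisco's code, that carries out steps 2 to 5 on the connector host you are logged on to, with the checks an operator would want around them: it confirms the session is elevated (the page notes the utility may need to run as an administrator), waits for the service to actually stop before the stored credential is changed, launches CiscoPasswordManager.exe and lets it prompt for the password itself so the secret is never placed on a command line, and then verifies that the service comes back up and stays running. Run it once on each deployed connector (step 6) after setting the new password in AD (step 1). The service name and the utility path are taken from the page; the timeout value and the settle delay are assumptions.

```powershell
# Added example (not Cisco's code): steps 2 to 5 of the password change on one connector host.
# Run from an elevated PowerShell session on the connector server itself.

$ServiceName = 'Cisco AD Connector'
$ManagerExe  = 'C:\Program Files (x86)\Cisco\Cisco AD Connector\CiscoPasswordManager.exe'
$Timeout     = [TimeSpan]::FromSeconds(60)   # assumed; adjust for slow hosts

# The page says the utility may need administrator rights; stopping the service needs them too.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}
if (-not (Test-Path -LiteralPath $ManagerExe)) {
    throw "CiscoPasswordManager.exe not found at '$ManagerExe'. Is the connector installed on this host?"
}
$svc = Get-Service -Name $ServiceName -ErrorAction Stop

# Step 2: stop the service and wait until it has really stopped before changing the stored credential.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', $Timeout)
}
Write-Host "Service '$ServiceName' is stopped."

# Steps 3 and 4: run the password manager and wait for it to exit. It prompts for the new
# password itself; nothing is passed as an argument, so the secret does not appear in
# process listings or shell history.
$proc = Start-Process -FilePath $ManagerExe -WorkingDirectory (Split-Path -Parent $ManagerExe) `
                      -PassThru -Wait
if ($proc.ExitCode -ne 0) {
    Write-Warning "CiscoPasswordManager.exe exited with code $($proc.ExitCode); review its output before continuing."
}

# Step 5: start the service again and confirm it stays running (a wrong password typically
# shows up as the service stopping again shortly after start).
Start-Service -Name $ServiceName
$svc.WaitForStatus('Running', $Timeout)
Start-Sleep -Seconds 15   # assumed settle time
$svc.Refresh()
if ($svc.Status -eq 'Running') {
    Write-Host "Service '$ServiceName' is running with the updated credential."
} else {
    Write-Warning "Service '$ServiceName' is $($svc.Status). It may still hold the old password; re-run the utility."
}
```

If the service does not stay in the Running state, check the Windows event log on the connector host and the account's lockout status in AD before retrying, since repeated starts with a stale password can lock the account.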
