In order to have Veracross authenticate users against a school’s Active Directory server, a few things need to be set in place before AD Authentication can be enabled.
First, we need information about the school’s active directory server as requested in the Active-Directory Integration article here.
When Veracross has the information about the school’s AD server and has configured the school’s database with that information, we can then test the connection from VC to AD. In order to do this, we’ll need two or three usernames and passwords from the school’s active directory server to make sure we can log users in successfully with the information we have.
After we’ve tested the connection to the Active Directory server successfully, we are ready to create user accounts (for new schools) or change usernames (for existing schools) to match the username on file in the school’s active directory server. As part of this process, Veracross will add the school’s domain to the username in part to help ensure usernames are unique across all schools.
How it Works
All of the configuration setup and testing happens before the school actually has Active Directory Authentication enabled. Once Veracross has given the thumbs up for AD testing, we turn things over to the school to decide when to push Active Directory Authentication live at the school. There are two things the school has to decide:
- When to rename user accounts to include the school’s domain (this can happen any time before AD syncing is live, but users will need to log in with their full username during this time – domain included).
- When to push AD Authentication live.
Login Process with AD
When users access Veracross from Axiom or the Portal sites after Active Directory Authentication is enabled, users only need to enter the first part of their username; they do not need to enter their full username (e.g. john.smith instead of firstname.lastname@example.org).
For schools who have never logged in to Veracross yet (new schools):
Have all users *first* login with their Active Directory username and password to the portals. Users can just enter the first part of their username and will not need to include their school’s domain in the username. By first logging in to Veracross with their Active Directory username and password from one of our web access points, Veracross updates the users password on file immediately to match their AD password.
For existing schools switching to AD Authentication:
Because we still check the user credentials against what we have on file in Veracross first, staff and faculty have the ability to log in with either their Veracross password, or their Active Directory Password.
Portals users will be unaffected when the switch happens. They do not need to add the school’s domain to their user name because the web login does it for them. Because all Veracross users already have a username and password that’s cached on their person record, they can technically continue to log in with that password and not sync up their account credentials immediately. However, as soon as users log in with their Active Directory password, they will need to continue using their AD password.
After a school has Active Directory Authentication enabled at their school, users will not be allowed to change their password in Veracross (with the exception of parents who are not faculty or staff). All password changes from this point forward happen in Active Directory only. As soon as a user changes their password in Active Directory, they can use that new password the next time they log in to Veracross. If they change their Active Directory password while logged in to Veracross, they will not be kicked out of the system.