6.6.1. Create AD User
On the domain controller, or in Active Directory Users & Computers, create a service account for the NexLog DX-Series recorder to use.
This account is used for user and group lookups to validate the access that a user should have on the recorder. The account must have read access to the OU where users and groups are stored, as well as the ability to read the attributes of recorder users.
The account name should be the same as the recorder’s hostname.
Important
If you would like to use Single Sign-On (SSO), the recorder’s AD sAMAccountName MUST be the same as the recorder’s hostname.
After creating the account, open its properties and navigate to the Account tab. In the Account options section, enable the option This account supports Kerberos AES 256 bit encryption.
Below is an example PowerShell command that enables all of the required options. If using this example, be sure to set the correct Path, UserPrincipalName, and Account Password.
- PowerShell Example
# Replace Path, UserPrincipalName and the AccountPassword value with your own before running.
# For SSO, sAMAccountName must be the same as the recorder's hostname.
New-ADUser -Name "NexLog Recorder" `
    -GivenName "NexLog" `
    -Surname "Recorder" `
    -sAMAccountName "NLRecorder" `
    -UserPrincipalName "NLRecorder@contoso.net" `
    -Path "CN=Users,DC=contoso,DC=net" `
    -Enabled $true `
    -KerberosEncryptionType "AES256" `
    -TrustedForDelegation $true `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -AccountPassword (ConvertTo-SecureString "1qazXSW2!@" -AsPlainText -Force) `
    -PassThru
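After the account exists, the settings this section asks for can be checked from the account object itself. The following is an added example, not part of the vendor documentation: Test-RecorderAccount is a hypothetical helper, and the sample object and the hostname NLRecorder are constructed so the check runs without a domain.

```powershell
# Added example: compares an AD account object with the settings described above.
# Test-RecorderAccount and the sample data are hypothetical, not vendor code.
function Test-RecorderAccount {
    param(
        [Parameter(Mandatory)] $Account,                  # object from Get-ADUser, or a stand-in
        [Parameter(Mandatory)] [string] $RecorderHostname # assumed recorder hostname
    )

    # Bit for AES256-CTS-HMAC-SHA1-96 in the msDS-SupportedEncryptionTypes attribute.
    $AES256   = 0x10
    # An unset attribute comes back as $null, which casts to 0 (no types selected).
    $encTypes = [int]($Account.'msDS-SupportedEncryptionTypes')

    $checks = [ordered]@{
        'Account enabled'                 = [bool]$Account.Enabled
        'sAMAccountName matches hostname' = ($Account.SamAccountName -ieq $RecorderHostname)
        'Kerberos AES 256 enabled'        = (($encTypes -band $AES256) -ne 0)
        'TrustedForDelegation set'        = [bool]$Account.TrustedForDelegation
        'PasswordNeverExpires set'        = [bool]$Account.PasswordNeverExpires
    }

    # Emit one result object per check so the output can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

# Constructed sample: an account where the AES 256 option was never ticked
# (only the RC4 bit, 0x04, is set), so that check reports Passed = False.
$sample = [pscustomobject]@{
    SamAccountName                  = 'NLRecorder'
    Enabled                         = $true
    'msDS-SupportedEncryptionTypes' = 0x04
    TrustedForDelegation            = $true
    PasswordNeverExpires            = $true
}
Test-RecorderAccount -Account $sample -RecorderHostname 'NLRecorder' |
    Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# $props = 'msDS-SupportedEncryptionTypes', 'TrustedForDelegation', 'PasswordNeverExpires'
# Get-ADUser -Identity 'NLRecorder' -Properties $props |
#     ForEach-Object { Test-RecorderAccount -Account $_ -RecorderHostname 'NLRecorder' }
```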