INTRODUCTION
Dualog Identity can provision user accounts to Active Directory (AD) domains on vessels. This enables shipping companies to move from shared role-based Windows accounts (e.g., "Master", "Chief Engineer") to individual user accounts, improving security and traceability.
With AD integration:
- Users signed onto a vessel are automatically created in the ship's AD
- Crew can log into Windows with the same credentials they use for other Dualog services
- When crew sign off, their AD accounts can be disabled or deleted automatically
USE CASE
Many vessels have isolated Active Directory environments with shared role-based accounts. For example:
- All captains share the "Master" account
- All chief engineers share the "ChEng" account
- Passwords are shared and rarely changed
This creates security risks and makes it impossible to trace actions to individuals.
Dualog Identity solves this by:
- Creating individual AD accounts for each crew member currently onboard
- Syncing passwords so crew use the same credentials everywhere
- Automatically removing access when crew sign off
PREREQUISITES
Before setting up AD integration:
- The vessel must have an Active Directory domain
- You need an AD administrator account with permission to:
- Create users in the target Organizational Unit (OU)
- Modify and disable user accounts
- Delete user accounts (if using automatic deletion)
- Network connectivity from the Dualog server to the domain controller
- The vessels must be configured in the Dualog system
- Dualog Connection Suite installed on the vessel. The ship-side identity server (included in Connection Suite) handles AD provisioning; see Ship-Side Identity Server for setup instructions.
CREATING AN AD INTEGRATION
- Log in to https://apps.dualog.com
- Navigate to https://apps.dualog.com/integrations
- Click New Integration
- When asked "Where is the application running?", select "Installed On-Premise"
- Select Active Directory Provisioning: "Provisioning users from Active Directory gives you the ability to synchronize changes from Dualog and sign in to Windows using Dualog credentials."
CONFIGURATION STEPS
Step 1: Select Vessels
Choose which vessels this AD integration applies to. You can select multiple vessels for a single configuration.
Step 2: Server Information
Enter the Active Directory server details:
- Host IP: The IP address of the domain controller
- Domain Name: The AD domain name (e.g., vessel.local)
Step 3: Administrator Credentials
Enter credentials for an AD account with sufficient permissions:
- Username: The admin account username (just the username, not including the domain)
- Password: The admin account password
Note: The domain is already specified in the previous step, so enter only the username (e.g., adminuser, not DOMAIN\adminuser).
Important: This account must have permissions to create, modify, and delete users in the target OU.
Step 4: Organizational Unit (OU)
Specify where new user accounts should be created:
- OU Path: The distinguished name path of the target OU
Example: OU=Crew,OU=Users,DC=vessel,DC=local
Step 5: Disabled User Handling
Configure what happens when users are signed off or disabled:
- Move disabled users to Disabled Users OU: When enabled, users who sign off the vessel will have their AD account moved to a separate OU. You must specify the path to this OU (e.g., OU=Crew,OU=Disabled_Users).
- Delete disabled users after grace period: Optionally delete AD accounts after a configurable number of days. The default is 30 days.
Step 6: Name the Configuration
Give this integration a descriptive name (e.g., "Fleet AD Provisioning" or "Vessel Group A AD Sync").
Save
Click Save to create the integration.
HOW PASSWORD SYNC WORKS
Dualog Identity can sync passwords to Active Directory, allowing users to log into Windows with their Dualog credentials.
Important security note: Passwords are synced when the user logs in via the on-prem identity server. Dualog does not store passwords; the sync happens in real time when the password is used, set, or changed.
This means:
- When a user logs in with their password, it syncs to AD
- When a user is created with a password, it syncs to AD
- When a user changes their password, the new password syncs to AD
SYNC BEHAVIOR
What Gets Synced
Users who:
- Are currently signed onto the vessel
- Have active accounts
When Sync Occurs
- The AD integration syncs as part of the regular cloud-to-ship sync
- Changes appear within minutes when the vessel has connectivity
User Lifecycle
| Event | AD Action |
|---|---|
| User signs onto vessel | Account created in target OU |
| User password used | Password updated in AD |
| User signs off vessel | Account disabled (and optionally moved/deleted) |
| User disabled in Dualog | Account disabled in AD |
REQUIREMENTS ON THE VESSEL
For AD integration to work:
- The Dualog server must have network access to the domain controller
- The admin credentials must remain valid
- The target OU must exist
TROUBLESHOOTING
Users not appearing in AD
- Verify the user is signed onto the correct vessel
- Ensure the user's contract dates are current
- Verify network connectivity from Dualog server to domain controller
Authentication failures
- Verify the admin credentials are correct and not expired
- Check the admin account has sufficient permissions
- Ensure the domain name and host IP are correct
Password sync not working
- Passwords are only synced when used, set, or changed
- Verify the user account exists in AD
Sync delays
- Changes sync within minutes when the vessel is connected
- Check vessel connectivity status
- Verify the integration configuration was saved successfully
SECURITY CONSIDERATIONS
- Use a dedicated AD admin account for this integration
- Limit the admin account's permissions to only what's needed
- Consider using a service account with a password that doesn't expire
- Regularly audit AD accounts created by the integration
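A worked example for the prerequisites and the security considerations above, added here and not part of Dualog's documentation: a PowerShell script that creates a dedicated service account for the integration, delegates only the create, modify, disable, delete and password-reset rights it needs on the two target OUs, and queries the disabled-users OU for accounts still present after the 30-day grace period. The account name svc-dualog-ad, the Grant-ProvisioningRights helper and the DC=vessel,DC=local suffix on the disabled-users OU are assumptions; the OU paths otherwise follow the guide's own examples.

```powershell
# Added example, not Dualog's code. Requires the ActiveDirectory PowerShell module
# (RSAT) and a domain admin session against the vessel's domain controller.
Import-Module ActiveDirectory

$svcName    = 'svc-dualog-ad'                                  # assumed account name
$crewOU     = 'OU=Crew,OU=Users,DC=vessel,DC=local'            # target OU from the guide
$disabledOU = 'OU=Crew,OU=Disabled_Users,DC=vessel,DC=local'   # DC suffix assumed
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'     # schema class GUID: user
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'     # control access right: Reset Password
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$onlyHere   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$children   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1. Dedicated service account: non-expiring password, not meant for interactive use.
$svc = New-ADUser -Name $svcName -SamAccountName $svcName `
    -AccountPassword (Read-Host -AsSecureString "Password for $svcName") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Dualog Identity AD provisioning service account' -PassThru

# 2. Delegate only what provisioning needs, scoped to user objects under one OU.
function Grant-ProvisioningRights {
    param([string]$OU, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$OU"
    # Create/delete user objects directly under the OU: account creation, the move
    # to the disabled-users OU, and deletion after the grace period.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $userClass, $onlyHere))
    # Write attributes (userAccountControl for enable/disable) and Delete, on
    # descendant user objects only; nothing else in the domain is touched.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, Delete',
        $allow, $children, $userClass))
    # Reset Password extended right on descendant user objects only (password sync).
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwd, $children, $userClass))
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}
Grant-ProvisioningRights -OU $crewOU     -Sid $svc.SID
Grant-ProvisioningRights -OU $disabledOU -Sid $svc.SID

# 3. Periodic audit: disabled accounts still present after the 30-day grace period.
Get-ADUser -SearchBase $disabledOU -Filter 'Enabled -eq $false' -Properties whenChanged |
    Where-Object { $_.whenChanged -lt (Get-Date).AddDays(-30) } |
    Select-Object SamAccountName, whenChanged
```

The account created here is the one to enter in Step 3 (username only, without the domain prefix); the audit query at the end can be scheduled to catch accounts the grace-period deletion should have removed.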