Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-10-08) Setting Up Yammer DirSync

Posted by Jorge on 2014-10-08


If you are using Yammer somehow and you really care about provisioning, but also about deprovisioning, you need to implement some kind of directory synchronization between your on-premises AD and the YAMMER.COM cloud system. Now, the next question is: "how can you do that?".

If you are already using Azure AD/Office 365, you may already be using a directory synchronization tool such as the Directory Synchronization Tool (DirSync), Azure Active Directory Sync Services (AADSync) or even Forefront Identity Manager (FIM) to provision and deprovision Azure AD/Office 365 accounts that can be used in Exchange Online, Lync Online and SharePoint Online. So would you be able to use Azure AD/Office 365 accounts in Yammer? Well, no. If you have linked your Yammer tenant to your Azure AD/Office 365 tenant, then every Office 365 account automatically gets a Yammer license and with that Office 365 is able to map existing Office 365 accounts to existing Yammer accounts. Nothing more, nothing less. So, how can you get directory synchronization between your on-premises AD and Yammer? You will have to implement the Yammer Directory Sync Service (DSync) to provision and deprovision (suspend) accounts into/from Yammer.

So, if you are using Office 365 and Yammer, you need to implement 2 different directory synchronization products, one for Azure AD/Office 365 and one for Yammer. Keep in mind that once you have used DSync to enable directory synchronization, Yammer shows this in Admin –> User Management –> Directory Integration, as follows:

Figure 1: Directory Sync Being Enabled In Yammer

When using DSync you can also configure an e-mail invitation for new users when these are added to Yammer through DSync as you can see below.

Figure 2: E-mail Invitation

Now remember that when you are using Office 365 (Exchange Online) and Yammer at the same time, where a user’s mailbox is in Office 365, make sure to provision the mailbox first before provisioning the Yammer account so that you are certain the Yammer e-mail invitation reaches the user!

More info about directory synchronization between your on-premises AD and Azure AD/Office 365 or Yammer can be found through the following links:

Now, let’s install Yammer DSync. The Yammer Directory Sync tool should be installed on a Windows Server that is on the internal network, and not in the DMZ network. The Yammer Directory Sync tool requires an outbound connection to YAMMER.COM and a connection to every AD forest from which you need to synchronize identities. Keeping that in mind, you therefore need to set up a Yammer service account and an AD service account for every connected AD forest. You also need to make sure the required ports are open. See the documentation and blog posts above to get that info.

Double-click the latest Yammer DSync MSI. By default the install folder on an x64 server is: "C:\Program Files (x86)\Yammer\Directory Sync\"

Figure 3: Yammer Installation Folder

Right after the installation finishes you will see the following screen. At the top enter the Yammer service account credentials and configure the proxy settings as needed. Either use a direct outbound connection or use an authenticated or unauthenticated proxied connection. After doing that, the [Login] button becomes available; click it to validate the Yammer credentials and access to the Yammer network.

Figure 4: Yammer Directory Sync Setup – Yammer Settings

If you get to the next screen, that means the Yammer service account credentials and the proxy settings are correct. This will allow you to set up the connection to the first AD forest. As a hostname either provide the FQDN of a DC or the FQDN of the AD domain. If you choose the FQDN of a DC, you are fully dependent on that single DC. If you choose the FQDN of the AD domain, by default all RWDCs in the AD domain are a source candidate for the Yammer Directory Sync tool. This will not be the case if you have configured branch RWDCs not to register that mnemonic (the host record for the AD domain for non-SRV-aware clients) (also see: (2011-09-11) Service (SRV) Locator Records Registered By Windows Domain Controllers). In general only central RWDCs should register that mnemonic. For the connection service account, you can either use the so-called "service user", which is the user account of the "Yammer Directory Sync v3.0" service (by default "Network Service"), or you can use a custom AD service user account. After doing that, the [Login] button becomes available; click it to validate the AD credentials for that AD domain/forest.

To be able to connect to a DC, you need at least the ports TCP:389 (LDAP) and TCP:3268 (GC) to be open between the Yammer DSync server and the targeted DC. To make the connection faster, you should additionally open TCP:88 (Kerberos).
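As an added check (not part of the original post or of the Yammer tool), the following PowerShell, run on the DSync server, resolves the domain host record the post calls the mnemonic to see which RWDCs actually registered it, and then tests the three ports named above against each of them. It assumes Windows 8.1/Server 2012 R2 or later for Test-NetConnection and uses the post's lab domain names as placeholders.

```powershell
# Added example: verify DC reachability for Yammer DSync before running setup.
# Domain names below are the post's lab forests; replace them with your own.
$domains = 'adcorp.lab', 'partner.lan'
$ports   = @{ 389 = 'LDAP'; 3268 = 'GC'; 88 = 'Kerberos' }

foreach ($domain in $domains) {
    # The A record for the bare domain name is what the Yammer tool uses when
    # you enter the domain FQDN as hostname; only DCs that registered it appear.
    $dcs = Resolve-DnsName -Name $domain -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
    Write-Host "$domain resolves to $($dcs.Count) DC address(es)"

    foreach ($dc in $dcs) {
        foreach ($port in $ports.Keys) {
            $r = Test-NetConnection -ComputerName $dc.IPAddress -Port $port `
                                    -WarningAction SilentlyContinue
            # One row per DC/port; Open = $false means a firewall rule is missing
            # or a branch DC registered the record although it should not have.
            [pscustomobject]@{
                Domain  = $domain
                DC      = $dc.IPAddress
                Port    = $port
                Service = $ports[$port]
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}
```

A DC that shows up in the list but is not reachable on 389/3268 is exactly the branch RWDC case the post describes; either open the ports or stop that DC from registering the domain host record.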

Figure 5: AD Connection Settings For The First AD Domain/Forest

If you get to the next screen, that means the hostname and AD credentials are correct. You will now have the possibility to add connections for other AD domains/forests.

Figure 6: One AD Domain/Forest Added – The Possibility To Connect Additional AD Domains/Forests

In this case I wanted to add an additional AD domain/forest as you can see below. The same logic applies as when providing connection settings for the first AD domain/forest. After doing that, the [Login] button becomes available; click it to validate the AD credentials for that AD domain/forest.

Figure 7: AD Connection Settings For An Additional AD Domain/Forest

If you get to the next screen, that means the hostname and AD credentials are correct. You will now have the possibility to add connections for other AD domains/forests.

Figure 8: Two AD Domains/Forests Added – The Possibility To Connect Additional AD Domains/Forests

When you are done adding AD domains/forests, click the [Validate] button on the left and you will get to the next screen.

Figure 9: Starting Validation – Importing Data From The Connected AD Domains/Forests

If you continue by clicking the [Start Validation] button, the Yammer Directory Sync tool will import ALL USERS from all configured AD domains/forests. If you want to scope specific OUs only, you should stop the Yammer Directory Sync setup by clicking the red cross in the upper right corner. Even if you do not want to scope users at OU level, you must still stop the Yammer Directory Sync setup by clicking the red cross in the upper right corner, as otherwise you might go nuts trying to start synchronization in a later stage. Therefore, stop the Yammer Directory Sync setup now.

The Yammer Directory Sync configuration by default is stored in the folder "C:\ProgramData\Yammer\DirSync". You can also find that out yourself by right-clicking the Yammer icon in the tray area and selecting "About".

Figure 10: Accessing The Yammer Advanced Configuration

Now click on the [Advanced Configuration] button.

Figure 11: Accessing The Yammer Advanced Configuration

This will open the folder "C:\ProgramData\Yammer\DirSync" where the Yammer Directory Sync configuration is stored, including log files. The file "globalsettings.config.json" holds the complete Yammer Directory Sync configuration.

For the ADCORP.LAB AD domain/forest I just specified the source OU:

Figure 12: Specifying A Source OU For The ADCORP.LAB AD Domain/Forest

For the PARTNER.LAN AD domain/forest I just specified the source OU:

Figure 13: Specifying A Source OU For The PARTNER.LAN AD Domain/Forest

If you need to modify the filter, or specify additional OUs, check the Yammer Directory Sync Advanced Configuration Guide first.

Now in the file "globalsettings.config.json" search for (without the quotes) "EmailNotificationSettings". By default you will find the following.

Figure 14: Default E-mail Notification Settings

As you can see, the default "FromAddress" may not match the from address you want/need to use. If your e-mail system only accepts authentication from accounts with valid mailboxes, you cannot use the default "FromAddress". To be able to send mails/notifications you need to change the "FromAddress". Now change it to a value that will be accepted by your e-mail system and save the file "globalsettings.config.json".
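If you prefer to make that change scripted rather than in an editor, the following PowerShell is an added example (not part of the post or of the Yammer tool). It assumes the file is plain JSON with an "EmailNotificationSettings" object holding "FromAddress", as Figure 14 shows, and that the Yammer Directory Sync setup has been stopped first, as the post requires.

```powershell
# Added example: set EmailNotificationSettings.FromAddress with a backup.
param(
    [string]$ConfigPath = 'C:\ProgramData\Yammer\DirSync\globalsettings.config.json',
    [Parameter(Mandatory = $true)][string]$NewFromAddress
)

# Require a plain user@domain address so the mail system does not reject it.
if ($NewFromAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    throw "Not a valid e-mail address: $NewFromAddress"
}

$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if (-not $cfg.EmailNotificationSettings) {
    throw 'EmailNotificationSettings section not found; check the config file'
}

# Keep a timestamped copy so the original configuration can be restored.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $backup

$old = $cfg.EmailNotificationSettings.FromAddress
$cfg.EmailNotificationSettings.FromAddress = $NewFromAddress

# -Depth is required: the default of 2 would silently truncate nested settings.
$cfg | ConvertTo-Json -Depth 100 | Set-Content -Path $ConfigPath -Encoding UTF8
Write-Host "FromAddress changed from '$old' to '$NewFromAddress' (backup: $backup)"
```

ConvertTo-Json rewrites the file's formatting and drops any comments the file may contain, which is why the backup is taken first.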

Now re-open the Yammer Directory Sync setup by right-clicking the Yammer icon in the tray area and selecting "Open".

Figure 15: Re-opening The Yammer Directory Sync Setup

When everything is correct you will go right away to the validation page.

Figure 16: Starting Validation – Importing Data From The Connected AD Domains/Forests

Click the [Start Validation] button and you will see something similar to:

Figure 17: Validation Result Of The Yammer Directory Sync Tool

When the validation is done you can click the [Sync] button on the left and you will get to the next screen. The following e-mail settings are used when the Yammer Directory Sync tool encounters issues.

Figure 18: Configuring The E-mail Settings

In the server field enter the SMTP server of your e-mail system. If you are using Office 365, then enter "smtp.office365.com".

In the port field enter the SMTP port of your e-mail system. If you are using Office 365, then enter "587".

If your e-mail system requires SSL, then check the SSL box.

Enter the credentials (username and password) of the account to connect to the e-mail system.

Enter the e-mail address of one or more recipients eligible to receive test notifications.

As a final test, click the [Send Test Email] button.

If everything is OK, then you will see the following:

Figure 19: Successful Configuration Of The E-mail Settings

Now click the [Apply] button and you will see something similar to:

Figure 20: Enabling The Yammer Directory Sync

Finish it by clicking the [Enable Sync] button and you will see something similar to:

Figure 21: Finished Configuration Of The Yammer Directory Sync Tool

Close the window by clicking the red cross in the upper right corner. You’re done!

Cheers,
Jorge
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

Jorge’s Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/

3 Responses to “(2014-10-08) Setting Up Yammer DirSync”

  1. benwaynet said

    Can’t Azure Active Directory sync Yammer yet? If you have DirSync set up for your O365, you’re using WAAD on the backend.
