Skip to main content

Search

Remotely Joining your Canary to a Microsoft Active Directory Domain

Learn how to join your Canary to Active Directory step by step. Enable Windows File Share, configure AD settings securely, and confirm a successful domain join with robust credential protection.

Looking to join your Canary to AD? Once a Canary has been deployed live into a production network, it can be remotely joined or removed from an Active Directory domain at any time from your Console.

Note

The Windows file share service will need to be enabled for you to join your Canary to AD.

Note

Domain joining is not available when DNS-Over-HTTPS (DoH) is enabled. This is due to the DoH server existing outside of your network, which would not be aware of your internal domain records required for a domain join.

Step 1: Log in to your Console

Log in to your Console.

Console Login.png

Step 2: Select Canary

Click on the Canary you want to domain-join.

decom1.png

Step 3: Open Canary Configurations

Click on Configure Canary to open its configuration settings.

configure.png

Step 4: Navigate to Windows File Share

Scroll down to the Windows File Share settings, where the Join Domain button will be present.

Note: Windows File Share need to be enabled and deployed before you start a domain join. That means, if the Windows File Share service was just enabled while navigating to the section, the Join Domain button will be greyed out at first. You will first need to deploy the new configuration to your Bird. After the Canary reboots, the Join Domain button will be clickable when you navigate back to this section.

domain2.png

Step 5: Fill in Active Directory Details

After clicking on the Join Domain button, you will be prompted to enter your Active Directory details before clicking the Join button.

domaaain.png

Tip: See below for a note on how the credentials are encrypted.
Tip: See here for information on the Guest Enabled option.
Note

When using an AD join user with limited privileges, in addition to being able to create objects, it also needs the WRITE permission set to the value msDS-SupportedEncryptionTypes on machines.

Step 6: Wait for Canary to reboot

Joining takes a few minutes before seeing a response. Correct any settings if an error shows, or contact support for assistance.

domain4.png

After a successful domain join, your Canary will reboot and report that the Domain join was successful.

Screenshot_2020-12-09_at_12.40.26.png

Step 7: Confirm the join was successful

Once the Canary has rebooted with the new domain-joined settings, it will show up on your Console as a Domain member, and the button name should change to Leave Domain.

domain6.png

A note on security

We treat your AD credentials used to join the domain with an abundance of caution. Credentials are encrypted in your browser before they leave your machine, and can only be decrypted with a key that’s present on the Canary. The decryption key is simply NOT present on the Console, so AD credentials cannot be accessed by Thinkst. It's worth mentioning that the credentials are also not stored on the Canary (or anywhere else).

There’s a well-known caveat with in-browser cryptography: the JavaScript cryptography is also supplied by Thinkst. For customers who wish to check that the credentials are indeed being encrypted for their Canaries:

  1. Connect to your device’s configuration interface over Bluetooth.
  2. Scroll to the bottom of the page and click to view the Canary’s public key.
  3. In the Console AD domain join modal, click Canary Public Key, and confirm that the key matches what is shown on the bird.

domain5.png

 

domain.png

If an alternative is preferred, the Canary can always be locally joined to a domain-joined when booted into Bluetooth configuration mode.

Was this article helpful?
1 out of 1 found this helpful
Return to top