Active Directory with Twingate

If you are deploying Twingate onto a network using Active Directory, a few configuration steps in Twingate will help your users continue to use their AD services without issue.

Domain Joins

If a computer is not yet joined to your domain and your domain controller is not on the computer's local network, it is not currently possible to perform the initial domain join over Twingate. This functionality will be provided in an upcoming release. For now, we recommend joining AD devices to the domain on a LAN with the domain controller before delivering them to the user. Do not attempt the initial join over Twingate: it can leave the device in a bad state that then has to be reversed.

Once the client is already part of the domain and the Resources below are configured, all other AD actions will work as expected.

Setting up the Domain Controller

In order to use any service that requires Active Directory authentication, you must allow Twingate clients to discover and communicate with your domain controller(s). Any client that uses the domain in any way must have access to these Resources.

  1. Add a Resource with the DNS name *_tcp.*.yourcompany.com, replacing yourcompany.com with the name of your AD domain, and make sure it appears in your client Resource list. This lets clients resolve the SRV records that AD uses to locate domain controllers.
  2. Run nslookup -type=any _ldap._tcp.dc._msdcs.yourcompany.com (Linux/Mac) or nslookup -type=all _ldap._tcp.dc._msdcs.yourcompany.com (Windows), replacing yourcompany.com with your AD domain. This should return the SRV records for your domain controller(s), each naming a DC hostname (and possibly its IP).
  3. Add the domain controller hostnames and IPs to Twingate as Resources, and make sure they appear in the clients' Resource lists.

This will enable AD authentication for any service that requires it.

Below is a notional example using yourcompany.com as the AD domain:

nslookup -type=any _ldap._tcp.dc._msdcs.yourcompany.com
Server:     100.95.0.251
Address:    100.95.0.251#53

_ldap._tcp.dc._msdcs.yourcompany.com    service = 0 100 389 zr5cdi61eltc73z.yourcompany.com.
_ldap._tcp.dc._msdcs.yourcompany.com    service = 0 100 389 a1ks10fndwoyhax.yourcompany.com.

In this situation, you want to add zr5cdi61eltc73z.yourcompany.com and a1ks10fndwoyhax.yourcompany.com as Resources and assign them to the Everyone Group (or, if only some of your users need AD, to the Groups that contain those users). The 389 in each record is the LDAP port the DC is advertising; the record's target is the hostname you add.
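As an added example (not part of the Twingate documentation or the Twingate client), the shell script below automates steps 2 and 3 above. It lists the SRV names an AD client queries to locate domain controllers, going beyond the single _ldap._tcp.dc._msdcs record shown because Kerberos, password-change and global-catalog lookups use their own records, runs nslookup against each, and parses the output into the unique DC hostnames to add as Resources. The parser handles both the single-line Linux/macOS output shown above and the multi-line format Windows nslookup prints. The nslookup invocation and the Windows-format sample are assumptions; the sample inputs are constructed from the page's notional yourcompany.com output.

```shell
#!/bin/sh
# Added example, not part of the Twingate documentation or its tooling.
# Enumerates the domain controllers an AD client locates through DNS SRV
# records, so each can be added as a Twingate Resource. Assumes nslookup is
# installed for live queries; the sample outputs below are constructed to
# match the page's notional yourcompany.com domain.

# Extract the unique DC hostnames from nslookup SRV output. Handles both the
# single-line Linux/macOS format ("... service = 0 100 389 dc1.example.com.")
# and the multi-line Windows format ("svr hostname   = dc1.example.com").
dc_hosts_from_nslookup() {
    awk '
        / service = /   { h = $NF }
        /svr hostname/  { h = $NF }
        h != ""         { sub(/\.$/, "", h); print h; h = "" }
    ' | LC_ALL=C sort -u
}

# SRV names a Windows client queries to find DCs for DOMAIN. The gc names
# live under the forest root, which equals DOMAIN in a single-domain forest.
# Pass the client's AD site as the second argument to include the
# site-specific names as well.
ad_srv_names() {
    domain=$1
    site=$2
    for svc in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs \
               _ldap._tcp.pdc._msdcs _ldap._tcp.gc._msdcs _gc._tcp \
               _ldap._tcp _kerberos._tcp _kerberos._udp \
               _kpasswd._tcp _kpasswd._udp; do
        printf '%s.%s\n' "$svc" "$domain"
    done
    if [ -n "$site" ]; then
        printf '_ldap._tcp.%s._sites.dc._msdcs.%s\n' "$site" "$domain"
        printf '_kerberos._tcp.%s._sites.dc._msdcs.%s\n' "$site" "$domain"
    fi
}

# Live discovery: query each SRV name and print the unique DC hostnames.
# Run from a Twingate client that already has the *_tcp.* Resource in scope.
discover_dcs() {
    ad_srv_names "$@" | while read -r name; do
        nslookup -type=srv "$name" 2>/dev/null
    done | dc_hosts_from_nslookup
}

# Constructed sample: the page's Linux/macOS output.
SAMPLE_UNIX='Server:     100.95.0.251
Address:    100.95.0.251#53

_ldap._tcp.dc._msdcs.yourcompany.com    service = 0 100 389 zr5cdi61eltc73z.yourcompany.com.
_ldap._tcp.dc._msdcs.yourcompany.com    service = 0 100 389 a1ks10fndwoyhax.yourcompany.com.'

# Constructed sample: the same records as Windows nslookup prints them.
SAMPLE_WINDOWS='_ldap._tcp.dc._msdcs.yourcompany.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = zr5cdi61eltc73z.yourcompany.com
_ldap._tcp.dc._msdcs.yourcompany.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = a1ks10fndwoyhax.yourcompany.com'

if [ $# -gt 0 ]; then
    discover_dcs "$@"    # e.g. sh find_dcs.sh yourcompany.com Default-First-Site-Name
else
    echo "Resources to add (from the embedded sample output):"
    printf '%s\n' "$SAMPLE_UNIX" | dc_hosts_from_nslookup
fi
```

Save it as find_dcs.sh and run sh find_dcs.sh yourcompany.com from a Twingate client that already has the *_tcp.*.yourcompany.com Resource; with no arguments it parses the embedded sample instead. SRV targets are hostnames, so add both the hostnames it prints and the IPs they resolve to as Resources.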

Other Troubleshooting Tips

  • NetBIOS name resolution relies on broadcast traffic on the local LAN, so it will not work over Twingate unless a domain controller is acting as a directory service. Windows file sharing will still work if you address the machine by its IP or DNS name, as long as the user in question has access to that Resource.
  • If your domain controller is in Azure and your Connector is deployed as an Azure Container, you must check the Custom DNS Server option when deploying and use one of the DC IPs. Make sure the subnet the Container is deployed in is in the same VNet as the DC, or can otherwise communicate with it. Azure Containers do not automatically inherit the right DNS settings otherwise. Alternatively, if you deploy the Connector on a Linux VM instead, DNS will be configured correctly at start and should not need any special configuration.
