Connecting to AD LDS (ADAM)

Active Directory Lightweight Directory Services (AD LDS), formerly known as ADAM, is a lighter version of Active Directory Domain Services that provides the means to maintain extranet directories separate from your Active Directory, create information consolidation stores, and authenticate web users with LDAP-based authentication. EmpowerID manages AD LDS in the same way that it manages an Active Directory account store.

This topic describes how to add AD LDS to the EmpowerID Identity Warehouse as a managed Account Store.

This topic serves as a quick "how-to" on connecting EmpowerID to an AD LDS account store. For a fuller discussion of the process involved with connecting to account stores, see Connecting to Active Directory.

To connect to AD LDS (ADAM)

  1. From the EmpowerID Management Console, click the EmpowerID icon and select Configuration Manager from the menu.
  2. In Configuration Manager, double-click the User Directories node in the navigation tree, and then click Account Stores.
  3. Click the Add New button above the data grid.
  4. In the Add New Security Boundary window that opens, select the ADAM Security Boundary type from the drop-down list and click OK.
  5. In the ADAM Server window that appears, do the following:

    1. Enter the name of the ADAM server in the ADAM Server field.
    2. Enter the partition suffix in the Partition Suffix field, such as "DC=litwareinc,DC=extranet".
    3. Enter the proxy information.
      • NetBIOS Domain - This is the domain in which the server hosting the ADAM instance is a member, such as "litwareinc".
      • Proxy User and Password - The user account must have read access to the partition that holds the objects in the ADAM instance. The user account entered here is saved as the default proxy account (connection credential) used when managing these objects. You can change this at any time.

    The image below shows what the screen looks like with the above selections made. Your values will differ accordingly.

  6. Click OK.
  7. In the Security Boundary Details screen that appears, click the Account Stores tab and then double-click the Security Boundary in the data grid or right-click it and select Edit from the context menu.
  8. This opens the Account Stores Details screen, which is where you adjust the settings to manage the ADAM security boundary.

    • General Pane

      This pane is used to set general configuration information for the Account Store.

      • Account Store Name - This is the name of the Account Store in question. This field is populated from the value supplied during the initial forest discovery process.

        To set this field, click the Edit button to the right of the line, enter the new name into the Account Store Friendly Name window that opens and then click OK to close the window.

      • Resource System Name - This is the name of the resource system that displays to users.

        To set this field, click the Edit button to the right of the line, enter the new name into the Resource System Friendly Name window that opens and then click OK to close the window.

      • Connection Account - This is the proxy account entered when scanning the forest. This account is used for inventorying, provisioning, performing password resets, and enforcing permissions, so the account entered here must have the appropriate administrative privileges.

        To set this field, click the Edit button to the right of the line, enter the account information into the Proxy Connection Account window that opens, and then click OK to close the window.

      • Monitored Domain Controller - This is the preferred domain controller that EmpowerID monitors for changes. This needs to be a reliable domain controller with good connectivity to the EmpowerID servers performing the inventory role. During the initial forest scan, EmpowerID discovers each domain controller and sets them to disabled by default. EmpowerID maintains a list of the last change seen on all domain controllers in case this setting needs to be changed, but only one is monitored at any given time in order to optimize performance. You can change the domain controller that EmpowerID monitors at any time.

        To set this field, click the Edit button to the right of the line, select a domain controller in the Change Domain Controller window that opens, and then click OK to close the window.

      • Default User Creation Path - This is the creation location of last resort in the event that one is not selected in a workflow process.

        To set this location, click the Edit button to the right of the line, select a location from the Directory Path Selector window that opens, and then click OK to close the window.
      • Default Group Creation Path - This is the creation location of last resort in the event that one is not selected in a workflow process.

        To set this location, click the Edit button to the right of the line, select a location from the Directory Path Selector window that opens, and then click OK to close the window.
      • EmpowerID Group Creation Path - This is the creation location for the Domain Local groups used by EmpowerID for granting native AD permissions assignments.

        To set this location, click the Edit button to the right of the line, select a location from the Directory Path Selector window that opens, and then click OK to close the window.
      • Maximum Accounts Per Person - Specifies the maximum number of user accounts from this domain that a person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.

        To set a numeric value, click the Edit button to the right of the line, enter a number into the Change Max Accounts Per Person window that opens, and then click OK.

      • Role and Location Re-Eval Order - This is an optional policy setting that can be used by provisioning workflows to determine which Account Store has priority when determining the roles and locations that should be assigned to a person. Account Stores with a higher value take precedence. You must enable the Allow Business Role and Location Recalculation option in this pane as well.

        To set an order, click the Edit button to the right of the line, enter a number into the Change Business Role Priority window that opens and then click OK.

      • Icon - This is the image icon that represents this domain in user interfaces.

        To set the icon, click the Icon Selector button to the right of the line, select an icon from the drop-down list and click OK.
      • Partition Suffix - This is the partition suffix you entered when first connecting to the directory.

        To change this value, click the Edit button to the right of the line, and enter the new suffix into the Account Store Partition Suffix window that opens and then click OK.

      • Naming Context - This is the application naming context derived from the partition suffix.

        To change this value, click the Edit button to the right of the line, and enter the new suffix into the Account Store Partition Suffix window that opens and then click OK.
      • Enable Pass-Through Authentication - This allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enabled, the domain\username format needs to be used.

        To enable this function, click the Enable Pass-Through Authentication button to the left of the line and toggle it so that the green check is visible.
      • Enable Simple Username Search for Pass-Through Authentication - Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and, if so, attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Account Stores where simple username search is enabled to find the correct user name and password combination. Note: Simple search can cause long delays during the login process in environments with a large number of domains.

        To enable this function, click the Enable Simple Username Search button to the left of the line and toggle it so that the green check is visible.
      • Allow Password Sync - Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.

        To enable this function, click the Allow Password Sync button to the left of the line and toggle it so that the green check is visible.
      • Allow RET Provisioning - Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.

        To enable this function, click the Allow RET Provisioning button to the left of the line and toggle it so that the green check is visible.
      • Allow RET De-Provisioning - Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.

        To enable this function, click the Allow RET De-Provisioning button to the left of the line and toggle it so that the green check is visible.
      • Allow Business Role and Location Recalculation - Allows or disallows the Account Store to be used by the Role and Location Compiler and Role and Location Processor to determine the Business Roles and Locations that should be associated with a person.

        At this time the Business Role and Location Recalculation functionality is not implemented for AD LDS-based Account Stores. Currently, the Business Role and Location Recalculation applies only to custom connections, such as flat files that connect to an HR system.

        To enable this function, click the Allow Business Role and Location Recalculation button to the left of the line and toggle it so that the green check is visible. You must also enable the Role and Location Compiler and Role and Location Processor jobs within the EmpowerID Servers and Roles interface of Configuration Manager.

    • Inventory Pane

      This pane is used to enable or disable inventory of the Account Store as well as to set the run schedule for the EmpowerID Inventory Job.

      • Inventory Schedule - This is the time span that occurs before EmpowerID performs a complete inventory of the resource system. The default value is 5 minutes.

        To set this value, click the Edit button to the right of the Inventory Schedule line, enter a value into the Set Schedule Inventory window that opens, and then click OK.
      • Enable Inventory - This allows EmpowerID to perform a complete inventory of the resource system.

        To enable inventory, toggle the Enable Inventory button to the left of the line so that the green check is visible.
      • Inventory Provision Request Workflow - This is the request workflow that is initiated when new accounts are discovered via the inventory feature. If you set this workflow, the Allow Automatic Person Provision and Allow Automatic Join Provision flags described below are ignored.

        This setting is not enabled by default and should be used only where customization of the process is required.

        To set the workflow, click the Edit button to the right of the line, select a workflow from the Change Request Workflow window that opens, and then click OK. You can clear the selection by clicking on the red sphere to the right of the Edit button.

      • Allow Automatic Person Provision on Inventory - This allows EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure. When provisioning people, you have the following optional settings that can be made:
        • Business Role for New Inventory Provision - This allows you to select a Business Role for people discovered during the inventory process. The default setting assigns newly discovered people to the Temporary Business Role.

          To pick a Business Role other than the default, click the Edit button to the right of the line, select a Business Role from the Business Role Selector window that opens and then click OK. You can clear the selection by clicking on the red sphere to the right of the Edit button.
        • Location for New Inventory Provision - This allows you to select the location that is to be the primary location for the people discovered during the inventory process. The default setting uses the Active Directory OU of the user object as the primary location. It is recommended that you leave this set to the default setting.

          To pick a location other than the default, click the Edit button to the right of the line, select a location from the Business Role and Location Selector window that opens, and then click OK. You can clear the selection by clicking on the red sphere to the right of the Edit button.

          Selection of a specific location overrides the default logic that assigns the Active Directory OU of the user object as the primary location for the new person.
      • Allow Automatic Person Join on Inventory - This allows EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.

        To enable automatic joining, click the button to the left of the line and toggle it so that the green check is visible.

        All Join rules are commented out from their SQL stored procedures by default. To use a Join rule, you must uncomment the rule in the appropriate SQL stored procedure. If the Join rule is not used, EmpowerID classifies the accounts as Orphaned Accounts.

      • RBAC-Assign Initial Group Membership On First Inventory - This converts each user account in an Active Directory group to a Resource Role Assignment for the person who owns the user account.

        Enabling this function is not recommended in most cases as it removes the ability to manage groups in Active Directory. A consequence of this is that if a user account is removed from an ADAM group, EmpowerID puts the account back in the group.
      • Re-Inventory - Enabling this option sets the USN (update sequence number) watermark to 0 and re-inventories all changes.
    • Group Membership Reconciliation Pane

      Use this pane to enable or disable and schedule group membership reconciliation for the domain. When this function is enabled, EmpowerID dynamically manages the membership of Active Directory groups, adding and removing users to and from groups based upon policy-based assignment rules.

      To set the Group Membership Reconciliation Schedule, do the following:

      1. Click the Membership Schedule button to the right of the Membership Schedule line.
      2. In the Set Schedule Interval window that opens, enter the desired schedule parameters, and click OK to close the window.
      3. Click the Enable this Functionality button and toggle it so that the green check is visible.
      4. Clicking the Run Now button immediately runs the Group Membership Reconciliation process and adjusts the next run time to the Enforcement Schedule setting. You should not run the process until you have completed all configuration steps.
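As an added pre-flight check (not part of this documentation or of the EmpowerID product), the following PowerShell script binds to the ADAM instance with the proxy credentials entered in step 5 and verifies that the partition suffix is an application naming context on that instance and that the proxy account can read user objects under it. The server name, port, NetBIOS domain and proxy user name are placeholders.

```powershell
# Added pre-flight check for the ADAM Server values entered in step 5 (not EmpowerID code).
# Confirms the proxy account can bind and read the partition before the Account Store is created.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$AdamServer      = 'adamserver.litwareinc.com:389'   # placeholder host:port; port is chosen at instance creation
$PartitionSuffix = 'DC=litwareinc,DC=extranet'       # partition suffix exactly as entered in the wizard
$NetbiosDomain   = 'litwareinc'                      # NetBIOS domain of the proxy user (placeholder)
$ProxyUser       = 'svc-empowerid-ldsproxy'          # placeholder proxy user name
$ProxyPassword   = Read-Host -Prompt 'Proxy account password' -AsSecureString

$cred = New-Object System.Net.NetworkCredential($ProxyUser, $ProxyPassword, $NetbiosDomain)
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($AdamServer)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Negotiate')
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true   # integrity-protect the session when not using LDAPS
$conn.SessionOptions.Sealing = $true   # encrypt the session when not using LDAPS
$conn.Bind()                           # throws if the proxy credentials are rejected

# 1. The partition suffix must appear among the instance's naming contexts (RootDSE).
$rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'namingContexts')
$rootResp = $conn.SendRequest($rootReq)
$ncs = $rootResp.Entries[0].Attributes['namingContexts'].GetValues([string])
if ($ncs -notcontains $PartitionSuffix) {
    throw "Partition '$PartitionSuffix' is not a naming context on $AdamServer. Found: $($ncs -join '; ')"
}

# 2. The proxy account must be able to read user objects in that partition.
$userReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $PartitionSuffix, '(objectClass=user)', 'Subtree', @('distinguishedName', 'userPrincipalName'))
$userReq.SizeLimit = 5   # a small sample is enough to prove read access
try {
    $userResp = $conn.SendRequest($userReq)
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # Hitting the size limit still returns the partial entries; any other result code is a real failure.
    if ($_.Exception.Response.ResultCode -ne 'SizeLimitExceeded') { throw }
    $userResp = $_.Exception.Response
}
if ($userResp.Entries.Count -eq 0) {
    Write-Warning "Bind succeeded but no user objects were readable under $PartitionSuffix; check the proxy account's read permissions."
}
else {
    Write-Host "Proxy account bound OK and read $($userResp.Entries.Count) user object(s) from $PartitionSuffix"
    $userResp.Entries | ForEach-Object { $_.DistinguishedName }
}
$conn.Dispose()
```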

The UPN Suffixes tab contains the suffix information for the Account Store. This suffix is appended to a user's logon name to create an email address. You can edit this information by clicking the UPN Suffixes tab.