Active Directory Lightweight Directory Services (AD LDS) provides data storage and retrieval for directory-enabled applications, without the dependencies that Active Directory Domain Services (AD DS) requires. AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. Similar to the way in which Active Directory Federation Services (AD FS) uses AD DS account store information, AD FS also retrieves user attributes from AD LDS and authenticates users against AD LDS if you configure AD FS to use AD LDS as the account store.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

You can use the following procedure to add an AD LDS account store to your AD FS configuration.

To add an AD LDS account store
  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. In the console tree, double-click Federation Service, Trust Policy, and My Organization.

  3. Right-click Account Stores, point to New, and then click Account Store.

  4. On the Welcome to the Add Account Store Wizard page, click Next.

  5. On the Account Store Type page, click Active Directory Lightweight Directory Services (AD LDS), and then click Next.

  6. On the AD LDS Store Details page, do the following, and then click Next:

    • In Account store display name, type the friendly name of the account store.

    • In Account store URI, type the Uniform Resource Identifier (URI) for the AD LDS account store.

  7. On the AD LDS Server Settings page, do the following, and then click Next:

    • In AD LDS server name or IP address, type the name or IP address of the AD LDS server.

    • In Port number, type the TCP/IP port number for the account service.

    • In LDAP search base distinguished name, type the distinguished name, for example, DC=adatum,DC=com.

    • In User name LDAP attribute, type the name of the user name attribute, for example, userPrincipalName.

  8. On the Identity Claims page, select one or more identity claims that will be provided by the account store, and then click Next:

    • If the account store provides UPN identity claims, select the User Principal Name (UPN) check box, and then type the Lightweight Directory Access Protocol (LDAP) attribute name.

    • If the account store provides e-mail identity claims, select the E-mail check box, and then type the LDAP attribute name.

    • If the account store provides common name identity claims, select the Common name check box, and then type the LDAP attribute name.

  9. If you do not want to enable this account store now, on the Enable this Account Store page, clear the Enable this account store check box, and then click Next.

  10. To add the new account store and close the wizard, click Finish.


AD FS cannot authenticate AD LDS accounts that use parentheses as part of the account name. Accounts that have an open parenthesis in the user name cause an LDAP search failure as a result of the user name forming an invalid LDAP filter.

Additional references