Active Directory Lightweight Directory Services (AD LDS) provides data storage and retrieval for directory-enabled applications, without the dependencies that Active Directory Domain Services (AD DS) requires. AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. Similar to the way in which Active Directory Federation Services (AD FS) uses AD DS account store information, AD FS also retrieves user attributes from AD LDS and authenticates users against AD LDS if you configure AD FS to use AD LDS as the account store.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
You can use the following procedure to add an AD LDS account store to your AD FS configuration.
To add an AD LDS account store

1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. In the console tree, double-click Federation Service, Trust Policy, and My Organization.
3. Right-click Account Stores, point to New, and then click Account Store.
4. On the Welcome to the Add Account Store Wizard page, click Next.
5. On the Account Store Type page, click Active Directory Lightweight Directory Services (AD LDS), and then click Next.
6. On the AD LDS Store Details page, do the following, and then click Next:
   - In Account store display name, type the friendly name of the account store.
   - In Account store URI, type the Uniform Resource Identifier (URI) for the AD LDS account store.
7. On the AD LDS Server Settings page, do the following, and then click Next:
   - In AD LDS server name or IP address, type the name or IP address of the AD LDS server.
   - In Port number, type the TCP/IP port number for the account service.
   - In LDAP search base distinguished name, type the distinguished name, for example, DC=adatum,DC=com.
   - In User name LDAP attribute, type the name of the user name attribute, for example, userPrincipalName.
8. On the Identity Claims page, select one or more identity claims that will be provided by the account store, and then click Next:
   - If the account store provides UPN identity claims, select the User Principal Name (UPN) check box, and then type the Lightweight Directory Access Protocol (LDAP) attribute name.
   - If the account store provides e-mail identity claims, select the E-mail check box, and then type the LDAP attribute name.
   - If the account store provides common name identity claims, select the Common name check box, and then type the LDAP attribute name.
9. If you do not want to enable this account store now, on the Enable this Account Store page, clear the Enable this account store check box, and then click Next.
10. To add the new account store and close the wizard, click Finish.
Note

AD FS cannot authenticate AD LDS accounts that use parentheses as part of the account name. Accounts that have an open parenthesis in the user name cause an LDAP search failure as a result of the user name forming an invalid LDAP filter.
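The note above describes a filter-construction problem: the user name ends up inside an LDAP search filter of the form (userPrincipalName=name), so a parenthesis in the value changes the structure of the filter instead of being matched as data. The example below is added here and is not code from AD FS or AD LDS; it assumes a lookup filter of exactly that shape (the real filter AD FS builds is not shown on the page) and uses the userPrincipalName attribute from the procedure together with constructed sample user names. It shows the RFC 4515 escaping that keeps an assertion value from altering the filter, and a small parser that rejects the unescaped form the way an LDAP server would.

```python
"""
RFC 4515 escaping for LDAP search-filter assertion values (added example).

Demonstrates why a user name containing '(' or ')' produces an invalid
filter when spliced in verbatim, and how escaping keeps the filter valid.
Constructed example; not code from AD FS or AD LDS.
"""
import re

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute description: a name such as userPrincipalName, optionally with ;options.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515 so it cannot change filter structure."""
    out = []
    for ch in value:
        if ch in _RFC4515_ESCAPES:
            out.append(_RFC4515_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are carried as escaped UTF-8 bytes.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(attribute: str, user_name: str, escape: bool = True) -> str:
    """Build an equality filter such as (userPrincipalName=...) for a user lookup.

    escape=False reproduces the verbatim splice that the note warns about.
    """
    value = escape_filter_value(user_name) if escape else user_name
    return f"({attribute}={value})"


def parse_equality_filter(ldap_filter: str) -> tuple[str, str]:
    """Parse a single RFC 4515 equality item '(attr=value)'.

    Raises ValueError where an LDAP server would reject the filter as
    malformed: a bare '(' ')' or NUL inside the value, a bad escape, or
    missing enclosing parentheses. A bare '*' is rejected too, because it
    would turn the item into a substrings filter rather than an equality match.
    Returns (attribute, decoded value).
    """
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    body = ldap_filter[1:-1]
    m = _ATTR_RE.match(body)
    if not m or body[m.end():m.end() + 1] != "=":
        raise ValueError("expected '(attr=value)'")
    raw = body[m.end() + 1:]
    decoded = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            hexpair = raw[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpair):
                raise ValueError("bad escape sequence in assertion value")
            decoded.append(int(hexpair, 16))
            i += 3
        elif ch in "()*\x00":
            raise ValueError(f"unescaped {ch!r} in assertion value")
        else:
            decoded.extend(ch.encode("utf-8"))
            i += 1
    return m.group(0), decoded.decode("utf-8")


if __name__ == "__main__":
    # Constructed user names: one with parentheses (the case from the note), one non-ASCII.
    for name in ("jsmith(acme)@adatum.com", "m\u00fcller@adatum.com"):
        for escape in (False, True):
            f = build_user_filter("userPrincipalName", name, escape=escape)
            try:
                print(f"{f!r:55} -> {parse_equality_filter(f)}")
            except ValueError as exc:
                print(f"{f!r:55} -> rejected: {exc}")
```

The same escaping applies to any value a directory-enabled application places into a filter, including e-mail and common-name lookups; escaping the value rather than stripping characters keeps the account searchable while ensuring the filter still means an exact match on one attribute.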