Add an AD LDS Account Store

Applies To: Windows Server 2008

If you use multiple Active Directory Lightweight Directory Services (AD LDS) stores for user accounts that require access to one or more Web applications that are protected by Active Directory Federation Services (AD FS), you can add the AD LDS account stores to the Federation Service.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To add an AD LDS account store

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Account Stores, point to New, and then click Account Store.

  3. On the Welcome to the Add Account Store Wizard page, click Next.

  4. On the Account Store Type page, ensure that Active Directory Lightweight Directory Services (AD LDS) is selected, and then click Next.

  5. On the AD LDS Store Details page, in Account store display name, type the name of the AD LDS account store as you want it to be displayed in the Active Directory Federation Services snap-in user interface (UI).

  6. In Account store URI, type the uniform resource identifier (URI) for the AD LDS account store, and then click Next.

Note

The account store URI uniquely identifies the AD LDS instance among multiple AD LDS account stores.

  7. On the AD LDS Server Settings page, do the following, and then click Next:

    1. In AD LDS server name or IP address, type the name or IP address of the AD LDS server.

    2. In Port number, type the TCP/IP port number for the account service. Accept the default of 389 unless Active Directory Domain Services (AD DS) is installed on the same server, in which case you must use a different port.

    3. In LDAP search base distinguished name, type the distinguished name of the AD LDS instance.

    4. In User name LDAP attribute, type the name of the user name attribute that users provide during logon, for example, userPrincipalName or sAMAccountName.

  8. On the Identity Claims page, select one or more identity claims that will be provided by the account store, and then click Next:

    1. If the account store provides user principal name (UPN) identity claims, select the User Principal Name (UPN) check box, and then type the Lightweight Directory Access Protocol (LDAP) attribute name to which UPN identity claims map (the attribute whose value is the user's UPN, usually userPrincipalName).

    2. If the account store provides e-mail identity claims, select the E-mail check box, and then type the LDAP attribute name to which e-mail identity claims map (the attribute whose value is the user's e-mail name, usually userPrincipalName).

    3. If the account store provides a common name identity claim, select the Common Name check box, and then type the LDAP attribute name to which the common name identity claim maps (the attribute whose value is the user's common name, usually displayName).

  9. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.

  10. On the Completing the Add Account Store Wizard page, click Finish.
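The following PowerShell script is an added pre-check, not part of the original procedure or of AD FS itself: it confirms that the values entered on the AD LDS Server Settings page (server, port, search base DN, user name attribute) and the attributes chosen on the Identity Claims page actually resolve against the AD LDS instance before the wizard is run. The server name, port, search base, attribute names and test logon name are assumed placeholders, and the bind is made as the current Windows user.

```powershell
# Pre-check for the AD LDS account store settings (added example; all values are assumed placeholders).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = "System.DirectoryServices.Protocols"

$serverName   = "adlds01.fabrikam.com"                 # AD LDS server name or IP address
$port         = 50000                                  # port number; 389 only if AD DS is not on the same server
$searchBase   = "CN=Users,DC=fabrikam,DC=com"          # LDAP search base distinguished name
$userNameAttr = "userPrincipalName"                    # user name LDAP attribute users provide at logon
$claimAttrs   = "userPrincipalName", "displayName"     # attributes the UPN/e-mail and common name claims map to
$testUser     = "alice@fabrikam.com"                   # a logon name that should resolve to exactly one entry

# Escape a value placed inside an LDAP filter (RFC 4515) so a stray "*" or ")" cannot change the query.
function Escape-LdapFilterValue([string]$v) {
    $v = $v.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $v.Replace([string][char]0, '\00')
}

$id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $serverName, $port
$conn = New-Object "$P.LdapConnection" -ArgumentList $id
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # bind as the current Windows user
$conn.Bind()   # throws if the server name or port is wrong or the bind is refused

# 1. The search base DN must exist: read the object itself with a base-scope search.
$req = New-Object "$P.SearchRequest" -ArgumentList $searchBase, "(objectClass=*)", "Base", ([string[]]"distinguishedName")
$null = $conn.SendRequest($req)   # throws NoSuchObject if the DN is mistyped
Write-Host "Search base OK: $searchBase"

# 2. The user name attribute must locate exactly one entry for the test logon name.
$filter = "($userNameAttr=$(Escape-LdapFilterValue $testUser))"
$req = New-Object "$P.SearchRequest" -ArgumentList $searchBase, $filter, "Subtree", ([string[]]$claimAttrs)
$res = $conn.SendRequest($req)
if ($res.Entries.Count -ne 1) { throw "Expected 1 entry for $testUser, found $($res.Entries.Count)" }
$entry = $res.Entries[0]
Write-Host "User found: $($entry.DistinguishedName)"

# 3. Every attribute chosen for an identity claim must be populated, or that claim will be issued empty.
foreach ($attr in $claimAttrs) {
    if (-not $entry.Attributes.Contains($attr) -or $entry.Attributes[$attr].Count -eq 0) {
        Write-Warning "Claim attribute '$attr' is missing or empty on $($entry.DistinguishedName)"
    } else {
        Write-Host "Claim attribute $attr = $($entry.Attributes[$attr][0])"
    }
}
$conn.Dispose()
```

Run it on the federation server so that the same network path and port the Federation Service will use are exercised.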

Additional references

Add an AD DS Account Store