Applies To: Windows Server 2003 R2
Before you can use an Active Directory Application Mode (ADAM) instance as an account store in your Active Directory Federation Services (ADFS) deployment, you must perform two preliminary procedures:
1. Set an attribute to enable user accounts.
2. Configure the member attribute with the federation server security identifier (SID) to enable federation servers to search the ADAM store.
On ADAM instances running on Windows Server 2003, where local or domain password policy restrictions are in effect, the ADAM user account is disabled by default. Before you can enable the user account, you must set a password that meets the password policy restrictions that are in effect. This rule does not apply to ADAM instances running on Windows XP Professional.
To enable user accounts, set the msDS-UserAccountDisabled attribute value to False. Be sure that the user account has been configured with a userPassword attribute value that meets policy requirements.
Use the following procedure to enable a user account in the ADAM account store.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
1. Open ADAM ADSI Edit and connect to the ADAM instance.
2. Right-click an ADAM user, and then click Properties.
3. In the Attribute column, click msDS-UserAccountDisabled, and then click Edit.
4. Click False, and then click OK twice.
If an ADAM-ADSIEdit message appears stating that the password cannot be updated because the value does not meet requirements for the domain, right-click the user account and click Reset Password. Then repeat this procedure.
To enable federation servers to search the ADAM account store, you need to add the machine account SID of the account federation server to the member attribute in the Readers role of the ADAM instance.
Use the following procedures to prepare ADAM for searches by federation servers.
1. Obtain the machine account SID of the federation server.
2. Add the SID to the member attribute in ADAM.
Administrative credentials
To complete this procedure, you must be a member of the Domain Users group in the Active Directory domain of the federation server.
1. Open Ldp and connect and bind to the Active Directory domain to which the federation server is joined.
2. On the View menu, click Tree.
3. Expand the tree to locate the computer object of the federation server.
4. Double-click the computer object and view the properties in the results pane.
5. Make a note of the value shown on the 1> objectSid line.
Perform the next procedure to add the SID you obtained to the member attribute in ADAM.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
1. In Ldp, connect and bind to the ADAM instance.
2. On the View menu, click Tree.
3. Double-click the ADAM instance, and then double-click the CN=Roles container.
4. Right-click the CN=Readers container, and then click Modify.
5. In Attribute, type member.
6. In Values, type the SID value as follows, and then click Enter:
   <SID=objectSIDValue>
7. Click Run to modify the attribute, and then click Close.
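The same two changes can be scripted instead of clicked through: the following added example (not part of the original page or of the ADAM product) generates an LDIF file, suitable for ldifde -i -f, that sets msDS-UserAccountDisabled to FALSE on the user and adds the federation server's machine SID to the Readers role. The DNs and the SID are constructed sample values; the example assumes that ADAM accepts the textual <SID=S-1-...> form that Ldp displays for objectSid, and that the user's password already satisfies the effective policy (otherwise the first change is rejected, exactly as in the ADSI Edit procedure).

```python
import re

# Textual SID form as shown by Ldp on the "1> objectSid:" line.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

def sid_from_ldp_line(line: str) -> str:
    """Extract the SID from an Ldp result line such as '1> objectSid: S-1-5-21-...'."""
    m = re.search(r"objectSid:\s*(S-1-[\d-]+)", line)
    if not m or not SID_RE.match(m.group(1)):
        raise ValueError(f"no objectSid value in Ldp output: {line!r}")
    return m.group(1)

def ldif_enable_user(user_dn: str) -> str:
    """Change record equivalent to setting msDS-UserAccountDisabled to False in ADSI Edit.
    ADAM on Windows Server 2003 refuses this until userPassword meets the password
    policy in effect, so reset the password first if the import is rejected."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: msDS-UserAccountDisabled",
        "msDS-UserAccountDisabled: FALSE",
        "-", ""])

def ldif_add_reader(readers_dn: str, machine_sid: str) -> str:
    """Change record equivalent to the Ldp Modify step: add the federation server's
    machine SID to the member attribute of the Readers role (assumed <SID=...> form)."""
    if not SID_RE.match(machine_sid):
        raise ValueError(f"not a SID string: {machine_sid!r}")
    return "\n".join([
        f"dn: {readers_dn}",
        "changetype: modify",
        "add: member",
        f"member: <SID={machine_sid}>",
        "-", ""])

def build_ldif(user_dn: str, readers_dn: str, ldp_line: str) -> str:
    """Both change records in one LDIF document, separated by a blank line."""
    sid = sid_from_ldp_line(ldp_line)
    return ldif_enable_user(user_dn) + "\n" + ldif_add_reader(readers_dn, sid)

if __name__ == "__main__":
    # Constructed sample values; real DNs and the SID come from your ADAM instance and Ldp.
    sample_ldp = "1> objectSid: S-1-5-21-1004336348-1177238915-682003330-1104"
    print(build_ldif("CN=jsmith,OU=Users,O=Fabrikam,C=US",
                     "CN=Readers,CN=Roles,O=Fabrikam,C=US", sample_ldp))
```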