Prepare an ADAM instance for use with ADFS

Applies To: Windows Server 2003 R2

Before you can use an Active Directory Application Mode (ADAM) instance as an account store in your Active Directory Federation Services (ADFS) deployment, you must perform two preliminary procedures:

  • Set an attribute to enable user accounts

  • Configure the member attribute with the federation server security identifier (SID) to enable federation servers to search the ADAM store

Enable ADAM User Accounts

On ADAM instances running on Windows Server 2003, where local or domain password policy restrictions are in effect, the ADAM user account is disabled by default. Before you can enable the user account, you must set a password that meets the password policy restrictions that are in effect. This rule does not apply to ADAM instances running on Windows XP Professional.

To enable user accounts, set the msDS-UserAccountDisabled attribute value to False. Be sure that the user account has been configured with a userPassword attribute value that meets policy requirements.

Use the following procedure to enable a user account in the ADAM account store.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To enable an ADAM user account

  1. Open ADAM ADSI Edit and connect to the ADAM instance.

  2. Right-click an ADAM user, and then click Properties.

  3. In the Attribute column, click msDS-UserAccountDisabled, and then click Edit.

  4. Click False, and then click OK twice.

    If an ADAM-ADSIEdit message appears stating that the password cannot be updated because the value does not meet requirements for the domain, right-click the user account and click Reset Password. Then repeat this procedure.

Configure the Federation Server SID

To enable federation servers to search the ADAM account store, you need to add the machine account SID of the account federation server to the member attribute in the Readers role of the ADAM instance.

Use the following procedures to prepare ADAM for searches by federation servers.

  • Obtain the machine account SID of the federation server

  • Add the SID to the member attribute in ADAM

Administrative credentials

To complete this procedure, you must be a member of the Domain Users group in the Active Directory domain of the federation server.

To obtain the SID of the federation server

  1. Open Ldp and connect and bind to the Active Directory domain to which the federation server is joined.

  2. On the View menu, click Tree.

  3. Expand the tree to locate the computer object of the federation server.

  4. Double-click the computer object and view the properties in the results pane.

  5. Make a note of the value shown for 1> objectSid.

Perform the next procedure to add the SID you obtained to the member attribute in ADAM.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To add the federation server SID to the member attribute for an ADAM instance

  1. In Ldp, connect and bind to the ADAM instance.

  2. On the View menu, click Tree.

  3. Double-click the ADAM instance, and then double-click the CN=Roles container.

  4. Right-click the CN=Readers container, and then click Modify.

  5. In Attribute, type member.

  6. In Values, type the SID value as follows, and then click Enter:

    <SID=objectSIDValue>

  7. Click Run to modify the attribute, and then click Close.
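The two changes above (enabling the user account and adding the federation server's machine SID to the Readers role) can also be scripted instead of typed into ADAM ADSI Edit and Ldp. The following is an added example, not part of the original procedure or of any Microsoft tool: it decodes a binary objectSid into the S-1-... text form that Ldp displays, and emits the LDIF change records for both steps. The partition DN, the user DN and the sample SID bytes are assumptions made up for illustration.

```python
import re
import struct

# Textual SID form that Ldp shows for objectSid and that ADAM accepts inside <SID=...>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample: binary objectSid for S-1-5-21-1-2-3 (revision 1, four sub-authorities,
# identifier authority 5 big-endian, sub-authorities little-endian). Not a real account.
SAMPLE_OBJECTSID = (b"\x01\x04\x00\x00\x00\x00\x00\x05"
                    + struct.pack("<4I", 21, 1, 2, 3))


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (as an LDAP client returns it) into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("sub-authority count does not match SID length")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def enable_user_ldif(user_dn: str) -> str:
    """LDIF change record that sets msDS-UserAccountDisabled to FALSE for one user.
    The user must already hold a userPassword that satisfies the password policy,
    otherwise the directory rejects the change, just as ADAM ADSI Edit does."""
    return "\n".join([f"dn: {user_dn}", "changetype: modify",
                      "replace: msDS-UserAccountDisabled",
                      "msDS-UserAccountDisabled: FALSE", "-", ""])


def add_reader_sid_ldif(partition_dn: str, sid: str) -> str:
    """LDIF change record that adds the federation server's machine SID to the
    member attribute of CN=Readers,CN=Roles under the given ADAM partition (assumed DN)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a textual SID: {sid!r}")
    return "\n".join([f"dn: CN=Readers,CN=Roles,{partition_dn}", "changetype: modify",
                      "add: member", f"member: <SID={sid}>", "-", ""])


if __name__ == "__main__":
    sid = sid_bytes_to_string(SAMPLE_OBJECTSID)
    # Assumed DNs for illustration only.
    print(enable_user_ldif("CN=Alice,OU=Users,O=Fabrikam,C=US"))
    print(add_reader_sid_ldif("O=Fabrikam,C=US", sid))
```

Save the printed records to a .ldf file and import them with ldifde (ldifde -i -f file.ldf -s server -t port) against the ADAM instance; verify afterwards by binding as the federation server's machine account and running a search, which is the access the Readers role is meant to grant.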