Registering Active Directory for Synchronization with On-premise Active Directory Servers

This section describes how to register an on-premises Active Directory server so that this service can form a federation with it.

[ Reference ]

The Active Directory account created in this procedure will have an SPN (Service Principal Name) registered on it in Active Directory.

An SPN is the name by which Kerberos clients uniquely identify a service instance. It maps a service class (and, where needed, a port number) and the computer that runs the service to the account that runs the service (the service account). A client requests a Kerberos ticket for the SPN, so the SPN must be unique within the forest; a duplicate SPN breaks authentication for every account that carries it.

  1. Click "System" and then "Upstream ID Provider Management."
  2. Click the URL that appears next to “URL to the settings page” under “Integrated Windows Authentication Provider.”
  3. The dashboard of the Integrated Windows Authentication provider settings page appears.
  4. Click “AD Management.”
  5. Click “Register AD.”
  6. Select “Enter AD information manually” and enter the information of Active Directory to form a federation with.

    [ Reference ]

    For a federation with multiple domains and forests, configure Active Directory by reference to “Active Directory Network Topologies.”

    Option | Required | Content | Example

    General: enter the Active Directory information.

    Display name | Yes | Name displayed in this service | Head Office AD
    AD domain | Yes | Active Directory domain name | example.jp
    Domain controller IP addresses | Yes | To enter multiple IPs, separate them with commas (,). | 192.0.2.1,192.0.2.2

    Multi-forest/Multi-domain Settings: enter an Active Directory domain that is in a trust relationship with the one above. Users of the registered Active Directory domain can also federate with this service.

    AD domain | No | Active Directory domain name | sub.example.jp
    Domain controller IP addresses | No | IP addresses of the domain controllers. To enter multiple IPs, separate them with commas (,) or new lines. | 192.0.2.3, 192.0.2.4
  7. Click "Register."
  8. Click “Setup” for the registered AD.
  9. Enter the information of the new Integrated Windows Authentication Administrative AD Account to create, and then click “Download PowerShell Script.”

    Option | Required | Content | Example

    New AD account (UPN) | Yes | Enter an account name | admin
    Password | Yes | Enter an account password | 
    DN where the account is created | No | Enter the DN (Distinguished Name) of the container in which the account is created. If this field is empty, the Users container (e.g., CN=Users,DC=example,DC=com) is usually used. *1 | OU=people,DC=example,DC=com

    *1 The account is created with the New-ADUser PowerShell command. When no DN is given, the account is created in the default location of that command. (Reference: https://docs.microsoft.com/en-us/powershell/module/addsadministration/new-aduser)

  10. Start PowerShell with administrator privileges on the Active Directory server, and execute the following command. "-ExecutionPolicy bypass" applies only to this PowerShell process; it does not change the execution policy of the server.

    PS> powershell -ExecutionPolicy bypass -File '.\setup_spn.ps1'
    [ Reference ]

    If the following error occurs while the PowerShell script is running, the password of the new Integrated Windows Authentication Administrative AD Account does not meet the password policy of the domain:

    New-ADUser: The password does not meet the length, complexity, or history requirement of the domain.

    In that case, go back to step 9, enter a password that satisfies the domain policy, download the PowerShell script again, and then execute the command again.

    [ Note ]

    Do not modify or perform other operations on the created Integrated Windows Authentication Administrative AD Account. Any of the following operations prevents Integrated Windows Authentication from functioning correctly:

    • Deleting the account

    • Changing the password of the account

    • Disabling the account

  11. Click “Confirm Connectivity” to check the connectivity from IIJ ID Service to Active Directory.
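The script downloaded in step 9 is not shown on this page. The following PowerShell is an added illustration, not IIJ's setup_spn.ps1, of what steps 9 and 10 amount to in Active Directory terms: creating the service account with New-ADUser in the DN from step 9, registering an SPN on it, handling the password-policy failure described above, and verifying the conditions that the Note says must hold (account present, enabled, password unchanged). The SPN value "HTTP/idp.example.jp", the PasswordNeverExpires and Kerberos encryption settings, and the account and OU names are assumptions modelled on the page's examples; the real values and flags come from the downloaded script.

```powershell
# Added example (not the vendor's setup_spn.ps1). Run in an elevated PowerShell
# on a domain controller or a domain-joined host with the RSAT AD module.
Import-Module ActiveDirectory

$AccountName = 'admin'                        # "New AD account (UPN)" from step 9
$DomainDns   = 'example.jp'                   # "AD domain" from step 6
$TargetPath  = 'OU=people,DC=example,DC=com'  # "DN where the account is created"; $null = New-ADUser default
$Spn         = 'HTTP/idp.example.jp'          # assumed SPN; the downloaded script defines the real one

$Password = Read-Host -AsSecureString -Prompt 'Password for the new account'

$params = @{
    Name                   = $AccountName
    SamAccountName         = $AccountName
    UserPrincipalName      = "$AccountName@$DomainDns"
    AccountPassword        = $Password
    Enabled                = $true
    # Assumed: the Note says the password must never be changed, so an expiring
    # password would eventually lock the service out.
    PasswordNeverExpires   = $true
    CannotChangePassword   = $true
    # Assumed hardening: only issue AES tickets for this SPN, never RC4.
    KerberosEncryptionType = 'AES128,AES256'
}
if ($TargetPath) { $params.Path = $TargetPath }

try {
    New-ADUser @params -ErrorAction Stop
}
catch [Microsoft.ActiveDirectory.Management.ADPasswordComplexityException] {
    # The failure described in the [ Reference ] under step 10.
    throw "Password rejected by the domain password policy; choose one that satisfies it and retry."
}

# setspn -S checks the whole forest for a duplicate before adding the SPN;
# a duplicate SPN would silently break Kerberos for both accounts.
setspn.exe -S $Spn $AccountName
if ($LASTEXITCODE -ne 0) { throw "setspn failed (duplicate SPN or insufficient rights)" }

# Verification: the checks to run after the script, and again whenever
# Integrated Windows Authentication stops working.
$u = Get-ADUser -Identity $AccountName -Properties ServicePrincipalNames, PasswordLastSet, Enabled, LockedOut
[pscustomobject]@{
    DistinguishedName = $u.DistinguishedName              # should be under $TargetPath
    Enabled           = $u.Enabled                        # must stay $true (Note: do not disable)
    LockedOut         = $u.LockedOut                      # must be $false
    PasswordLastSet   = $u.PasswordLastSet                # must not move after setup (Note: do not change)
    SpnRegistered     = $u.ServicePrincipalNames -contains $Spn
}
```

If the verification object shows Enabled as False, LockedOut as True, a PasswordLastSet later than the setup date, or SpnRegistered as False, one of the operations listed in the Note has happened and Integrated Windows Authentication will fail until the account is restored; compare against the downloaded script before changing anything, since it defines the actual account settings.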