Registering Active Directory of IIJ Directory Service for Microsoft

This section describes the procedure to register Active Directory to federate with this service.

[ Reference ]

The Active Directory account to be created in this procedure will be registered in Active Directory as an SPN (Service Principal Name).

An SPN is a name that lets clients uniquely identify a service instance. Concretely, it is information that maps a service name (port number), the computer that runs the service, and the account that runs the service (the service account).

  1. Create an Active Directory account to access Active Directory servers beforehand.
    Access Active Directory and create an Active Directory account that has the Active Directory account-creation right and the WinRM execution right.

    [ Reference ]

    Refer to “IIJ Directory Service for Microsoft User's Guide” for more information on how to create Active Directory accounts in IIJ Directory Service for Microsoft.

  2. Click "System" and then "Upstream ID Provider Management."
  3. Click the URL that appears next to “URL to the settings page” under “Integrated Windows Authentication Provider.”
  4. The dashboard of the Integrated Windows Authentication provider settings page appears.
  5. Click “AD Management.”
  6. Click “Register AD.”
  7. Select “Obtain AD information automatically” and enter the information of Active Directory to form a federation with.

    Option       | Description                                                    | Example
    AD domain    | Select the AD used in the IIJ Directory Service for Microsoft. | example.com (service code: dsm00000000)
    Display name | Name displayed in this service                                 | Head Office AD
  8. Click "Register."
  9. Click “Setup” for the registered AD.
  10. Enter the information of the Active Directory account that you created in step 1.
  11. Enter in “New AD account” the user principal name of the new administration AD account that you create for Integrated Windows Authentication, and then fill in “Password.”
    Click “Create New AD Account.”

    Option                          | Required | Content                                                                                                                                                                       | Example
    New AD account (UPN)            | Yes      | Enter an account name                                                                                                                                                         | admin
    Password                        | Yes      | Enter an account password                                                                                                                                                     |
    DN where the account is created |          | Enter a DN (Distinguished Name) to create an account with. If this field is empty, the Users container (e.g., CN=Users,DC=example,DC=com) is usually used to create an account. *1 | OU=people,DC=example,DC=com

    *1 The account is created using the New-ADUser PowerShell command. When no DN is given, the account is created in the default destination of that command. (Reference: https://learn.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps (English))

    [ Note ]

    Do not modify the created Integrated Windows Authentication administrative AD account or perform other operations on it. Any of the following operations prevents Integrated Windows Authentication from functioning correctly.

    • Deleting the account
    • Changing the password of the account
    • Disabling the account

  12. Click “Confirm Connectivity” to check the connectivity from IIJ ID Service to AD.
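The following PowerShell is an added example, not part of the IIJ guide or the service's own code. It creates the administrative AD account the way footnote *1 describes (New-ADUser, with the DN only passed when one is given) and then reports the state that the note above says must not change; the UPN, password prompt and OU DN are assumed placeholder values.

```powershell
# Added example (not from the IIJ guide). Requires the ActiveDirectory module
# and an account with account-creation rights, as in step 1.
Import-Module ActiveDirectory

function New-IwaAdminAccount {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. iwa-admin@example.com (placeholder)
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $TargetDn = ''                               # "DN where the account is created"; empty = default
    )
    $sam = ($UserPrincipalName -split '@')[0]
    $params = @{
        Name              = $sam
        SamAccountName    = $sam
        UserPrincipalName = $UserPrincipalName
        AccountPassword   = $Password
        Enabled           = $true
    }
    # Only pass -Path when a DN was entered. Without it New-ADUser uses its
    # default container (normally CN=Users,DC=...), which is what an empty
    # "DN where the account is created" field means.
    if ($TargetDn) { $params['Path'] = $TargetDn }
    New-ADUser @params
    Get-ADUser -Identity $sam -Properties DistinguishedName, Enabled, ServicePrincipalName
}

function Test-IwaAdminAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet, ServicePrincipalName
    $usersContainer = (Get-ADDomain).UsersContainer
    [pscustomobject]@{
        DistinguishedName       = $u.DistinguishedName
        InDefaultUsersContainer = $u.DistinguishedName -like "*,$usersContainer"
        Enabled                 = $u.Enabled            # must remain $true (see the note above)
        PasswordLastSet         = $u.PasswordLastSet    # a later change here breaks IWA
        ServicePrincipalNames   = @($u.ServicePrincipalName)
    }
}

# Usage with constructed placeholder values:
$pw = Read-Host -AsSecureString -Prompt 'Password for the IWA administrative account'
New-IwaAdminAccount -UserPrincipalName 'iwa-admin@example.com' -Password $pw -TargetDn 'OU=people,DC=example,DC=com'
Test-IwaAdminAccount -SamAccountName 'iwa-admin'
```

Running Test-IwaAdminAccount periodically (for example from a monitoring job) gives an early warning if the account was disabled, moved, or had its password changed, which are exactly the operations the note above says break Integrated Windows Authentication.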