1. Guides
  2. /
  3. Connect to an external identity provider (IdP)
  4. /
  5. Enterprise Identity Provider
  6. /
  7. Windows AD

Windows AD

Update Time: 2025-06-11 08:01:00
Edit

Introduction

  • Overview: Windows AD is a localized user directory management service provided by Microsoft. You can configure and enable the enterprise login of Windows AD service provider application sweep code in Authing to quickly get the basic open information of Windows AD and help users to achieve the password-free login function through Authing.
  • Application scenario: Enterprise PC no-login scenario
  • End-user preview image.

Caution.

  • To use Windows AD you need a Windows server.
  • A server with Active Directory installed.
  • A machine running the Authing AD Connector that is able to connect to Active Directory.
  • A user account with read access to Active Directory.
  • If you do not have a Authing console account, go to AuthingConsole console (opens new window) to register for a developer account first.

This article contains the following sections.

  • Windows Active Directory Installation under Windows Server
  • Installing AD LDS
  • Configuring AD Domain Services
  • Checking Active Directory Service Connections
  • Installing AD CS
  • Configure AD CS
  • Test pass ldaps to connect to Active Directory
  • AD Related Policies Modification and Testing
  • Related services and configuration purposes

Windows Active Directory installation under Windows Server

Installing AD Domain Services 1.

  1. Open the Service Manager in Windows Server

2.

  1. Select Add Roles and Features
  1. Select installation type
  1. `Server selection
  1. select server-role
  1. Select featured
  1. Confirm
  1. AD LDS
  1. Installation in progress
  1. Installing successfully

Installing AD LDS

You can also choose not to do the installation and go directly to the Configure AD Domain Services installation, this is just to provide the installation process and points to note.

  1. Run the `Installation Wizard
  1. Installation Wizard
  1. Create the AD LDS instance
  1. Set the `instance name
  1. Set the `default port

If this default port conflicts with the AD default port, it will cause the AD domain service prerequisite check to fail

  1. Create the application directory partition
  1. Choose a storage location
  1. Select account association
  1. Assign administrative privileges
  1. Pour in the corresponding LDIF
  1. Installation confirmation
  1. Installation in progress
  1. Installation complete

Configuring AD Domain Services 1.

On Service Manager, elevate this service to Domain Controller

  1. Deployment configuration
  1. Domain Controller Options
  1. DNS Options
  1. Other options
  1. Paths
  1. View options
  1. prerequisites check
  1. Just execute the installation

Checking Active Directory service connections

Here you can use ldp for connection testing and get a response without entering more information about the ldap connection, or you can use some client (e.g. Apache Ldap Studio) for connection testing. Of course, the fact that AD Admin Center is open means that currently your connection test is OK.

  1. Win + r opens the CMD execution window, type ldp
  1. Select the link to open a link

Connecting to Active Directory via ldap

  1. Select the ldap protocol and test it

  2. View connection test results

Connecting to Active Directory via ldaps

For the ldaps protocol to work, you need to install and configure Active Directory Certificate Service, but there is no installation and configuration, the connection result should be failed.

  1. Select the ldaps protocol and test
  1. View connection test results

Install AD CS

  1. still open Server Manager
  1. Select Add Roles and Features
  1. Select installation type
  1. Make `server selection
  1. Add the corresponding `server role
  1. Select Add Functionality
7. Select the corresponding function

  1. AD CS

  2. Select the corresponding `Role Service

  1. Confirm the installation
  1. Installation in progress
  1. Installation complete

Configure AD CS

  1. Go to the interface for configuring the target server AD CS
  1. Specify the credentials
  1. Select Role Service
  1. Specify the CA setting type
  1. specify CA's type
  1. Configure the `private key
  1. Specify `encryption options
  1. specify CA name
  1. Specify the `CA expiration date
  1. specify CA database
  1. Confirm the current options
  1. View configuration results

Test ldaps connection to Active Directory

  1. Win + r open CMD execution window, type ldp
  1. Select the link to open a link
  1. Open the test application
  1. View the test results
  1. open AD Admin Center

or

  1. Add a new user via AD Admin Center
  1. Add a user
  1. View Added results
  1. open AD Policy Modifier
  1. Edit the `AD Policy
  1. Go to `Computer Configuration
  1. Go to Policy
  1. go to windows settings
  1. go to security settings
  1. Go to Account Policies
  1. Go to Password Policy
  1. modify `password-length-minimum

  1. Click Apply, click Confirm 15.

  2. Try again to add a user with not strong enough password

  1. View added results

This section focuses on the installation of the above services and the related configuration for the following purposes.

  • Windows Active Directory installation under Windows Server

    For AD related operations, the prerequisite is to build an AD service, and the installation of AD domain services is building an AD service.

  • Installing AD LDS

    AD LDS installation is not required

As described in the documentation: AD LDS provides storage for application-specific data as well as for directory-enabled applications (which do not require an AD Domain Services infrastructure). Multiple instances of AD LDS can exist on a single server, each of which can have its own architecture

  • Configuring AD Domain Services

    The AD Domain Services are configured to initialize the AD Domain Services for subsequent core functionality building

  • Checking Active Directory service connectivity

    Check if the Active Directory service is available and can be connected via ldap, which means that AD administration can be mapped to ldap-related operations

  • Install AD CS

    AD CS provides a secure encryption suite for AD transmissions, supporting the ldaps protocol, both for secure transmissions and for non-tampering, etc. Some operations that are extremely sensitive to information data need to be done under ldsps, such as adding a new user and setting a password, adjusting a user's status to enabled, etc. The absence of this feature will result in the status of the Authing data synchronization of the user information is not available

  • Configure AD CS

    Configure AD CS to complete the initialization of AD CS to build the subsequent functionality.

  • Test connecting to Active Directory via ldaps

    Test if the configuration of AD CS is faulty and available.

  • AD-related policy modification and testing

    This action is intended to direct the user's attention to the password-related policies in the AD service, as it may cause problems with users added in Authing during synchronization to AD.

The scenario is as follows.

  • The current password strength level in Authing is low, the user adds a new weak password account, and the current password setting state in AD requires a certain complexity, when the user syncs over, the sync state will be abnormal due to these issues (the user can sync, but the state is always disabled because the password This will not match the AD policy and will cause the user to be unsuccessful in enabling it).
  • The username in Authing does not now have special rules for authentication filtering, i.e. by default the username in Authing can be any string. However, the username in AD is not, and the sAMAccountName property in AD has certain restrictions, so that the data from Authing to AD needs to deal with these differences, and it is reasonably common for these differences to come from different systems. Authing user username as authing@gmail.com, when synchronizing, username and sAMAccountName have the same meaning in the normal sense, and these two fields should be used as mapping sides, but authing@ gmail.com is illegal to assign to sAMAccountName and will cause an error.

Install AD Connector on Windows server

Configure Windows AD in Authing console

On the "Enterprise Identity Source" page of AuthingConsole, click the "Create Enterprise Identity Source" button to enter the "Select Enterprise Identity Source" page, then click "Windows AD" to enter the "Windows AD Login Mode" page.

Please configure the relevant field information in the AuthingConsole console on the "Enterprise Identity Source" - "Windows AD" page.

FieldDescription
unique identifiera. The unique identifier consists of lowercase letters, numbers, and -, and the length is less than 32 digits. b. This is the unique identifier of this connection and cannot be modified after setting.
display nameThis name will be displayed on the button on the end user's login screen.
Synchronize AD domain passwordIf set, when AD authentication succeeds, the user's password in the AD domain will be synchronized to their password in Authing
Synchronize the user's password in Authing to AD after the user's password is changedIf set, when a user's password in Authing is changed (both when the administrator changes the password and when the user resets the password manually), the user's password in AD will be changed as well.
Login ModeWhen "Login Only Mode" is enabled, only existing accounts can be logged in, and no new accounts can be created, please choose carefully.
Account identity associationWhen 「Account Identity Association」is not enabled, a new user is created by default when a user logs in through an identity source. After enabling 「Account Identity Association」, you can allow users to log in to existing accounts directly through 「Field Matching」 or 「Asking for Binding」.

After the configuration is completed, click the "Create" button to complete the creation.

After successful creation, you will be automatically redirected to the application details page, and you will get a Provisioning Ticket Url, which will be used in the following steps.

!

After that you need to enable this AD connection for your application: !

!

Running Authing AD Connector on Windows

Before installing the Authing AD Connector, make sure the following conditions are met.

  • A Windows server.
  • The server has Active Directory installed.
  • The machine running Authing AD Connector is able to connect to Active Directory.
  • A user account with read access to Active Directory.

First you need to download (opens new window) the Authing AD Connector, which is an exe file that needs to run on Your Windows AD server, which is responsible for communicating with Authing. The Authing AD Connector needs to be installed in the LAN AD domain environment, but not necessarily on the server running the AD service, as long as the Authing AD Connector has access to the AD user directory .

Install Authing AD Connector

Click here (opens new window) to download the latest Authing AD Connector.

Upload the downloaded file to the AD domain environment machine, double click on the application and install it.

! (opens new window)

The system may raise a warning, click "Still running".

! (opens new window)

Select the language and click "OK".

! (opens new window)

Click on "Next".

! (opens new window)

Accept the license agreement and click on "Next".

! (opens new window)

Select the software installation directory and click "Install".

! (opens new window)

Wait for the installation to complete.

! (opens new window)

Click "Finish", a command line window will pop up and wait for the installation to complete.

! (opens new window)

There may be an error message about missing optional dependencies, you can ignore it. When you see the following screen, the installation is successful and you can exit by pressing any key.

! (opens new window)

Afterwards you can see the AuthingADConnector service in the Windows service management page: !

! (opens new window)

Next, open your browser and go to http://127.0.0.1:9743 and you will see the following screen.

! !

Fill in your Provisioning Ticket Url, AD Server Link Address, Base DN, Domain Username, Password, and click the "Save" button.

!

If you encounter a problem with the Connector linking to Authing and the test fails, please wait for a while as the Connector handshake with Authing has not yet completed due to network latency.

If you encounter AD-related errors, please check if the AD server link and hint information are correct.

Optional Action: Windows Active Directory User Directory Bi-directional Synchronization"

This section contains the following sections.

  • AD Two-Way Synchronization for the on time
  • Function points for AD Two-Way Synchronization
  • AD Synchronization to Authing
  • Authing sync to AD
  • User authentication related sync
  • A complete two-way sync process

AD two-way sync for the on time

Once configured, you can select the corresponding import method to import the organization.

By default, after you import an organization using AD and you have completed the previous steps, AD's two-way synchronization is turned on

!

Function point of AD two-way synchronization

  1. Sync from AD to Authing
  • Add user information
  • Change user information
  • Delete user information
  • Add organization node
  • Change organization node information
  • Add organization members
  • Delete organization members
  • Deleting organization nodes
  1. Sync from Authing to AD
  • User add (add organization member)
  • User change
  • User Deletion
  • Add organization member
  • Deleting organization members
  • Organization node deletion
  • Organization node information change
  • Organization node addition
  1. User Authentication
  • AD user import
  • Authing user synchronization to AD

Initialize the test environment

  1. Go to the AD root node and create a new organizational unit
  1. create authing-test organizational unit
  1. View the properties of this organizational unit
  1. Go to the attribute editor
  1. Copy the DN of this organizational unit
  1. In the Authing console, go to Sync Center, create a sync task, select Create Windows AD Sync Task, fill in the unique identifier and save.

Fill in the AD-Connector related configuration and save it. Note: Only after AD-Connector and Authing console are saved, the test connection for the console's sync task is available

AD Sync to Authing

Add user information

Change user information

Delete user information

Add organization node

Change organization node information

Add organization members

Delete organization members

Delete organization node

Authing sync to AD

User addition (add organization members)

  1. Add a new user in Authing
  1. add user information
  1. Ensure the existence of Organization imported from AD
  1. Import the new user to the corresponding organization
  1. AD data state before user import
  1. AD data state after user import

User Changes

  1. Modify the user's information
  1. Modify the previous AD data state
  1. AD data state after modification

User Deletion

  1. Delete the user's information
  1. Delete the previous AD data state
  1. AD data state after deletion

Add organization members

Equivalent to User add (add organization member)

Deleting organization members

  1. Remove an member of an organization node

  2. Delete theAD data statebefore theDelete Organization Member`

  3. AD data state after deleting organization members

Organization Node Additions

  1. Add an organization node

  2. AD data state before Added organization node 3.

  3. AD Data Status after Added Organization Node

Organization node information change

  1. Change organization node information 2.

  2. AD data status before Change 3.

  3. AD data state after change

Organization node deletion

  1. Delete organization node

  2. Delete the previous AD data state 3.

  3. AD data state after deletion

User Authentication

AD user import

Authing user sync to AD