Active Directory

Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers
  • Reviewing the Join and Provision Rules for your environment
  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip these prerequisites.


EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system. In this article, we demonstrate how to use the EmpowerID Active Directory connector to connect to Active Directory. After ensuring you have met the prerequisites specified in the Getting Started with Directory Systems topic, you connect EmpowerID to Active Directory by doing the following:

  1. Creating an account store in EmpowerID for Active Directory.
  2. Configuring EmpowerID settings for the account store connection, including whether to provision EmpowerID Persons during inventory or in batches using the Account Inbox permanent workflow.
  3. Mapping your external roles and locations to corresponding EmpowerID Business Roles and Locations.
  4. Reviewing and configuring the attribute flow rules for the account store.
  5. Turning on inventory.
  6. Enabling the Account Inbox Permanent Workflow when ready—if you are using batch processing to provision Person objects from the inventoried user accounts. This is the recommended method.
  7. Monitoring Inventory.

Before connecting EmpowerID to a directory system, you should determine whether you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If you do, then you should be able to answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time using the Account Inbox (recommended)?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
  6. If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?

If you are connecting to an Active Directory forest with multiple domains, you must first create an account store for the forest root domain before creating account stores for the other domains in the forest. The proxy account used when adding your AD account store must have read access to the AD Configuration partition for topology discovery to succeed. Topology discovery fails if this order is not followed or the proxy account lacks that access.


You do not need to enable inventory on the account store created for the forest root domain.

To create an account store for Active Directory via the web site

  1. From the Navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. Click the Actions tab, and then click the Create Account Store action.



  3. Search for Active Directory and then click the record for Active Directory Domain Services to select that system type and click Submit.



    The Active Directory Settings page appears, where you enter the settings EmpowerID uses to discover and connect to your Active Directory.



  4. On the Active Directory Settings page, do the following:

    1. In the Name and Display Name fields, enter a name for the Active Directory account store.
    2. In the FQDN field, enter the fully qualified domain name of the AD forest.

      If you are using LDAPS, enter the Subject name of the certificate of the domain controller to which you are connecting, followed by port 636, in the FQDN of Forest field. Thus, if the Subject name is "dc01.eiddoc.com", you enter dc01.eiddoc.com:636.

    3. In the Proxy Account Username field, enter a user account that has read access to the Active Directory configuration partition that holds the list of all of the domains in the forest (and to the Exchange Organization, if present). 

    4. In the Account Domain field, enter the NetBIOS name of the domain or child domain that hosts Active Directory. 

    5. In the Password field, enter the password for the proxy account.
    6. Click Submit.

  5. On the Choose Servers page that appears, select the appropriate EmpowerID server and click Submit.

    The Choose Servers page displays only those servers where the EmpowerID Web Role service is running. If you do not see your server on the page, check the following:

    • Ensure that the server has been assigned either the All-in-One Server or Web Front-End server role.
    • Ensure that the EmpowerID Web Role service is running.

    (The LDAP Management Host Web Service is responsible for LDAP communications and is enabled by default on each server running the EmpowerID Web Role service.)


    Select the server or servers to register and click Submit.

    All selected servers must be in the same forest and able to communicate with the Active Directory over LDAP port TCP 389.
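As an added pre-flight check (example code, not part of EmpowerID or this documentation), the following PowerShell script, run from the EmpowerID server you intend to register, verifies the three requirements above before you submit the account store: the LDAP (389) or LDAPS (636) port is reachable, the LDAPS certificate Subject matches the name you will enter in the FQDN field, and the proxy account can read the Configuration partition and enumerate the forest's domains. The forest name, proxy account and password are placeholders.

```powershell
# Pre-flight check for the Active Directory account store prerequisites.
# Added example, not EmpowerID code. All values below are placeholders.
param(
    [string]$ForestFqdn = 'dc01.example.com',      # placeholder: DC name (the LDAPS certificate Subject if using LDAPS)
    [string]$ProxyUser  = 'EXAMPLE\svc-empowerid', # placeholder: DOMAIN\proxy account
    [string]$ProxyPass  = 'REPLACE_ME',            # placeholder: proxy account password
    [switch]$UseLdaps                              # test port 636 instead of 389
)
Add-Type -AssemblyName System.DirectoryServices

$port = if ($UseLdaps) { 636 } else { 389 }

# 1. The EmpowerID server must reach the domain controller on the LDAP or LDAPS port.
$tcp = Test-NetConnection -ComputerName $ForestFqdn -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "TCP port $port on $ForestFqdn is not reachable from this server" }
"TCP $port to ${ForestFqdn}: OK"

# 2. For LDAPS, the certificate Subject must match the name entered (with :636) in the FQDN field;
#    otherwise the TLS handshake fails before any bind is attempted.
if ($UseLdaps) {
    $client = [System.Net.Sockets.TcpClient]::new($ForestFqdn, 636)
    $ssl    = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($ForestFqdn)   # throws if the name or the chain does not validate
    $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "LDAPS certificate Subject: $($cert.Subject) (valid until $($cert.NotAfter))"
    $ssl.Dispose(); $client.Dispose()
}

# 3. The proxy account must be able to read the Configuration partition: enumerate the forest's
#    domains (crossRef objects under CN=Partitions), which is what topology discovery relies on.
$prefix   = if ($UseLdaps) { "LDAP://${ForestFqdn}:636/" } else { "LDAP://${ForestFqdn}/" }
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($UseLdaps) { $authType = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
$rootDse  = [System.DirectoryServices.DirectoryEntry]::new("${prefix}RootDSE", $ProxyUser, $ProxyPass, $authType)
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$parts    = [System.DirectoryServices.DirectoryEntry]::new("${prefix}CN=Partitions,$configNc", $ProxyUser, $ProxyPass, $authType)
$search   = [System.DirectoryServices.DirectorySearcher]::new($parts, '(&(objectClass=crossRef)(nETBIOSName=*))', @('nETBIOSName', 'dnsRoot'))
$domains  = $search.FindAll()
if ($domains.Count -eq 0) { throw "Proxy account $ProxyUser could not read domain crossRef objects under $configNc" }
"Domains readable by ${ProxyUser}:"
$domains | ForEach-Object { '  {0,-16} {1}' -f $_.Properties['netbiosname'][0], $_.Properties['dnsroot'][0] }
```

Every domain in the forest should appear in the final listing; a bind error or an empty list means the proxy account does not yet have the read access the settings page requires.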