This section provides information about supported connections and privilege requirements.
The Encryption Type resource parameter allows you to enter the encryption type that the Identity Manager gateway will use to communicate with the Active Directory server. Valid values for this field are None (the default value), Kerberos, and SSL.
To use SSL, a certificate authority must be set up in the domain. In addition, the username used to access Active Directory must be in UPN format (for example, DomainName\UserName).
This section describes Active Directory permission and reset password permission requirements.
The administrative account configured in the Active Directory resource must have the appropriate permissions in Active Directory.
The permissions required to create, delete, and update resource objects are the standard Active Directory permissions: the account needs Create and Delete permissions for the corresponding object type, and Read/Write permissions on each property that will be updated.
To support Active Directory (AD) pass-through authentication:
When configuring the Gateway to run as a user, that user account must have the “Act As Operating System” and “Bypass Traverse Checking” user rights. By default, the Gateway runs as the Local System account, which should already have these rights. Also, the “Bypass Traverse Checking” user right is enabled for all users by default.
If you must update user rights, there might be a delay before the updated security policy is propagated. Once the policy has been propagated, you must restart the Gateway.
Accounts being authenticated must have “Access This Computer From The Network” user rights on the Gateway system.
The Gateway uses the LogonUser function with the LOGON32_LOGON_NETWORK log-on type and the LOGON32_PROVIDER_DEFAULT log-on provider to perform pass-through authentication. The LogonUser function is provided with the Microsoft Platform Software Development Kit.
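The following added example (not part of the Identity Manager documentation or the Gateway itself) is a pre-flight check to run on the Gateway host before enabling pass-through authentication: it makes the same LogonUser call described above, with the LOGON32_LOGON_NETWORK type and LOGON32_PROVIDER_DEFAULT provider, and maps the common failure codes back to the user rights listed in this section. The domain and account name are constructed sample values.

```powershell
# Added example: verify the pass-through authentication prerequisites on the
# Gateway host using the same LogonUser call the Gateway makes.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NETWORK    = 3   # log-on type used by the Gateway
$LOGON32_PROVIDER_DEFAULT = 0   # log-on provider used by the Gateway

function Test-GatewayPassThrough {
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$UserName)

    # Prompt for the password interactively so it is never stored in a script.
    $cred  = Get-Credential -UserName "$Domain\$UserName" -Message 'Account to test'
    $token = [IntPtr]::Zero
    $ok  = [Win32.Logon]::LogonUser($UserName, $Domain,
               $cred.GetNetworkCredential().Password,
               $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($ok) {
        [void][Win32.Logon]::CloseHandle($token)
        return 'OK: network logon succeeded; the Gateway can authenticate this account'
    }
    switch ($err) {
        # ERROR_LOGON_TYPE_NOT_GRANTED: the right named in this section is missing
        1385 { "FAIL ($err): account lacks 'Access This Computer From The Network' on this host" }
        # ERROR_LOGON_FAILURE: credentials themselves were rejected
        1326 { "FAIL ($err): bad user name or password" }
        # ERROR_PRIVILEGE_NOT_HELD: the calling (Gateway) account lacks a privilege
        1314 { "FAIL ($err): calling account lacks a required privilege (check 'Act As Operating System')" }
        default { "FAIL ($err): $((New-Object ComponentModel.Win32Exception $err).Message)" }
    }
}

Test-GatewayPassThrough -Domain 'CORP' -UserName 'jdoe'   # constructed sample account
```

Run it under the same account the Gateway service uses, since the "Act As Operating System" requirement applies to the caller, not to the account being tested.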
The administrative account must have access to the Deleted Objects container in Active Directory. By default, only Administrators and the System account have access to this container; other users can be granted access. For information on granting access to the Deleted Objects container, see Microsoft Knowledge Base article 892806.