Sun Identity Manager 8.1 Resources Reference

Usage Notes

This section lists dependencies and limitations related to using the Active Directory connector, including:

- Checking Password History
- Configuring Active Sync
- Specifying a Domain for Pass-Through Authentication

Checking Password History

To check the password history for an Active Directory account when an end user changes his or her password, the user must provide an AD password. You can enable this feature on an AD resource by selecting the User Provides Password On Change checkbox on the Resource Parameters page and adding the WS_USER_PASSWORD attribute to the account attributes with type encrypted. WS_USER_PASSWORD must be added both as an Identity Manager User Attribute and as a Resource User Attribute.

Configuring Active Sync

If the Search Child Domains resource parameter is NOT selected, the LDAP Hostname must be configured to specify the hostname of a specific Domain Controller, because Active Sync must always connect to the same Domain Controller. If the Search Child Domains option is selected, then the Sync Global Catalog Server must be set to a specific Global Catalog server.

See Chapter 52, Active Directory Synchronization Failover for information about limiting the number of repeated events that occur when you switch to a new domain controller.

Specifying a Domain for Pass-Through Authentication

In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the connector server searches all known domains and tries to authenticate the user in the domain that contains the user.
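The following fragment is an added illustration of where these properties live in the resource object's XML; it is not taken from the product documentation. The element name AuthnProperties and the property names w2k_user and w2k_password come from the text above; the AuthnProperty child element, its dataSource, displayName and formFieldType attributes, the w2k_domain property and the placeholder resource name are assumptions based on the connector's usual resource definition and should be checked against your own exported resource object before use.

```xml
<!-- Illustrative fragment, not a complete Resource object.
     RESOURCE_NAME is a placeholder. -->
<Resource name='RESOURCE_NAME' type='Windows Active Directory'>

  <!-- Default pass-through configuration: only user ID and password
       are sent, so the connector server searches every known domain
       for the user before authenticating. -->
  <AuthnProperties>
    <AuthnProperty name='w2k_user' dataSource='user'
                   displayName='UI_USERID_LABEL' formFieldType='text'/>
    <AuthnProperty name='w2k_password' dataSource='user'
                   displayName='UI_PASSWORD_LABEL' formFieldType='password'/>

    <!-- Assumed: supplying a domain property restricts authentication
         to one domain, which avoids the multi-domain search and the
         repeated failed attempts it can generate. The dataSource used
         for the domain must be the same for every resource in a
         Login Module Group. -->
    <AuthnProperty name='w2k_domain' dataSource='user'
                   displayName='UI_AD_DOMAIN_LABEL' formFieldType='text'/>
  </AuthnProperties>

</Resource>
```

The defensive reason to pin the domain is the lockout behaviour described below: with no domain specified, a single mistyped password is presented to every domain in which the user exists, so each failed login counts against that domain's lockout threshold.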

In a trusted multi-domain environment, there can be two possible situations:

When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Business Administrator's Guide for more information about setting up common resources.

In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.

Login failures will occur in a domain if the user exists in that domain but the password there is not synchronized.

It is not possible to use multiple data sources for the domain information in one Login Module Group.