To designate AD Connect with IIS as your identity repository, install AD Connect to your server and configure PingOne for Enterprise to connect to it.
- One of the following platforms:
  - Microsoft Windows Server 2019 Desktop with IIS 10.0
    Note: Microsoft Windows Server 2019 Core is not supported.
  - Microsoft Windows Server 2016 with IIS 10.0
  - Microsoft Windows Server 2012 R2 with IIS 8.0 (32-bit/64-bit)
  - Microsoft Windows Server 2012 with IIS 8.0 (32-bit/64-bit)
- TLS 1.2
- Administrator privileges on the Windows Server IIS host.
- The Windows Server IIS host must reside in an Active Directory domain but, for security reasons, must not be a domain controller (DC). We highly recommend that AD Connect be installed on its own IIS host to avoid potential conflicting IIS version requirements for other applications (such as SharePoint®).
- Port 443 (HTTPS) must be open to your organization.
- Time synchronization must be set up on the Windows Server IIS host.
- Microsoft .NET 4.7.2 Framework installed. The framework installation file is packaged with the AD Connect distribution.
- IIS Server role service installed.
- Windows Authentication role service installed for IIS.
- Port requirements (internal):
  - TCP/UDP 389/636 or 3268 or 3269 inbound/outbound (LDAP connections)
  - TCP/UDP 88 inbound/outbound (Kerberos connections)
  - TCP/UDP 464 (Kerberos, set/change passwords)
There may be additional port requirements depending on your security policies and deployment.
- Ensure that the Active Directory account lockout option is enabled for all PingOne users. This is necessary to protect user information in PingOne.
- Authentication using Kerberos with Office 365 for Windows Applications and Mobile devices is supported. Mac Clients for Office 365 require forms-based authentication.
Note: Before you install AD Connect with IIS, ensure that your deployment platform is secure. See Secure your AD Connect with IIS deployment.
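The following read-only pre-flight script checks the host requirements listed above before you run the installer. It is an added example, not part of the AD Connect distribution or Ping Identity's documentation; the check names and the `Add-Check` helper are assumptions, while the threshold values (the .NET Release number for 4.7.2, the IIS feature names, the LDAP/Kerberos ports) come from the requirements list and Microsoft's published documentation. Run it in an elevated PowerShell session on the prospective IIS host.

```powershell
# Added example (not Ping Identity's own tooling): pre-flight check of the
# AD Connect with IIS host requirements. Read-only; it changes nothing.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Administrator privileges on the IIS host
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Administrator privileges' $isAdmin 'Needed to deploy the IIS web application'

# 2. Supported edition: Server Core is not supported (InstallationType = "Server Core")
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$isCore = $cv.InstallationType -eq 'Server Core'
Add-Check 'Not Server Core' (-not $isCore) "$($cv.ProductName) ($($cv.InstallationType))"

# 3. Domain member, but not a domain controller (DomainRole 4 = backup DC, 5 = primary DC)
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain member' $cs.PartOfDomain "Domain: $($cs.Domain)"
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole = $($cs.DomainRole)"

# 4. .NET Framework 4.7.2 or later: Release 461808 is the documented minimum for 4.7.2
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Check '.NET Framework 4.7.2+' ($release -ge 461808) "Release = $release"

# 5. IIS Web Server role and the Windows Authentication role service
Import-Module ServerManager -ErrorAction SilentlyContinue
foreach ($f in 'Web-Server', 'Web-Windows-Auth') {
    $feat = Get-WindowsFeature -Name $f -ErrorAction SilentlyContinue
    $state = if ($feat) { $feat.InstallState } else { 'unknown' }
    Add-Check "Feature $f" ($feat -and $feat.Installed) "$state"
}

# 6. TLS 1.2 not disabled server-side in SCHANNEL (no override key = OS default, enabled on these servers)
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$tls = Get-ItemProperty $tlsKey -ErrorAction SilentlyContinue
$tlsOk = (-not $tls) -or ($tls.Enabled -ne 0)
$tlsDetail = if ($tls) { "Enabled = $($tls.Enabled)" } else { 'no override key; OS default' }
Add-Check 'TLS 1.2 server-side enabled' $tlsOk $tlsDetail

# 7. Time synchronization: the Windows Time service must be running
$w32 = Get-Service W32Time -ErrorAction SilentlyContinue
$w32State = if ($w32) { "$($w32.Status)" } else { 'service not found' }
Add-Check 'Windows Time service running' ($w32 -and $w32.Status -eq 'Running') $w32State

# 8. Reachability of the LDAP, Global Catalog and Kerberos TCP ports from this host.
#    The domain DNS name resolves to domain controllers; UDP is not tested here.
foreach ($port in 389, 636, 3268, 3269, 88, 464) {
    $ok = Test-NetConnection -ComputerName $cs.Domain -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check "TCP $port to $($cs.Domain)" $ok 'LDAP / GC / Kerberos'
}

# 9. Account lockout enabled in the default domain policy (needs the ActiveDirectory module)
if (Get-Module -ListAvailable ActiveDirectory) {
    $pol = Get-ADDefaultDomainPasswordPolicy
    Add-Check 'AD account lockout enabled' ($pol.LockoutThreshold -gt 0) "LockoutThreshold = $($pol.LockoutThreshold)"
} else {
    Add-Check 'AD account lockout enabled' $false 'ActiveDirectory module absent; verify with: net accounts /domain'
}

$results | Format-Table -AutoSize
```

Any row with `Pass` equal to `False` corresponds to an item in the list above that still needs attention. The port checks only prove TCP reachability to whichever domain controller the domain name resolved to; firewall rules for UDP 88/389/464 and for inbound traffic still need to be confirmed against your own policy.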
You'll download AD Connect from the PingOne admin portal and install it on a Windows Server IIS host that resides in an Active Directory domain. During installation, AD Connect with IIS deploys as a Web application in IIS. If you're not downloading to the IIS host, you'll need to copy the AD Connect distribution to the host.
In PingOne
On the Windows host