---
title: AD Connect for IIS final setup
description: You're completing the setup or manual update of AD Connect for IIS and are ready to verify the AD Connect for IIS installation and configure additional settings in PingOne for Enterprise.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_adc_iis_final_setup
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_adc_iis_final_setup.html
revdate: June 5, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  next-steps: Next steps
---

# AD Connect for IIS final setup

## About this task

You're completing the setup or manual update of AD Connect for IIS and are ready to verify the AD Connect for IIS installation and configure additional settings in PingOne for Enterprise.

## Steps

1. On the PingOne for Enterprise admin portal page for AD Connect, click **Verify Installation**. PingOne for Enterprise checks the connection to the AD Connect identity bridge.

   If you're using AD Connect in a clustered, high availability configuration, you will verify the installation in the PingOne admin portal only for the initial AD Connect installation.

2. For Authentication, the setting for `Account Lookup Method` is displayed.

   This setting assigns the Active Directory user attribute to use when looking up the account information for the user during authentication. This can be:

   * **Mail**. The email address assigned to the user.

   * **sAMAccountName**. The legacy Windows logon name for the user.

   * **Filter**. An LDAP filter to use when looking up the account information for the user.

     Include `{0}` in your filter where you want the user's input to be substituted. For example, if you want to look up users by `sAMAccountName`, you would enter `sAMAccountName={0}`.

3. For Delegated Authentication, the setting for `Account Lookup Method` is displayed.

   This setting assigns the Active Directory user attribute to use when looking up the account information for the user during delegated authentication. This can be:

   * **Mail**. The email address assigned to the user.

   * **sAMAccountName**. The legacy Windows logon name for the user.

   * **Filter**. An LDAP filter to use when looking up the account information for the user.

     Include `{0}` in your filter where you want the user's input to be substituted. For example, if you want to look up users by `sAMAccountName`, you would enter `sAMAccountName={0}`.

4. In the Identity Provider SSO URL section, check that a valid URL to your IIS host is displayed, and that the connection string for the SSO URL is correct. If needed, change either of these URLs.

5. The settings for `Entity ID`, `Assertion Lifetime` and `Authentication Type` are displayed.

   The `Entity ID` setting for your deployment is also displayed. This uniquely identifies the identity bridge to PingOne. This identifier is used in the Issuer element of the SAML assertion sent to us by the identity bridge. Do not change this setting unless we advise you to do so.

   1. Check that the `Assertion Lifetime` setting is acceptable. Generally, you needn't change the default setting.

      This setting indicates how long the SAML assertion remains valid (in minutes).

   2. For Authentication, check that the `Authentication Type` setting is acceptable.

      This setting assigns the type of authentication the AD Connect identity bridge is to use. This can be:

      * **Integrated**. Integrated Windows Authentication (IWA) is used when the user is on your organization's network. A user is prompted for their credentials only once during the same browser session.

      * **Forms**. A Web-based authentication form is used. A user is prompted for their credentials at every authentication point during the same browser session.

      * **Hybrid**. A combination of Integrated Windows Authentication (IWA) and Form-based authentication is used. IWA is limited to intranet users who fall within a certain IP block range (specified in the `Intranet IP Block` attribute). Form-based authentication is used in all other cases (intended for those users authenticating from outside your organization's intranet).

   If you're using Integrated or Hybrid types, see [Configure IWA for AD Connect with IIS](p14e_configure_iwa_adc_iis.html).

6. Click **Finish**.

   When you return to the **Setup > Identity Repository** page, a summary of the settings for your identity bridge is displayed. You can click the Edit icon to modify the settings.
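The **Filter** option in steps 2 and 3 substitutes the user's input wherever `{0}` appears. The following added example (not AD Connect code, and not taken from Ping Identity) shows that substitution with RFC 4515 escaping, plus a few sanity checks worth running on a filter before you enter it. The function names are hypothetical, and this page does not state how AD Connect itself escapes input.

```python
import re

# RFC 4515 section 3: characters that must be written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be a literal value in the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_template(template: str) -> list[str]:
    """Return the problems found in a filter template (empty list means OK)."""
    problems = []
    if "{0}" not in template:
        problems.append("missing {0} placeholder")
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    # A wildcard next to the placeholder turns an exact lookup into a
    # substring match, which can return more than one account.
    if re.search(r"\*\{0\}|\{0\}\*", template):
        problems.append("wildcard adjacent to {0}")
    return problems


def render(template: str, user_input: str) -> str:
    """Substitute the escaped user input for every {0} in the template."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("{0}", escape_filter_value(user_input))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real directory.
    template = "(&(objectClass=user)(sAMAccountName={0}))"
    for name in ["jdoe", "*", "jdoe)(x=y"]:
        print(f"{name!r:16} -> {render(template, name)}")
```
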

## Next steps

When you've completed your configuration:

* If you've upgraded:

  * You need to set the proper verification certificate. While logged in as an Administrator, browse to `https://localhost/adconnect/config.aspx`.

    In the bottom left of this page you will find the digital signature portion. Select the certificate that you'd assigned for the previous AD Connect installation, or want to assign for this installation. You can also choose to use the self-signed certificate.

    If an error displays after you've selected the verification certificate stating that the certificate does not have the proper permissions, see the PingOne Knowledge Base article [Manually updating the AD Connect signing certificate](https://support.pingidentity.com/s/article/PingOne-Manually-updating-the-AD-Connect-signing-certificate).

  * If you upgraded from version 1.x, in the PingOne admin portal, you will see that the group short names have been converted to their full DN. If you have multiple domains or child domains, check your application group mappings to ensure all of the correct groups have been selected for your application.

* If you're using AD Connect with IIS in a clustered, high availability configuration, repeat these steps on each AD Connect host.
