AD Connect security best practices
Keep your AD Connect configuration and data secure with the following tips and tools.
Encrypt configuration files
AD Connect stores configuration data in the following files:
- AuthenticationAgent.exe.config
- Provisioner.exe.config
- Softwareupdater.exe.config
These files contain sensitive data, such as the product key.
You can encrypt these files using the Windows Aspnet_config.exe utility.
Because of a limitation of
For more information, see Encrypting and Decrypting Configuration Sections in the Microsoft documentation.
Ping Identity does not test AD Connect with encrypted configuration files. Encrypting these files could cause unforeseen complications, and you do so at your own risk. If encrypted configuration files do cause trouble, you can reinstall AD Connect.
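Before and after encrypting, it helps to verify which sections of each file are actually protected. The following is an added PowerShell check, not Ping Identity's code: it lists every top-level section of a .NET .config file and reports whether it carries a configProtectionProvider attribute (set by the .NET protected-configuration mechanism) or is still plaintext. The sample config, the install directory and the file list loop are assumptions for illustration.

```powershell
# Added example (not part of AD Connect). An encrypted .NET config section has a
# configProtectionProvider attribute and an <EncryptedData> child; any other
# section is readable by anyone who can read the file.
function Get-ConfigSectionProtection {
    param(
        [Parameter(Mandatory)][xml]$Config,   # parsed .config document
        [string]$Label = ''                   # file name to show in the report
    )
    foreach ($section in $Config.configuration.ChildNodes) {
        # Only element nodes are sections; skip comments and whitespace.
        if ($section.NodeType -ne 'Element') { continue }
        $provider = $section.GetAttribute('configProtectionProvider')
        [pscustomobject]@{
            File      = $Label
            Section   = $section.Name
            Encrypted = [bool]$provider       # "" (absent) -> $false
            Provider  = if ($provider) { $provider } else { '(plaintext)' }
        }
    }
}

# Constructed sample: appSettings protected with DPAPI, connectionStrings left
# in plaintext. The cipher value and credentials are placeholders.
[xml]$sample = @'
<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>BASE64-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </appSettings>
  <connectionStrings>
    <add name="db" connectionString="Server=sql;User Id=svc;Password=PLACEHOLDER" />
  </connectionStrings>
</configuration>
'@
Get-ConfigSectionProtection -Config $sample -Label 'sample.config' | Format-Table -AutoSize

# Run the same check over the three AD Connect files. The install directory is
# an assumed placeholder; adjust it to your installation.
$installDir = 'C:\Program Files\Ping Identity\AD Connect'
'AuthenticationAgent.exe.config', 'Provisioner.exe.config', 'Softwareupdater.exe.config' |
    ForEach-Object {
        $path = Join-Path $installDir $_
        if (Test-Path $path) {
            Get-ConfigSectionProtection -Config ([xml](Get-Content -Path $path -Raw)) -Label $_
        } else {
            Write-Warning "Not found: $path"
        }
    } | Format-Table -AutoSize
```

Any row reported as (plaintext) in a section that holds the product key or other secrets is still exposed to anyone with read access to the file.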
Enable IWA
If you enable Integrated Windows Authentication (IWA), users within your organization’s network will be authenticated through IWA. This improves security by reducing the need for user credentials to be communicated over the internet.
However, IWA has other limitations to consider. For example, your users will not be able to sign out of PingOne for Enterprise, because IWA will automatically sign them back in.
For more information, see Using IWA with browser clients.
Use userPrincipalName as the subject attribute
AD Connect has two options for which attribute to use as the subject attribute. While sAMAccountName is unique only within an Active Directory (AD) domain, userPrincipalName is unique across all AD domains.
If your user population contains multiple AD domains, select userPrincipalName as the subject attribute to avoid the potential of different users in different domains signing in using the same username.
For more information, see AD Connect final setup.