---
title: Installing AD Connect
description: To designate AD Connect as your identity repository, install AD Connect to your server and configure PingOne for Enterprise to connect to it.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_installing_adc
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_installing_adc.html
revdate: March 30, 2023
section_ids:
  before-you-begin-ad-connect-requirements: Before you begin AD Connect requirements:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  choose-from: Choose from:
  next-steps: Next steps
---

# Installing AD Connect

To designate AD Connect as your identity repository, install AD Connect to your server and configure PingOne for Enterprise to connect to it.

## Before you begin AD Connect requirements:

* One of the following platforms:

  * Microsoft Windows Server 2019 Desktop (not Core)

  * Microsoft Windows Server 2016

  * Microsoft Windows Server 2012 R2

  * Microsoft Windows Server 2012

* TLS 1.2

* Microsoft .NET Framework 4.7.2 installed. The framework installation file is packaged with the AD Connect distribution.

* Port requirements:

  * TCP 443 inbound/outbound (Websocket connections to PingOne for Enterprise)

  * (If IWA is enabled) TCP 80 internal, inbound/outbound (IWA connections)

* Ensure that the AD Connect account lockout option is enabled for all PingOne for Enterprise users. This is necessary to protect user information in PingOne for Enterprise.

* AD Connect does not support authentication using IWA with Microsoft 365 or mobile devices. IWA does not work with iOS.

## About this task

You must install AD Connect on a Windows Server host that resides in an Active Directory domain.

If you're installing AD Connect on a host in a DMZ, you must ensure some ports are open. For more information, see [AD Connect in a DMZ](p14e_adc_dmz.html).
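
A preflight script for the platform, domain, .NET, TLS and port requirements above, added here as an example and not part of Ping Identity's documentation or tooling. `$PingOneHost` is a placeholder for your tenant's PingOne for Enterprise endpoint, which this page does not name.

```powershell
# Added example: preflight checks for the AD Connect host requirements.
# $PingOneHost is a placeholder (assumption); replace it with the
# PingOne for Enterprise endpoint your organization connects to.
param([string]$PingOneHost = 'pingone-endpoint.example.invalid')

$results = [ordered]@{}

# Platform: Windows Server, full Desktop installation (not Core).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host "Detected OS: $($cv.ProductName)"
$results['DesktopNotCore'] = ($cv.InstallationType -eq 'Server')

# The host must reside in an Active Directory domain.
$results['DomainJoined'] = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

# .NET Framework 4.7.2 or later reports a Release value of 461808 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet472'] = ($null -ne $ndp -and $ndp.Release -ge 461808)

# TLS 1.2 client support is on by default on these platforms unless
# SCHANNEL registry values explicitly turn it off.
$tls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -ErrorAction SilentlyContinue
$results['Tls12NotDisabled'] = -not ($tls -and ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1))

# Outbound TCP 443: open a socket and force a TLS 1.2 handshake, so a proxy
# or firewall that downgrades or blocks the connection shows up here.
$results['Outbound443Tls12'] = $false
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($PingOneHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($PingOneHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $results['Outbound443Tls12'] = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
} catch {
    Write-Warning "TLS 1.2 connection to ${PingOneHost}:443 failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}

$results.GetEnumerator() | Format-Table Name, Value -AutoSize
if ($results.Values -contains $false) { exit 1 }
```

The script exits with code 1 if any check fails, so it can gate an automated build of the host before the installer is run.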

## Steps

1. Go to **Setup > Identity Repository**, and then click **Connect to an Identity Repository**.

   If you are changing to AD Connect from another identity repository, click **Change Identity Repository**.

2. Select **Active Directory**. Click **Next**.

3. Download AD Connect:

   1. Click **Download AD Connect** and save the `adconnect-installer.zip` file to your directory.

   2. Extract the `.zip` file and open the `ADConnectSetup.msi` file to start the installer.

   3. When the installer starts, click **Next**.

   4. On the **Installation Type** window, select **AD Connect**. Click **Next**.

   5. **Optional:** To enable users and groups to be automatically provisioned into PingOne for Enterprise, select **Enable user provisioning**.

4. Set up the product key:

   1. In **PingOne for Enterprise**, on the **Set Up Product Key** tab, in the **Product Key** text field, enter a key.

   2. In the **AD Connect Installer**, in the **Enter Product Key** field, enter the same key you entered in the previous step.

5. Install AD Connect:

   1. From the **Install AD Connect** tab in **PingOne for Enterprise**, copy the **Organization ID** value.

   2. In the **AD Connect installer**, paste the value in the **Enter Organization ID** field and click **Activate**.

      ### Result:

      If the product key and organization ID match in both PingOne for Enterprise and the AD Connect installer, the AD Connect installer displays a confirmation message.

   3. Click **Next**.

   4. In the **Destination Folder** window, enter the destination folder where you will install AD Connect. Click **Next**.

   5. Click **Install**.

   6. When the installation finishes, click **Finish**.

   7. In **PingOne for Enterprise**, click **Verify Installation**.

      ### Result:

      PingOne for Enterprise displays a message confirming the installation.

   8. Click **Next**.

6. In **PingOne for Enterprise**, from the **Authentication - Account Lookup Method** list, select the Active Directory attribute to verify the user account:

   ### Choose from:

   * **Mail**: The email address assigned to the user.

   * **sAMAccountName**: The legacy Windows login name for the user.

   * **Filter**: An LDAP filter to use when looking up the account information for the user.

   * **userPrincipalName**: Typically the user's email address without the divider or the domain.

7. From the **Subject Attribute** list, choose a value to return to your applications as the SAML subject.

   Possible values are **sAMAccountName** or **userPrincipalName**. **userPrincipalName** is appropriate for most organizations.

8. **Optional:** To pass Windows credentials through your web browsers for automated authentication, click **Enable Integrated Windows Authentication**.

   This requires further configuration for your web browsers. For more information, see [Using IWA with browser clients](p14e_adc_using_iwa_browser_clients.html).

9. **Optional:** To allow users to reset their Active Directory password from the PingOne for Enterprise sign-on page, click **Enable Password Change**.

10. **Optional:** To return all of the nested group memberships for your users, click **Enable Group Hierarchy**.

    Enabling this option can cause sign-ons to take longer.

11. Click **Next**.

12. On the **Map Attributes** tab, map attributes from Active Directory to the SAML assertions for your applications.

    1. For the **SAML\_SUBJECT** list, select the same value that you chose for the **Subject Attribute** list in the previous tab.

    2. For the **memberOf** attribute, select **memberOf**.

    3. For the **fname** attribute, select **givenName**.

    4. For the **lname** attribute, select **sn**.

    5. For the **email** attribute, select **mail**.

    6. For the **phoneNumber** attribute, select **telephoneNumber**.

13. Click **Save**.

## Next steps

To assign branding for your AD Connect connection, see [Assign AD Connect branding and designs](p14e_assign_adc_branding_design.html).
