Installing AD Connect with IIS
To designate AD Connect with IIS as your identity repository, install AD Connect to your server and configure PingOne for Enterprise to connect to it.
Before you begin
AD Connect with IIS requirements:
- One of the following platforms:
  - Microsoft Windows Server 2019 Desktop with IIS 10.0 (Microsoft Windows Server 2019 Core is not supported)
  - Microsoft Windows Server 2016 with IIS 10.0
  - Microsoft Windows Server 2012 R2 with IIS 8.0 (32-bit/64-bit)
  - Microsoft Windows Server 2012 with IIS 8.0 (32-bit/64-bit)
- TLS 1.2
- Administrator privileges on the Windows Server IIS host.
- The Windows Server IIS host must reside in an Active Directory domain, but for security reasons must not be a domain controller (DC). We highly recommend installing AD Connect on its own IIS host to avoid potential conflicts with the IIS version requirements of other applications (such as SharePoint).
- Port 443 (HTTPS) must be open to your organization.
- Time synchronization must be set up on the Windows Server IIS host.
- Microsoft .NET Framework 4.7.2 installed. The framework installation file is packaged with the AD Connect distribution.
- IIS Server role service installed.
- Windows Authentication role service installed for IIS.
- Port requirements (internal):
  - TCP/UDP 389/636 or 3268 or 3269 inbound/outbound (LDAP connections)
  - TCP/UDP 88 inbound/outbound (Kerberos connections)
  - TCP/UDP 464 (Kerberos, set/change passwords)
  There may be additional port requirements depending on your security policies and deployment.
- Ensure that the Active Directory account lockout option is enabled for all PingOne users. This is necessary to protect user information in PingOne.
- Authentication using Kerberos with Office 365™ for Windows applications and mobile devices is supported. Mac clients for Office 365 require forms-based authentication.
Before you install AD Connect with IIS, ensure that your deployment platform is secure. See Secure your AD Connect with IIS deployment.
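The following PowerShell script is an added example (not Ping Identity tooling and not part of the AD Connect installer) that checks the requirements listed above on the intended IIS host before you start the installer: supported Windows Server edition, domain membership without being a DC, .NET Framework 4.7.2, the IIS and Windows Authentication role services, TLS 1.2 not disabled in SCHANNEL, time synchronization, the internal LDAP/Kerberos ports to the PDC emulator, outbound HTTPS, the domain account lockout policy, and the presence of an HTTPS-bound IIS site. It assumes an elevated session on a domain-joined Windows Server 2012 R2 or later host; `admin.pingone.com` is used as the outbound HTTPS target only because that is the host named in this page, and the Server Core detection via the `ServerLevels` registry key is an assumption about the registry layout.

```powershell
# Added pre-installation check for an AD Connect with IIS host (example, not Ping Identity code).
# Assumes: elevated PowerShell on the domain-joined IIS host, Windows Server 2012 R2+ (Test-NetConnection).
#Requires -RunAsAdministrator

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Platform: Windows Server 2012 / 2012 R2 / 2016 / 2019, and not a Server Core install
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'Supported Windows Server' ($os.Caption -match 'Server 201[2-9]') $os.Caption
# Assumption: Desktop Experience installs carry Server-Gui-Shell=1 under ServerLevels; Core installs do not
$levels = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' -ErrorAction SilentlyContinue
Add-Check 'Not Server Core' ($levels.'Server-Gui-Shell' -eq 1) "Server-Gui-Shell=$($levels.'Server-Gui-Shell')"

# Domain membership, and the host must not be a domain controller (DomainRole 4 = backup DC, 5 = primary DC)
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Member of an AD domain' $cs.PartOfDomain $cs.Domain
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

# .NET Framework 4.7.2 or later: Release value 461808 is the minimum 4.7.2 build number
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = [int]$ndp.Release
Add-Check '.NET Framework 4.7.2+' ($release -ge 461808) "Release=$release"

# IIS Web Server role and the Windows Authentication role service
foreach ($f in 'Web-Server', 'Web-Windows-Auth') {
    $feat = Get-WindowsFeature -Name $f
    Add-Check "Role service $f installed" ([bool]$feat.Installed) $feat.DisplayName
}

# TLS 1.2 server-side: an absent key means the OS default (enabled on these Server versions); Enabled=0 disables it
$tls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -ErrorAction SilentlyContinue
Add-Check 'TLS 1.2 not disabled in SCHANNEL' (($null -eq $tls) -or ($tls.Enabled -ne 0)) "Enabled=$($tls.Enabled)"

# Time synchronization: w32tm reports a Source: line only when the service is syncing
$w32 = w32tm /query /status 2>&1
$source = ($w32 | Select-String 'Source:') -join ''
Add-Check 'Windows Time service synchronized' (($LASTEXITCODE -eq 0) -and ($source -ne '')) $source

# Internal ports to the PDC emulator: any one LDAP/GC port, plus Kerberos 88 and 464 (TCP tested here; UDP is not probed)
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name
$ldapOpen = @()
foreach ($p in 389, 636, 3268, 3269) {
    if ((Test-NetConnection -ComputerName $pdc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded) { $ldapOpen += $p }
}
Add-Check "LDAP/GC port reachable on $pdc" ($ldapOpen.Count -gt 0) ("open: " + ($ldapOpen -join ','))
foreach ($p in 88, 464) {
    $t = Test-NetConnection -ComputerName $pdc -Port $p -WarningAction SilentlyContinue
    Add-Check "Kerberos TCP $p reachable on $pdc" $t.TcpTestSucceeded $t.RemoteAddress
}

# Outbound HTTPS (port 443) to PingOne; admin.pingone.com is the host named in this page
$out = Test-NetConnection -ComputerName 'admin.pingone.com' -Port 443 -WarningAction SilentlyContinue
Add-Check 'Outbound HTTPS to PingOne' $out.TcpTestSucceeded $out.RemoteAddress

# Domain account lockout policy: "Lockout threshold: Never" means lockout is disabled
$acc = net accounts /domain 2>&1
$m = $acc | Select-String 'Lockout threshold:\s+(.+)$'
$threshold = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
Add-Check 'Domain account lockout enabled' (($threshold -ne 'Never') -and ($threshold -ne 'unknown')) "Lockout threshold: $threshold"

# At least one IIS site with an HTTPS binding, which the installer will ask you to select
Import-Module WebAdministration -ErrorAction SilentlyContinue
$https = @(Get-WebBinding -Protocol https -ErrorAction SilentlyContinue)
Add-Check 'IIS site with HTTPS binding' ($https.Count -gt 0) (($https | ForEach-Object { $_.bindingInformation }) -join '; ')

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed requirement(s) not met."
exit $failed
```

Run the script from an elevated PowerShell prompt on the host; a non-zero exit code means at least one requirement failed, and the `Detail` column shows what was found. UDP reachability for the LDAP and Kerberos ports is not probed, so confirm firewall rules for UDP separately.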
About this task
You’ll download AD Connect from the PingOne for Enterprise admin portal and install it on a Windows Server IIS host that resides in an Active Directory domain. During installation, AD Connect with IIS deploys as a Web application in IIS. If you’re not downloading to the IIS host, you’ll need to copy the AD Connect distribution to the host.
Steps
- In PingOne for Enterprise, go to Setup → Identity Repository, click Connect to an Identity Repository, select AD Connect, and follow the prompts to download and install AD Connect.
  You’ll be returning to this PingOne for Enterprise page as part of the AD Connect installation.
  We recommend that you copy and save the product key. If you need to reinstall AD Connect, you can reuse this key.
- On the Windows host, if you’re installing AD Connect in a DMZ, see AD Connect in a DMZ for the ports to open, then join the host to the Windows network.
- Extract the zipped file and launch the installation package. The Welcome page is displayed.
- Click Next. The installation options are displayed. Choose from:
  - AD Connect (with the option to enable user provisioning between Active Directory and PingOne for Enterprise).
  - AD Connect with IIS (with the option to enable user provisioning between Active Directory and PingOne for Enterprise).
  - Provisioner only. Select this option if you already have an AD Connect or AD Connect with IIS installation and want to add user provisioning support for another Active Directory domain.
- Select AD Connect with IIS and, optionally, click Enable user provisioning, then click Next. The AD Connect installer checks that the prerequisites are in place. If all prerequisites are in place, the installation proceeds to the activation tab.
  The installer checks whether the following services are installed:
  - .NET Framework. If this isn’t installed, you can install it using the .NET distribution located in the AD Connect installation directory.
  - IIS Server role. If this isn’t installed, install this role service using Windows Server Manager.
  - Windows Authentication role. If this isn’t installed for IIS, install this role service using Windows Server Manager.
  If you need to install any of these services, return to the AD Connect screen when the service installations are complete and click Verify Install.
- At the AD Connect activation screen, paste the Organization ID value displayed in the PingOne for Enterprise admin portal. If you’ve closed the browser window, log in to admin.pingone.com again, and on the Setup → Identity Repository page, select Review/Change for the AD Connect configuration.
- In the Product Key field, enter the product key you assigned in the PingOne for Enterprise admin portal, then click Activate. The activation message is displayed.
- Click Next. The web site selection screen is displayed.
- Select the IIS HTTPS-enabled site that AD Connect is to use. AD Connect is deployed to this site as a web application. Click Next. The installation screen is displayed.
- You’re prompted for the installation path to use, and are then prompted to install AD Connect.
  When the installation is complete, we’ll send you a notification email.
- When you click Finish, the PingOne for Enterprise admin portal login page is automatically displayed in a new tab or window.
  Whenever you log in to PingOne for Enterprise, your prior session state is retained.
- See AD Connect for IIS final setup to complete the setup for AD Connect with IIS.