Encrypt configuration files

AD Connect stores configuration data in the following files:

  • AuthenticationAgent.exe.config
  • Provisioner.exe.config
  • Softwareupdater.exe.config

These files contain sensitive data, such as the product key.

You can encrypt these files using the Windows Aspnet_config.exe utility.


Because of a limitation of Aspnet_config.exe, you must:

  1. Rename the configuration files to web.config.
  2. Run Aspnet_config.exe to encrypt the files.
  3. Rename the files back to their original filenames.

For more information, see Encrypting and Decrypting Configuration Sections in the Microsoft documentation.


Ping Identity does not test AD Connect with encrypted configuration files. Encrypting these files could cause unforeseen complications, and you do so at your own risk.

If encrypted configuration files do cause trouble, you can reinstall AD Connect.

Enable IWA

If you enable Integrated Windows Authentication (IWA), users within your organization's network will be authenticated through IWA. This improves security by reducing the need for user credentials to be communicated over the internet.

However, IWA has other limitations to consider. For example, your users will be unable to sign off of PingOne for Enterprise because IWA will automatically sign them back on.

For more information, see Using IWA with browser clients.

Use userPrincipalName as the subject attribute

AD Connect has two options for which attribute to use as the subject attribute. While sAMAccountName is unique only within an Active Directory (AD) domain, userPrincipalName is unique across all AD domains.

If your user population contains multiple AD domains, select userPrincipalName as the subject attribute to avoid the potential of different users in different domains signing in using the same username.

For more information, see AD Connect final setup.