Keep your AD Connect configuration and data secure with the following tips and tools.
Encrypt configuration files
AD Connect stores configuration data in the following files:
These files contain sensitive data, such as the product key.
You can encrypt these files using the Windows aspnet_regiis.exe utility (the ASP.NET IIS Registration Tool, installed with the .NET Framework).
Because aspnet_regiis.exe only operates on a file named web.config in the directory you give it, you must:
- Rename the configuration file to web.config.
- Run aspnet_regiis.exe to encrypt the configuration sections you want protected.
- Rename the file back to its original filename.
For more information, see Encrypting and Decrypting Configuration Sections in the Microsoft documentation.
Ping Identity does not test AD Connect with encrypted configuration files. Encrypting these files could cause unforeseen complications, and you do so at your own risk.
If encrypted configuration files do cause trouble, you can reinstall AD Connect.
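The rename, encrypt, rename-back procedure above, as an added PowerShell example that is not Ping Identity's own code. It restores the original filename even if aspnet_regiis.exe fails, keeps a backup, and checks afterwards that the section really was encrypted. The file path, the section name appSettings and the .NET Framework version directory are assumptions, not values from this page; substitute the AD Connect file and section you are protecting.

```powershell
# Added example (not AD Connect's own code). Assumed placeholders: the config file path,
# the section name 'appSettings' and the .NET Framework version directory.

function Protect-ConfigSection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,     # full path of the configuration file
        [Parameter(Mandatory)][string]$Section,  # section to encrypt, e.g. appSettings
        [switch]$Decrypt,                        # reverse the operation (-pdf instead of -pef)
        # DPAPI-based provider shipped in machine.config; see the note below on provider choice.
        [string]$Provider = 'DataProtectionConfigurationProvider'
    )

    # aspnet_regiis.exe ships with the .NET Framework; the version directory is an assumption.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    if (-not (Test-Path -LiteralPath $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $webConfig = Join-Path $file.DirectoryName 'web.config'
    if (Test-Path -LiteralPath $webConfig) {
        throw "$webConfig already exists; refusing to overwrite it"
    }

    # Keep a copy: a failed run can leave the file half-written. The copy is plaintext,
    # so remove it once the encrypted file has been verified.
    Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).bak" -Force

    # aspnet_regiis only looks for web.config in the directory it is given.
    Move-Item -LiteralPath $file.FullName -Destination $webConfig
    try {
        if ($Decrypt) {
            $output = & $regiis -pdf $Section $file.DirectoryName 2>&1
        } else {
            $output = & $regiis -pef $Section $file.DirectoryName -prov $Provider 2>&1
        }
        if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with $($LASTEXITCODE): $output" }
    }
    finally {
        # Always restore the original name so AD Connect can find its file again.
        Move-Item -LiteralPath $webConfig -Destination $file.FullName
    }
}

function Test-ConfigSectionProtected {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Section
    )
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.SelectSingleNode("/configuration/$Section")
    if ($null -eq $node) { throw "section '$Section' not found in $Path" }
    # An encrypted section carries a configProtectionProvider attribute and an EncryptedData
    # child; the RSA provider puts EncryptedData in the xmlenc namespace, so match by local name.
    return $node.HasAttribute('configProtectionProvider') -and
           ($null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']"))
}

# Usage (path and section are placeholders, not from the page):
$cfg = 'C:\Program Files\Ping Identity\AD Connect\app.config'
Protect-ConfigSection -Path $cfg -Section 'appSettings'
Test-ConfigSectionProtected -Path $cfg -Section 'appSettings'
```

Two things to know before relying on this. DataProtectionConfigurationProvider uses DPAPI in machine scope by default, so any account that can log on to the host can decrypt the section: it protects the file when it is copied off the machine (backups, file shares, support bundles), not against a local attacker. If you omit -prov, aspnet_regiis.exe uses RsaProtectedConfigurationProvider instead, and the account AD Connect runs as must then be granted access to the RSA key container (aspnet_regiis.exe -pa "NetFrameworkConfigurationKey" "DOMAIN\account"); if it is not, AD Connect cannot read its own configuration, which is one plausible form of the complications the page warns about. Run the function with -Decrypt to restore the plaintext file before upgrading or reinstalling.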
Enable Integrated Windows Authentication
If you enable Integrated Windows Authentication (IWA), users on your organization's network are authenticated through IWA with their existing Windows logon. This improves security by reducing the need for users to send their credentials over the internet.
However, IWA has other limitations to consider. For example, your users cannot sign off from PingOne for Enterprise, because IWA automatically signs them back on.
For more information, see Using IWA with browser clients.
userPrincipalName as the subject attribute
AD Connect offers two choices for the subject attribute: sAMAccountName, which is unique only within a single Active Directory (AD) domain, and userPrincipalName, which is unique across all AD domains.
If your user population spans multiple AD domains, select userPrincipalName as the subject attribute to avoid the potential of different users in different domains signing in using the same
For more information, see AD Connect final setup.
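A check you can run before choosing the subject attribute, as an added PowerShell example that is not part of Ping Identity's documentation: it lists sAMAccountName values that exist in more than one domain, which is exactly the collision that selecting userPrincipalName avoids. The domain names and users in the sample data are constructed; the live query assumes the RSAT ActiveDirectory module and read access to every domain in the forest.

```powershell
# Added example (not AD Connect's own code). Sample domains and users below are constructed.

function Find-DuplicateSamAccountName {
    param(
        # Objects with Domain, SamAccountName and UserPrincipalName properties.
        [Parameter(Mandatory)][object[]]$Users
    )
    # sAMAccountName is case-insensitive in AD; Group-Object also compares case-insensitively.
    $Users |
        Group-Object -Property SamAccountName |
        ForEach-Object {
            $domains = @($_.Group.Domain | Sort-Object -Unique)
            # Only a name that appears in two or more domains is a collision.
            if ($domains.Count -gt 1) {
                [pscustomobject]@{
                    SamAccountName     = $_.Name
                    Domains            = $domains -join ', '
                    UserPrincipalNames = @($_.Group.UserPrincipalName) -join ', '
                }
            }
        }
}

# Live version: one query per domain in the forest, tagging each user with its source domain.
function Get-ForestUsers {
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADUser -Filter * -Server $domain |
            Select-Object @{ n = 'Domain'; e = { $domain } }, SamAccountName, UserPrincipalName
    }
}

# Constructed sample (not real directory data) so the check can be tried without a forest.
$sample = @(
    [pscustomobject]@{ Domain = 'corp.example.com'; SamAccountName = 'jsmith'; UserPrincipalName = 'jsmith@corp.example.com' }
    [pscustomobject]@{ Domain = 'eu.example.com';   SamAccountName = 'JSmith'; UserPrincipalName = 'john.smith@eu.example.com' }
    [pscustomobject]@{ Domain = 'corp.example.com'; SamAccountName = 'adoe';   UserPrincipalName = 'adoe@corp.example.com' }
)
Find-DuplicateSamAccountName -Users $sample

# Against the real forest:
# Find-DuplicateSamAccountName -Users (Get-ForestUsers)
```

In the constructed sample, jsmith and JSmith are two different people in two domains who would present the same subject if sAMAccountName were used, while their userPrincipalName values differ; adoe exists in only one domain and is not reported. Any row the live query returns is a pair of accounts that AD Connect could not tell apart with sAMAccountName as the subject attribute.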