Use these instructions when expect to have large numbers of single sign-on (SSO) users for AD Connect, and you want to use Microsoft® Network Load Balancing (NLB) as the load-balancing and clustering solution. NLB is an optional Windows Server feature.

Note: If you're using a load-balancing and clustering solution other than NLB, you can also apply these settings to your configuration by replacing the NLB-specific steps for those that match your solution.

You will configure NLB clustering for AD Connect, using the example configuration shown in the illustration as a guideline.

Although you can use this process for other configurations, these instructions are for a minimal configuration, one Active Directory domain controller (DC) and two Windows Server IIS hosts.

Note: The IIS hosts need two NICs, one for the static IP used by NLB (NLB requires static IPs), the other for the dynamic IP used by the DC. The NLB-dedicated NICs for all IIS hosts should be in the same subnet.
  1. Install AD Connect on the IIS hosts ( and
    One of the IIS hosts will supply the signing certificate to be used on all other IIS hosts. We will call this the master IIS host.
  2. On one of the IIS hosts (here we will use, use the Services MMC to disable ADConnect Provisioner Service. This will be the master IIS host.
  3. On the master IIS host (, export the signing certificate.
    1. Open MMC, and from the File menu, select Add/Remove Snap-in. The Add or Remove Snap-ins dialog box is displayed.
    2. Select Certificates and click Add. The Certificates Snap-in dialog box is displayed.
    3. Select Computer Account and click Next. The Select Computer dialog box is displayed.
    4. Select Local computer and click Finish, and OK. The Certificates snap-in is displayed in MMC.
    5. Expand Certificates (Local Computer) > Personal and select Certificates. The certificates for the Local Computer account are displayed.
    6. Right-click the signing certificate (the certificate name includes the full domain name of the host) and select All tasks > Export. The Certificate Export Wizard is displayed.
    7. Follow the Certificate Export Wizard to export the private key.
    The master IIS host signing certificate has been exported to the current user directory.
  4. On the other IIS hosts (, import this signing certificate.
    1. Follow the steps above to add the Certificates snap-in to MMC.
    2. Expand Certificates (Local Computer) > Trusted People. Right-click Certificates and select All tasks > Import. The Certificate Import Wizard is displayed.
    3. Follow the Certificate Import Wizard and select the signing certificate you exported from the master IIS host.
    The master IIS host signing certificate is now imported to the other IIS host.
  5. On the other IIS hosts (, grant the IIS process access to the signing keys.
    1. Open MMC and go to Certificates (Local Computer) > Personal > Certificates. Right-click the master IIS host certificate that you imported and select All tasks > Manage private private keys. The permissions dialog box is displayed.
    2. Click Add, and in the entry box, enter the object name "IIS_IUSRS". Click OK.
    3. Grant Full Control and Read permissions to IIS_IUSRS.
    The IIS host now has the necessary permissions to use the imported signing certificate.
  6. On the other IIS hosts (, update the AD Connect Web.config file to use the imported signing certificate.
    1. Edit the AD Connect file <installPath>\Ping Identity\ADConnect\SSO\Web.config.
    2. Change the saml.signing.cert value to the name of the imported signing certificate, and save the file.
    AD Connect will now use the imported signing certificate.
  7. On each IIS host ( and, install the Network Load Balancing feature. This is an optional feature for Windows Server.
  8. On each IIS host, configure network load balancing.
    1. Open Network Load Balancing Manager (in Administrative Tools) and choose to create a new cluster.
    2. Enter the static IP address (the NLB-dedicated NIC) of one of the IIS hosts.
    3. Select this interface, click Next, and assign a unique host ID.
    4. Click Add to create a virtual cluster IP address for this interface. Specify an address in the same subnet as the NLB-dedicated NICs of your IIS hosts.
      Note: The virtual cluster IP is the address you will use to access AD Connect. Do not use the IP addresses (static or dynamic) assigned to the IIS hosts.
    5. If you're deploying the IIS hosts in a VM (virtual machine), set the cluster operation mode to Multicast. Otherwise, set this mode to Unicast.
      Microsoft recommends using Unicast as the cluster operation mode. Unicast is compatible with all routers, switches and network devices. VMWare® recommends using Multicast if you're configuring NLB clusters on VMs.
    6. Optional: Set any port rules you consider necessary.
    7. When the information for the new cluster node (the IIS host) indicates the node is in a Converged state, right-click the node and select Add Host to Cluster.
      The IIS host is now configured for NLB.
  9. Repeat the above steps for each remaining IIS host (
You should now be able to power cycle a clustered IIS host, with automatic failover to another IIS host in the cluster. You also can add additional IIS hosts to the cluster as needed.