Environment
Situation
How do ADAM instances advertise their presence?
Multiple ADAM instances are running on the same server. How does SecureLogin know which instance to contact?
Resolution
To locate services, ADAM uses Service Connection Point (SCP) objects published in Active Directory's Global Catalog. You can also give preference to certain ADAM instances with the following registry value.
The registry entry can be edited to "force" the selection of an ADAM instance. Add or edit the following string value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Protocom\SecureLogin]
PreferredADAMInstances
Set it to [adam-server-address]:[adam-port], for example: 127.0.0.1:5389
The port must be the "normal" (plain LDAP) ADAM port, not the SSL port.
Once the workstation has successfully connected to a SecureLogin ADAM instance, it uses that particular instance as the first option for subsequent connections, storing it for later retrieval in HKCU\Software\Protocom\SecureLogin\LastSuccessfulADAMConnection.
When an ADAM instance is installed, it creates an SCP object for itself (but only if the ADAM service account has permission to do so; refer to the ADAM installation guide, chapter 2, for more information).
Additional Information
NSL discovers and connects to ADAM instances in the following order:
1. The last known good ADAM server, stored in HKCU\Software\Protocom\SecureLogin\LastSuccessfulADAMConnection
2. The preferred ADAM instances list (PreferredADAMInstances)
3. Browsing the ADAM SCP list provided by the domain controller. This search can be disabled by creating the DWORD value IgnoreADAMSCP under HKLM\Software\Protocom\SecureLogin and setting it to 1.
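The following PowerShell script is an added example, not part of the original article: it writes the PreferredADAMInstances and (optionally) IgnoreADAMSCP values described above and then reports the discovery order NSL will use on that workstation. It assumes it runs elevated (HKLM is written), that only a single host:port is stored in PreferredADAMInstances, and the sample value 127.0.0.1:5389 is constructed.

```powershell
# Added example (not from the original KB article). Assumes an elevated session;
# key and value names are those given in the article.
param(
    [string]$PreferredInstance = '127.0.0.1:5389',   # constructed sample host:port
    [switch]$IgnoreScp                                # also set IgnoreADAMSCP = 1
)

$hklmKey = 'HKLM:\SOFTWARE\Protocom\SecureLogin'
$hkcuKey = 'HKCU:\Software\Protocom\SecureLogin'

# Accept only host:port. The port must be the plain LDAP port of the
# instance, not its SSL port (the article's requirement; cannot be checked here).
if ($PreferredInstance -notmatch '^(?<host>[A-Za-z0-9.\-]+):(?<port>\d{1,5})$' -or
    [int]$Matches.port -lt 1 -or [int]$Matches.port -gt 65535) {
    throw "PreferredInstance must be <adam-server-address>:<adam-port>, got '$PreferredInstance'"
}

# Create the key if it does not exist and write the REG_SZ value the client reads.
if (-not (Test-Path $hklmKey)) { New-Item -Path $hklmKey -Force | Out-Null }
New-ItemProperty -Path $hklmKey -Name 'PreferredADAMInstances' `
    -Value $PreferredInstance -PropertyType String -Force | Out-Null

# Optionally disable the SCP browse step (REG_DWORD = 1).
if ($IgnoreScp) {
    New-ItemProperty -Path $hklmKey -Name 'IgnoreADAMSCP' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Report the order NSL tries: last known good (HKCU), preferred (HKLM), then SCP unless disabled.
$last = (Get-ItemProperty -Path $hkcuKey -Name 'LastSuccessfulADAMConnection' -ErrorAction SilentlyContinue).LastSuccessfulADAMConnection
$pref = (Get-ItemProperty -Path $hklmKey -Name 'PreferredADAMInstances' -ErrorAction SilentlyContinue).PreferredADAMInstances
$scp  = (Get-ItemProperty -Path $hklmKey -Name 'IgnoreADAMSCP' -ErrorAction SilentlyContinue).IgnoreADAMSCP

$order = @()
if ($last) { $order += "1. last known good (HKCU): $last" } else { $order += "1. last known good (HKCU): not set" }
$order += "2. preferred instance (HKLM): $pref"
$order += if ($scp -eq 1) { "3. SCP browse: disabled (IgnoreADAMSCP=1)" } else { "3. SCP browse: Global Catalog SCP list" }
$order
```

Run without -IgnoreScp to keep the SCP fallback; a stale LastSuccessfulADAMConnection in HKCU is still tried first, so clear that value when retiring an instance.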
The following must also hold for the connection to succeed:
- The ADAM schema must have the SSO schema extensions.
- ADAM must contain a userProxy object whose DN matches the current AD user.
- The user's objectSid in AD must match the userProxy's objectSid in ADAM.