SecureLogin and multiple ADAM instances

  • 7940407
  • 19-Aug-2009
  • 12-Jan-2017

Environment

Novell SecureLogin
Microsoft AD LDS / ADAM Mode


Situation

How does SecureLogin know which ADAM instance contains its Single Sign-on data?
How do ADAM instances advertise their presence?
When multiple ADAM instances run on the same server, how does SecureLogin know which instance to contact?

Resolution

Most organizations that use Active Directory install SecureLogin in AD Mode and leverage their existing infrastructure. Some organizations, however, do not want to extend their production AD schema; for that case Microsoft recommends ADAM (AD LDS), a separate LDAP directory that carries the SecureLogin schema extensions instead of the production AD.

Each ADAM instance advertises itself through a Service Connection Point (SCP) object published in Active Directory, and SecureLogin locates candidate instances by reading those SCPs from the Global Catalog. You can also make SecureLogin prefer particular ADAM instances with the registry value below.

The registry entry can be edited to "force" the selection of the ADAM instance. Add or edit the following string value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Protocom\SecureLogin]

PreferredADAMInstances

Set it to [adam-server-address]:[adam-port], for example: 127.0.0.1:5389
The port must be the "normal" (LDAP) ADAM port, not the SSL port.

Once a workstation has successfully connected to a SecureLogin ADAM instance, it stores that instance for later retrieval in HKCU\Software\Protocom\SecureLogin\LastSuccessfulADAMConnection and tries it first on subsequent connections.

When an ADAM instance is installed, it creates an SCP object for itself, but only if the ADAM service account has permission to do so (refer to the ADAM installation guide, chapter 2, for more information). An instance whose service account lacked that permission is not found by SCP browsing and must be reached through the preferred-instances value.


Additional Information

NSL discovers and connects to ADAM instances in the following order:

  1. Last known good ADAM server stored in HKCU\Software\Protocom\SecureLogin\LastSuccessfulADAMConnection

  2. Preferred ADAM instances list (HKLM\Software\Protocom\SecureLogin\PreferredADAMInstances)

  3. Browse using the ADAM SCP list provided by the domain controller. This search can be disabled by creating the following DWORD value and setting it to 1:
     HKLM\Software\Protocom\SecureLogin
     IgnoreADAMSCP (DWORD)
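The following PowerShell script is an added example, not part of this TID or of the SecureLogin product. It covers the registry values from the Resolution section and the three discovery sources above: it reports what a workstation currently holds in each source in the order SecureLogin consults them, enumerates the SCPs an instance publishes in AD, and pins a preferred instance. The registry paths and value names are the ones this TID documents; the SCP search filter, the use of the current domain's Global Catalog as search root, and the sample host name and port are assumptions.

```powershell
# Added example (not from the TID): inspect and pin SecureLogin's ADAM instance selection.
# Registry keys/values are those the TID documents; the SCP filter and sample host are assumptions.
#Requires -RunAsAdministrator

$HklmKey = 'HKLM:\SOFTWARE\Protocom\SecureLogin'
$HkcuKey = 'HKCU:\Software\Protocom\SecureLogin'

function Get-NslAdamDiscoveryConfig {
    # Report the three sources in the order SecureLogin consults them.
    $last = (Get-ItemProperty -Path $HkcuKey -Name LastSuccessfulADAMConnection -ErrorAction SilentlyContinue).LastSuccessfulADAMConnection
    $pref = (Get-ItemProperty -Path $HklmKey -Name PreferredADAMInstances       -ErrorAction SilentlyContinue).PreferredADAMInstances
    $ign  = (Get-ItemProperty -Path $HklmKey -Name IgnoreADAMSCP                -ErrorAction SilentlyContinue).IgnoreADAMSCP
    [pscustomobject]@{
        '1_LastSuccessfulADAMConnection' = $last
        '2_PreferredADAMInstances'       = $pref
        '3_SCPBrowsingEnabled'           = ($ign -ne 1)   # DWORD 1 disables SCP browsing
    }
}

function Get-AdamServiceConnectionPoints {
    # Enumerate SCPs from the forest's Global Catalog. ADAM/AD LDS instances publish
    # serviceConnectionPoint objects whose serviceBindingInformation holds ldap:// and
    # ldaps:// URLs; filtering on "ldap://*" is an assumption that fits a default install,
    # so review the keywords before trusting a hit. An instance whose service account
    # could not write an SCP at install time will simply not appear here.
    $rootDomain = ([adsi]'LDAP://RootDSE').rootDomainNamingContext
    $searcher = [adsisearcher]'(&(objectClass=serviceConnectionPoint)(serviceBindingInformation=ldap://*))'
    $searcher.SearchRoot = [adsi]"GC://$rootDomain"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'serviceBindingInformation', 'keywords'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DN       = [string]$r.Properties['distinguishedname'][0]
            Bindings = @($r.Properties['servicebindinginformation'])   # ldap://host:port, ldaps://host:port
            Keywords = @($r.Properties['keywords'])
        }
    }
}

function Set-NslPreferredAdamInstance {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,        # the normal LDAP port, not the SSL port
        [switch]$DisableScpBrowsing
    )
    if (-not (Test-Path $HklmKey)) { New-Item -Path $HklmKey -Force | Out-Null }
    # REG_SZ in the host:port form the TID gives, e.g. 127.0.0.1:5389
    New-ItemProperty -Path $HklmKey -Name PreferredADAMInstances -PropertyType String `
        -Value ('{0}:{1}' -f $Server, $Port) -Force | Out-Null
    if ($DisableScpBrowsing) {
        New-ItemProperty -Path $HklmKey -Name IgnoreADAMSCP -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # The last-good entry is consulted before the preferred list, so clear it for this
    # profile; other users' HKCU hives on the machine keep their own entry.
    Remove-ItemProperty -Path $HkcuKey -Name LastSuccessfulADAMConnection -ErrorAction SilentlyContinue
}

Get-NslAdamDiscoveryConfig | Format-List
Get-AdamServiceConnectionPoints | Format-Table -AutoSize
# Set-NslPreferredAdamInstance -Server 'adam01.example.com' -Port 5389   # assumed host/port
```

Run the two `Get-` functions first when a workstation connects to an unexpected instance: a stale `LastSuccessfulADAMConnection` in the user's hive wins over both the preferred list and the SCP list, which is why the pinning function clears it.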

An ADAM instance must satisfy all of the following conditions; otherwise SecureLogin moves on to the next ADAM candidate.
  • The ADAM schema must contain the SSO schema extensions.
  • ADAM must contain a userProxy object whose DN matches the current AD user.
  • The user's objectSid in AD must match the objectSid of that userProxy object in ADAM.
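The following script is an added example, not code from this TID or from SecureLogin; it checks the three conditions above against one candidate instance from the workstation, using the logged-on user's Windows identity. It binds to the instance over plain LDAP with Negotiate, looks for a SecureLogin attribute in the schema naming context, and searches the application partition for a userProxy whose objectSid equals the current user's SID. The attribute name `protocom-SSO-Entries`, the application partition DN, and the host and port are assumptions to replace with your own values.

```powershell
# Added example (not from the TID): test whether an ADAM instance meets SecureLogin's
# three conditions for the current user. Attribute name, partition DN, host and port
# are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Test-NslAdamCandidate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,                      # normal LDAP port, not SSL
        [Parameter(Mandatory)][string]$ApplicationPartition,   # e.g. 'OU=SSO,DC=example,DC=com' (assumed)
        [string]$SsoAttribute = 'protocom-SSO-Entries'         # assumed SecureLogin schema attribute
    )
    $conn = New-Object "$P.LdapConnection" ('{0}:{1}' -f $Server, $Port)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # bind as the logged-on user
    $conn.Timeout  = [TimeSpan]::FromSeconds(10)
    $result = [ordered]@{ Instance = ('{0}:{1}' -f $Server, $Port) }
    try {
        $conn.Bind()

        # Condition 1: the SSO schema extension exists in this instance's schema NC.
        $rootDse  = [System.DirectoryServices.Protocols.SearchRequest]::new($null, '(objectClass=*)',
                        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('schemaNamingContext'))
        $schemaNc = [string]$conn.SendRequest($rootDse).Entries[0].Attributes['schemaNamingContext'][0]
        $schemaReq = [System.DirectoryServices.Protocols.SearchRequest]::new($schemaNc,
                        "(&(objectClass=attributeSchema)(lDAPDisplayName=$SsoAttribute))",
                        [System.DirectoryServices.Protocols.SearchScope]::OneLevel, [string[]]@('lDAPDisplayName'))
        $result.SchemaExtended = ($conn.SendRequest($schemaReq).Entries.Count -gt 0)

        # Conditions 2 and 3: a userProxy for this user whose objectSid equals the AD SID.
        $sid      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $sidBytes = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($sidBytes, 0)
        $escaped  = -join ($sidBytes | ForEach-Object { '\{0:x2}' -f $_ })   # RFC 4515 binary value escaping
        $proxyReq = [System.DirectoryServices.Protocols.SearchRequest]::new($ApplicationPartition,
                        "(&(objectClass=userProxy)(objectSid=$escaped))",
                        [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('objectSid'))
        $proxies  = $conn.SendRequest($proxyReq).Entries
        $result.UserProxyDN = if ($proxies.Count -gt 0) { $proxies[0].DistinguishedName } else { $null }

        # Compare the stored SID explicitly rather than trusting the filter alone.
        $result.SidMatches = $false
        if ($proxies.Count -gt 0) {
            $stored = [byte[]]$proxies[0].Attributes['objectSid'][0]
            $storedSid = New-Object System.Security.Principal.SecurityIdentifier ($stored, 0)
            $result.SidMatches = ($storedSid -eq $sid)
        }
        $result.Usable = $result.SchemaExtended -and ($null -ne $result.UserProxyDN) -and $result.SidMatches
    }
    catch {
        $result.Error  = $_.Exception.Message   # bind or search failure: candidate is skipped
        $result.Usable = $false
    }
    finally { $conn.Dispose() }
    [pscustomobject]$result
}

# Test-NslAdamCandidate -Server 'adam01.example.com' -Port 5389 -ApplicationPartition 'OU=SSO,DC=example,DC=com'
```

Run it for each instance listed by the SCP enumeration or named in `PreferredADAMInstances`; a candidate with `Usable = False` is exactly one SecureLogin will skip, and the individual fields show which of the three conditions failed. The DN match in condition 2 is expressed here as "a userProxy exists for this SID"; if your deployment names userProxy objects by a convention, add that check against the returned DN.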