Configuring LDAP authentication on AD LDS
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
The following procedure describes how to configure LDAP server sets so that Forefront TMG can authenticate domain users even when Forefront TMG itself is not a member of the domain. Forefront TMG performs the authentication over an LDAP connection to the domain.
To configure LDAP server sets
In the Forefront TMG Management console, in the tree, click Web Access Policy.
On the Tasks tab, click Configure LDAP Server Settings.
Click Add to add an LDAP server set.
Provide a name for the LDAP server set.
Click Add to add each LDAP server name, description, and time-out. Time-out is the length of time (in seconds) that Forefront TMG tries to obtain responses from the LDAP server before trying the next LDAP server in the ordered list. Note that you can change the order in which the servers are accessed by using the UP ARROW and DOWN ARROW keys.
In Domain, provide the fully qualified domain name (FQDN) for Active Directory. Note that this is the domain in which the user accounts are defined, and not the domain to which Forefront TMG is joined.
Select Use Global Catalog (GC) if you are using a global catalog.
Select Connect LDAP servers over secure connection if you want to encrypt the LDAP communication (use the LDAPS protocol).
You can type the credentials used to connect to Active Directory for verifying user account status and changing account passwords. This provides you with password management functionality for HTML form authentication.
Click OK to close the Add LDAP Server Set dialog box.
In Login Expression, click New to add a login expression. A login expression allows you to assign an LDAP server set to a specific group of users. For example, you can assign one LDAP server set to the users FABRIKAM\*, and another LDAP server set to the users CONTOSO\*. Forefront TMG evaluates the login expressions in the order listed. You can change the order by using the UP ARROW and DOWN ARROW keys.
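The routing that the steps above configure, as an added Python example that is not part of the Forefront TMG documentation: a login expression selects the server set, and the servers in that set are tried in order until one answers within its time-out. The server names, domains, account and simulated bind are constructed; the port numbers are the standard Active Directory LDAP, LDAPS and global catalog ports.

```python
import fnmatch
from dataclasses import dataclass
LDAP, LDAPS, GC, GC_SSL = 389, 636, 3268, 3269  # AD ports chosen by the GC/LDAPS options

@dataclass
class LdapServer:
    name: str
    timeout: float  # seconds to wait before falling through to the next server

@dataclass
class LdapServerSet:
    name: str
    domain: str    # FQDN of the domain holding the user accounts
    servers: list  # LdapServer objects, tried in this order
    use_gc: bool = False
    use_ssl: bool = False

    def port(self):
        if self.use_gc:
            return GC_SSL if self.use_ssl else GC
        return LDAPS if self.use_ssl else LDAP

def pick_server_set(login, expressions):
    """First (login expression, server set) pair whose DOMAIN\\* pattern matches wins."""
    for pattern, server_set in expressions:
        if fnmatch.fnmatchcase(login.upper(), pattern.upper()):  # case-insensitive
            return server_set
    return None  # no expression matched: the login is not forwarded to LDAP

def bind_with_failover(server_set, login, password, bind):
    """Try servers in order; bind() returns True/False or raises TimeoutError."""
    for server in server_set.servers:
        try:
            return server.name, bind(server.name, server_set.port(), server.timeout, login, password)
        except TimeoutError:
            continue  # time-out elapsed: move on to the next server in the list
    return None, False  # every server timed out: the login cannot be verified

# Constructed sample configuration and a simulated bind (no network involved).
FABRIKAM = LdapServerSet("fabrikam-set", "fabrikam.com", use_ssl=True, servers=[
    LdapServer("dc1.fabrikam.com", 5), LdapServer("dc2.fabrikam.com", 5)])
CONTOSO = LdapServerSet("contoso-set", "contoso.com", use_gc=True, use_ssl=True,
                        servers=[LdapServer("gc1.contoso.com", 10)])
EXPRESSIONS = [("FABRIKAM\\*", FABRIKAM), ("CONTOSO\\*", CONTOSO)]
ACCOUNTS = {"FABRIKAM\\bob": "bob-password"}  # constructed test account
def simulated_bind(host, port, timeout, login, password):
    if host == "dc1.fabrikam.com":  # constructed: the first server never answers
        raise TimeoutError(f"{host}:{port} gave no response within {timeout}s")
    return ACCOUNTS.get(login) == password
```

In a real deployment the `bind` callable would perform an LDAPS simple bind against the chosen host and port; the rest of the logic stays the same.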