Active Directory With .NET Connector (OBSOLETE)

Last modified 07 Sep 2022 03:49 +02:00
OBSOLETE
This functionality is obsolete. It is no longer supported or maintained. Please use the replacement functionality instead.

Install .NET Connector Server

Install .NET Connector Server on a "gateway" machine. This can be almost any Windows machine that will be used as an intermediary between midPoint and Active Directory.

Installation instructions are on .NET Connector Server page.

Deploy Active Directory Connector

Deploy the Active Directory connector to the .NET Connector Server.

Active Directory connector information and download links are on Legacy Active Directory Connector (.NET) page.

Deploy the connector by copying files to the .NET Connector Server directory. The details are here: .NET Connector Server.

Configure Connector Host in midPoint

Create a connector host definition and import it in midPoint. See here: Connector Server.

You can import the sample XML configuration mentioned above by clicking the Configuration tab, then the Import object tab. Select "Get objects from … Embedded editor" and paste the content of the connector host sample mentioned above. Please modify the following attributes before clicking Import Object:

  • name: rename it to contain your connector server name instead of "foobar.example.com", e.g. "ICF Connector server on server:8759"

  • hostname: enter your connector server hostname, e.g. server.example.com

  • port: enter your connector server port if you have changed it, or keep default "8759"

  • sharedSecret: enter your connector server key into the "sharedSecret" element instead of "secret"

Then click Import Object button.

A detailed description of the connector host object is here: ConnectorHostType.

If you have configured SSL on the connector server you should also install the appropriate CA certificate to a midPoint keystore as described on Connector Server page.

Discover the Connectors

The connector host should appear in the midPoint GUI under the Resources tab. Check the checkbox next to it and click the Discovery button. A green success message should appear.

Look at the Connector objects in the repository (in the GUI Configuration tab, Repository objects, object type Connector). A new connector should appear there. Look for a name similar to ICF Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector @ICF Connector server on medusa:8759.

Configure Active Directory

To actually use Active Directory connector, you need to create an administrative account in Active Directory. Do not use "administrator" account as it has unrestricted rights!

To create the administrative account for provisioning:

  1. Open "Server Manager" on the Active Directory machine.

  2. Select Roles, then Active Directory Domain Services. Alternatively, open "Active Directory Users and Computers".

  3. Expand your domain (e.g. domain.example.com) and right click on the Users container.

  4. Select New User.

  5. Enter the required information to create your administrative user for midPoint. Do not forget to fill in the sAMAccountName (e.g. "midpoint") and userPrincipalName (e.g. "midpoint@domain.example.com") attributes, and the user's password. We recommend unchecking "User must change password at next logon" and checking "Password never expires".

PowerShell equivalent (username: midpoint; password: qwe.123; Password never expires: set; domain: domain.example.com):
# Requires the ActiveDirectory module (RSAT or the AD DS role); it is auto-loaded on current Windows versions
Import-Module ActiveDirectory
# Create the midPoint provisioning account in the default Users container.
# "qwe.123" is the sample password from this page; replace it with a strong one before running.
New-ADUser `
 -AccountPassword ( "qwe.123" | ConvertTo-SecureString -AsPlainText -Force) `
 -DisplayName "MidPoint" -Enabled $true -Name "MidPoint" `
 -PasswordNeverExpires $true -SamAccountName midpoint `
 -Surname MidPoint -UserPrincipalName "midpoint@domain.example.com" `
 -Path "CN=Users,DC=domain,DC=example,DC=com"

To assign the administrative privileges in Active Directory to the administrative account:

  1. Open "Server Manager" on the Active Directory machine.

  2. Select Roles, then Active Directory Domain Services. Alternatively, open "Active Directory Users and Computers".

  3. Select your domain (e.g. domain.example.com) or the part of it where you will manage accounts with midPoint. Select Actions from the menu. Alternatively, right click on your domain (e.g. domain.example.com).

  4. Select Delegate Control...

  5. Click Next.

  6. Click Add to search for your administrative user, e.g. "midpoint".

  7. Click Next.

  8. Check the following checkboxes in "Delegate the following common tasks" area (default):

    1. Create, delete, and manage user accounts

    2. Reset user passwords and force password change at next logon

    3. Read all user information

    4. Create, delete and manage groups

    5. Modify the membership of a group

  9. Click Next.

  10. Click Finish.

Please note that the Delegate Control wizard cannot be used to modify existing delegated tasks; it only adds new permissions.
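After running the wizard it is worth confirming that the provisioning account received only the delegated rights listed above and nothing more. The following PowerShell script is an added verification example, not part of the midPoint documentation; it assumes the ActiveDirectory module is available and that the account name and the container on which control was delegated match what you entered in the wizard.

```powershell
# Added verification script; not part of the midPoint documentation.
# Assumes the ActiveDirectory module (RSAT / AD DS role) and that the account
# name and container below match the ones you used in the Delegate Control wizard.
Import-Module ActiveDirectory

$Account   = 'midpoint'                        # sAMAccountName of the provisioning account
$Container = 'DC=domain,DC=example,DC=com'     # object on which control was delegated

# 1. Least privilege: the provisioning account should not sit in any built-in admin group
#    (direct memberships only; nested membership needs a recursive query).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$memberOf   = Get-ADPrincipalGroupMembership -Identity $Account | Select-Object -ExpandProperty Name
$violations = $memberOf | Where-Object { $privileged -contains $_ }
if ($violations) { Write-Warning "$Account is in privileged group(s): $($violations -join ', ')" }
else             { Write-Output  "$Account holds no privileged group membership" }

# 2. Build a GUID -> name map from the schema and the extended rights container so the
#    ACEs below read as 'user', 'group', 'member' or 'Reset Password' instead of raw GUIDs.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { 'All' }
    elseif ($guidMap.ContainsKey($g)) { $guidMap[$g] }
    else { $g.ToString() }
}

# 3. Show only the ACEs on the container that name the provisioning account and compare
#    them with the five tasks you ticked in the wizard; anything beyond those is a finding.
$sid = (Get-ADUser -Identity $Account).SID
(Get-Acl -Path "AD:\$Container").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ n = 'Object';          e = { Resolve-AceGuid $_.ObjectType } },
        @{ n = 'InheritedObject'; e = { Resolve-AceGuid $_.InheritedObjectType } },
        InheritanceType |
    Format-Table -AutoSize
```

Run it as a domain administrator on a domain controller or a machine with RSAT; an empty ACE table means the delegation did not apply to the container you expected.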

Import Resource Definition

After you have installed all the required components and created your administrative account in Active Directory, you can create Active Directory resource definition.

There are three sample resource definitions that can be used to connect to an Active Directory server. They can be found in our samples/ad directory, accessible here:

Current Development Snapshot (master) https://github.com/Evolveum/midpoint-samples/tree/master/samples/resources/ad

Latest Release (3.1.1) https://github.com/Evolveum/midpoint/tree/v3.1.1/samples/resources/ad

The resource definition XML file is full of in-line comments that explain the individual configuration items used in the file. The ad-resource-simple.xml file in the samples directory is a basic, readable and understandable definition of an AD resource. The ad-resource-advanced-nosync.xml file in the samples directory contains a provisioning-only configuration of the resource. The ad-resource-advanced-sync.xml file contains both the provisioning and the synchronization configuration of the resource.

The resource definition must be updated for your environment. Especially:

  • DirectoryAdminName: the name of the administrative account (e.g. "midpoint@domain.example.com", this is an example of using userPrincipalName format)

  • DirectoryAdminPassword: the administrative account password (do not confuse this with the Connector Server key)

  • Container: the container where the connector will "see" accounts in Active Directory

  • DomainName: the Active Directory domain name (e.g. "domain", it seems that you can also use the "long" name as in "domain.example.com")

  • SyncGlobalCatalogServer: null (if you are synchronizing, use "localhost"!)

  • SyncDomainController: null (if you are synchronizing, use "localhost"!)

  • SearchChildDomains: false (if you are synchronizing, use "true"!)

Import the resource definition by clicking the Configuration tab, then the Import object tab. Select Use embedded editor and copy and paste the content of the ad-resource-advanced-nosync.xml file into the text area. Press the "Import object" button. You should see the green message "Operation successful".
