Friday, March 04, 2005

Install AD\AM, the Secure Windows LDAP Service

AD\AM is a very simple, yet powerful, LDAP service you can use to handle authentication for your online applications, without requiring a full-blown NOS directory. Get a step-by-step demonstration of the AD\AM installation process.
by Rob Hawthorne
Just about everyone implements a roll-your-own security mechanism for his or her software applications. I've done it, many software companies have done it, and I am sure you have as well. But guess what: you don't have to! With the release of Windows Server 2003, Microsoft introduced a portable, scalable, and secure Lightweight Directory Access Protocol (LDAP) database based on their Network Operating System (NOS) Active Directory (AD). This service is called Active Directory [surprise, surprise] Application Mode, or AD\AM for short.

Although AD\AM and AD share the same code base (and general purposes) and are even developed by the same MS development team, a couple of major differences give AD\AM the flexibility to be used in online architectures where a full-blown NOS directory simply isn't an option.

This article demonstrates the AD\AM installation process. It isn't intended to be a features list or sales pitch for AD\AM, but without an understanding of the reasons to implement it, you wouldn't have much incentive to go any further. So it begins with a brief—and I mean brief—introduction to AD\AM.

Why Use AD\AM?
AD\AM is an LDAP database that is primarily used to store users, groups, and other objects that represent organizations or other associations. It allows you to easily implement security within your applications, without having to write a huge amount of validation or user management code.

AD\AM provides the following capabilities, which separate it from AD:

* Simple backup and recovery – AD\AM uses a single .dit file, which contains all the database information.
* Easy installation and clean uninstall – It doesn't require DNS to be working, nor any additional components to be installed on the server.
* Extended support for X.500 directory naming rather than just DNS directory-style naming.
* Effortless schema extensions without impacting production Active Directory environments.
* Free download from Microsoft – AD\AM itself does not have a license cost associated with it.
* Can run multiple instances on the same machine (similar in concept to multiple instances of SQL Server 2000).

AD\AM has a number of great features that make it perfect for an online authentication system:

* Password Policies – AD\AM provides the ability to ensure that a user's password meets certain complexity requirements (e.g., number of characters, case, alpha-numeric, etc.). Have you ever tried to write that code? What a pain!
* Encrypted password store – AD\AM uses the same password encryption store as Active Directory, so passwords cannot be recovered from the store (unless you explicitly choose to store them with reversible encryption).
* Ability to use Active Directory authentication for internal users – AD\AM can pass off the authentication to Active Directory, allowing AD to authorize internal users to use the online application.
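Putting the authentication use case above into code, as an added example that is not from the article or from Microsoft: a C# helper (System.DirectoryServices.Protocols) that hands password validation to AD\AM with an LDAP simple bind over SSL. The host name, port and user container are assumptions.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example (not from the article): application logon helper that lets AD/AM
// validate the password by performing an LDAP simple bind as the user. Assumptions,
// all hypothetical: LDAPS on adam.example.internal:636, users under OU=Users,O=WebApp,C=US.
public static class AdamAuthenticator
{
    private const string AdamHost = "adam.example.internal";        // assumed host
    private const int LdapsPort = 636;                               // assumed SSL port
    private const string UserContainer = "OU=Users,O=WebApp,C=US";   // assumed partition
    // Returns true only when AD/AM accepts the user's DN and password.
    public static bool Authenticate(string userName, string password)
    {
        // A simple bind with an empty password is an anonymous bind, which the server
        // reports as success; reject it before contacting AD/AM.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;
        // The user name is the CN of the user object; escape it so input such as
        // "admin,OU=Admins" cannot change which object the bind targets.
        string userDn = "CN=" + EscapeDnValue(userName) + "," + UserContainer;

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(AdamHost, LdapsPort)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;  // password never crosses the wire in clear
            conn.AuthType = AuthType.Basic;                 // LDAP simple bind: DN + password
            try
            {
                conn.Bind(new NetworkCredential(userDn, password));
                return true;
            }
            catch (LdapException)
            {
                // Wrong password, unknown user or unreachable server all become a plain
                // logon failure; the caller is not told which one occurred.
                return false;
            }
        }
    }

    // Escape the characters that are special inside an RDN value (RFC 4514).
    private static string EscapeDnValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value) { if ("\\,+\"<>;=#".IndexOf(c) >= 0) sb.Append('\\'); sb.Append(c); }
        return sb.ToString();
    }
}
```

The bind only succeeds if the DN exists and the password satisfies the instance's stored credential, so the application never has to compare or store password hashes itself.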

AD\AM has the ability to scale out in proportions similar to Active Directory. So given all the great things about AD\AM, what are its limitations?

* AD\AM installs only on Windows XP (SP1 or above), Windows Server 2003 Standard, Enterprise, and Data Center Editions, but not on Windows 2000 (any edition) or Windows Server 2003 Web Edition.
* For Windows XP, the AD\AM install is a limited release. You are limited to 10,000 objects within the AD\AM instance.
* AD\AM currently does not have complete integration with Microsoft's Authentication Manager (nick-named AZMan). However, this is reportedly cleaned up in SP1 for Windows 2003 (no promises though!).
* AD\AM has no capabilities for Kerberos. If you wish to use Kerberos, you need to implement Active Directory (and probably not over the Web!).
* Pass-through (or user-proxy) authentication requires domain membership.

Which Version of AD\AM?
AD\AM comes in six different flavors. When you download AD\AM, be sure to select the correct version for your requirements.

AD\AM provides support for both 32- and 64-bit Windows platforms, as well as providing the following specific download versions:

* Retail: This is the most common version for use within a business environment. It is subject to the standard Retail End User Licence Agreement (EULA). Use the ADAMretailIA64.exe and ADAMretailX86.exe files.
* Redistributable: Application developers use this version to package AD\AM with their applications for redistribution to their users. These versions are subject to the Redistribution EULA. Use the ADAMredistIA64.exe and ADAMredistX86.exe files.
* MUI: The Multilingual User Interface (MUI) pack for AD\AM allows for multiple-language support. Before installing the AD\AM MUI pack, the Windows MUI pack and a retail or redistributable version of AD\AM must be installed on the computer. Additionally, Hotfix 828745 must be installed. Use the AdamMUIia64.msi and AdamMUIx86.msi files.

Table 1 shows the file packages that are available for download.

File Name            Platform   Download Link        File Size (Bytes)
AdamMUIia64.msi      64-bit     AdamMUIia64.msi      3,574
AdamMUIx86.msi       32-bit     AdamMUIx86.msi       9,880
ADAMredistIA64.exe   64-bit     ADAMredistIA64.exe   10,895
ADAMredistX86.exe    32-bit     ADAMredistX86.exe    8,467
ADAMretailIA64.exe   64-bit     ADAMretailIA64.exe   10,891
ADAMretailX86.exe    32-bit     ADAMretailX86.exe    8,463
Table 1. AD\AM Comes in Six Different Flavors

You can review the information about the individual downloads from the Microsoft AD\AM download site.

This article does not demonstrate redistributing an application and uses the ADAMretailX86.exe version. Ensure that you select the correct version for the OS you are running.

3 comments:

Anonymous says...

Your site, Marek Wawrzyńczyk, I found to be very interesting. When I was searching for Adobe 7.0, yours was the most eye-catching. While working on my site, Adobe 7.0, I have been seeking ways to make it better and found yours to be helpful.

Anonymous says...

Marek Wawrzyńczyk,

I was looking at your blog post about sumit.

You can now place a link to your website on our website for free. See:

http://www.quickregister.net/infowizards

We get over 18,000 visitors per day. Many search under sumit.

We have a special category for sumit in our search engine friendly directory. Your listing will be spidered by the search engines under sumit.

We hope you find this to be a good opportunity for some free advertising.


Good luck,

John,

http://www.quickregister.net
Free Search Engine Submission Service.

Anonymous says...

Hey what's up, just letting you know that someone from C.A. read your blog!

Regards,
Charles
free personal web site hosting