(2019-02-08) Troubleshooting HTTPS/LDAPS

My ADFS environment has an attribute store configured to an ADLDS and for that I used the “ldapattributestore” that still is available in the codeplex archives (https://archive.codeplex.com/?p=ldapattributestore). Because that ADLDS instance was running on a DC with ADDS, I configured the ADLDS instance to use port 5389 for LDAP and port 5636 for LDAPS. The “connection" string” for that LDAP Attribute Store was configured to use a secure connection (i.e. LDAPS) over port 5636. As I was checking functionality of my test environment I also tested this part by targeting the “Show My Claims” app (https://jorgequestforknowledge.wordpress.com/2015/07/04/displaying-the-issued-claims-in-a-security-token-on-screen/) that dives into that LDAP Attribute Store and displays specific claims on screen.

As I did not use my test environment for some time, several certs were expired and needed replacement. I opened the Local Machine certificate store and replaced every certificate that was expired or was going to expire soon with a new certificate using the exact same subject and SANs. After updating all certificates I started configuring and testing every single application using a certificate. So as you can imagine at some point in time I ended up with ADFS, the Show My Claims web site and with that the LDAPS attribute.

As an initial test I accessed the Show My Claims web site and due to the Issuance Transform Rules ADFS needed to dive into the ADLDS attribute store to source claims being displayed on screen. Unfortunately that failed. Looking at the ADFS Admin Event Log, ADFS was having issues accessing the Attribute Store. Those issues were related to the usage of LDAPS.

In that case I needed to start the basic testing of LDAPS through the good old LDP and see what was going on.

–

So after starting LDP and entered the FQDN of the ADLDS instance and its configured LDAPS port   

Figure 1: Starting LDP And Connecting To The ADLDS Instance Using The FQDN, The LDAPS Port

–

After clicking OK I was not surprised about the error “cannot open connection”. The more interesting question was “WHY?”

Figure 2: Error When Connecting To The ADLDS Instance

–

For this ADLDS instance I had a certificate with a subject and SAN that contained “IDSTORE.IAMTEC.NL”. I also permissioned the corresponding private key with the service account being used by the ADLDS instance. So far so good, but even with that it did not work. That’s when I decided to check all the requirements of a certificate to be used for LDAPS and used the following Microsoft article:

• How to enable LDAP over SSL with a third-party certification authority

–

The certificate that I was using fulfilled all requirements and with that in mind it was time to enable debug logging for SCHANNEL when using HTTPS or LDAPS:

• How to enable Schannel event logging in IIS

–

To make sure I was not missing any information, I configured the following for debug logging of SCHANNEL:

• 0x0001 Log error messages
• 0x0002 Log warnings
• 0x0004 Log informational and success events

–

After enabling debug logging for SCHANNEL I tried it again with LDP and in the SYSTEM Event Log I saw the following error.   

Figure 3: Error When Accessing The Private Key

–

A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

–

I reconfirmed the certificate for IDSTORE.IAMTEC.NL had its private key configured for the service account in use by the ADLDS instance. It still did nit work

–

I also saw the following event in the SYSTEM Event Log

Figure 4: The Private Key Being Used By The ADLDS Instance

–

The TLS server credential’s private key has the following properties:

   CSP name: Microsoft RSA SChannel Cryptographic Provider
   CSP type: 12
   Key name: d40c17eadd0fb4c1e33541e54ebf55b1_c9c5687f-fc0b-4765-bc6d-2435ba59e1b2
   Key Type: key exchange
    Key Flags: 0x20

The attached data contains the certificate.

–

The event shown above mentioned the private key being used by the the ADLDS instance, but it still did not mention which certificate was being used. Switching to the details TAB, it told me more about the corresponding certificate that was being used. Going through the data I noticed it contained the SANs “*.IAMTEC.NET” and “*.IAMTEC.NL”. That was surprising to me as the certificate that envisioned for the ADLDS only contained “IDSTORE.IAMTEC.NL” as subject and as SAN.

Figure 5: The Certificate Data That Belong To The Private Key

–

After seeing this I remembered the following listed in the first MSFT article:

Multiple SSL certificates

Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate

–

What I never realized was that my wildcard certificate was going to be used first before even considering the usage of the certificate that contained the more specific subject and SAN.

As displayed below I permissioned the private key that belonged to the wildcard certificate ….

Figure 6: Permissioning The Private Key Of The Wildcard Certificate

–

Retried my test with LDP as shown below….

Figure 7: Retrying The LDAPS Test With DP

–

….and now it worked. You can see at the top it is connecting securely through LDAPS and that it is using a cipher strength of 256 bits

–

After this I check the LDAP Attribute Store configuration to make sure everything was configured correctly. And it was. Retrying accessing the Show My Claims site I was able to the claims that were sourced from the ADLDS instance

Check!

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2018-10-11) Configuring A New Identity Store As A Local Claims Provider In ADFS

In ADFS v1.0 and ADFS v1.1 it was possible to use both AD and ADLDS/ADAM as an identity store. One of the very common scenarios is to use the AD identity store for internal users and use the ADLDS/ADAM identity store for external users (e.g. partners, customers, vendors, etc.). After ADFS v1.x Microsoft released ADFS v2.0 (separate download for W2K8 and W2K8R2), ADFS v2.1 in W2K12 and ADFS v3.0 in W2K12R2. All the ADFS versions starting with ADFS v2.0 and higher only supported AD as the identity store and nothing else. That could be one of the reasons why some companies remained using ADFS v1.1 and did not move one.

If you would like to support a similar scenario, where you would like to have a separate identity store for externals, you would need to:

1. Configure a separate AD with its own ADFS infrastructure and configure federation between (also see: (2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens)
   OR
2. Use Azure AD to store those identities and configure federation

–

The biggest advantage of using [2] instead of [1] is that you do not need a complete new infrastructure just to support externals. The basic Azure AD features are free, but as soon as you need something special from the Azure AD Premium list, you need to pay licensing.

–

With the release of the Windows Server 2016, a third option has become available as already mentioned in the blog post (2014-10-03) ADFS In vNext To Support Other Identity Stores Than AD Only. YES! YES! YES! Finally!

–

For the passive federation protocols (e.g. SAML, WS-Federation and Oauth) and the active federation protocols (e.g. WS-Trust), ADFS v4.0 (ADFS in Windows Server 2016) and higher will support the following identity stores:

• Identity Stores As Claim Providers:◦Active Directory (Trusted AD forests)
• Identity Stores As Local Claim Providers:◦Active Directory (NON-Trusted AD forests)
• ADLDS/ADAM
• Apache DS
• IBM Tivoli DS
• Novell DS
• Open LDAP
• Open DJ
• Open DS
• Radiant Logic Virtual DS
• Sun ONE v6, v7, v11

–

The local claims providers can only be configured through PowerShell and authentication through ADFS against those local claims providers can only be done by using forms-based authentication. One last thing to note is that you can only configure local claims providers when the Farm Behavior/Level is higher than Win2012R2. Also see: (2014-10-12) Migrating Or Upgrading To A New ADFS Version.

–

For more information also see:

• https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories
• https://docs.microsoft.com/en-us/powershell/module/adfs/add-adfslocalclaimsprovidertrust

–

I have the following Identity (ID) Store:

• Type: ADLDS (LDAP)
• Node Server (1): R1FSRWDC1.IAMTEC.NET

• LDAP Port: 5389
• LDAPS Port: 5636

• Node Server (2): R1FSRWDC2.IAMTEC.NET

• LDAP Port: 5389
• LDAPS Port: 5636

• Account UserName For ADFS To Access data In The IDStore: SVC_R1_LDAPQuery@CORP

–

# Define The Credentials For ADFS To Use When Connecting To The ID Store

$idStoreAccountUserName = ‘SVC_R1_LDAPQuery@CORP’

$idStoreAccountPassword = ‘pwd’ | ConvertTo-SecureString -asPlainText -Force

$idStoreAccountCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $idStoreAccountUserName,$idStoreAccountPassword

–

# Define All The Server Instances Hosting The Identity Store

$idStoreInstance1 = New-AdfsLdapServerConnection -HostName R1FSRWDC1.IAMTEC.NET -Port 5389 -SslMode None -Credential $idStoreAccountCreds -AuthenticationMethod Basic

$idStoreInstance2 = New-AdfsLdapServerConnection -HostName R1FSRWDC2.IAMTEC.NET -Port 5389 -SslMode None -Credential $idStoreAccountCreds -AuthenticationMethod Basic

PS: If you have a load balanced ADLDS farm than you would only need to define one connection instance as the load balancer would figure out which node to use. For more information about load balancing ADLDS please see: https://www.itprotoday.com/management-mobility/load-balance-ad-lds-microsoft-nlb-6-steps. If you do not have a load balanced ADLDS farm you need to define all connection instances so that ADFS can figure out which one to use. In the connection above I’m using the custom LDAP port (5389) configured by me. I did this as I was too lazy for this post to get an SSL certificate for LDAPS. For production systems I do suggest you use LDAPS!. For more information please see: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725767(v=ws.10)

–

# Define All The Attribute-To-ClaimType Mappings For Which You Want ADFS To Automatically Retrieve From The ID Store

# (These are the attributes and their values, if any, automatically retrieved from the ID store and stored in claims, whether or not these are issued later on in a security token)

$mappingGivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

$mappingSurname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

$mappingDisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"

$mappingEmployeeID = New-AdfsLdapAttributeToClaimMapping -LdapAttribute employeeID -ClaimType "http://temp.org/identity/claims/employeeID"

$mappingDescription = New-AdfsLdapAttributeToClaimMapping -LdapAttribute description -ClaimType "http://temp.org/identity/claims/description"

–

# Create The Local Claims Provider Trust To Appear In The HRD Screen Through A List Of Claims Providers

Add-AdfsLocalClaimsProviderTrust -Name "External ID Store" -Identifier "urn:adlds:external:idstore" -Type Ldap -LdapServerConnection @($idStoreInstance1,$idStoreInstance2) -UserObjectClass user -UserContainer "OU=People,O=CORP" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute userPrincipalName -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($mappingGivenName, $mappingSurname, $mappingDisplayName, $mappingEmployeeID, $mappingDescription) -Enabled $true -AcceptanceTransformRules "@RuleName = `"Issue All Mapped Claims`"`nc:[] => issue(claim = c);"

OR

# Create The Local Claims Provider Trust To Appear In The HRD Screen Through UPN Suffix

Add-AdfsLocalClaimsProviderTrust -Name "External ID Store" -Identifier "urn:adlds:external:idstore" -Type Ldap -LdapServerConnection @($idStoreInstance1,$idStoreInstance2) -UserObjectClass user -UserContainer "OU=People,O=CORP" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute userPrincipalName -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($mappingGivenName, $mappingSurname, $mappingDisplayName, $mappingEmployeeID, $mappingDescription) -Enabled $true -AcceptanceTransformRules "@RuleName = `"Issue All Mapped Claims`"`nc:[] => issue(claim = c);"

–

Now when running either of the “Add-AdfsLocalClaimsProviderTrust” CMDlets you may see the following error at the end. It is really vague and does not tell you anything about what is really wrong. At first I thought something was wrong with the database.

Figure 1: Creating The Local Claims Provider Trust Fails With An Error

–

When things go wrong, the first thing I look at is the event log of the specific application/system. In this case it was the ADFS Admin Event Log. It did not say anything about this error. Knowing that I thought it would took me hours to figure this out. Au contraire!. Looking at the ADFS Debug Event Log, I saw the following message. It was referencing the Certificate Sharing Container.

Figure 2: Error Message In The ADFS Debug Event Log

–

An error occurred while trying to add an object:
Message: MSIS0013: Encrypted property ‘AccountStoreData’ cannot be set when a certificate sharing container is not configured in AD FS properties.

–

It was a weird error, because my ADFS farm is NOT using automatic certificate rollover and therefore it does not need the Certificate Sharing Container. You can see in the figure below that is the case. My farm is using CA issued certificates for the Token Signing Certificate and the Token Encryption Certificate.

Figure 3: Certificate Rollover NOT Being Enabled And The Certificate Sharing Container Not Being Configured

–

The Certificate Sharing Container is related to ADFS using ADFS Managed Self-Signed Certificates for the Token Signing Certificate and the Token Encryption Certificate. When the “AutoCertificateRollover” is set to TRUE, the “CertificateSharingContainer” property MUST specify the DN of the Certificate Sharing Container in AD. The ADFS servers and the Certificate Sharing Container must be in the same AD domain. When the “AutoCertificateRollover” is set to FALSE, the “CertificateSharingContainer” property CAN have a DN specified but in that case it is not being and can be removed if needed (but only when you are not going to use it in the future!).

–

Well, because the error was mentioning the Certificate Sharing Container and I did not have a Certificate Sharing Container, I decided to create one. When doing so you need to specify the service account in use by ADFS. I did that by reading the account from the ADFS service. Please be aware that by configuring the Certificate Sharing Container in ADFS, it will also be created in AD. Because of that you need to have Domain Admin equivalent permissions to be able to successfully do this!

$adfsService = Get-WmiObject win32_service -filter "name=’ADFSSRV’"
$adfsServiceAccount = $adfsService.StartName
Set-AdfsCertSharingContainer -ServiceAccount $adfsServiceAccount

Figure 4: Configuring The Certificate Sharing Container For ADFS

–

Now looking at the ADFS properties you can see the Certificate Sharing Container is configured in ADFS.

Figure 5: The Certificate Sharing Container Being Configured For ADFS

–

Before the configuration in ADFS you can see AD did not have a Certificate Sharing Container.

Figure 6: The AD Domain The ADFS Servers Are In With NO Certificate Sharing Container

–

After the configuration in ADFS you can see AD now does have a Certificate Sharing Container.

Figure 7: The AD Domain The ADFS Servers Are In With Certificate Sharing Container

–

Now when running either of the “Add-AdfsLocalClaimsProviderTrust” CMDlets above succeeds!

Figure 8: Creating The Local Claims Provider Trust Now Succeeds

–

Below you can see the properties of the Local Claims Provider trust that was created.

Figure 9: The Configuration Of The Local Claims Provider Trust That Was Just Created

–

And now you also see the local Claims Provider Trust is displayed and therefore available in the HRD page in ADFS.

Figure 10: The HRD Page In ADFS Showing The Newly Created Local Claims Provider Trust

–

Choosing the IdP “External ID Store” and logging on with an account from the ADLDS based ID Store through Forms Based Authentication, show amongst others the claims as displayed in the figure below.

Figure 11: My Show My Claims Application Displaying The Claims That Were Retrieved From The ID Store Based Upon ADLDS

–

You can see the values for the following claims that were configured above:

• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
• http://temp.org/identity/claims/displayName
• http://temp.org/identity/claims/employeeID
• http://temp.org/identity/claims/description

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2016-11-16) New Replica Of ADLDS Fails When Functional Level Is Too High (Error 0x80072177)

On one of my DCs I also have one instance of ADLDS running. As I have a second DC running, I wanted to also install an ADLDS replica instance of the configuration set running on the first DC. The servers are running W2K12R2 and the FFL of the configuration set is W2K12R2 (level 6).

–

I used a scripted installation of the replica instance and it ended up with the following error

Figure 1: Error Message About The Level Of The Operating System Not Matching The Level Of The Configuration Set

–

To see if there would be any different or additional information I tried the manual setup, but it ended with the following error

Figure 2: Error Message About The Level Of The Operating System Not Matching The Level Of The Configuration Set

–

Looking at the error it might even look like a permission error as it mentions not being able to create the NTDS Settings object. However, when you look at the ADLDS Instance Event Log of the existing ADLDS instance that is being used as the replication source, you will see that apparently the new ADLDS replica instance running W2K12R2 presents itself as a W2K8R2 server (level 4).

Figure 3: Error About OS Level Not Matching The Required Level Of The Configuration Set

–

This looks like a bug!

–

The solution (make sure to provide the ADLDS host and Ldap port!):

• View the current level of the Configuration Set

Get-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -SearchBase $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -SearchScope Base -Filter * -Properties "msDS-Behavior-Version" | FL

• Lower the Configuration Set Level to level 4

Set-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -Identity $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -Replace @{"msDS-Behavior-Version"=4}

• Add the new replica instance

Figure 4: Installing The New ADLDS Replica Instance While The Level Is Set To 4

–

• If you try to increase the Configuration Set Level to level 6 again, you will see….

Set-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -Identity $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -Replace @{"msDS-Behavior-Version"=6}

Figure 5: Error When Trying To Increase The Level Again After Installing The New ADLDS Replica Instance

–

UPDATE 2016-12-03: This issue does not exist in Windows Server 2016 where you will be able to increase the configuration set level to level 7

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2015-10-07) Realistic Random Data Set To Import Into Some Identity Store

Have you ever required to have a large and realistic random data set to test your application or system in some way? Well, look no further!

–

With testing, “performance/volume testing” and/or “logic testing” (either declarative or coded, against small and large data sets) is meant. Testing with correctly defined (custom) data is required to make sure the application/system behaves as you require it to behave. By using fake data you are sure you do not get into trouble due to privacy or security related issues. You also do not have to beg for and jump through all kinds of hoops to get the data. Depending, on your organization, you may also need to have a data set that includes special characters (e.g. apostrophes) and/or very special characters (e.g. unicode characters from other languages)

–

Most likely, there are more websites out there, but the following 2 websites can help you out in different scenarios:

1. https://www.mockaroo.com/
2. http://www.fakenamegenerator.com/order.php

–

[1] Mockaroo – Realistics Data Generator

This website allows you to use your own defined schema. You can do that by selecting/defining the field names and field types or by importing the field headers of some CSV file you have. After importing the CSV headers, you still need to define the field types. When done, you can preview the data or download it right away. The data can be downloaded in different formats, such as, but not limited to, CSV format. The only downsides are the limited number of objects (max. 1000) and that it only supports western characters for names. If you need more data, you need to pay a fee per year.

Figure 1: The Interface Of The Mockaroo Website To Define The Required Schema

–

[2] Fake Name Generator

However, if you do not have a strict schema, you want up to 50.000 objects and you also require non-western characters for names (e.g. japanese, chinese, arabic, etc.), then you might be interesting in using this website. You can generate data for a single object, or you can bulk generate (order for free!) a very large amount of data up to 50.000 objects. If you need more objects, you just request it multiple times.

First you need to select the format and compression type. Secondly you need to select the name set(s), countries, gender and age of that objects.

Figure 2a: The Interface Of The Fake Name Generator Website To Define The Configuration For The Data Set

–

And last but not least, you need to select the required fields you want to include in the data set, define the required number of objects and the e-mail address where the bulk order is e-mailed to.

Figure 2b: The Interface Of The Fake Name Generator Website To Define The Configuration For The Data Set

–

Every request file is made available after a few minutes and when done you will receive an e-mail with a time-limited link.

–

After receiving the data set you can import it, by first writing your own PowerShell script, into ADDS, ADLDS, Azure AD, FIM Portal/Sync, SQL database or anything similar

–

Have fun!

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2012-03-27) Active Directory Lightweight Directory Services (ADLDS) On Windows “8”

Active Directory Lightweight Directory Services (ADLDS), or a.k.a. Active Directory Application Mode (ADAM), (you can find its logo here ) by default is available on the server OS as a Server Role.

Figure 1: The “Active Directory Lightweight Directory Services” On Windows Server “8” Beta As A Server Role

–

However, on the client OS, for Windows XP you needed to download it separately, for Windows Vista there was no ADLDS available and for Windows 7 you also had to download it separately. For Windows Client “8” Consumer Preview, there is not need to download anything separately as it is by default available as a Windows Feature. YES!!!!

Figure 2: The “Active Directory Lightweight Directory Services” On Windows Client “8” Consumer Preview As A Windows Feature

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2010-01-11) ADLDS (ADAM) For Windows 7

In previous client versions of Windows, ADLDS (a.k.a. ADAM) was available for WXP. IN addition to that it was available in every server version of Windows (W2K3, W2K3R2, W2K8 and W2K8R2). There was no official version for Vista, but if I remember correctly (not sure though) it was possible to get the separate download working with some hacks.

However, since yesterday, Microsoft has provided a version of ADLDS for Windows 7. Now everybody with interest to have a lean and mean directory service on his desktop to test or develop software can do it on his desktop without the need to have a server OS.

Get it here!

….and for its logo, see here. J

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2009-04-16) ADLDS (ADAM) On Windows Client

At the moment you have ADLDS, a.k.a. ADAM, only on the server platform starting from Windows Server 2003 R2 and up. For both Windows Server 2003 RTM and Windows XP Professional you can download an out-of-band version of ADAM. Unfortunately there is no ADAM for Windows Vista or Windows 7. Developers, and others, using the last two are out of luck. But wait! That’s gonna change. Microsoft will release an out-of-band version of ADLDS for BOTH Windows Vista and Windows 7. Yes people, it’s going to happen, you just need to be a little more patient!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————