
admin source with AD global catalog

Question asked by Armin Kraus on Dec 6, 2017
Latest reply on Dec 6, 2017 by Edward Davis

I have many domains with many DCs and want to use this as an external source for searching users and assigning tokens.

The best solution would be to use the global catalog.


I found the following information about admin sources.


In Active Directory, identity sources that are not Global Catalogs are used for administrative operations. Basically this Presentation has been discussing Administrative Identity Sources so far. When you assign tokens, enable ODA or RBA within Authentication Manager, you are using an Administrative Identity Source.
An Admin Identity Source is required. If you do not have a Global Catalog Identity Source, then AM will also use the Admin Identity Source when users log in to authenticate with SecurID.
If you want to administer Active Directory domain users in Authentication Manager, you must add an identity source for each domain that contains users who will authenticate with Authentication Manager.
For example, if an Active Directory forest has three domains and one Global Catalog, and you want to authenticate users in two of the domains, you must add an identity source for each of the two domains.


If you have an Active Directory forest, and you configure multiple identity sources within it, you can optionally configure an Active Directory Global Catalog as an identity source that the other Active Directory identity sources can use for finding and authenticating users, and resolving group membership within the forest.
You must create the Admin Identity Source(s) first.


The GC is searched only during Authentication


When using the AM Security console to do Administration work on a User, you would be using an Admin Source Identity Source. Optionally you can add a Global Catalog, which is only used to speed up Authentication lookups when users log in with SecurID. If you do not have a Global Catalog, authentications are done against the Admin source external Identity Source.

So is it not possible to search users and assign tokens with the global catalog? There is a limit of 30 admin identity stores, right? What is the solution for more than 30 identity stores?