We have a customer who is interested in deploying the ESSO solution using ADLDS.
They have a couple of queries regarding this:
1. If we are using ADLDS as the ESSO store and AD for authentication, what are the minimum privileges required for the AD service account?
2. Is it necessary for the ESSO controller to run on a domain joined machine? Will it be possible to run the entire ESSO setup with ADLDS on an isolated network with the necessary ports opened to the domain controller?
1. Assuming the customer is just using ESSO, it would only require a basic user that can read AD. No special write permissions are required, so a user with Domain Users access would be fine.
2. The machine does not need to be connected to the domain. As long as ports 3644, 389 (AD) & 55000 (ADLDS) are open and the machine can connect to the domain, this will be enough.
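A way to verify the two prerequisites from the answer before the customer cuts over, as an added example that is not part of the thread or of any ESSO product: it checks TCP reachability of the ports the answer lists (3644, 389, 55000) from the non-domain-joined machine, then binds to AD as the service account and performs a read-only search, which is all the answer says that account needs. It uses the built-in Test-NetConnection cmdlet and the .NET System.DirectoryServices.Protocols classes; the hostnames, the search base and which host owns each port are placeholders you must replace.

```powershell
# Added example (not from the thread). Verifies the prerequisites the answer
# gives: the listed ports are reachable and the AD service account can bind
# and read. All hostnames and the base DN below are placeholders.

$DomainController = 'dc01.corp.example'     # placeholder: AD domain controller
$EssoController   = 'esso01.corp.example'   # placeholder: ESSO controller host
$AdldsHost        = 'adlds01.corp.example'  # placeholder: AD LDS instance host
$BaseDn           = 'DC=corp,DC=example'    # placeholder: AD search base

# Port list taken from the answer: 3644 (ESSO), 389 (AD LDAP), 55000 (AD LDS).
$Endpoints = @(
    @{ Host = $EssoController;   Port = 3644;  Role = 'ESSO controller' },
    @{ Host = $DomainController; Port = 389;   Role = 'AD LDAP' },
    @{ Host = $AdldsHost;        Port = 55000; Role = 'AD LDS LDAP' }
)

function Test-EssoPorts {
    param([array]$Targets)
    foreach ($t in $Targets) {
        # Plain TCP connect; a success only proves the path is open, not that
        # the service on the other end is healthy.
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $t.Role
            Host      = $t.Host
            Port      = $t.Port
            Reachable = $r.TcpTestSucceeded
        }
    }
}

function Test-ReadOnlyBind {
    param(
        [string]$Server,
        [int]$Port,
        [pscredential]$Credential,
        [string]$SearchBase
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    # Off-domain host: explicit credentials are required because there is no
    # machine or logged-on domain context to fall back on.
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $identifier, $Credential.GetNetworkCredential())
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        $conn.Bind()
        # A read is the only operation the answer says the account needs.
        $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $SearchBase,
            '(objectClass=user)',
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('sAMAccountName'))
        $request.SizeLimit = 5
        $response = $conn.SendRequest($request)
        [pscustomobject]@{ Bound = $true;  EntriesRead = $response.Entries.Count; Error = $null }
    } catch {
        [pscustomobject]@{ Bound = $false; EntriesRead = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# --- usage ---
$portReport = Test-EssoPorts -Targets $Endpoints
$portReport | Format-Table -AutoSize

$svc = Get-Credential -Message 'AD service account used by ESSO (read-only)'
$bindReport = Test-ReadOnlyBind -Server $DomainController -Port 389 -Credential $svc -SearchBase $BaseDn
$bindReport | Format-List

if (($portReport | Where-Object { -not $_.Reachable }) -or -not $bindReport.Bound) {
    Write-Warning 'One or more prerequisites from the answer are not met.'
}
```

Run it from the machine that will host the ESSO components. A failed port check points at a firewall rule between the isolated network and the domain controller or AD LDS host; a failed bind with open ports points at the service account (wrong name format, expired password, or missing read rights on the search base). The answer lists plain LDAP on 389; if the domain enforces LDAP signing or the customer wants LDAPS, change the port and set `$conn.SessionOptions.SecureSocketLayer = $true` before binding.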