Adaxes Web Interface Help

Technical Overview

This article gives an architectural overview of Softerra Adaxes and the technical details of its implementation. It is particularly useful to Active Directory administrators and other technical personnel who require a deeper understanding of how Softerra Adaxes functions before using it in their environment.

Architecture Overview

Softerra Adaxes is a distributed application for Microsoft Windows-based environments that consists of a server component (the Adaxes service) and client components. Client and server components interact with one another using the Adaxes ADSI Provider. The ADSI provider connects to Adaxes services via Microsoft .NET Remoting using an encrypted TCP channel. The Adaxes service in turn uses the LDAP protocol to communicate with Active Directory.

Figure 1: Adaxes components

Adaxes Service

Adaxes Service is a server-side component that acts as a proxy between Adaxes clients and the Active Directory environment. When a client is trying to perform an operation, the Adaxes Service checks whether the client has sufficient privileges, adds the information about the operation to the logging database, checks that the operation does not violate the defined enterprise standards, schedules additional operations that should be performed before or after the execution of the requested operation, and checks whether the operation requires an approval. After all these steps, the Adaxes service executes the operation on the target directory server.

All operations in Active Directory are performed using the administrative credentials specified for the Active Directory domains managed by an Adaxes service. The credentials of the user who performs an operation are only used to authenticate this user to the Adaxes service. To determine whether a user is allowed to perform an operation, the Adaxes service checks the permissions delegated to this user by Security Roles.

The service configuration is stored in a dedicated Configuration Storage server based on Microsoft ADAM or Microsoft AD LDS (depending on the OS where the service is installed). The Configuration Storage server is also responsible for the data replication between several Adaxes services that share their configuration.

The logging information is stored in a local SQLite database that is never replicated with other Adaxes services and contains information about operations performed via one Adaxes service only.

The Adaxes system service runs under the account of the default service administrator specified during the service installation. This account has full administrative privileges in the service Configuration Storage server and is used by the service to access and update its configuration.

Service Administration Console

Service Administration Console is a Windows-based administrative tool meant for cross-domain Active Directory management and administration of Adaxes services. Administration Console provides a user-friendly interface for local or remote management of one or several Adaxes services and Active Directory domains managed by these services.

Using Administration Console, administrators of Adaxes services are allowed to register managed domains, create and assign Security Roles, Business Rules and Property Patterns, create Business Units, manage client sessions, configure service settings, etc.

Apart from administration of Adaxes services, the Administration Console provides a wide variety of tools for centralized Active Directory management. The application enables directory administrators to manage user accounts, groups, contacts, OUs, computers and other objects, taking advantage of the automation and streamlining facilities provided by Adaxes services.

Web Interface

Adaxes Web Interface is an ASP.NET-based web application that provides controlled access to the Active Directory resources via a standard web browser. The Web interface enables users to update their own information, change their passwords, search the directory or even perform complex Active Directory administrative tasks provided that the users have sufficient privileges.

Adaxes Web Interface uses Microsoft Internet Information Server (IIS) as the Web server platform. Since Microsoft IIS has a limited number of connections if installed on a workstation, it is highly recommended to install Adaxes Web Interface on the server editions of Windows. Because a single user browsing a web site requires multiple connections, the connection limit on a workstation can be reached even if only two or three persons are using the Web Interface at the same time.

Although other web browsers may also work, Adaxes Web Interface has successfully passed testing on the following browsers:

  • Internet Explorer 7.0 and higher

  • Firefox 2.0 and higher

  • Opera 8.5 or higher

  • Google Chrome

Web Interface requires JavaScript to be enabled on the user's browser.

Adaxes ADSI Provider

The Adaxes ADSI Provider is a common COM-based API for communicating between Adaxes clients and services. The ADSI provider allows using the features of Softerra Adaxes to develop custom functionality that meets specific company needs. ADSI provider can be used by VBScript, JScript, VB, VB.Net, C++, C#, or any other programming language that can interact with COM. All Adaxes client components, including Web Interface and Service Administration Console, also use the ADSI provider to communicate with Adaxes services.

SPML Support

Softerra Adaxes can be integrated into heterogeneous environments with the help of the SPML protocol (SPML 2.0 DSML profile). For this purpose, Adaxes includes SPML Provider, a web service that allows third-party provisioning applications to access Active Directory resources via SPML.

Adaxes SPML Provider (Provisioning Service Point)

Softerra Adaxes SPML Provider is a web service hosted by Internet Information Server (IIS). When SPML Provider receives an SPML request, it uses either the Adaxes ADSI provider or the LDAP ADSI provider to modify and retrieve Active Directory data. When the LDAP ADSI provider is used, Active Directory is accessed directly, bypassing the Adaxes service. In this case, Security Roles, Business Rules, Property Patterns, Logging and other features of Softerra Adaxes are not available.

Figure 2: Adaxes SPML Provider

To authenticate to Active Directory or to the Adaxes service, Adaxes SPML provider uses the integrated IIS authentication. By default, the Windows Integrated Authentication method is used; however, you can change it using the IIS Management Console.

Since Microsoft IIS has a limited number of connections when installed on a workstation, it is highly recommended to install Adaxes SPML Web Service on the server editions of Windows.

For more information on the Adaxes SPML Provider, see Adaxes SPML Provider.
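The request handling described under Adaxes Service, and the direct LDAP path described for the SPML Provider, can be compared side by side in a small conceptual model. This is an added example, not Adaxes code: every class, function and account name in it is hypothetical, the Business Rule scheduling step is left out, and stopping a denied request before it is logged is a modelling choice that follows the order of steps in the text.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    caller: str      # identity authenticated to the service
    operation: str   # e.g. "create_user"
    target: str      # distinguished name of the object
    attrs: dict = field(default_factory=dict)

class BrokerModel:
    """Toy model of the brokered path; all names here are hypothetical."""

    def __init__(self, roles, required_attrs, approval_ops, service_account):
        self.roles = roles                    # caller -> set of allowed operations
        self.required_attrs = required_attrs  # operation -> attributes a pattern requires
        self.approval_ops = approval_ops      # operations that wait for approval
        self.service_account = service_account
        self.log = []        # stand-in for the local logging database
        self.pending = []    # requests waiting for an approver
        self.directory = []  # (identity used, request) pairs that reached AD

    def submit(self, req):
        # 1. Authorisation: permissions delegated to the caller by roles.
        if req.operation not in self.roles.get(req.caller, set()):
            return "denied"
        # 2. Record the operation before anything touches the directory.
        self.log.append((req.caller, req.operation, req.target))
        # 3. Enterprise standards: reject requests that violate the pattern.
        missing = self.required_attrs.get(req.operation, set()) - set(req.attrs)
        if missing:
            return "rejected: missing " + ", ".join(sorted(missing))
        # 4. Approval gate: park the request instead of executing it.
        if req.operation in self.approval_ops:
            self.pending.append(req)
            return "pending approval"
        # 5. Execute with the service's domain credentials, not the caller's.
        self.directory.append((self.service_account, req))
        return "executed"

def direct_ldap_write(directory, req):
    """Direct path (LDAP ADSI provider): none of the five steps above run.
    The directory sees the identity the web service authenticated with,
    modelled here as the caller, and nothing is written to the log."""
    directory.append((req.caller, req))
    return "executed"
```

In the brokered path the directory only ever sees the service account, so the role check in step 1 is the effective access control; in the direct path the permissions set in Active Directory itself are the only control left.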

Service Configuration Replication

To provide fault tolerance and load balancing, Softerra Adaxes allows installation of several Adaxes services that share their configuration. Such services form a logical grouping called a configuration set. Service configuration is shared by means of data replication implemented by the Configuration Storage server. The Configuration Storage server based on Microsoft ADAM/AD LDS uses a type of replication called multimaster replication. The following illustration shows an example of multimaster replication.

Figure 3: Multimaster replication

When the configuration of one service is modified, the configuration of other services in the configuration set becomes inconsistent with the most up-to-date configuration (the configuration of the service where the changes were made). As the changes get replicated through the configuration set, all service configurations become identical once again.

An Adaxes service can be joined to a configuration set only during installation of this service.