When setting up Active Directory Federation Services (AD FS) for LastPass Business, one of the preliminary steps is to create a custom attribute field in your Active Directory (both non-production and live environments) and set it as confidential.
About this task:
Once your custom attribute has been created, do the following:
Confirm that your custom attribute is listed in your Active Directory.
- Log in to your Active Directory server.
- Open the Active Directory Users and Computers manager tool.
- Go to View and ensure Advanced Features is enabled, or click the Advanced Features menu option to enable it.
- In the left navigation, go to Users.
- Right-click on a user, then click Properties.
- Click the Attribute Editor tab, then confirm that the custom attribute you created is listed in the "Attribute" column (e.g., LastPassK1).
Note: The name of the custom attribute must be alphanumeric characters only (no special characters or spaces). It is also case-sensitive, and should be recorded exactly as it appears in the Active Directory Attribute Editor.
- Record the name of the custom attribute in a text editor application; you will need it when you set up the Active Directory Federated Login Service with your LastPass Business account.
Verify the name of the custom attribute matches the name you have set in the LastPass Admin Console.
- Log in and access the Admin Console at https://admin.lastpass.com/.
- Go to .
- Under Configure AD Connector, confirm that the custom attribute name exactly matches the name shown in the Attribute Editor tab from Step #6 above.
Note: The name of the custom attribute must be alphanumeric characters only (no special characters or spaces). It is also case-sensitive, and should be recorded exactly as it appears in the Active Directory Attribute Editor.
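The same checks can be run against the schema directly. This added example (not LastPass tooling) uses the ActiveDirectory PowerShell module to confirm that the attribute exists, that its name matches case-exactly, and that it carries the confidential flag; the function name Test-FederationAttribute and its optional -Server parameter are hypothetical, and LastPassK1 is the page's example name.

```powershell
# Added example: read-only check, requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$CONFIDENTIAL = 0x80  # searchFlags bit that marks a schema attribute as confidential

function Test-FederationAttribute {
    param(
        [Parameter(Mandatory)][string]$Name,   # name as entered in the Admin Console
        [string]$Server                        # optional: DC of the environment to check
    )
    $target = @{}
    if ($Server) { $target.Server = $Server }

    # Name rule from the note: alphanumeric only. Stop here so an invalid
    # name is never placed into the LDAP filter below.
    if ($Name -notmatch '^[A-Za-z0-9]+$') {
        return [pscustomobject]@{ Name = $Name; Ok = $false
            Problem = 'Name contains spaces or special characters.' }
    }

    # LDAP matching ignores case, so find the attribute first and compare
    # the stored lDAPDisplayName case-sensitively afterwards.
    $schemaNC = (Get-ADRootDSE @target).schemaNamingContext
    $attr = Get-ADObject @target -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Name))" `
        -Properties lDAPDisplayName, searchFlags

    if (-not $attr) {
        return [pscustomobject]@{ Name = $Name; Ok = $false
            Problem = 'No attribute with this name exists in the schema.' }
    }
    $problems = @()
    if ($attr.lDAPDisplayName -cne $Name) {
        $problems += "Case mismatch: schema has '$($attr.lDAPDisplayName)'."
    }
    if (([int]$attr.searchFlags -band $CONFIDENTIAL) -eq 0) {
        $problems += 'Attribute is not flagged confidential (searchFlags bit 128).'
    }
    [pscustomobject]@{ Name = $Name; Ok = ($problems.Count -eq 0)
        Problem = ($problems -join ' ') }
}

# 'LastPassK1' is the page's example name; substitute your own.
Test-FederationAttribute -Name 'LastPassK1'
```

Run it once against each environment (non-production and live), passing the name exactly as it is entered under Configure AD Connector.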
Troubleshooting:
If the name of the custom attribute in the Admin Console does not match, you will need to do the following:
- Stop the LastPass AD Connector service.
- Under Configure AD Connector (in the LastPass Admin Console), update the name of the custom attribute as it appears in your Attribute Editor and click Save.
- Go to Users in the left navigation and delete all users that were provisioned as federated users.
- Restart the LastPass AD Connector service to provision federated users. This is required.