HELP FILE

How do I confirm that my custom attribute is listed in my Active Directory?

When setting up Active Directory Federation Services (AD FS) for LastPass Enterprise, it is required that you create a custom attribute field in your Active Directory (both non-production and live environments) and set it as confidential as one of the preliminary steps.

Once your custom attribute has been created and set accordingly, you can confirm that it is listed in your Active Directory as follows:

  1. Log in to your Active Directory server.
  2. Open the Active Directory Users and Computers manager tool.
  3. Go to View and ensure Advanced Features is enabled, or click the Advanced Features menu option to enable it.
  4. In the left navigation, go to Users.
  5. Right-click on a user, then click Properties.
  6. Click the Attribute Editor tab, then confirm that the custom attribute you created is listed in the "Attribute" column (e.g., LastPassK1).

     Note: The name of the custom attribute must be alphanumeric characters only (no special characters or spaces). It is also case-sensitive, and should be recorded exactly as it appears in the Active Directory Attribute Editor.

  7. Record the name of the custom attribute and enter it into a text editor application, which will be used when you set up the Active Directory Federated Login Service with your LastPass Enterprise account.

[Image: Attribute Editor displaying custom attribute]
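The steps above check the attribute by hand in Attribute Editor. The following PowerShell script is an added example, not part of the LastPass help file or the LastPass AD Connector, that performs the same checks from the AD server: it validates the alphanumeric-only naming rule, looks the attribute up in the schema partition, reports the exact casing stored there (the value you should record for the Admin Console), checks that the confidential flag is set, and optionally shows the attribute on one user. It assumes the RSAT ActiveDirectory module is available and that you have read access to the schema; the attribute name is the placeholder LastPassK1 from the text, and the `-SampleUser` parameter is hypothetical.

```powershell
# Added example (not LastPass's code): verify a custom AD attribute the way the
# help file describes, but from PowerShell instead of the Attribute Editor tab.
# Requires the RSAT ActiveDirectory module; run on the AD server or a
# domain-joined admin workstation with rights to read the schema partition.
param(
    [Parameter(Mandatory = $true)]
    [string]$AttributeName,      # placeholder name from the help file: LastPassK1
    [string]$SampleUser = $null  # optional sAMAccountName to inspect one user (assumed parameter)
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Naming rule from the help file: alphanumeric only, no spaces or special characters.
#    Validating first also guarantees the name is safe to interpolate into the LDAP filter below.
if ($AttributeName -notmatch '^[A-Za-z0-9]+$') {
    throw "Attribute name '$AttributeName' contains non-alphanumeric characters."
}

# 2. Look the attribute up in the schema partition by its LDAP display name.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties lDAPDisplayName, searchFlags

if (-not $attr) {
    throw "No attributeSchema object with lDAPDisplayName '$AttributeName' found in $schemaNC."
}

# 3. Report the exact casing stored in the schema. LDAP lookups are case-insensitive,
#    but the LastPass Admin Console expects the name exactly as Attribute Editor shows it,
#    so the schema value is what you should record in your text editor.
$exactName = $attr.lDAPDisplayName
if ($exactName -cne $AttributeName) {
    Write-Warning "Schema stores the name as '$exactName'; record that exact casing, not '$AttributeName'."
}

# 4. Confidential flag: searchFlags bit 0x80 (fCONFIDENTIAL) hides the value from
#    principals that only hold generic Read access on the user object.
$confidentialBit = 0x80
$isConfidential = ($attr.searchFlags -band $confidentialBit) -ne 0
if (-not $isConfidential) {
    Write-Warning "'$exactName' is not marked confidential (searchFlags lacks 0x80)."
}

[pscustomobject]@{
    lDAPDisplayName = $exactName
    searchFlags     = $attr.searchFlags
    IsConfidential  = $isConfidential
}

# 5. Optionally show the attribute on one user, the same view the Attribute Editor tab gives you.
if ($SampleUser) {
    Get-ADUser -Identity $SampleUser -Properties $exactName |
        Select-Object SamAccountName, $exactName
}
```

Run it as `.\Check-CustomAttribute.ps1 -AttributeName LastPassK1 -SampleUser jdoe` (script name and user are illustrative). The output object gives you the schema's own spelling of the attribute, which is the string to paste into the Admin Console in the next section; a warning about the missing 0x80 bit means the attribute was created but the confidential step was skipped.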

Next, make sure that the name of the custom attribute matches the name that you have set in the LastPass Admin Console as follows:

  1. Log in and access the Admin Console at https://lastpass.com/company/#!/dashboard.
  2. Go to Settings > Federated login in the left menu.
  3. Under Configure AD Connector, confirm that the custom attribute name matches exactly as it does in the Attribute Editor tab from Step #6 above.

     Note: The name of the custom attribute must be alphanumeric characters only (no special characters or spaces). It is also case-sensitive, and should be recorded exactly as it appears in the Active Directory Attribute Editor.

WARNING! If the name of the custom attribute in the LastPass Admin Console does not match, you will need to do the following:

  1. Stop the LastPass AD Connector service.
  2. Under Configure AD Connector (in the LastPass Admin Console), update the name of the custom attribute as it appears in your Attribute Editor and click Save.
  3. Go to Users in the left navigation and delete all users that were provisioned as federated users.
  4. Restart the LastPass AD Connector service to provision federated users. This is required.

[Image: Admin Console displaying custom attribute]