Complete the Prerequisites & Requirements before starting. In particular, confirm the host OS is supported and the
TRUU-HTTPS certificate is installed.Installation
Install the MSI
Run the TAMS MSI installer on the target Windows Server. TAMS installs as a native Windows Service.
Assign the service account
Configure the service to run under the dedicated Windows service account that holds the minimum AD permissions. The account needs the Log on as a service right on the local machine.
Confirm the TLS certificate
Ensure the
TRUU-HTTPS certificate is present in the Windows Certificate Store. Kestrel loads it at startup to serve HTTPS.Registry Configuration
All TAMS configuration is stored in the Windows Registry under:Listening Port
| Port | Protocol | Direction | Description |
|---|---|---|---|
| WebServerPort (configurable, stored in Registry) | HTTPS (TLS) | Inbound | Kestrel web server — REST API for account operations |
Network Calls
All network communication is outbound from TAMS except for the single inbound REST endpoint consumed by the Windows Authenticator.Inbound Traffic
| Direction | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| Inbound | HTTPS | Windows Authenticator | TAMS (:WebServerPort) | Account unlock API requests |
If this endpoint is resolved via local DNS only, then for Hybrid or domain-joined systems the device must be connected to the corporate network for the unlock to work.
Outbound Traffic
All outbound HTTP calls use a configurable 20-second request timeout. Identity Server calls use a 10-second cancellation timeout. The Directory Searcher server-side time limit is 10 seconds.| Direction | Protocol | Destination | Endpoint | Purpose |
|---|---|---|---|---|
| Outbound | HTTPS | TruU Platform API | Domain lookup at service startup to resolve Identity Server URL | |
| Outbound | HTTPS | TruU Identity Server (IDS) | GET /api/v1/user/info | OAuth token validation for every unlock request |
| Outbound | LDAP | Active Directory (RootDSE) | LDAP://RootDSE | Discover forest root naming context |
| Outbound | LDAP/GC | Active Directory (Global Catalog) | GC://<forestRootDn> | Forest-wide user lookup by UPN |
| Outbound | LDAP | Active Directory (Domain Controller) | LDAP://<domainName> | Bind to user’s domain to unlock account |
Required Firewall Rules (Outbound from TAMS Host)
| Port | Protocol | Destination | Purpose |
|---|---|---|---|
| 443 | HTTPS | TruU Platform / Identity Server | Domain lookup & OAuth token validation |
| 389 | LDAP | Active Directory DC(s) | Directory queries and account unlock |
| 636 | LDAPS | Active Directory DC(s) | LDAP over TLS (if enforced by AD policy) |
| 3268 | LDAP | Global Catalog server(s) | Forest-wide user search |
| 3269 | LDAPS | Global Catalog server(s) | Forest-wide user search over TLS |
- The LDAP/GC ports used depend on your Active Directory TLS policy. In hardened environments LDAPS (636/3269) may be required. TAMS uses Windows Integrated Authentication for all LDAP connections; no LDAP credentials are stored in the application.
- Firewall rules are necessary if internal firewalls block inbound and outbound communication between the domain controller and the TAMS server.
Allowed URLs (TAMS → TruU Cloud)
The following URLs must be allowed from the TAMS server to the TruU cloud:https://global.platform.truu.aihttps://[Customer].idp.id.truu.ai— replace[Customer]with your tenant domain.

