Skip to main content
This guide walks through installing TAMS and configuring the host so the service can serve unlock requests and reach both Active Directory and the TruU cloud.
Complete the Prerequisites & Requirements before starting. In particular, confirm the host OS is supported and the TRUU-HTTPS certificate is installed.

Installation

1

Install the MSI

Run the TAMS MSI installer on the target Windows Server. TAMS installs as a native Windows Service.
2

Assign the service account

Configure the service to run under the dedicated Windows service account that holds the minimum AD permissions. The account needs the Log on as a service right on the local machine.
3

Confirm the TLS certificate

Ensure the TRUU-HTTPS certificate is present in the Windows Certificate Store. Kestrel loads it at startup to serve HTTPS.
4

Apply registry configuration

Set the required values under HKLM\SOFTWARE\TruU\AccountManagement (see below), then start the service.

Registry Configuration

All TAMS configuration is stored in the Windows Registry under:
HKLM\SOFTWARE\TruU\AccountManagement
This includes the listening web server port and other runtime settings. Each instance in a high-availability deployment must be configured with the same registry settings.
Protect the HKLM\SOFTWARE\TruU\AccountManagement registry key with appropriate ACLs to prevent tampering by non-administrative users.

Listening Port

PortProtocolDirectionDescription
WebServerPort (configurable, stored in Registry)HTTPS (TLS)InboundKestrel web server — REST API for account operations

Network Calls

All network communication is outbound from TAMS except for the single inbound REST endpoint consumed by the Windows Authenticator.

Inbound Traffic

DirectionProtocolSourceDestinationPurpose
InboundHTTPSWindows AuthenticatorTAMS (:WebServerPort)Account unlock API requests
If this endpoint is resolved via local DNS only, then for Hybrid or domain-joined systems the device must be connected to the corporate network for the unlock to work.

Outbound Traffic

All outbound HTTP calls use a configurable 20-second request timeout. Identity Server calls use a 10-second cancellation timeout. The Directory Searcher server-side time limit is 10 seconds.
DirectionProtocolDestinationEndpointPurpose
OutboundHTTPSTruU Platform APIDomain lookup at service startup to resolve Identity Server URL
OutboundHTTPSTruU Identity Server (IDS)GET /api/v1/user/infoOAuth token validation for every unlock request
OutboundLDAPActive Directory (RootDSE)LDAP://RootDSEDiscover forest root naming context
OutboundLDAP/GCActive Directory (Global Catalog)GC://<forestRootDn>Forest-wide user lookup by UPN
OutboundLDAPActive Directory (Domain Controller)LDAP://<domainName>Bind to user’s domain to unlock account

Required Firewall Rules (Outbound from TAMS Host)

PortProtocolDestinationPurpose
443HTTPSTruU Platform / Identity ServerDomain lookup & OAuth token validation
389LDAPActive Directory DC(s)Directory queries and account unlock
636LDAPSActive Directory DC(s)LDAP over TLS (if enforced by AD policy)
3268LDAPGlobal Catalog server(s)Forest-wide user search
3269LDAPSGlobal Catalog server(s)Forest-wide user search over TLS
  • The LDAP/GC ports used depend on your Active Directory TLS policy. In hardened environments LDAPS (636/3269) may be required. TAMS uses Windows Integrated Authentication for all LDAP connections; no LDAP credentials are stored in the application.
  • Firewall rules are necessary if internal firewalls block inbound and outbound communication between the domain controller and the TAMS server.

Allowed URLs (TAMS → TruU Cloud)

The following URLs must be allowed from the TAMS server to the TruU cloud:
  • https://global.platform.truu.ai
  • https://[Customer].idp.id.truu.ai — replace [Customer] with your tenant domain.