> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# TAMS Overview

> What the TruU Account Management Service (TAMS) is, how it is architected, and how it fits into your environment.

The **TruU Account Management Service (TAMS)** is a Windows Service installed in your on-premises environment. It exposes a lightweight HTTPS REST API that allows the TruU Windows Authenticator to trigger Active Directory (AD) account operations — currently, unlocking a locked-out user account.

TAMS acts as a secure bridge between the TruU platform and your Active Directory infrastructure. All account operations run under a dedicated Windows service account, and no AD credentials are ever stored in the application.

<Note>
  TAMS does not connect to any password store or hold AD credentials. It performs AD operations using the Windows service account identity it runs as, and it trusts the TruU Identity Server as the authoritative source of user identity.
</Note>

## Architecture

### Component Overview

A TAMS deployment is made up of the following logical components:

* **Web server** — hosts the REST API (ASP.NET Core) that the Windows Authenticator calls to request an account unlock.
* **Token validation layer** — validates the OAuth2 Bearer token on every request against the TruU Identity Server.
* **Active Directory integration layer** — locates the user by UPN and performs the unlock via `System.DirectoryServices` and `System.DirectoryServices.AccountManagement`.
* **Configuration store** — settings are read from the Windows Registry under `HKLM\SOFTWARE\TruU\AccountManagement`.
* **Observability** — health checks, structured logging (NLog), and event reporting (Sentry).

### Deployment Model

* Installed as a native Windows Service via an MSI installer.
* Runs on a Windows Server joined to, or with access to, your Active Directory domain/forest.
* Configuration is stored in the Windows Registry under `HKLM\SOFTWARE\TruU\AccountManagement`.
* The service process identity is a Windows service account with the minimum AD permissions required.
* Compiled for **x64 only** — ARM64 and x86 hosts are not supported.

<Info>
  TAMS is stateless — no session or in-memory state is shared between instances. This makes it straightforward to run multiple instances for high availability. See [High Availability & Load Balancing](/docs/tams-high-availability).
</Info>

<img src="https://mintcdn.com/truu-2/oUVNMOp0X8IEcmRy/images/image-(9)-1.png?fit=max&auto=format&n=oUVNMOp0X8IEcmRy&q=85&s=0f7eeddb78befc5d9edcd278a2d66c38" alt="Image (9) 1" style={{ width:"66%" }} width="2314" height="1380" data-path="images/image-(9)-1.png" />

## Technology Stack

| Component      | Technology                                                            |
| -------------- | --------------------------------------------------------------------- |
| Runtime        | .NET 10 (Windows)                                                     |
| Web server     | ASP.NET Core on Kestrel                                               |
| AD integration | System.DirectoryServices & System.DirectoryServices.AccountManagement |
| Installer      | WiX Toolset (MSI)                                                     |
| Monitoring     | Sentry, NLog                                                          |
| Configuration  | Windows Registry                                                      |
