
Starling CertAccess Hosted - Administration Guide for One Identity Active Roles Integration


Setting up permissions for creating an HTTP server

The log files of the Starling CertAccess Service can be displayed using an HTTP server (http://<server name>:<port number>).

The user account that runs the service requires permission to open an HTTP listener. To grant it, an administrator reserves the URL (a URL ACL) for that user with the following command line call:

netsh http add urlacl url=http://*:<port number>/ user=<domain>\<user name>

If the Starling CertAccess Service has to run under the Network Service's user account (NT Authority\NetworkService), explicit permissions for the internal web service must be granted. This can be run with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

You can check the result with the following command line call:

netsh http show urlacl
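The following PowerShell script is an added example, not part of the One Identity guide: it parses the output of the `netsh http show urlacl` check above, lists which accounts hold a reservation for the service's HTTP port, and warns when the reservation uses a wildcard host (`*` or `+`) instead of a specific IP address. Port 1880 is the guide's default; the expected account name is an assumed placeholder.

```powershell
# Added example (not from the One Identity guide): audit the URL ACL
# reservations that cover the Starling CertAccess Service HTTP port.
# Assumptions: 1880 is the default port from the guide; $ExpectedUser is a
# placeholder for the account the service actually runs under.
param(
    [int]$Port = 1880,
    [string]$ExpectedUser = 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-UrlAclEntries {
    # Parse "netsh http show urlacl" into objects, one per reserved URL,
    # collecting every account that was granted the reservation.
    # Caveat: netsh prints localized labels on non-English Windows, so the
    # "Reserved URL" / "User:" patterns below match English output only.
    $entries = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Keep only reservations whose port matches the service port.
$matching = Get-UrlAclEntries | Where-Object { $_.Url -match "^https?://[^/]+:$Port/" }

if (-not $matching) {
    Write-Warning "No URL reservation found for port $Port; the service cannot open its HTTP listener."
    exit 1
}

foreach ($entry in $matching) {
    $null = $entry.Url -match '^https?://([^/:]+):'
    $hostPart = $Matches[1]
    Write-Output "Reservation $($entry.Url) granted to: $($entry.Users -join ', ')"
    if ($hostPart -eq '*' -or $hostPart -eq '+') {
        # A wildcard host lets the account listen on every address of the machine;
        # the guide narrows this to the server's IP address for the Network Service account.
        Write-Warning "Wildcard host '$hostPart' in $($entry.Url); consider reserving the server's IP address instead."
    }
    if ($entry.Users -notcontains $ExpectedUser) {
        Write-Warning "Expected account '$ExpectedUser' does not hold the reservation $($entry.Url)."
    }
}
```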

Communications ports and firewall configuration

Starling CertAccess Agent is made up of several components that can run in different network segments. In addition, Starling CertAccess Agent requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall.

The following ports are required:

Table 3: Communications ports

Default port   Description
1433           Port for communicating with Starling CertAccess.
1880           Port for the HTTP protocol of Starling CertAccess Service.
88             Kerberos authentication system (if Kerberos authentication is implemented).
135            Microsoft End Point Mapper (EPMAP) (also, DCE/RPC Locator Service).
137            NetBIOS Name Service.
139            NetBIOS Session Service.

Starling CertAccess Agent users

Users with the following permissions are used for working with the Starling CertAccess Agent and for synchronizing with Active Roles:

Table 4: Starling CertAccess Agent users

User: User for logging into the Starling CertAccess Agent

Entitlements:

By default, the user that you used to initially register for One Identity Starling has administrative permissions for Starling CertAccess and the Starling CertAccess Agent. This user can grant other administrative users access to Starling CertAccess.

Users that log in to the Starling CertAccess Launchpad are authenticated with OAuth 2.0.

User: User account for the Starling CertAccess Service

Entitlements:

The user account for the Starling CertAccess Service requires user permissions to carry out operations at file level (adding and editing directories and files).

  • The user account must belong to the Domain Users group.

  • The user account must have the Log on as a service extended user right.

  • The user account requires permissions for the internal web service.

    NOTE: If the Starling CertAccess Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

    netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

  • The user account needs full access to the Starling CertAccess Service installation directory in order to automatically update Starling CertAccess Agent. In the default installation, Starling CertAccess Agent is installed under:

    • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

    • %ProgramFiles%\One Identity (on 64-bit operating systems)

Permissions required for synchronizing with One Identity Active Roles

It is recommended to set up a separate user account for connecting to Active Directory through Active Roles. Use Active Roles Access Templates for the configuration. By using access templates, you delegate administration-relevant permissions to an Active Directory user account without issuing the permissions directly in Active Directory. For more information about Active Roles Access Templates, see your One Identity Active Roles documentation.

The following Access Templates are suggested for delegating permissions:

  • All Objects - Read All Properties

  • All Objects - Full Control

Starling CertAccess Agent does not control Active Roles workflows. To bypass any existing Active Roles workflows, you must add the user account to the Active Roles administrators group.

  • Up to and including Active Roles version 6.9, the administrative group is created during installation of Active Roles. The name of the group is saved in the registry under:

    • Registry key: HKEY_Local_Machine\Software\Aelita\Enterprise Directory Manager

    • Value: DSAdministrators

  • As from Active Roles version 7.0, you edit the Active Roles Admins in the Active Roles Configuration Center. If a user account is entered in the Active Roles Configuration Center as an Active Roles Admin, this user account must be used. For more information about editing the group or the user account for administrative access, see your One Identity Active Roles documentation.
