Starling CertAccess Hosted - Administration Guide for One Identity Active Roles Integration


Minimum system requirements for the Job server

The following system prerequisites must be fulfilled to install the Starling CertAccess Service on a server.

Table 2: Minimum system requirements - Job server

Processor           8 physical cores, 2.5 GHz+
Memory              16 GB RAM
Hard drive storage  40 GB
Operating system    Windows operating systems. The following versions are supported:

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2

  • Windows Server 2012

Additional software

  • Microsoft .NET Framework Version 4.7.2 or later

    NOTE: When connecting the target system, refer to the target system manufacturer's recommendations.

  • One Identity Active Roles Management Shell for Active Directory (x64)

    On 32-bit operating systems, use the Active Roles Management Shell for Active Directory (x86) package.

    For installation instructions, refer to your One Identity Active Roles documentation.

  • The following packages must be subsequently installed from the Active Roles installation medium:

    On 32-bit systems:

    • <source>\Redistributables\vc_redist.x86.exe

    • <source>\Components\ActiveRoles ADSI Provider\ADSI_x86.msi

    On 64-bit systems:

    • <source>\Redistributables\vc_redist.x64.exe

    • <source>\Components\ActiveRoles ADSI Provider\ADSI_x64.msi

Furthermore, connections must be possible from the Job server to the Active Roles server over port 15172. If necessary, set up a firewall rule on the Active Roles server that allows this.

To remotely install the Starling CertAccess Service, you must have an administrative workstation on which the Starling CertAccess Agent components are installed.


Setting up permissions for creating an HTTP server

The log files of the Starling CertAccess Service can be displayed using an HTTP server (http://<server name>:<port number>).

A user needs permission to open an HTTP listener on that URL. The administrator grants this by reserving the URL for the user (a URL ACL), with the following command line call:

netsh http add urlacl url=http://*:<port number>/ user=<domain>\<user name>

If the Starling CertAccess Service has to run under the Network Service's user account (NT Authority\NetworkService), explicit permissions for the internal web service must be granted. This can be run with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

You can check the result with the following command line call:

netsh http show urlacl
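The following PowerShell script is an added example and is not part of the One Identity guide. It wraps the two netsh calls above: it reserves the service URL for the account the Starling CertAccess Service runs as and then verifies the reservation from the output of netsh http show urlacl. The port, listen address and account name are placeholders; the script assumes a domain account rather than the Network Service account.

```powershell
# Added example; not part of the One Identity guide.
# Reserves the HTTP URL of the Starling CertAccess Service for its service account
# and verifies the reservation. All values below are placeholders.
$Port        = 1880                      # default HTTP port of the service (Table 3)
$ListenHost  = '10.0.0.25'               # address the service listens on (placeholder)
$ServiceUser = 'CONTOSO\svc-certaccess'  # account the service runs as (placeholder)

# A host-specific reservation is preferable to http://*:<port>/: the wildcard form
# lets the account bind every hostname on that port, which is more than the service needs.
$Url = "http://${ListenHost}:${Port}/"

# netsh http requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Reserve the URL: listen permission only, no delegation (delegate=no is the netsh default).
$add = & netsh http add urlacl url=$Url user=$ServiceUser listen=yes delegate=no
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add urlacl failed:`n$($add -join "`n")"
}

# Verify: netsh http show urlacl prints the reserved URL together with its user entries.
$show = & netsh http show urlacl url=$Url
if ($show -match [regex]::Escape($ServiceUser)) {
    Write-Output "URL ACL reserved: $Url -> $ServiceUser"
} else {
    throw "No URL ACL for $Url found for $ServiceUser`n$($show -join "`n")"
}
```

netsh refuses to add a reservation for a URL that is already reserved, so to change the account of an existing reservation remove it first with netsh http delete urlacl url=http://<IP address>:<port number>/ and then run the script.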

Communications ports and firewall configuration

Starling CertAccess Agent is made up of several components that can run in different network segments. In addition, Starling CertAccess Agent requires access to various network services, which can also be installed in different network segments. You must open various ports depending on which components and services you want to install behind the firewall.

The following ports are required:

Table 3: Communications ports

Default port  Description
1433          Port for communicating with Starling CertAccess.
1880          Port for the HTTP protocol of the Starling CertAccess Service.
88            Kerberos authentication system (if Kerberos authentication is implemented).
135           Microsoft End Point Mapper (EPMAP) (also, DCE/RPC Locator Service).
137           NetBIOS Name Service.
139           NetBIOS Session Service.
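As an added example that is not part of the One Identity guide, the script below covers the firewall rule for port 15172 described in the Job server requirements and a reachability check for the ports in Table 3. Part (a) runs on the Active Roles server and creates an inbound rule that admits TCP 15172 only from the Job server address; part (b) runs on the Job server and probes each port over TCP. The host names and addresses are placeholders, and mapping Kerberos, EPMAP and NetBIOS to a domain controller and port 1433 to a Starling CertAccess host is an assumption, since the guide lists the ports without naming the peer hosts.

```powershell
# Added example; not part of the One Identity guide.
# (a) On the Active Roles server: allow inbound TCP 15172 only from the Job server.
# (b) On the Job server: TCP reachability checks for the ports the guide lists.
# Host names and addresses are placeholders.
$JobServerIp       = '10.0.0.25'
$ActiveRolesServer = 'ar01.contoso.example'
$DomainController  = 'dc01.contoso.example'        # assumption: Kerberos/EPMAP/NetBIOS peer
$CertAccessHost    = 'certaccess.contoso.example'  # assumption: peer behind port 1433

# --- (a) Active Roles server, elevated session ---
# Scoping the rule to the Job server address keeps the port closed to every other host.
$ruleName = 'Starling CertAccess Agent - Active Roles (TCP 15172)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 15172 -RemoteAddress $JobServerIp -Profile Domain -Action Allow | Out-Null
}
# Show the remote-address scope actually applied to the rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# --- (b) Job server ---
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = "${ComputerName}:$Port"
        Purpose = $Purpose
        TcpOpen = $r.TcpTestSucceeded
    }
}

$checks = @(
    @{ Host = $ActiveRolesServer; Port = 15172; Purpose = 'Active Roles' }
    @{ Host = $CertAccessHost;    Port = 1433;  Purpose = 'Starling CertAccess' }
    @{ Host = $DomainController;  Port = 88;    Purpose = 'Kerberos' }
    @{ Host = $DomainController;  Port = 135;   Purpose = 'EPMAP / RPC locator' }
    @{ Host = $DomainController;  Port = 139;   Purpose = 'NetBIOS session' }
    # 137 (NetBIOS Name Service) is UDP; Test-NetConnection only probes TCP, so it is not listed.
)
$checks | ForEach-Object { Test-TcpPort -ComputerName $_.Host -Port $_.Port -Purpose $_.Purpose } |
    Format-Table -AutoSize
```

Port 1880 is the listener of the Starling CertAccess Service itself and is not probed here; once the service is running, Test-TcpPort -ComputerName localhost -Port 1880 confirms it is listening.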

Starling CertAccess Agent users

Users with the following permissions are used for working with the Starling CertAccess Agent and for synchronizing with Active Roles:

Table 4: Starling CertAccess Agent users
User Entitlements

User for logging into the Starling CertAccess Agent

By default, the user that you used to initially register for One Identity Starling has administrative permissions for Starling CertAccess and the Starling CertAccess Agent. This user can grant other administrative users access to Starling CertAccess.

Users who log in to the Starling CertAccess Launchpad are authenticated with OAuth 2.0.

User account for the Starling CertAccess Service

The user account for the Starling CertAccess Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Log on as a service user right.

The user account requires permissions for the internal web service.

NOTE: If the Starling CertAccess Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the Starling CertAccess Service installation directory in order to automatically update Starling CertAccess Agent.

In the default installation, Starling CertAccess Agent is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)
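The following script is an added example, not part of the One Identity guide. It checks the three prerequisites listed above for the Starling CertAccess Service account: membership in Domain Users, the Log on as a service right, and full access to the installation directory. The account name is a placeholder, the script assumes a domain account (not the Network Service account), and the Domain Users check assumes the ActiveDirectory PowerShell module from RSAT is available on the Job server.

```powershell
# Added example; not part of the One Identity guide.
# Checks the service account prerequisites from Table 4. Placeholders:
$ServiceUser = 'CONTOSO\svc-certaccess'
$InstallDir  = Join-Path $env:ProgramFiles 'One Identity'   # 64-bit default location per the guide

# Resolve the account to its SID once; both the user-rights export and the ACL use SIDs.
$sid = (New-Object Security.Principal.NTAccount($ServiceUser)).Translate(
           [Security.Principal.SecurityIdentifier]).Value

$result = [ordered]@{ Account = $ServiceUser }

# 1. Domain Users membership (ActiveDirectory module from RSAT; assumed to be installed).
$sam = $ServiceUser.Split('\')[-1]
$groupNames = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$result['DomainUsers'] = $groupNames -contains 'Domain Users'

# 2. "Log on as a service" (SeServiceLogonRight) in the local security policy; secedit lists SIDs.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $inf -ErrorAction SilentlyContinue
$result['LogOnAsService'] = [bool]($rightLine -and $rightLine -match [regex]::Escape($sid))

# 3. Full Control on the installation directory (direct ACEs only; rights the account
#    receives through a group it belongs to are not detected by this check).
$full = [Security.AccessControl.FileSystemRights]::FullControl
$aces = (Get-Acl -Path $InstallDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq $sid -and
    ($_.FileSystemRights -band $full) -eq $full
}
$result['FullControlOnInstallDir'] = [bool]$aces

[pscustomobject]$result
```

Run it in an elevated session on the Job server; secedit needs administrative rights to export the local policy. A false value in any column names the prerequisite that still has to be granted before the service is installed.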
