01-10-2019 01:54 PM
Hi,
Does anyone have an idea on the minimal AD permissions needed by OnBase's impersonation account? We currently have it set to Domain Admin, which I find odd as I thought it was only used to read the AD. Is it also used for any other roles?
Sorry I'm not too familiar with the product, but from my understanding we are running OnBase 13 deployed via Unity Client deployed via ClickOnce. Users also get auto logged in (possibly single sign on).
Thanks,
Edwin
01-10-2019 02:02 PM
Hi Edwin.
The answer partially requires knowing how you are using the software, but I agree that Domain Admin is overkill. Typically the impersonation account being used by the Application Server would require READ/WRITE access to the share/folder hosting the Disk Groups and then READ access to users and user groups who are authenticating into OnBase when configured for Single Sign On authentication with Active Directory.
Best wishes.
01-10-2019 02:07 PM
The Application Server MRG recommends the following reading:
• For full details on custom service account configuration, see the Microsoft article “How To: Create a Service Account for ASP.NET”:
https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff649309(v=pandp.10)
• For file and folder permissions required with .NET 4.x, see the ACL Technology Overview:
https://docs.microsoft.com/en-us/previous-versions/ms229742(v=vs.110)
• See also the article on ASP.NET Required Access Control Lists (ACLs):
https://docs.microsoft.com/en-us/previous-versions/kwzs111e(v=vs.140)
01-10-2019 03:57 PM
Thanks Adam, that is what I suspected. In that case, we should be good to grant READ/WRITE access to the OnBase shares and simple Domain User level permission to READ AD groups?
11-29-2022 08:38 AM
Yes, we run this with an impersonation user who's only in the Domain Users group. You definitely don't want to grant this user Domain Admin. Just need to grant the impersonation user or the IIS_IUSRS read/write to the disk group folders.
We did need to grant the impersonation user Read permissions to HKEY_USERS\S-1-5-20\Software\Microsoft\Avalon.Graphics. This is the NetworkService SID as our AppPool runs as NetworkService. Adding this permission fixed several issues related to reporting dashboards and opening Unity Forms.
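A least-privilege check and ACL script for the impersonation account, as an added example that is not part of this thread or of the OnBase product: the account name, share path and privileged-group list are placeholders, and the registry path is the NetworkService key mentioned above.

```powershell
# Added example: verify the OnBase impersonation account holds no privileged group
# membership, then grant only Modify on the disk group share and Read on the
# NetworkService Avalon.Graphics key. Assumes the RSAT ActiveDirectory module and
# local admin rights on the Application Server. Placeholder values below.
$Account   = 'CONTOSO\svc-onbase-imp'            # placeholder impersonation account
$SamName   = 'svc-onbase-imp'
$DiskGroup = '\\fileserver\OnBaseDiskGroups'     # placeholder disk group share root
$RegKey    = 'HKU:\S-1-5-20\Software\Microsoft\Avalon.Graphics'  # NetworkService hive key

Import-Module ActiveDirectory

# 1. Direct group memberships only; flag anything privileged (list is an assumption).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$groups = Get-ADPrincipalGroupMembership -Identity $SamName | Select-Object -ExpandProperty Name
$hits   = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "$SamName is in privileged group(s): $($hits -join ', ')"
} else {
    Write-Host "$SamName holds no privileged group membership (groups: $($groups -join ', '))"
}

# 2. Modify (read/write, no Full Control) on the disk group folder, inherited to children.
$acl  = Get-Acl -Path $DiskGroup
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $DiskGroup -AclObject $acl

# 3. Read on the NetworkService hive key. HKEY_USERS is not a default PSDrive, so map it;
#    the key exists only while that hive is loaded, so check before touching it.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
if (Test-Path -Path $RegKey) {
    $rAcl  = Get-Acl -Path $RegKey
    $rRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $rAcl.SetAccessRule($rRule)
    Set-Acl -Path $RegKey -AclObject $rAcl
} else {
    Write-Warning "$RegKey not found; the NetworkService hive may not be loaded"
}

# 4. Show the resulting entries for the account so the change can be reviewed.
(Get-Acl -Path $DiskGroup).Access | Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Get-ADPrincipalGroupMembership reports direct memberships only, so nested membership in a privileged group still needs a separate check.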