This article explains how to configure a full Windows (AD) authentication process for a Dalet site.
Purpose of Article
Initially, Active Directory integration was available in Dalet Galaxy, but Microsoft SQL Server still used SQL authentication. Now the SQL Server and the Dalet application servers can also use Active Directory (Windows) authentication. A number of changes have been implemented throughout the system to enable this, as explained in this article.
- MSSQL is installed with authentication method Mixed Mode.
- The SQL Windows services (SQL Server, SQL Full-text Filter Daemon, SQL Server Agent) log on as the Dalet domain user. All connections to the SQL server are secured using AD authentication.
- All servers run under a Dalet Service Windows account that has specified privileges based on AD configuration.
- Passwords/account names are not stored in any Server configuration files (DaletService.xml / DaletSoftware.xml / command line parameters/logs).
- Most Dalet administration tools use Windows AD authentication only: DaletRemoteAdmin, DaletAutoConfig, and DaletServiceAdmin.
- Dalet administration tool DatabaseUpgradeWizard uses SQL authentication.
- Single users can be added as Dalet users directly from Active Directory.
- No SQL login is automatically created for Dalet users created from Active Directory.
Pre-Requisites for using Active Directory Authentication for SQL
The installation and configuration of Microsoft Active Directory is detailed in the article Active Directory Installation and Configuration for Dalet Galaxy five.
For MSSQL installation, read Non-Cluster Microsoft SQL 2019 Installation for Dalet Galaxy Five.
Create Users in Active Directory
You must create users in Active Directory with the following minimum recommended roles and rights. This table is currently being validated and there may be changes.
| User Role | User Usage | Host requirements | Active Directory requirements | SQL requirements | Dalet requirements |
|---|---|---|---|---|---|
| SQL services | Runs SQL services | Comply with Microsoft requirements | Normal AD user | None | None |
| SQL SU (Super User) | Used to log in to SQL | Comply with Microsoft requirements | Normal AD user | sysadmin rights in SQL | None |
| DIS (Dalet Installer) | Runs DIS Admin application; runs DIS Agent | Can install services; can run services; can access Program Files\Dalet (Read&Execute) and ProgramData/Dalet<xxx> (read\write\delete); can register OCXs (for versions that require it); can create System DSNs; can create UNC shares; registry read\write (HKLM\Software\Dalet); access to %temp% | Normal AD user; access to all Dalet site's resources (hosts & storages) | None | None |
| DS (DaletService) | Runs Dalet Service; runs Dalet application servers | Can run services; can access the registry; can access Program Files\Dalet (Read&Execute) and ProgramData/Dalet<xxx> (read\write\delete); can access all Storage Units (read\write\delete); registry read\write (HKLM\Software\Dalet) [for Dalet Galaxy versions using the registry] | Normal AD user; access to all Dalet site's resources (hosts & storages); 'Logon as a service' right; member of the DaletAdmins group in AD, synched via the RemoteAdmin ADSI checkbox | "sysadmin" on SQL; belongs to a Dalet group in the Dalet DB | User running DS must be a user in Dalet |
| Dalet SU (Super User) | Dalet administrators; administration and maintenance of Dalet and Dalet hosts; installing fixes | Can run DBUpgradeWizard (note: SQL authentication); can run DPAutoConfig, RemoteAdmin and DaletServiceAdmin; can access the system ODBC DSN; can query AD users/groups; can access Program Files (read\write\delete) and ProgramData/Dalet<xxx> (read\write\delete) | Normal AD user; access to all Dalet site's resources (hosts & storages). To run RemoteAdmin: the user must be declared as a sysadmin login in SQL Server (one way is to create a dedicated AD group "DaletAdministrators" and declare it as sysadmin of the SQL Server); the DaletAdministrators group must be synchronized with AD; the user needs special rights on the local machine where RemoteAdmin runs, by adding the user to Domain Admins | sysadmin rights at server level; a Dalet user is created for each member (by UW) | Belongs to the Administrators Dalet group; can run RemoteAdmin, UpgradeWizard, DPAutoConfig and DaletServiceAdmin |
| Dalet WKS user | Used by end users to log in to Windows on workstations and to Dalet ('Login as current user') | Can run the client application (Galaxy); can connect to Webspace using Windows authentication (in a web browser); can access Program Files\Dalet (Read&Execute) and ProgramData/Dalet<xxx> (read\write\delete\modify\execute); access to %temp%; registry read\write (HKLM\Software\Dalet) [for Dalet Galaxy versions using the registry] | Normal AD user; access to all Dalet site's resources (hosts & storages) | No SQL requirements | Can log in to Dalet; Dalet groups managed either in AD or in RemoteAdmin |
Screen Captures and Special Configuration
To work in full Windows authentication mode:
MSSQL Installation
When you install SQL Server, Mixed Mode is still required: on a brand-new database, the Dalet Database Upgrade Wizard cannot connect without it.
The SQL Super User created in AD will have sysadmin rights to the SQL database engine, as indicated in the above table.
The SQL Windows services (SQL Server, SQL Full-text Filter Daemon, SQL Server Agent) are set to log on as the Dalet domain user in the Login tab of their properties.
When you log on to your SQL server, select Windows Authentication.
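The following PowerShell check is an added example, not part of the Dalet article: it verifies the three points of this section (service logon accounts, Mixed Mode, and a connection that uses Windows rather than SQL authentication). The instance and service account names are placeholders.

```powershell
# Added verification script (not from the Dalet article). Run it as the SQL Super User.
$Instance       = 'SQLHOST\DALET'   # assumption: placeholder for your SQL Server instance
$ServiceAccount = 'CORP\svc_dalet'  # assumption: placeholder for the Dalet domain user

# 1. The SQL Windows services must log on as the Dalet domain user.
#    Named instances carry a suffix: MSSQL$DALET, SQLAgent$DALET, MSSQLFDLauncher$DALET.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match '^(MSSQL|SQLAgent|SQLSERVERAGENT)' }
foreach ($svc in $services) {
    $state = if ($svc.StartName -ieq $ServiceAccount) { 'OK' } else { 'CHECK' }
    '{0,-32} {1,-24} {2}' -f $svc.Name, $svc.StartName, $state
}

# 2. Connect with Windows authentication only: Integrated Security=SSPI, no UID/PWD anywhere.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly,
       SUSER_SNAME()                AS LoginName,
       c.auth_scheme                AS AuthScheme,
       IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin
FROM   sys.dm_exec_connections AS c
WHERE  c.session_id = @@SPID;
"@
$r = $cmd.ExecuteReader()
[void]$r.Read()
# The Database Upgrade Wizard needs Mixed Mode, so WindowsOnly must be 0.
if ($r['WindowsOnly'] -eq 0) { 'Authentication mode : Mixed Mode (required)' }
else { 'Authentication mode : Windows only - the Database Upgrade Wizard cannot connect' }
# A Windows-authenticated session reports KERBEROS or NTLM; an SQL login would report SQL.
"Connected as        : $($r['LoginName']) via $($r['AuthScheme'])"
"sysadmin            : $(if ($r['IsSysadmin'] -eq 1) { 'yes' } else { 'no' })"
$r.Close(); $conn.Close()
```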
Configuring the ODBC Connection
To connect to the database you need to create a Data Source Name (DSN) and point it at your SQL database. You will then be able to use the various Dalet configuration tools:
- Database Upgrade Wizard (to initialize a new database, and to upgrade the database after a Dalet software update so that the database revision and the software revision match).
- Dalet Auto Config (this tool is intended for a new and initialized, but otherwise empty, database and must never be run over an existing database).
- Dalet Admin module, aka Remote Admin. This is used to configure the Dalet site/system.
- Any Dalet application server that connects to the database (DBserver, DaletPlus Server, PatternSchedulerAgent).
- You must use SQL Server Native Client 11.0 to connect to SQL. For full information, including which Native Client 11 revision to use and a known issue with Dalet Galaxy 5 versions 352 and 383 and ODBC 18.1, read Permissible MSSQL Versions per Dalet Version and Revision.
To create an ODBC connection:
1. Open the ODBC Data Source Administrator on the System DSN tab.
2. Click Configure and create a DSN and select the SQL server you have created your database on.
3. Click Next and select the With Windows NT authentication using the network login ID option.
4. Click Next to continue the configuration.
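The same System DSN can be created from PowerShell; this is an added example, not the article's or Dalet's own procedure. It assumes 64-bit Dalet tools and placeholder DSN, instance and database names, and it opens the DSN once to confirm that no SQL credentials are needed.

```powershell
# Added example (not from the Dalet article): create and test the Dalet System DSN.
$DsnName  = 'DaletDB'         # assumption: placeholder DSN name
$Instance = 'SQLHOST\DALET'   # assumption: placeholder SQL Server instance
$Database = 'Dalet'           # assumption: placeholder Dalet database name

# Trusted_Connection=Yes is what the wizard's "With Windows NT authentication using the
# network login ID" option writes; no UID/PWD is stored in the DSN.
if (-not (Get-OdbcDsn -Name $DsnName -DsnType System -ErrorAction SilentlyContinue)) {
    Add-OdbcDsn -Name $DsnName -DsnType System -Platform '64-bit' `
        -DriverName 'SQL Server Native Client 11.0' `
        -SetPropertyValue @("Server=$Instance", "Database=$Database", "Trusted_Connection=Yes")
}

# Show what was registered; the attribute list must not contain UID or PWD.
Get-OdbcDsn -Name $DsnName -DsnType System | Select-Object Name, DriverName, Attribute

# Open the DSN exactly as the Dalet tools will. A DSN that had fallen back to SQL
# authentication would need UID/PWD here and this Open() would fail.
$conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$DsnName")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT SUSER_SNAME() AS LoginName, DB_NAME() AS Db'
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    "DSN $DsnName connects as $($r['LoginName']) to database $($r['Db']) with Windows authentication"
    $r.Close()
} finally {
    $conn.Close()
}
```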
Database Upgrade Wizard
The AD user used to run the Dalet Services must be a user in the Dalet database. Use the Database Upgrade Wizard to import the Dalet Service user from Active Directory. Due to a possible Microsoft bug, do not use the default SVC user as the Service Runner for Dalet Service.
A current known issue is that the user who runs the Upgrade Wizard, Dalet Automatic Configuration and RemoteAdmin must be a Dalet user associated with the ADMINISTRATORS group. This will be addressed by a future feature; for now the workaround is to run UW and DPAC, log in to RemoteAdmin as dalet_admin, associate the user with the ADMINISTRATORS group, and then continue.
To import users from Database Upgrade Wizard:
1. Run the Database Upgrade Wizard.
2. Select Windows user / Current Windows User (whichever is relevant) and log in with the Dalet SU created in AD, or with a Windows user from the predefined AD administrators group who has sysadmin rights to SQL.
3. In the first screens in the Upgrade Wizard, add the location for Scripts on site, add Wire Agencies and configure the path to the Agency dlls and add additional Scripts.
4. Click Next; a new screen has been added to the Database Upgrade Wizard, the Add User to Dalet screen (you reach it after the third "Next"). In this screen, import the Dalet Service (DS) user from the Windows Active Directory: click Add user/group; the Select User or Group dialog opens.
5. Click the Locations button and select the domain from which the user will be added.
6. Type in the name of the user in the Enter the object name box and click OK to finish. The system will check that the imported user is part of the Administrators group in Active Directory and will mirror this and create the user in the Dalet Administrators group. If the user is not in the AD Administrators group, a message will be displayed and the user will not be imported. Add more users as required.
NOTE: This user has the same rights as dalet_admin and can now be used instead of dalet_admin. Dalet Administrators are automatically assigned an SQL login.
NOTE: The login screens of the modules that connect to the database (Database Upgrade Wizard, Dalet Auto Config, Remote Admin) have changed to let you choose your authentication method. If you are working in Mixed Mode, select SQL and log in. If you are working in Windows Authentication Mode, select Windows User and log in with any Active Directory user who has SQL login credentials. If the current Windows user has SQL login credentials, you can click Current Windows user to log in to the module directly without typing additional credentials. Users created from Active Directory cannot connect to the database using the SQL option; a message is displayed instead.
Dalet Auto Config
On an initialized but otherwise empty database ONLY, use the Dalet Automatic Configuration tool to configure the Authentication Mode for your site.
Otherwise, use the Remote Admin module to configure the Authentication Mode for your site, as described in the section below.
To set the authentication mode for a site:
1. Open the Dalet Automatic Configuration tool. The login options have changed: select Windows or Current user (whichever is relevant), and log in with the user you have just created in the Database Upgrade Wizard.
2. In the General Settings screen, a new option, Authentication Mode, has been added. Select Active Directory to use Windows Authentication.
3. Complete the site configuration.
Dalet Admin Module, aka Remote Admin
If you have not used the Automatic Configuration tool (because you want to adapt a fully configured Dalet database, and that tool may reset it if not used correctly), you can configure the integration yourself:
1. Run the Dalet Admin module and connect via SQL Mixed Mode.
2. Switch the system to Active Directory or Okta integration: go to Site Configuration > General > Settings and select the radio button next to the Active Directory option.
3. Tick the Synchronize users from these groups box.
4. Make sure the Active Directory users are checked.
5. Click Apply to switch.
6. Create the application server that interacts with AD/Okta: at Site Configuration > Inventory > Application Servers, create an instance of the ADSIntegration server and fill in the required details for either an Active Directory or an Okta integration.
7. Restart all application servers / the site.
Unless you use SQL Mixed Mode authentication, in order to run RemoteAdmin remember that:
- your user needs to be declared as a sysadmin login in the SQL Server. One way to do this is to create a dedicated AD group "DaletAdministrators" in the AD, and declare this group as sysadmin of the SQL Server.
- the DaletAdministrators group must be synchronized with AD.
- your user needs special rights on the local machine where you run RemoteAdmin, by adding the user to the Domain Admins.
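The first point above, granting sysadmin to the AD group rather than to individual logins, can be done with the script below. It is an added example, not the article's or Dalet's own procedure; the domain name is a placeholder, the group name is the one the text suggests, and the final query lists every current sysadmin member so that stray SQL logins are visible in the same run.

```powershell
# Added example (not from the Dalet article): make the AD group a sysadmin login.
$Instance = 'SQLHOST\DALET'               # assumption: placeholder SQL Server instance
$Group    = 'CORP\DaletAdministrators'    # assumption: CORP is a placeholder domain

# The group name is passed as a parameter and quoted with QUOTENAME server-side,
# so it is never spliced into the statements as raw text.
$sql = @"
DECLARE @stmt nvarchar(max);
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @Group AND type = 'G')
BEGIN
    SET @stmt = N'CREATE LOGIN ' + QUOTENAME(@Group) + N' FROM WINDOWS;';
    EXEC sp_executesql @stmt;
END
SET @stmt = N'ALTER SERVER ROLE sysadmin ADD MEMBER ' + QUOTENAME(@Group) + N';';
EXEC sp_executesql @stmt;
-- Review the full sysadmin membership: only the expected Windows group(s) should remain.
SELECT m.name AS MemberName, m.type_desc AS MemberType
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER  BY m.name;
"@

# Run as the SQL Super User from the table above, with Windows authentication (no password).
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $sql
$cmd.Parameters.Add('@Group', [System.Data.SqlDbType]::NVarChar, 128).Value = $Group
$r = $cmd.ExecuteReader()
while ($r.Read()) { '{0,-40} {1}' -f $r['MemberName'], $r['MemberType'] }
$r.Close(); $conn.Close()
```

Members of the group still have to be synchronized into the Dalet Administrators group from RemoteAdmin, as described in the next section; the script only covers the SQL Server side.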
Integrating Dalet with Active Directory Service
You must create an instance of the ADSI and create the two mandatory groups ‘ADS_Deleted’ and ‘ADS_Disabled’ (case sensitive).
All AD users are synched to the 'PUBLIC' group by default, and are joined to the corresponding group in Dalet if a Dalet group has been created with a name identical to the AD group name (case sensitive).
Administrators, and the user that is used to run the DaletService (and thus all application servers), must:
- Have "sysadmin" role in MSSQL on the server level
- Be synched to Dalet from a "DaletAdmins" group in AD into the Dalet Administrators group; these are not AD admins, but must be SQL admins.
- In case of an upgrade from an older AD integration, make sure admin users are part of the dalet_group at the Dalet DB level.
Importing Individual Users from Active Directory
In the Dalet Admin module, do the following:
1. At User Management > Users, click Add user and then click Manage Users; the Manage Users dialog opens.
2. In the Manage Users dialog, select Add User from Active Directory. Select a location, search for a user and click OK to import the user.
NOTE: Users created from the Active Directory do not automatically have SQL login rights. They only have rights to login to the Client. SQL login rights are given when a user is added to the Dalet Administrators group.
Creating Application Servers in a Windows Authentication Site
When you create application servers in a site which uses Windows Authentication, you do not need to give logon credentials in the activation dialog. All servers run under a Dalet Service Windows account that has specified privileges based on AD configuration.
At Site Configuration > Application Servers, create a new application server. In the Activation tab, there is no place to add credentials.
For additional security, if you check the server properties in Dalet Service Admin, the command line shows NOUSER and NOPASSWORD in place of credentials. Likewise, no credentials appear in the server's logs.