Post on 25-Feb-2021

3 views

Category:

Documents


0 download

TRANSCRIPT


Enabling Windows Integrated Authentication for ShareScan Database Access

1. Overview

ShareScan services access the configuration database with SQL Server Authentication (username / password). While the password is always encrypted, in some organizations the IT security policy does not allow username / password based authentication methods. In these setups, Windows Integrated Authentication is the only option for an SQL connection.

This guide explains the actions needed to enable Windows Integrated Authentication for ShareScan.

2. Checklist

- Standard ShareScan installation, specifying an existing (corporate) SQL Server to host the ShareScan configuration database
- Create service accounts (domain users) for the ShareScan services
- Create database logins / users for the service accounts and set database access rights
- Grant the necessary local directory and registry access permissions to the service accounts
- Modify the ShareScan database connection string in the registry
- Modify the ShareScan services to use the configured service accounts

3. Configuring service accounts (users)

In the ShareScan system, two Windows services require database access:

- ShareScan Manager service
- ShareScan Agent service


As these services have different roles, they require different permissions on the server.

The account running the ShareScan Manager (from now on, Account ‘M’) requires the same or higher permissions as the built-in NETWORK SERVICE account (for details, see https://msdn.microsoft.com/en-us/library/windows/desktop/ms684272(v=vs.85).aspx), namely the following:

- Bypass traverse checking
- Create global objects
- Impersonate a client after authentication
- Log on as a service

To configure user permissions, perform the following steps:

1. Launch Microsoft Management Console as an Administrator: type mmc and hit ENTER.
2. Click File menu > Add/Remove Snap-in.
3. Select Group Policy Object Editor and add Local Computer Policy to the selected snap-ins.
4. Click Finish and then click OK.


5. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Here you can see the list of policies applicable to the accounts. Configure the required permissions for Account ‘M’ (see the list of user rights mentioned above).

The account running the ShareScan Agent (from now on, Account ‘A’) requires the same permissions as the built-in Local System account (for details, see http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx).

The following permissions should be granted to Account ‘A’:

- Generate security audits
- Bypass traverse checking
- Create global objects
- Create a pagefile
- Create permanent shared objects
- Impersonate a client after authentication
- Increase scheduling priority
- Adjust memory quotas for a process
- Lock pages in memory
- Act as part of the operating system
- Log on as a service

Specifically, this service requires rights to start / stop other ShareScan services, such as:

- Apache Tomcat (installed by the ShareScan installer; this component is optional and is required only if there are Web-browser based MFPs in the system)


- ShareScan Manager

NOTE

By default, only members of the Administrators group have rights to start / stop services. To grant this specific permission, you need to use the Security Configuration and Analysis MMC snap-in as detailed in Appendix A of this document.

Configure two domain accounts for the above purposes, with the rights described above granted.

4. Database login and user creation

Add the user accounts created in section 3 to the SQL Server logins in SQL Server Management Studio:

4.1 Connect to the eCopyShareScan database, which was created during the ShareScan installation.
4.2 Go to the Object Explorer and expand the Security / Logins node.
4.3 Right-click the Logins node and select New Login…
4.4 Create a new login for Account A, as shown in the sample screenshots below. Use the menu on the left to access these screens. When you are done, click OK.


4.5 Ensure that you create logins for both Account A (Agent) and Account M (Manager).


4.6 After you have successfully created the database users, the necessary database rights need to be granted. To do this, open the following SQL script (part of the installed ShareScan file set):

[ShareScan installation folder]\Server\Tools\Database\SQL\Post-Deployment\005CreateUserRights.sql

4.7 In the query editor, replace all instances of the $(Username) macro with the login you have just created.

Important: the domain\username string needs to be enclosed in square brackets ([domain\username]); otherwise SQL Server Management Studio does not accept it as a valid script, because of the backslash character.

4.8 Ensure that the database selected for the open query is the eCopyShareScan database. (Verify this in the upper-left dropdown list above Object Explorer.)

4.9 Click the Execute (!) button to run the script.


4.10 Repeat steps 4.7-4.9 with Account M (the Manager account).
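The same rights script can be run for both accounts from a console instead of editing it in Management Studio, because $(Username) is a SQLCMD variable. This is an added example, not part of the ShareScan file set; the server name, installation path and account names are placeholders.

```powershell
# Added example (not part of the ShareScan file set): run 005CreateUserRights.sql for both
# service accounts with sqlcmd, supplying the $(Username) macro as a SQLCMD variable.
# Server, install path and account names below are placeholders; adjust them to your site.
param(
    [string]$Server        = 'SQLServ-1',
    [string]$ShareScanRoot = 'C:\Program Files (x86)\Nuance\ShareScan5.3',
    [string[]]$Logins      = @('DOMAIN\SSAgentService', 'DOMAIN\SSManagerService')  # Account 'A', Account 'M'
)
$Script = Join-Path $ShareScanRoot 'Server\Tools\Database\SQL\Post-Deployment\005CreateUserRights.sql'
if (-not (Test-Path $Script)) { throw "Rights script not found: $Script" }

foreach ($login in $Logins) {
    # DOMAIN\user only (no brackets, no quotes): the name is embedded in a T-SQL literal below.
    if ($login -notmatch '^[\w.-]+\\[\w.$-]+$') { throw "Expected DOMAIN\user form: $login" }

    # Steps 4.4-4.5: the Windows login must already exist at server level.
    $out = & sqlcmd -S $Server -E -b -h -1 -W -Q "SET NOCOUNT ON; SELECT COUNT(*) FROM sys.server_principals WHERE name = N'$login';"
    $count = [int]($out | Where-Object { $_ -match '^\d+$' } | Select-Object -Last 1)
    if ($LASTEXITCODE -ne 0 -or $count -lt 1) { throw "No server login exists for $login; create it first (step 4.4)." }

    # Step 4.7: the login must be enclosed in square brackets, otherwise the backslash breaks the script.
    $bracketed = "[$login]"
    $variable  = "Username=$bracketed"

    # Steps 4.8-4.9: execute against eCopyShareScan; -b makes sqlcmd return non-zero on a T-SQL error.
    & sqlcmd -S $Server -d eCopyShareScan -E -b -v $variable -i $Script
    if ($LASTEXITCODE -ne 0) { throw "005CreateUserRights.sql failed for $bracketed" }
    Write-Host "Database rights granted to $bracketed"
}
```

Run it as a Windows account that already has administrative rights on the SQL Server instance (the -E switch uses that account's Windows credentials, so no SQL password is involved).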

5. Grant local folder and registry access for the service accounts

Grant the following folder and registry access permissions to both Account A and Account M:

5.1 Read-only access to the ShareScan installation folder (Program Files (x86)\Nuance\ShareScan5.3\)
5.2 Full control of the ProgramData\Nuance\ShareScan folder (usually on drive C:\)
5.3 Full control of the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nuance

If the ShareScan Web Client component is installed (when using Web browser based MFPs):

5.4 Full control of the C:\Program Files (x86)\Nuance\Tomcat 7.0 folder (or the folder specified as the Tomcat folder during a custom installation) for Account ‘A’
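Steps 5.1 to 5.3 can be applied from an elevated PowerShell console; the following is an added example, not a script from the guide. The folder paths are the guide's defaults and the account names are placeholders.

```powershell
# Added example (not from the ShareScan guide): grant the step 5.1 to 5.3 permissions to both
# service accounts. Folder paths are the guide's defaults; the account names are placeholders.
$Accounts = @('DOMAIN\SSAgentService', 'DOMAIN\SSManagerService')   # Account 'A' and Account 'M'

# icacls rights: (OI)(CI) inherit to files and subfolders; RX = read and execute; F = full control.
$FolderGrants = @(
    @{ Path = 'C:\Program Files (x86)\Nuance\ShareScan5.3';    Rights = '(OI)(CI)RX' },  # 5.1 read-only
    @{ Path = (Join-Path $env:ProgramData 'Nuance\ShareScan'); Rights = '(OI)(CI)F' }    # 5.2 full control
)
foreach ($g in $FolderGrants) {
    if (-not (Test-Path $g.Path)) { throw "Folder not found: $($g.Path)" }
    foreach ($a in $Accounts) {
        & icacls.exe $g.Path /grant ('{0}:{1}' -f $a, $g.Rights) | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed granting $($g.Rights) to $a on $($g.Path)" }
    }
}

# 5.3: full control on the Nuance hive, inherited by its subkeys (ShareScan\ShareScanAdmin included).
$Key = 'HKLM:\SOFTWARE\Wow6432Node\Nuance'
$acl = Get-Acl -Path $Key
foreach ($a in $Accounts) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $a, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Key -AclObject $acl

# Read back: every account must now hold an Allow FullControl entry on the hive.
foreach ($a in $Accounts) {
    $has = (Get-Acl -Path $Key).Access | Where-Object {
        $_.IdentityReference.Value -eq $a -and $_.RegistryRights -eq 'FullControl' -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $has) { throw "FullControl on $Key not present for $a" }
}
Write-Host 'Folder and registry permissions from step 5 applied.'
```

Step 5.4 (the Tomcat folder, Account ‘A’ only) is not included; add it to $FolderGrants with a single account when the Web Client is installed.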

6. Modify the ShareScan database connection string in the registry

6.1 Start regedit.exe
6.2 Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nuance\ShareScan\ShareScanAdmin
6.3 Edit the string value named DBConnStr and change it to contain:

Data Source=<SQLSERVERNAME>;Initial Catalog=eCopyShareScan;Integrated security=SSPI;Connect Timeout=30

Replace <SQLSERVERNAME> with your SQL Server name / IP (and optionally the port, if a non-standard port is used) and the instance name, if the database is hosted in a named instance. Examples:


Data Source=SQLServ-1;Initial Catalog=eCopyShareScan;Integrated security=SSPI;Connect Timeout=30
Data Source=SQLServ-1,1552;Initial Catalog=eCopyShareScan;Integrated security=SSPI;Connect Timeout=30
Data Source=SQLServ-1\ShareScan;Initial Catalog=eCopyShareScan;Integrated security=SSPI;Connect Timeout=30
Data Source=10.140.26.45;Initial Catalog=eCopyShareScan;Integrated security=SSPI;Connect Timeout=30
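The registry edit of step 6.3 can also be done and checked from an elevated PowerShell console. This added example is not from the guide; the only input is the Data Source value, and the key path and database name are the ones given above.

```powershell
# Added example (not from the ShareScan guide): write the step 6.3 connection string to
# DBConnStr and verify that the stored value uses SSPI and carries no SQL login credentials.
param(
    [Parameter(Mandatory)] [string]$DataSource   # 'SQLServ-1', 'SQLServ-1,1552', 'SQLServ-1\ShareScan' or an IP
)
$Key  = 'HKLM:\SOFTWARE\Wow6432Node\Nuance\ShareScan\ShareScanAdmin'
$Name = 'DBConnStr'

function ConvertFrom-ConnStr([string]$ConnStr) {
    # Split 'Key=Value;Key=Value' into a hashtable (hashtable keys are case-insensitive in PowerShell).
    $map = @{}
    foreach ($part in ($ConnStr -split ';')) {
        if (-not $part.Trim()) { continue }
        $k, $v = $part -split '=', 2
        $map[$k.Trim()] = $v.Trim()
    }
    return $map
}

function Test-IntegratedConnStr([string]$ConnStr) {
    # True only if the string uses SSPI, points at eCopyShareScan and has no SQL login secret in it.
    $m = ConvertFrom-ConnStr $ConnStr
    $secrets = @(@('User ID', 'UID', 'Password', 'PWD') | Where-Object { $m.ContainsKey($_) })
    return ($m['Integrated security'] -eq 'SSPI') -and
           ($m['Initial Catalog'] -eq 'eCopyShareScan') -and
           ($secrets.Count -eq 0)
}

$new = "Data Source=$DataSource;Initial Catalog=eCopyShareScan;Integrated security=SSPI;Connect Timeout=30"
if (-not (Test-IntegratedConnStr $new)) { throw "Built string failed validation: $new" }

# Show what is being replaced, with the (encrypted) password of the old SQL-auth string masked.
$old = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name
Write-Host ('Old: ' + ($old -replace '(?i)(password|pwd)=[^;]*', '$1=***'))

Set-ItemProperty -Path $Key -Name $Name -Value $new -Type String
$readback = (Get-ItemProperty -Path $Key -Name $Name).$Name
if (-not (Test-IntegratedConnStr $readback)) { throw "Registry value did not take: $readback" }
Write-Host "New: $readback"
Write-Host 'Restart the ShareScan services (section 9) for the change to take effect.'
```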

7. Change the default service accounts to Account A and Account M

7.1 Open the Windows Service Control Manager
7.2 Double-click the ShareScan Agent service
7.3 Click the Log On tab and change the settings to use Account ‘A’ for this service
7.4 Click OK
7.5 Do the same for the ShareScan Manager service, with Account ‘M’

NOTE

If you install / use the ShareScan Web Client (running as the Apache Tomcat service), which is necessary if you use any web-based MFP devices with ShareScan, then you need to use Account ‘A’ as the service account of the Apache Tomcat 7.0 service. See also 5.4.

8. Grant rights for the Agent service account to use specific TCP ports

To allow proper functionality of the Agent and Manager services, you need to grant them rights to open TCP ports on the server for specific WCF endpoints. The following commands need to be executed from a command console opened as an Administrator (replace DOMAIN\user with Account ‘A’):

netsh http add urlacl url=http://+:9900/ClientConfiguration user=DOMAIN\user


9. Restart the services

9.1 After completing the above steps successfully, restart all ShareScan services.
9.2 Start the ShareScan Administration Console application. If the above steps have been completed properly, the application starts without any errors.
9.3 Verify different operations, such as license import, connector profile creation, service restart, Simulator, etc.
9.4 Check the Windows Event log for potential errors.

10. Limitations

Windows Integrated Authentication is not supported if the eCopy Address Book feature is used (some of the email and fax connectors). See the ShareScan documentation for where this feature can be enabled / disabled. This feature uses hardcoded SQL Server Authentication connection methods to reach SQL Server with another account, named eCopyAddressBookAdministrator, so if Windows Integrated Authentication is enabled according to this guide, this feature cannot function correctly.

Please note that if the database connection is edited / changed via the ShareScan Administration Console, the connection string in the registry (see section 6) is overwritten with the SQL Server Authentication connection string. In such a case it may be necessary to edit it again manually (if the newly connected database also uses Windows Integrated Authentication).

For this reason, we recommend not using the database connection editing in the Administration Console (Advanced ribbon / Database / Database Configuration), but changing the connection string manually, if necessary.

If you plan to use the Profile Import / Export tool (Administration Console, Advanced tab, Tools menu button / Profile Tool) when the system is configured to use Windows Integrated Authentication for database access according to the instructions of this guide, then the following need to be ensured:

1. Make sure the eCopy database user installed by ShareScan (or an equivalent) exists on the SQL Server. (So even if you want to disable SQL Server Authentication access, do not delete the eCopy user; just disable it, and enable it when you want to perform an import / export via this feature.)
2. Install ShareScan on a PC other than the production servers, with the default database access credentials (eCopy user).
3. Do NOT modify the settings (connection string and service accounts) on this PC.

With these, this dedicated PC can connect to the database and perform the profile import and export against it.


Appendix A

1. Launch a console window as an Administrator, type mmc and hit ENTER.
2. Click File menu / Add/Remove Snap-in.
3. Select the Security Configuration and Analysis item in the left-hand list and click the Add > button; then select the Security Templates item in the left-hand list and click the Add > button. Click OK.

You see something like this:


4. You need to edit the policy settings in the Security Configuration and Analysis node, but if you do not have a Security Configuration Database yet, you need a security template before creating a new database. You can do that in the way described in step 5. (If you already have a security database to open, skip this step and go to step 6.)

5. If there is a node under the Security Templates node representing a path where the security templates are stored, right-click it and select the New Template… menu item. Otherwise, right-click the Security Templates node, select New Template Search Path… and browse to a folder where you want to store the security template file. Then proceed with the New Template menu item as mentioned.

In the dialog that appears, specify a template name (e.g. Server1) and click OK. The new template appears in the tree.

6. Right-click the Security Configuration and Analysis node and select Open database…


Specify a name (e.g. Server1DB) in the dialog that appears, and click Open. (This creates a new database with the specified name.) In the Import Template dialog, browse to the template file you have (or to the file you created in step 5).

7. Right-click the Security Configuration and Analysis node and select Analyze Computer Now… A dialog pops up where you can specify a path for the log file to be created. Just click OK.

8. After a while, the Security Configuration and Analysis node is populated, as illustrated below. In the central panel you can see the log file if you check the View Log File menu item in the Action menu.


9. To grant the necessary rights to the specific accounts, you need to edit the System Services node. Click the System Services node; in the central pane, locate and select the ShareScan Manager service and double-click it.

10. The property editor of the service appears. Check the Define this policy in the database checkbox. Then click the Edit Security… button.


11. On the standard security editor dialog, click the Add… button and add the following (domain) accounts:

- The user account running the Agent service (in our sample, qa\SSAgentService)
- The user account running the Manager service (in our sample, qa\SSManagerService)

Click OK.

12. Select one of the newly added accounts (in our sample, qa\SSAgentService and qa\SSManagerService), and check the Read and the Start, stop and pause checkboxes in the lower list.


Select the other account and set the same permissions. Click OK.

Click OK in the service property editor (do not click Apply!).

13. If you have the ShareScan Web Client installed (which is needed when you have any web-based devices), then you need to perform the steps of this point for the Apache Tomcat service; otherwise you can skip this point.

Select the Apache Tomcat 7.0 service from the list of services and double-click it. Proceed as described in points 10-12, but grant the permissions only to the user account that runs the Agent service (and the Tomcat service, as they need to be the same).

14. To apply these policy settings, right-click Security Configuration and Analysis and select the Configure Computer Now… menu item. Your settings take effect. (Make sure there were no issues during the configuration by checking the log in the central pane or at the path where the log file is written.)

15. To check whether all of this was successful, you can perform a test:

a. Open a command console as Administrator.
b. Type:

runas /USER:domain\user cmd

where you specify the domain and the user name of the account you use for the Agent service. Hit ENTER, then type the corresponding password. If successful, a new command window opens where the logged-in user is the one you specified. In this window, run the following commands (taking into account whether the services are actually running):

net start "ShareScan Manager"
net stop "ShareScan Manager"
net start Tomcat7
net stop Tomcat7

In none of these cases should you get an Access denied message.