Page History

For

Axidian CertiFlow system to operate properly, you must have certain access rights to

Active Directory objects and certification authorities

. Depending on your company's security policy, you can distribute

privileges between several accounts, or create one service account with maximum rights for system management

.

Create a

service account (

e.g. cfServiceAD) and grant it the necessary permissions to work with an object (domain, container, organizational unit) that contains Axidian CertiFlow users. This account will be used to read and write user attributes.

Go through these steps:

1. Open 

1. Security property of the object (domain, container or organizational unit) that contains

1. Axidian CertiFlow users.

1. Click Advanced→Add→Select a principal.
2. In the Enter the object name to select text box, enter the name of the service account (

1. cfServiceAD) and

1. click

1. OK.

1. In the Applies to list box, select Descendant User objects

1. .

1. In the Permissions list, activate:
   • List contents

   • Read all properties

     Info
     By default, permission to read all user properties is granted to all accounts in the

1. • domain.

1. • 
     

   • Reset password - required to be able to Reset user's password via the system interface.
2. In the Properties list, set the following permissions:
   • Write pwdLastSet - required to be able to reset user's password.
   • Write thumbnailPhoto or Write jpegPhoto - required to be able to Upload a photo to a user in Active Directory via the system interface.
   • Write userAccountControl - required to enable Enforce smart card logon option.
3. Click ОК and

1. Apply.

In case the domain security policies forbid reading all user properties, you can specify that the service account has permissions to only read the necessary user attributes (Table 3) and object attributes (domain, container,

or organizational unit) that contains

Axidian CertiFlow users.

Go through these steps:

1. In the ADSI edit snap-in, open the Security property of the object (domain, container or division) that contains Axidian CertiFlow users.
2. Set the following in This object and all descendant objects field:
   • In Permissions check the List contents box.
   • In Properties check the following boxes:
     • Read сanonicalName
     • Read Distinguished Name
     • Read objectClass
     • Read objectGuid
     • Read showInAdvancedViewOnly
3. Set the following in Descendant user objects: User objects field:
   • In Permissions check the List contents box.
   • In Properties select read/write the following sets of properties and attributes (Table 3):
     • Read personal Information
     • Read general Information
     • Read account restrictions
     • Read public Information
     • Write pwdLastSet
     • Write thumbnailPhoto or Write jpegPhoto
     • Write userAccountControl

Table 3

. Attributes used by

Axidian CertiFlow to work with

users catalog

Table auto