Installing Active Directory Authentication Service
The Active Directory Authentication service (AD service) is required when you want Vine products to delegate user authentication to your domain. You need to install the service on a computer in the domain so that it can identify the domain users requesting Vine connections.
The AD service must be able to connect to the Vine Application Server (VAS), since it uses VAS to reach Vine. Note that the AD service initiates connections to Vine from your company LAN, so no ports have to be opened on the WAN side of your company firewall.
One possible configuration is to locate the AD service on a domain controller. If a VAS computer has to be located on a remote network (for example, on an Amazon instance), the AD service can be located directly on an additional domain controller (or on the VAS computer) so that it can still verify users if the connection to the main domain controller on the company premises is temporarily down.
Configuring AD Service
To configure the AD service, edit the XML configuration file “ADService.exe.config” located in the folder where the AD service is installed. The file has to include a standard connection string with the VAS server name and the special Vine account credentials. For example:
<add name="vine" providerName="System.Data.OleDb.OleDbConnection" connectionString="Provider=Vineyard.OLEDBProvider.1;Data Source=vas://vinevas.intra;Persist Security Info=True;Password=pass;User ID=AD_ROOT"/>
where:
- name – any name you want for this configuration entry.
- Data Source=vas://… – the name of the VAS server the service will use to connect to Vine.
- Password – the password of the AD_ROOT user.
Note that the AD service uses the AD_ROOT account only to connect to Vine. Through this account the AD service has no access to Vine data and cannot pass any data to or from Vine other than the data needed for user authentication.
The AD_ROOT user can be created using the following SQL:
create user AD_ROOT identified by password;
grant connect to AD_ROOT;
grant execute on VINEYARDDB.VS_AD_REQUESTAPI to AD_ROOT;
grant select on VINEYARDDB.VY_USERSETTING_VIEW to AD_ROOT;
In ASP (MyVine) mode, instead of the AD_ROOT user, a separate user must be created for each organization, named “AD_orgname”.
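The following script is an added example, not part of the Vine product or its documentation: it reads an ADService.exe.config file, splits the OLE DB connection string into key/value pairs and checks the fields described above (provider, vas:// data source, an AD_ROOT or AD_orgname user, non-empty password). The sample configuration embedded in it is constructed, and the assumption that an organization name is alphanumeric is mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of ADService.exe.config, mirroring the documented entry.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="vine" providerName="System.Data.OleDb.OleDbConnection"
         connectionString="Provider=Vineyard.OLEDBProvider.1;Data Source=vas://vinevas.intra;Persist Security Info=True;Password=pass;User ID=AD_ROOT"/>
  </connectionStrings>
</configuration>
"""

EXPECTED_PROVIDER_NAME = "System.Data.OleDb.OleDbConnection"
EXPECTED_PROVIDER = "Vineyard.OLEDBProvider.1"
# AD_ROOT, or AD_<orgname> in ASP (MyVine) mode (assumed: orgname is alphanumeric).
USER_ID_PATTERN = re.compile(r"AD_[A-Za-z0-9]+")


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict; keys lower-cased, blank parts skipped."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def check_adservice_config(xml_text: str) -> list:
    """Return the problems found in every <add> entry; [] means it looks usable."""
    problems = []
    root = ET.fromstring(xml_text)
    entries = root.findall("./connectionStrings/add")
    if not entries:
        return ["no <add> entry under <connectionStrings>"]
    for entry in entries:
        name = entry.get("name", "<unnamed>")
        if entry.get("providerName") != EXPECTED_PROVIDER_NAME:
            problems.append(f"{name}: providerName must be {EXPECTED_PROVIDER_NAME}")
        cs = parse_connection_string(entry.get("connectionString", ""))
        if cs.get("provider") != EXPECTED_PROVIDER:
            problems.append(f"{name}: Provider must be {EXPECTED_PROVIDER}")
        if not cs.get("data source", "").startswith("vas://"):
            problems.append(f"{name}: Data Source must be a vas:// URL naming the VAS server")
        if not USER_ID_PATTERN.fullmatch(cs.get("user id", "")):
            problems.append(f"{name}: User ID must be AD_ROOT or AD_<orgname>")
        if not cs.get("password"):
            problems.append(f"{name}: Password is empty")
    return problems
```

Because the file stores the AD_ROOT password in clear text, run the check as the service account and keep the file readable only by that account and administrators.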
Requirements
- Microsoft Windows Server 2008 / Server 2012 or higher (32-bit or 64-bit editions)
- Vine Application Server. The Vine AD Authentication service must be able to connect to VAS.
- To authenticate domain users, the Vine AD Authentication service must be installed on a computer that is a member of the domain.