Running ActivID CMS as a Standard User

Prerequisites: Before changing permissions for the user account under which ActivID CMS runs, it is imperative that you first test and successfully issue a smart card. The ability to complete this important task is an assurance that ActivID CMS is correctly configured. If you are unable to successfully issue a smart card, then ActivID CMS is not configured correctly.

This section describes the process that explains how to configure the IIS server, Microsoft Windows, and ActivID CMS to run under a non-administrator user account, and it defines exactly what rights are required.

ActivID CMS is generally installed using a user account with Local Administrator rights to the system upon which it runs. While being the recommended method of installation, following the installation of ActivID CMS you must ensure that this user account is modified to only grant it the necessary rights required to perform ActivID CMS functions.

It is recommended that rights be assigned to a user group rather than to an individual user. This allows a more granular and manageable assignment of rights and provides the ability to run each ActivID CMS instance or process under different user accounts. For purposes of explanation in this documentation, the following Users and Groups are used in the following listed examples.

ActivID CMS Users and Groups Example

User or Group Name

Local Group Name    

Related Group Name

User

CMS_USR1

Adm-CMS-LDAPUpdate

Active Directory Group

Adm-CMS-LDAPUpdate

L-adm-CMS-User

Local Machine Group

L-adm-CMS-User

 

 

To ensure that ActivID CMS can function correctly, it is required that Read rights are assigned to the ActivID CMS installation directory.

Note: Assigning Read rights allow ActivID CMS to function, but it does not allow other options of the ActivID CMS configuration to be modified (including Repositories). This is the main reason, why a user with local administrator rights needs to be used during the process of installing and configuring of ActivID CMS.

The rights in this instance need to be assigned to the L-adm-CMS-User group which should be created locally on the system running ActivID CMS. In addition, the Active Directory Group adm-CMS-LDAPUpdate needs to be a member of the L-adm-CMS-User group, as shown in the following example:

To assign the required rights to the ActivID CMS installation directory, perform the following tasks:

  1. Go to the directory where ActivID CMS is installed using Windows Explorer.

  2. Right-click and select Properties, and click the Security tab.

  3. Click Add, and enter the details for the local group you wish to assign Read rights to.

  4. Click OK twice.

To grant the ActivID CMS user Read access rights to the local machines certificate store, specific registry rights need to be granted to HKEY_LOCAL_MACHINE/Software/Microsoft/SystemCertificates. To assign the rights to the registry, perform the following tasks:

  1. To run the Microsoft Registry Editor, click Start > Run > Regedit.

  2. Go to the HKEY_LOCAL_MACHINE/Software/Microsoft/SystemCertificates key.

  3. Right-click SystemCertificates, and then click Permissions > Add.

  4. Enter the object name of the Local Group to which the rights should be assigned.

  5. Click OK.

  6. Click to select the Allow option for Full Control and Read rights.

  7. Click OK to continue and quit the Registry Editor.

ActivID CMS runs under the Microsoft web server. You need to complete the following tasks to be able to configure the website to run under a specific user.

  1. At the Internet Information Services (IIS) Manager, go to the ActivID CMS Web Site, right-click, and click Properties to display the Web Site Properties window.

  2. Click the Directory Security tab, and in the Authentication and access control panel, click Edit.

  3. Configure the Windows user account to allow anonymous access to use the pre-defined ActivID CMS user account by the settings you choose in the Authentication Methods window.

  4. Click OK, and enter the Password for a second time.

  5. Click OK and exit the Administration Tool.

  6. Restart the IIS server.