Run ESM with AD User Account

This article outlines the steps, in order, to get your server recording to a NAS with an AD account.

1. Open Active Directory and create the desired user. In this test case, the “archive” user has been created.


2. Navigate to the server and open up the Services menu under administrative tools. Locate the following services:

-ipConfigure Archive Creation Service
-ipConfigure Recording Control Service

Right-click on Archive Creation Service. Select Properties. Click the “Log On” tab.

Check the checkbox for “This account:” and enter the appropriate credentials. In this test case, the account will be “archive@ipconfigure.com”. Be sure to fully qualify the user here and not use ipconfigure\archive. Enter the password and confirm it. Press Apply. You will get an automated message stating that the account you just added has been granted the “Log on as a service” right.

If it did not do that, here is a KB article on how to do so manually.
http://technet.microsoft.com/en-us/library/cc739424(v=ws.10).aspx

3. Authenticate the Store virtual directory in IIS with this account. (Version 5.4.54 and earlier)

Open Internet Information Services under Administrative Tools on the server. Expand “Sites”, then “Cameras”. Find the directory titled “StoreX”, where X represents a number. Click on it once to highlight it. On the right side of the window, under “Actions”, you will see “Basic Settings.” Once in “Basic Settings”, make sure the NAS address is entered correctly, then click “Connect As”. Check “Specific User”, then enter the AD account, the password and the password confirmation.


4. Here are the permission sets that were required to allow for full functionality.

On the NAS Folder.

My NAS address was 192.168.101.20\Archive

All of the following were checked.

-Traverse folder / execute file
-List folder / read data
-Read attributes
-Read extended attributes
-Create files / write data
-Create folders / append data
-Write attributes
-Write extended attributes
-Delete subfolders and files
-Delete
-Read permissions


This AD account also needs access to the ipConfigure executables, wherever that directory is located on your server.

Example: Read/Write access to C:\Program Files\ipConfigure


5. The AD account also needs to be able to look up tokens. There is an article about that here:

https://ipconfigure.zendesk.com/entries/80415126-When-using-Active-Directory-ESM-does-not-correctly-determine-a-user-s-permissions-
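
A read-only check of steps 2 and 4, added here as an example and not part of the original article or of ipConfigure's tooling: it confirms that both services log on as the AD account and that the account's own ACEs on the NAS folder and the install directory carry the listed rights. The UNC form of the NAS path and the function names are assumptions; the other values are the article's test case.

```powershell
# Added verification sketch (not ipConfigure code). Values below are the article's test case.
$Account  = 'archive@ipconfigure.com'
$NasPath  = '\\192.168.101.20\Archive'   # assumption: UNC form of the article's NAS address
$ExePath  = 'C:\Program Files\ipConfigure'
$Services = 'ipConfigure Archive Creation Service', 'ipConfigure Recording Control Service'
# The eleven advanced permissions from step 4, as FileSystemRights flag names.
$NasRights = [System.Security.AccessControl.FileSystemRights]('Traverse, ListDirectory, ' +
    'ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories, WriteAttributes, ' +
    'WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ReadPermissions')

function Resolve-Sid([string]$Name) {
    # Compare identities by SID so archive@domain and DOMAIN\archive are treated as equal.
    try { ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # unresolvable names, e.g. the "LocalSystem" service account label
}
$AccountSid = Resolve-Sid $Account
if (-not $AccountSid) { throw "Cannot resolve $Account to a SID" }

function Test-AccountRights([string]$Path, [System.Security.AccessControl.FileSystemRights]$Required) {
    # Union of Allow ACEs that name the account directly. Rights granted through group
    # membership, Deny ACEs and share-level permissions are not evaluated.
    $granted = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (Resolve-Sid $ace.IdentityReference.Value) -eq $AccountSid) {
            $granted = $granted -bor [int]$ace.FileSystemRights
        }
    }
    $missing = [int]$Required -band (-bnot $granted)
    $detail  = 'required rights present'
    if ($missing) { $detail = "missing: $([System.Security.AccessControl.FileSystemRights]$missing)" }
    [pscustomobject]@{ Check = $Path; Pass = ($missing -eq 0); Detail = $detail }
}

# Step 2: each service's logon account (Win32_Service.StartName) must be the AD account.
$results = foreach ($name in $Services) {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$name'"
    [pscustomobject]@{
        Check  = $name
        Pass   = ($null -ne $svc -and (Resolve-Sid $svc.StartName) -eq $AccountSid)
        Detail = "logon account: $($svc.StartName)"
    }
}
# Step 4: NTFS rights on the NAS folder and Read/Write on the install directory.
$results += Test-AccountRights $NasPath $NasRights
$results += Test-AccountRights $ExePath 'Read, Write'
$results | Format-Table -AutoSize
```

A failed row for a path can still mean the account has access through a group; inspect the ACL by hand before changing it.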
