StifleR Client Access Control Options

Client AD Group Membership

The StifleR client runs as Local System (NT AUTHORITY\System).

If the client and the server are in the same domain (or in domains that trust each other), the client's Local System account authenticates to the StifleR server with the computer account credentials. To restrict which clients may access the server, an administrator can specify an AD group; only clients whose computer accounts are members of that group are permitted access.

This is configured using the following settings in the StifleR Server Configuration File:

RequireAgentGroupMembership = "1"

If the above is set, a second setting, AgentGroupMembership, must be configured with the name of the AD group, written as DOMAIN\Group. As an example: AgentGroupMembership = "2PINT\StifleRClientAccess"

Note: If the client or the server is not in a domain, or they are in domains that do not trust each other, the Local System account falls back to ANONYMOUS LOGON. That identity cannot be checked against a group, so the connection fails when RequireAgentGroupMembership is set.
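The following PowerShell is an added example, not part of StifleR or 2Pint's own tooling. Run from an administrator workstation with the RSAT ActiveDirectory module, it checks whether a given client would pass the RequireAgentGroupMembership check before the setting is switched on: the group must exist, the client must have a computer account (otherwise it arrives as ANONYMOUS LOGON), and the computer account must be a member, nested membership included. The group name follows the page's example; the client name CLIENT01 is a placeholder.

```powershell
# Added example (not 2Pint's code): pre-flight check for RequireAgentGroupMembership.
# Assumes the RSAT ActiveDirectory module; 'CLIENT01' is a placeholder client name.
param(
    [string]$AgentGroupMembership = '2PINT\StifleRClientAccess',
    [string]$ClientName = 'CLIENT01'
)

Import-Module ActiveDirectory -ErrorAction Stop

# The setting is written DOMAIN\Group; split it into the domain to query and the
# group's sAMAccountName.
$domain, $groupName = $AgentGroupMembership -split '\\', 2

# 1. The group itself must exist, or every client is rejected.
$group = Get-ADGroup -Server $domain -Identity $groupName -ErrorAction Stop

# 2. The client must have a computer account in a domain the server trusts.
#    Local System authenticates over the network as that account; a workgroup
#    client has no such account and shows up as ANONYMOUS LOGON instead.
$computer = Get-ADComputer -Server $domain -Identity $ClientName -ErrorAction SilentlyContinue
if (-not $computer) {
    Write-Warning "$ClientName has no computer account in $domain; it would connect as ANONYMOUS LOGON and be rejected. Use client certificates or a token for it instead."
    return
}

# 3. Membership test. -Recursive expands nested groups, so a client placed in a
#    sub-group of the access group is found as well.
$members = Get-ADGroupMember -Server $domain -Identity $group -Recursive |
           Where-Object { $_.objectClass -eq 'computer' }

if ($members.distinguishedName -contains $computer.DistinguishedName) {
    Write-Output "$ClientName is a member of $AgentGroupMembership; access will be permitted."
} else {
    Write-Warning ("$ClientName is NOT a member of $AgentGroupMembership; StifleR will refuse the connection. " +
                   "Add it with: Add-ADGroupMember -Identity '$groupName' -Members '$($computer.SamAccountName)'")
}
```

Group membership is carried in the client's Kerberos ticket, so after adding a computer account to the group the client needs a fresh ticket for Local System (a reboot, or `klist -li 0x3e7 purge` as an administrator) before the server sees the new membership.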

Client Certificates

If the client population is spread across a number of different domains, or the clients are not domain joined, certificates can be used to control access instead.

To require a client certificate, the setting RequireAgentClientCertificate must be defined in the StifleR Server configuration file. If it is enabled, two further settings, CertificateClientThumbprint and CertificateRootThumbprint, must also be defined. Both values are certificate thumbprints: the client certificate must be present in the Personal (MY) store of the Local Machine store location on the client, and CertificateRootThumbprint identifies the root of that certificate's chain. The first certificate in the chain from that thumbprint is used.

The server then verifies the certificate. A client whose certificate fails verification receives a 403 (Forbidden) response.

NOTE: These client certificates are not related to web-based communication or HTTPS. They are separate mechanisms: HTTPS authenticates the server and encrypts the connection, but it does not verify the client's identity the way this client certificate check does.
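The PowerShell below is an added example, not part of StifleR or 2Pint's own tooling. Run as an administrator on a client, it takes the thumbprint of the certificate intended for StifleR, confirms it is in the machine's Personal (MY) store with a usable private key, builds its chain the way Windows does, and reports the two values needed for CertificateClientThumbprint and CertificateRootThumbprint. The thumbprint in the parameter is a placeholder.

```powershell
# Added example (not 2Pint's code): derive the RequireAgentClientCertificate
# settings from a certificate on the client. The default thumbprint is a placeholder.
param(
    [string]$ClientThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
)

# 1. The StifleR client runs as Local System, so the certificate has to live in
#    the Local Machine Personal (MY) store, not in a user's store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$ClientThumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "No certificate with thumbprint $ClientThumbprint in Cert:\LocalMachine\My"
}

# 2. Without a private key the client cannot prove it owns the certificate, so the
#    server would reject it no matter how the thumbprints are configured.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key; Local System cannot use it"
}

# 3. Build the chain using the machine's trust stores (default policy, revocation
#    checked online). The last element is the root, which supplies the value for
#    CertificateRootThumbprint. A self-signed certificate is its own root.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if (-not $chainOk) {
    # ChainStatus explains why (untrusted root, expired, revocation unknown, ...).
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not validate: $status. Expect a 403 from the server until this is fixed."
}

# 4. Report the settings in the names used by the StifleR server configuration file.
[pscustomobject]@{
    Subject                     = $cert.Subject
    NotAfter                    = $cert.NotAfter
    ChainValid                  = $chainOk
    CertificateClientThumbprint = $cert.Thumbprint
    CertificateRootThumbprint   = $root.Thumbprint
}
```

Copy the two thumbprint values into the server configuration file exactly as printed (no spaces). If ChainValid is false on the client, the server's verification will fail too, so fix the trust problem (typically a missing root or intermediate CA in the Local Machine store) before enabling RequireAgentClientCertificate.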

Client Token

A further, less secure, method is available if neither group membership nor client certificates can be used. It requires a shared 'token' value to be configured on both the server and the client. The StifleR Server configuration file setting is RequestAgentToken, set to a string that clients must present to connect. Treat it like a password: use a long random value and distribute it securely. Because it is a single shared secret, any client that obtains it can connect, which is why this option is weaker than the other two.
