StifleR
2.10

StifleR Client Access Control Options


Last updated 4 months ago

This page describes the options for controlling StifleR Client access to the StifleR Server. These options do not refer to securing communications, such as with HTTPS.

Client AD Group Membership

The StifleR client runs as Local System (NT AUTHORITY\System).

If the client and the server are both in the same domain (or a trusted domain), then the client's Local System account uses the computer account credentials to access the StifleR server. If an administrator wants to further limit client access to the StifleR server, an AD group can be used, so that clients that are members of the group are permitted access.

This is configured using the following settings in the StifleR Server Configuration File:

RequireAgentGroupMembership = "1"

If the above is set, a second setting, AgentGroupMembership, must be configured to define the AD group name. As an example: AgentGroupMembership = "2PINT\StifleRClientAccess"

Note: If the client or the server is not in a domain, or a trusted domain, then the Local System account attempts to use ANONYMOUS LOGON. This cannot be verified against a group, and would fail if the setting RequireAgentGroupMembership is configured.
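A pre-flight check that can be run on a client before RequireAgentGroupMembership is enabled, to confirm the machine is domain joined and its computer account is in the group. This is an added example, not 2Pint's own code; the function name is hypothetical, the group is the sample value from this page, and it assumes the group lives in the same domain as the client.

```powershell
function Test-AgentGroupMembership {   # hypothetical helper name, not part of StifleR
    param([string]$AgentGroup = '2PINT\StifleRClientAccess')  # sample value from this page

    # A machine outside a domain falls back to ANONYMOUS LOGON, which cannot
    # be checked against a group, so the requirement would lock it out.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ Ok = $false; Reason = 'Computer is not domain joined' }
    }

    # Resolve the group in the current domain by its sAMAccountName.
    $groupSam = $AgentGroup.Split('\')[-1]
    $group = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$groupSam))").FindOne()
    if (-not $group) {
        return [pscustomobject]@{ Ok = $false; Reason = "Group '$groupSam' not found in this domain" }
    }
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # Escape characters that are special inside an LDAP filter value.
    $dnEscaped = $groupDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # The computer account's sAMAccountName is the NetBIOS name plus '$'.
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) matches direct and
    # nested membership; the page does not say whether the server honours nesting.
    $filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$dnEscaped))"
    $member = ([adsisearcher]$filter).FindOne()

    if ($member) {
        return [pscustomobject]@{ Ok = $true; Reason = "Computer account is a member of $groupDn" }
    }
    return [pscustomobject]@{ Ok = $false; Reason = "Computer account is not a member of $groupDn" }
}

Test-AgentGroupMembership
```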

Client Certificates

If the client population is spread across a number of different domains, or is not domain joined, you can use certificates to control access.

To require a client certificate, the setting RequireAgentClientCertificate must be defined in the StifleR Server Config file. If enabled, the settings CertificateClientThumbprint and CertificateRootThumbprint must also be defined in the configuration file. These values are configured with the thumbprint of a local certificate that is present in the Personal (MY) store in the Local Machine store location of the client. The first certificate in the store chain from that thumbprint is used.

The server will then verify the certificate. If the certificates cannot be verified, a 403 error is returned to the requesting client.

NOTE: Client certificates are not related to web-based communication or HTTPS. They are separate entities, and HTTPS does not verify that the client can authenticate as client certificates do.
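A client-side check that the certificate named by the thumbprint is actually in the Local Machine Personal (MY) store, is within its validity period, and chains to the expected root, run before RequireAgentClientCertificate is enabled so that clients do not start receiving 403 responses. This is an added example, not 2Pint's own code and not a reproduction of the server's verification; the function name and placeholder values are hypothetical, and it assumes CertificateRootThumbprint refers to the root of the client certificate's chain, which this page does not spell out.

```powershell
# Placeholders: substitute the thumbprints from your own configuration.
$ClientThumbprint = '<CertificateClientThumbprint value>'
$RootThumbprint   = '<CertificateRootThumbprint value>'

function Test-ClientCertForStifleR {   # hypothetical helper name, not part of StifleR
    param(
        [Parameter(Mandatory)][string]$ClientThumbprint,
        [Parameter(Mandatory)][string]$RootThumbprint
    )
    # Thumbprints pasted from the certificate dialog often carry spaces or an
    # invisible leading character; keep hex digits only before comparing.
    $client = ($ClientThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $root   = ($RootThumbprint   -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $result = [ordered]@{
        InStore = $false; InValidityPeriod = $false
        ChainBuilds = $false; RootMatches = $false; ChainErrors = @()
    }

    # The page requires the certificate in the Personal (MY) store of Local Machine.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $client } | Select-Object -First 1
    if (-not $cert) { return [pscustomobject]$result }
    $result.InStore = $true

    $now = Get-Date
    $result.InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)

    # Build the chain in machine context; revocation is skipped so the check
    # also works on a client with no route to the CRL distribution point.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainBuilds = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # The last chain element is the top of whatever chain could be built.
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootMatches = ($top.Thumbprint -eq $root)
    }
    return [pscustomobject]$result
}

Test-ClientCertForStifleR -ClientThumbprint $ClientThumbprint -RootThumbprint $RootThumbprint
```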

Client Token

There is a further (less secure) method that can be used if you are unable to use Group membership or Client Certificates. This requires a client ‘token’ value to be configured on the server and client. The setting for the StifleR Server configuration file is RequestAgentToken, which should be configured with a string that will then be used by clients to connect (and should be treated like a password).
