
Overview:

Velocity by default uses specific Windows User Groups and User names for application and SQL authentication. The two Active Directory group names it uses are: “Velocity Users” and “Velocity Services”. There is also one Active Directory user: “VelocityServices”. Depending on the installation, these users and groups will either be in Active Directory on your domain controller, or they will be local to your Velocity server. Where the user and groups reside depends on whether:

  • Velocity and SQL are installed on the same computer, or

  • Velocity and SQL are installed on separate computers

When Velocity and SQL are installed on the same computer, the only group that is created on the domain controller is the Velocity Users group. The Velocity Services group and the VelocityServices user are local to the Velocity server.

When Velocity and SQL are installed on separate computers, both groups and the user are all located on the domain controller.
There are instances when you will not want to use the default Velocity Users group, Velocity Services group, or VelocityServices user names. Government organizations in particular often require the assignment of unique user group names for every unit or department within the organization.
To do this, you need to choose the Advanced Authentication option on the Application Network and Security screen while performing a Server installation in an Active Directory domain.

The purpose of custom users and groups is to replace the defaults. Making sure the new groups work before deleting the defaults is strongly recommended. Because every installation is different, review your existing default accounts to confirm that the new accounts have equivalent rights and permissions.

This procedure should be performed by an IT professional thoroughly familiar with the intricacies of SQL Server database management and Windows Active Directory.


Based on your requirement, follow the steps mentioned in either of the sections.

 New installation of Velocity with Custom Users & Groups
  1. Add Users, Groups & Services in Active Directory

  2. Add Velocity DB in DB server

  3. Create SQL Login Permission for newly created custom groups

  4. Install Velocity in Velocity Server machine with a Custom User and Service Groups

  5. Restart all the Velocity-related services and the SQL Server service, close Velocity Service Control Manager (VSCM), and then restart all services and VSCM again.


Configuration Details:

 Creating a new Users Group, Service Group, Service User and assigning members on the Domain

This section explains how to create a new users group, service group, and service user, and how to assign members on the domain.

To create custom users and service groups for managing users and services

  1. Create two different groups: one for managing the custom users and another for managing the custom services.

  2. Open Active Directory Users and Computers. Expand your local domain.
    The Active Directory Users and Computers window appears:

  3. Right-click the Users folder (in the left pane) and select New ► Group.
    The New Object - Group dialog box appears:

  4. Enter the name of the group you want to use (instead of the Velocity Users Group), then select:

    • Group scope: Global

    • Group type: Security
      The dialog box now resembles this example:

  5. Click OK.
    The new users group appears in the Users folder.

  6. Repeat steps 3 to 5 to create another group for managing services (CustomVelServicesGrp).

  7. Right-click the new users group and select Properties, then click the Members tab.
    The Members tab is displayed. Add the Domain Administrator and the users who have access to Velocity as members by following the steps below.

  8. Click the Add button.
    The Select Users, Contacts, Computers, Service Accounts, or Groups dialog box appears:

  9. Click Locations and select this domain server’s location.

  10. Do one of these:

    • Enter the name of the object you are seeking and click Check Names. If the name is correctly entered, the name is underlined.

    • Click Advanced and in the Common Queries section, select a text string to find the required members. Click Find Now. All relevant users appear in the search results. Select one or more users.

  11. Click OK twice.
    The new users group with associated users appears in the Users folder.

To create a non-Velocity named user account for managing Velocity services:

  1. Open Active Directory Users and Computers. Expand your local domain.
    The Active Directory Users and Computers window appears:

  2. Right-click the Users folder (in the left pane) and select New ► User.
    The New Object - User dialog box appears:

  3. Enter the first name and last name and then a user logon name for the user, and click Next.

  4. Enter the password in the Password and Confirm Password fields, then click Next.

  5. Click Finish.
    The new user appears in the Users folder.

  6. Right-click the new user services and select Properties, then click the Members tab.
    The Members tab is displayed. Add the Domain Users and newly created service group (CustomVelServicesGrp) as members by following the steps below.

  7. Click the Add button.
    The Select Users, Contacts, Computers, Service Accounts, or Groups dialog box appears:

  8. Click Locations and select this domain server’s location.

  9. Do one of these:

    • Enter the name of the object you are seeking and click Check Names. If the name is correctly entered, the name is underlined.

    • Click Advanced and in the Common Queries section, select a text string to find the required members. Click Find Now. All relevant users appear in the search results. Select one or more users.

  10. Click OK twice.
    The new user services with associated users appear in the Users folder.
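
The two procedures above can also be scripted. This is an added example, not Identiv code; it assumes the ActiveDirectory PowerShell module, uses the sample names from this page, and `$operators` is a placeholder list to replace with your own accounts.

```powershell
# Added example: scripted equivalent of the two GUI procedures above.
# Requires the ActiveDirectory module (RSAT) and rights to create objects in the Users container.
Import-Module ActiveDirectory

# Group and account names are the sample names used on this page.
$usersGroup    = 'CustomVelUsersGrp'
$servicesGroup = 'CustomVelServicesGrp'
$serviceUser   = 'CustomVelServicesAcct'
# Assumption: placeholder list; replace with the accounts that need access to Velocity.
$operators     = @('Administrator')

$domain    = Get-ADDomain
$container = $domain.UsersContainer   # the "Users" folder in Active Directory Users and Computers

# First procedure, steps 3 to 6: two groups with Global scope and Security type.
foreach ($name in $usersGroup, $servicesGroup) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $container
    }
}

# Second procedure: the account that will run the Velocity services.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$serviceUser'")) {
    $password = Read-Host -AsSecureString -Prompt "Password for $serviceUser"
    New-ADUser -Name $serviceUser -SamAccountName $serviceUser `
               -UserPrincipalName "$serviceUser@$($domain.DNSRoot)" `
               -AccountPassword $password -Enabled $true -Path $container
}

# Add only the members that are not present yet, so the script can be re-run safely.
function Add-MissingMember {
    param([string]$Group, [string[]]$Members)
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object SamAccountName)
    $toAdd   = @($Members | Where-Object { $_ -notin $current })
    if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $toAdd }
}

Add-MissingMember -Group $usersGroup -Members $operators
# A new user already belongs to Domain Users, so only the services group is added here.
Add-MissingMember -Group $servicesGroup -Members $serviceUser

# Review the resulting membership before relying on the new groups.
foreach ($name in $usersGroup, $servicesGroup) {
    Get-ADGroupMember -Identity $name |
        Select-Object @{ n = 'Group'; e = { $name } }, SamAccountName, objectClass
}
```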


 Adding the new service account in the Local Velocity Server

This section explains how to create a new services account and assign permissions to it on the local Velocity server, where the Velocity application is installed.

To create a new services account on the local Velocity server

  1. Right-click on This PC and select Manage.
    The Server Management screen appears.

  2. Click Tools to go to the Computer Management Window.

  3. Expand the System Tools to explore the Local Users and Groups.

  4. Expand Groups to explore the list of all groups.

  5. Right-click Administrators and select Properties.

  6. The Properties window appears. Select the Members tab.

  7. Click the Add button to add domain\newservice (TESTDOMAIN\CustomVelServicesAcct) as a member by following the steps below.

  8. Click the Member of tab, then click the Add... button. Add the newly created service account (e.g., CustomVelServicesAcct).
    The Select Users, Computers, Service Accounts, and Groups dialog appears:

  9. Click Locations and specify the local server, then click OK.

  10. For the ‘Enter the object names to select’ field, do one of these:

    • Enter Administrators and click Check Names. If the name is correctly entered, the name is underlined. Click OK twice.

    • Click Advanced... and in the Common Queries section, select a text string to find the administrators group. Click Find Now. All relevant groups appear in the ‘Search results’ window. Select the user you require. Click OK twice.


 Assigning SQL Logins for the New Users and Service Group

This section explains how to assign the necessary SQL logins, from the computer on your system that contains SQL Server and the Velocity database.

To assign a login for this new users group

  1. Open SQL Server.
    The Microsoft SQL Server Management Studio appears.

  2. Expand the Security folder, then right-click the Logins folder and select New Login...
    The Login - New dialog appears:

  3. For the Login name, click Search.
    The Select User or Group dialog box appears.

  4. Click Object Types, select the Groups check box, and then click OK.

  5. Click Locations and select the domain server where the newly defined users group resides, then click OK.

  6. Do one of these:

    • Enter the users group name you are seeking and click Check Names. If the name is correctly entered, the name is underlined. Click OK.

    • Click Advanced and in the Common Queries section, select a text string to find the required group. Click Find Now. All relevant users groups appear in the ‘Search results’ pane. Select the one you want. Click OK.


      The users group appears in the ‘Login name’ field.

  7. Click Server Roles in the left pane.
    The Server Roles page appears.

  8. Select the dbcreator, public and sysadmin checkboxes, as shown in this example:

  9. Click User Mapping in the left pane.
    The User Mappings page appears.

  10. Select the Velocity, msdb, and master check boxes in the top pane.

  11. In the Database role membership pane, check these members:

    • For master: db_backupoperator and public.

    • For Velocity: db_backupoperator and public.

    • For msdb: public, SQLAgentOperatorRole, SQLAgentReaderRole, and SQLAgentUserRole.

  12. Click OK.

  13. Now repeat steps 3 to 8 to assign SQL login access for the Services group (CustomVelServicesGrp).

  14. Select the Velocity and msdb check boxes in the User Mapping section.

  15. On the User Mapping page, check these memberships:

    • For Velocity: db_backupoperator and public.

    • For msdb: public, SQLAgentOperatorRole, SQLAgentReaderRole, and SQLAgentUserRole.

  16. Click OK.
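
To confirm the result of steps 7 to 16, the following added example (not Identiv code) compares each login's actual role membership with the roles listed above and reports anything missing or extra. It assumes the SqlServer PowerShell module; `DBSERVER` is a placeholder host name, `IDENTIV` is the instance name that appears on this page, and `TESTDOMAIN` and the group names are the page's sample names.

```powershell
# Added example: audit server and database role membership of the two custom logins.
Import-Module SqlServer

$instance  = 'DBSERVER\IDENTIV'   # assumption: DBSERVER is a placeholder host name
# The "public" role is implicit and is not recorded in the role-membership views,
# so it is left out of the expected lists.
$msdbRoles = 'msdb:SQLAgentOperatorRole', 'msdb:SQLAgentReaderRole', 'msdb:SQLAgentUserRole'
$expected  = @{
    'TESTDOMAIN\CustomVelUsersGrp'    = @('server:dbcreator', 'server:sysadmin',
        'master:db_backupoperator', 'Velocity:db_backupoperator') + $msdbRoles
    'TESTDOMAIN\CustomVelServicesGrp' = @('server:dbcreator', 'server:sysadmin',
        'Velocity:db_backupoperator') + $msdbRoles
}

function Get-LoginRoles {
    param([string]$Instance, [string]$Login)
    $name = $Login.Replace("'", "''")   # escape for use inside a T-SQL string literal
    $serverQuery = @"
SELECT r.name AS RoleName
FROM sys.server_role_members AS x
JOIN sys.server_principals AS r ON r.principal_id = x.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = x.member_principal_id
WHERE m.name = N'$name';
"@
    # Database users are matched by SID, so a renamed database user is still found.
    $dbQuery = @"
SELECT r.name AS RoleName
FROM sys.database_role_members AS x
JOIN sys.database_principals AS r ON r.principal_id = x.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = x.member_principal_id
WHERE m.sid = SUSER_SID(N'$name');
"@
    $roles = @(Invoke-Sqlcmd -ServerInstance $Instance -Query $serverQuery |
        ForEach-Object { "server:$($_.RoleName)" })
    foreach ($db in 'master', 'Velocity', 'msdb') {
        $roles += @(Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query $dbQuery |
            ForEach-Object { "${db}:$($_.RoleName)" })
    }
    return $roles
}

$report = foreach ($login in $expected.Keys) {
    $have = @(Get-LoginRoles -Instance $instance -Login $login)
    [pscustomobject]@{
        Login   = $login
        Missing = @($expected[$login] | Where-Object { $_ -notin $have }) -join ', '
        Extra   = @($have | Where-Object { $_ -notin $expected[$login] }) -join ', '
    }
}
$report | Format-List
```

An empty `Missing` and `Extra` for both logins means the logins match the documented assignment; the same script run against the default Velocity logins gives a baseline for comparison.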


 Assigning the New Users Group and Services Group Permissions to Velocity

This section explains how to assign the new users group permissions to the Velocity directory.


To assign the new users group permissions to Velocity:

  1. On the Velocity server, open Windows Explorer.

  2. From the Program Files (x86) folder, select Identiv and then Velocity.

  3. Right-click the Velocity folder and select Properties.
    The Velocity Properties dialog box appears.

  4. Select the Security tab, then click Edit.

  5. In the ‘Permissions for Velocity’ dialog box, click Add.
    The ‘Select Users, Computers, Service Accounts, and Groups’ dialog box appears.

  6. If required, click Locations and select the domain server, then click OK.

  7. At the ‘Enter the object names to select’ dialog box, do one of these:

    • Enter the users group name you are seeking (CustomVelUsersGrp) and click Check Names. If the name is correctly entered, the name is underlined.

    • Click Advanced and in the ‘Common Queries’ section, select a text string to find the required group. Click Find Now. All relevant users groups appear in the search results.
      Select the previously-defined users group.

  8. Click OK.
    The ‘Permissions for Velocity’ dialog box reappears, with the selected users group highlighted.

  9. In the ‘Permissions’ area at the bottom of the page, select every ‘Allow’ check box except for the ‘Full control’ permission, as shown in this example:

  10. Click OK.

  11. Now repeat steps 3 to 7 to add permission for Services Group (CustomVelServicesAcct).

  12. Click OK.
    The ‘Permissions for Velocity’ dialog box reappears, with the selected Services Group highlighted.

  13. In the ‘Permissions’ area at the bottom of the page, select every ‘Allow’ check box except for the ‘Full control’ permission, as shown in this example:

  14. Click OK.

Note: Starting from Velocity v3.8.4, some of the data files are moved to ProgramData. Follow the steps below to grant permissions to the Velocity files under the ProgramData folder.

To assign the new users group and service groups permissions to Velocity (ProgramData):

  1. On the Velocity server, open Windows Explorer.

  2. Select View > Show > Hidden items.

  3. From the ProgramData folder, select Identiv and then Velocity.

  4. Right-click the Velocity folder and select Properties.
    The Velocity Properties dialog box appears.

  5. Now follow step 4 to step 14 from the above topic.

Checking File and Folder Permissions

This section explains how to verify the permissions of the new account that starts the Velocity services. In particular, it enables access to the Velocity database archive files.

To check that the relevant files and folders include the required permissions:

  1. On the client computer, open Windows Explorer.

  2. Expand the root drive (normally C:) to reveal Program Files then Microsoft SQL Server then MSSQL15.IDENTIV then MSSQL then DATA.

  3. Identify those folders and files that the custom users account will employ. For each one, perform Steps 4 through 8.

  4. Right-click on a folder or file and select Properties.

  5. In the Properties dialog, click the Security tab.
    A dialog box like this example appears:

  6. Select to highlight each user and users group assigned to the custom users group. In the Permissions pane, inspect the permissions assigned to each user or group. All relevant entities should have all permissions except ‘Full control’ checked.

  7. If all permissions (except ‘Full control’) are not checked, click Edit.
    A dialog box like this example appears:

  8. Select each check box (except ‘Full control’) in the Allow column of the Permissions pane, then click OK.
    Repeat Steps 4 through 8 for each required folder and file.
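
The same check can be run from PowerShell. This added example (not Identiv code) reports, for each folder, whether each custom principal holds every basic Allow permission except Full control, which corresponds to the Modify right. It assumes the page's sample names, a default installation on the system drive, and that the principals appear directly in the ACL rather than through nested groups.

```powershell
# Added example: audit the Allow permissions described in the procedures above.
# Assumptions: sample names from this page; adjust the list to the principals you granted.
$principals = 'TESTDOMAIN\CustomVelUsersGrp', 'TESTDOMAIN\CustomVelServicesGrp'
$paths = @(
    (Join-Path ${env:ProgramFiles(x86)} 'Identiv\Velocity'),
    (Join-Path $env:ProgramData 'Identiv\Velocity'),   # Velocity v3.8.4 and later
    (Join-Path $env:ProgramFiles 'Microsoft SQL Server\MSSQL15.IDENTIV\MSSQL\DATA')
)
$modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
$full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# Combine the rights of every Allow entry (explicit or inherited) that names the principal.
function Get-AllowedRights {
    param([string]$Path, [string]$Principal)
    $rights = 0
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -eq $Principal) {
            $rights = $rights -bor [int]$rule.FileSystemRights
        }
    }
    return $rights
}

$report = foreach ($path in $paths) {
    # Skip folders that do not exist on this machine (for example, a split-server setup).
    if (-not (Test-Path -LiteralPath $path)) { continue }
    foreach ($principal in $principals) {
        $rights = Get-AllowedRights -Path $path -Principal $principal
        $status = 'Incomplete'
        if ($rights -eq 0) { $status = 'No Allow entry' }
        if (($rights -band $modify) -eq $modify) { $status = 'OK' }
        if (($rights -band $full) -eq $full) { $status = 'Full control granted' }
        [pscustomobject]@{
            Path      = $path
            Principal = $principal
            Rights    = [System.Security.AccessControl.FileSystemRights]$rights
            Status    = $status
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```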


 Enabling Velocity Operators to Use the New Users Group

This section explains how to enable Velocity operators to use the new users group.


To enable Velocity operators to use the new users group:

  1. At the Velocity server’s desktop, right-click on the Velocity Service Control Manager icon in the tray and select Properties. The Velocity Settings dialog box appears.

  2. Select the Advanced option in the left pane, then select the ‘Custom Velocity Users Group Names’ check box:


    Note: This option is available only when your Velocity Server is part of an Active Directory domain; it is not available in a local workgroup.

    A warning message asks if you want to proceed.

  3. Click Yes, then click OK twice.

  4. Open Velocity.

  5. From the Administrator pane, select Velocity Configuration then Operators.
    Because you have ceded control for creating operators to Active Directory by selecting Custom Velocity User Group Names in the Velocity settings, you must use an existing operator previously created in Active Directory.

  6. In the right pane, double-click an existing operator name. This operator name must already be resident in Active Directory.
    The Operator Properties dialog box appears.

  7. In the ‘Name’ box, enter a name for this operator.

  8. In the ‘Domain’ list, select the domain where the newly-defined users group resides.

  9. Fill out all other fields and roles as required.

  10. Click OK.

  11. Add other operators to this domain as required.


 Updating Velocity and SQL Server service with newly created services

This section explains how to update the existing Velocity and SQL Server services with the newly created custom service.

Note: Stop each of the Velocity-specific services running on Velocity server via VSCM, in the following order:

  1. Velocity Security Domain Service

  2. Velocity DigiTrac Network Service

  3. Velocity SQL Writer

  4. Velocity Extension Service

  5. Velocity CCTV Service

  6. Velocity Web Service

    To stop, right-click on the VSCM icon on the system tray and select the Stop option for each service.

Now, to update with custom services, follow the steps provided below:

  1. Right-click This PC and select Manage.
    The Server Manager appears.

  2. Expand the Configuration object and highlight Services.
    The Services that are running on this computer appear:


    Depending on whether your Velocity system includes optional software components or integrations, the following Velocity-specific services could be running on this computer:

    • Velocity CCTV Service

    • Velocity DigiTrac Network Service

    • Velocity Extension Service

    • Velocity Security Domain Service

    • Velocity SQL Writer

    • Velocity Web Service

    • SQL Server (Identiv) (in a split-server environment, the SQL Server service is on the database machine)

  3. Right-click on the service and select Properties.
    The Service Properties dialog box for the specific service appears, like in this example:

  4. Click the Log On tab.
    The Log On tab is displayed:

  5. Click This account, then click Browse.
    The Select User dialog box appears:

  6. For the ‘Enter object name to select’ field, do one of these:

    • Enter the user’s name you created and click Check Names.
      If the name is correctly entered, the name is underlined.

    • Click Advanced and in the ‘Common Queries’ section, select a text string to find the required user. Click Find Now. All relevant users appear in the ‘Search results’ pane. Select the new user.


      Only one user can start a service. You cannot define more than one user per service.

  7. Click OK.

  8. Enter and confirm the password for this account.

  9. Click Apply.
    A message may appear for the first service. If it does, simply click OK to proceed.

  10. For each Velocity-related service listed in Step 2, perform Steps 3 through 9 to make the same modification.

  11. Return to the Server Manager Services page.

  12. Restart each of the Velocity-specific services running on this computer.
    To restart each service, right-click on the stopped service and select the Start option.

  13. The services will now start with the new users group account.
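
After step 13, the following added example (not Identiv code) confirms the outcome of this section and of the earlier local Administrators step: it checks that the service account is in the local Administrators group and lists the account each Velocity-related service logs on as. It assumes the page's sample account name and matches services by the display names listed in step 2.

```powershell
# Added example: verify the local group membership and the service logon accounts.
# Assumption: TESTDOMAIN\CustomVelServicesAcct is this page's sample account name.
$expectedAccount = 'TESTDOMAIN\CustomVelServicesAcct'
# Display names as listed on this page, in the documented stop order, plus SQL Server.
$displayNames = @(
    'Velocity Security Domain Service', 'Velocity DigiTrac Network Service',
    'Velocity SQL Writer', 'Velocity Extension Service', 'Velocity CCTV Service',
    'Velocity Web Service', 'SQL Server (IDENTIV)'
)

# Local Administrators membership set up in the "Local Velocity Server" section.
$admins  = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
$isAdmin = $expectedAccount -in $admins
"{0} in local Administrators: {1}" -f $expectedAccount, $isAdmin

# Logon account of each service; optional components may not be installed on this machine.
$services = @(Get-CimInstance -ClassName Win32_Service)
$report = foreach ($displayName in $displayNames) {
    $svc = $services | Where-Object { $_.DisplayName -eq $displayName } | Select-Object -First 1
    if (-not $svc) {
        [pscustomobject]@{ Service = $displayName; State = 'not installed here'
                           LogOnAs = ''; UsesCustomAccount = $null }
        continue
    }
    [pscustomobject]@{
        Service           = $svc.DisplayName
        State             = $svc.State
        LogOnAs           = $svc.StartName
        UsesCustomAccount = ($svc.StartName -eq $expectedAccount)
    }
}
$report | Format-Table -AutoSize
```

A service that shows `UsesCustomAccount` as `False` still runs under its previous account, or stores the account in another form such as a UPN, and should be checked on its Log On tab.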


 Adding Velocity DB in DB machine for split server installation

This section explains how to attach the Velocity DB on a server machine for a split server installation.

To set up Custom AD, make sure the machine where Velocity is going to be installed is part of the AD server domain.

  1. On the server where the DB needs to be attached, right-click the Velocity_Installer_3.8.4(build-3.8.4.xxx).exe file and run it as an administrator.

  2. On the Install Options window, select “This computer will be used as a remote SQL server (attach database only)”.

  3. Then follow the regular installation steps to complete the Velocity installation in the split server environment.

  4. Now go to the DB server and open Services.

  5. Right-click SQL Server (IDENTIV) and update the newly created services on the Log On tab → This account.


 Installing Velocity Application using Custom Users and Service Groups

This section explains how to install Velocity Application using Custom Users and Service Groups on split server installation.

  1. Follow steps 1 to 4 from Install Velocity Application.

  2. On the Install Options window, select the option “This computer will be used as a Velocity server. Velocity services and SQL server will be installed in addition to the client application.”

  3. On the Application Network Security page, select the “Advanced Authentication [Custom Active Directory Users and Groups]” radio button.

  4. Use the Browse button to choose the Services Account and User Group that you created in AD, enter the password, and click Next.

  5. Follow the regular installation steps.

  6. At the final step, a popup dialog appears. Enter the newly created custom user group and services group names.

  7. Click OK and proceed through the installation to complete it.
