Setup/System Diagram
Short Summary:
System 1 - Active Directory
Setup Active Directory (AD)
Create domain controller
Create user groups
Create users
(Single-Sign On) Create service user → Sense Authorization service
(Single-Sign On) Create shared folder, e.g. c:\files, which will hold SenseClient.ini
System 2 - Sense Server
Sense Server + Client installed
Web configuration setup
Add system to domain system (DNS) *
(Single-Sign On) Change Sense Authorization service login → service user
(Single-Sign On) Start Client (to create SenseClient.ini for SSO)
(Single-Sign On) Edit SenseClient.ini and add the computer name of the Server system to the following parameters:
[OpenApiWebSocketHost]
[OpenApiHttpHost]
[ActiveDirectoryNetbiosName]
(Single-Sign On) Place the edited SenseClient.ini in the shared folder created on System 1 (Step 6)
System 3 - Sense Client
Sense Client installed
(Single-Sign On) Set client to auto startup
Add system to domain system (DNS) *
Detailed setup guide
System 1 - Setting up Active Directory Administrative Center
If the Domain Controller has already been created, you can continue from here on.
AD system IP currently used: 172.21.240.159
IMPORTANT :
Make sure all systems have synced time settings.
Restart system after setting up AD System
Add firewall exceptions (ports) NetBIOS
Active Directory Administrative Center
Go to AD and open the Users directory as highlighted in the image below.
Create a new user group, e.g. SenseUsers.
Create the users that need access to VDG Sense and make them a member of the group (SenseUsers).
Fill in the user details and set the password policy.
Click on 'Member Of' → Add → Check Names → assign the user to the group (e.g. SenseUsers).
Create “Service user” (Single-Sign On)
This step creates a service user for the Sense Authorization service, which is necessary for SSO.
1. Open the Active Directory Administrative Center on the Domain Controller.
2. Create a user like a normal user.
3. IMPORTANT: After the "Service User" has been created, save it!
4. Then double-click the user to edit it.
5. Go to 'Extensions' > 'Attribute Editor'.
6. Navigate to the property 'servicePrincipalName'.
7. Add the following value: http/<computername>.<domain>. This is the computer name of the VDG Sense server followed by the domain (e.g. 'http/VDG_SenseServer.makessense.com').
Important: Repeat step 7 - 16 for every Sense (Slave) server.
8. Save the user.
9. Open the user again by double-clicking on it.
10. Go to 'Delegation'.
11. Check 'Trust this user for delegation to specified services only'.
12. Click on "Add" under the services list (see screenshot below).
13. Click on "Add Users or Computers" (see screenshot below).
14. Click on "Advanced", then "Find Now", select the Sense Server (System 2) in the list and click OK.
15. Use the filter to search for http and select the service principal with the full domain name (e.g. 'http/VDG_SenseServer.makessense.com'). Click OK.
16. Save the Sense Auth dialog by clicking 'OK' and you are ready.
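The same result as steps 1-16, as an added PowerShell example for administrators who prefer to script the domain controller side (this is not code from the VDG Sense documentation). It assumes the RSAT ActiveDirectory module is available on the DC; the account name svc-senseauth, the slave server name VDG_SenseSlave1 and the domain makessense.com are assumptions taken from or added to the page's examples. The script refuses to register an SPN that already exists on another object, because duplicate SPNs break Kerberos for both accounts, and it grants delegation only to the listed HTTP SPNs (the "specified services only" option, Kerberos only), which is the narrowest grant the dialog offers.

```powershell
# Added example, not part of the VDG Sense documentation.
# Creates the SSO service user, registers one HTTP SPN per Sense server and
# configures constrained (Kerberos-only) delegation to exactly those SPNs.
Import-Module ActiveDirectory

$Domain       = 'makessense.com'                       # page example domain
$ServiceUser  = 'svc-senseauth'                         # assumed account name
$SenseServers = 'VDG_SenseServer', 'VDG_SenseSlave1'    # master (page example) + assumed slave
$Password     = Read-Host -AsSecureString 'Password for the service user'

# 1. Create the account. Service accounts should not expire or change their own password.
New-ADUser -Name $ServiceUser -SamAccountName $ServiceUser `
    -UserPrincipalName "$ServiceUser@$Domain" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Sense Authorization service account (SSO)'

foreach ($srv in $SenseServers) {
    # SPN format prescribed by the page: http/<computername>.<domain>
    $spn = "http/$srv.$Domain"

    # 2. Stop if the SPN is already registered elsewhere: a duplicate SPN makes
    #    the KDC unable to pick a key and Kerberos logon fails for both accounts.
    $existing = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($existing) { throw "SPN $spn already registered on $($existing.DistinguishedName)" }

    # 3. Same as adding the value to servicePrincipalName in the Attribute Editor.
    Set-ADUser -Identity $ServiceUser -ServicePrincipalNames @{Add = $spn}

    # 4. Same as 'Trust this user for delegation to specified services only'
    #    with the Sense server's HTTP service selected (no protocol transition flag).
    Set-ADUser -Identity $ServiceUser -Add @{'msDS-AllowedToDelegateTo' = $spn}
}

# 5. Verify: both attributes should list one entry per Sense server.
Get-ADUser -Identity $ServiceUser -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo'
```

Run it once; add further slave servers to $SenseServers and re-run only the foreach part. The script deliberately does not set the "Use any authentication protocol" option, which would additionally allow protocol transition and is not needed for the dialog steps described on this page.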
Create “shared folder” (Single-Sign On)
This step is needed for SSO to work properly: here you will later place the SenseClient.ini that you configure in chapter Configuration SenseClient.ini (Single-Sign On).
Navigate to a location and create a folder (e.g. : C:\files)
Right click the folder and open the Properties
Open the subtab “Sharing”
Click the button “Share…”
Add the administrator user with the Read/Write permission level.
Add Domain Computers with Read permissions.
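The share from the steps above, created with PowerShell on the domain controller as an added example (not the page's own instructions). It assumes the NetBIOS domain name MAKESSENSE and grants write access to the Domain Admins group rather than a single administrator account. It also sets the NTFS ACL explicitly, because the effective right on a share is the more restrictive of the share and NTFS permissions, and keeps Domain Computers read-only: every client will apply whatever this file says, so nothing except administrators should be able to change it.

```powershell
# Added example, not part of the VDG Sense documentation.
# Creates the folder and share that will hold SenseClient.ini (System 1).
$Path      = 'C:\files'            # page example path
$ShareName = 'files'
$Domain    = 'MAKESSENSE'          # assumed NetBIOS domain name

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permissions: administrators maintain the file; domain computers only read it
# (the GPO file copy runs in the computer's context, hence Domain Computers, not Users).
New-SmbShare -Name $ShareName -Path $Path -Description 'SenseClient.ini for SSO' `
    -FullAccess "$Domain\Domain Admins" -ReadAccess "$Domain\Domain Computers"

# NTFS permissions: drop inheritance and state the same three principals explicitly.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    @{ Id = "$Domain\Domain Admins";     Rights = 'Modify' },
    @{ Id = "$Domain\Domain Computers";  Rights = 'ReadAndExecute' },
    @{ Id = 'BUILTIN\Administrators';    Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $Path -AclObject $acl

# Verify: only the principals above should appear in either list.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The share is then reachable as \\<domaincontroller>\files, which is the path to use when the GPO source file is selected later.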
Setting up Group Policy Object (Single-Sign On)
In order to support Single Sign On (SSO), each client needs to be configured once with the server it should automatically log in to. As the Sense Client settings are stored in the roaming profile of the Windows user, you would need to do this for each domain user. The domain controller can instead push the appropriate settings automatically to the roaming profile by configuring a Group Policy Object (GPO). This saves time and manual configuration for each domain user who has access to the VDG Sense system.
NOTE: Configuring a GPO that pushes the appropriate settings to the Sense Client can only be completed once you have copied the SenseClient.ini into the shared folder, as described in chapter Configuration SenseClient.ini (Single-Sign On).
1. Open the Group Policy Management Console (GPMC.MSC) on your domain controller.
2. Create a new Group Policy Object.
3. Right-click on your domain and click on "Link an Existing GPO..." to link the just created GPO.
4. Right-click the newly created GPO.
5. Click Edit and browse to: User Configuration\Preferences\Windows Settings\Folders\
6. Create a new folder in the following path: %appdata%\VDG Security\SenseClient\settings
7. Once the configuration folder in the user profile is created, we should also push the SenseClient.ini file to this folder. This can be done in the same GPO by adding a file like this:
8. Configure the desired SenseClient.ini file as source file by browsing to the network share and set the destination file to the following location: %appdata%\VDG Security\SenseClient\settings\SenseClient.ini
9. To test this GPO, run the following command at the command prompt on the clients where you want the settings to apply, or wait for the group policy background refresh:
gpupdate /force
If gpupdate does not push the changes, log out and log in again with the user on the client system.
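An added PowerShell example (not from the VDG Sense documentation) for the scriptable parts of this chapter: steps 2-3 (create and link the GPO) on the domain controller, and a check for step 9 on a client. The Folder and File preference items of steps 5-8 have no cmdlet and are still added in the Group Policy Management Editor. The GPO name, the domain DN DC=makessense,DC=com and the expected server name VDG_SenseServer are assumptions based on the page's examples.

```powershell
# Added example, not part of the VDG Sense documentation.
# Part 1 (domain controller): create the GPO once and link it to the domain.
Import-Module GroupPolicy

$GpoName  = 'VDG Sense SSO client settings'   # assumed name
$DomainDn = 'DC=makessense,DC=com'            # DN of the page's example domain

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Pushes SenseClient.ini into the roaming profile' |
        New-GPLink -Target $DomainDn -LinkEnabled Yes | Out-Null
}
Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, ModificationTime

# Part 2 (client, logged in as the domain user, after "gpupdate /force"):
# confirm the file arrived and that it points the client at the expected server.
$ExpectedServer = 'VDG_SenseServer'           # page example; the NetBIOS name of System 2
$Local = Join-Path $env:APPDATA 'VDG Security\SenseClient\settings\SenseClient.ini'
$Keys  = 'OpenApiWebSocketHost', 'OpenApiHttpHost', 'ActiveDirectoryNetbiosName'

if (-not (Test-Path $Local)) {
    throw "GPO has not delivered $Local yet; check 'gpresult /r /scope:user' and log off/on"
}
$hits = Get-Content -Path $Local | Select-String -Pattern ($Keys -join '|')
$wrong = $hits | Where-Object { $_.Line -notmatch [regex]::Escape($ExpectedServer) }
if ($wrong) { throw "SenseClient.ini was delivered but does not point at $ExpectedServer`n$($wrong -join "`n")" }
"SenseClient.ini delivered; $($hits.Count) server parameter line(s) reference $ExpectedServer"
```

Part 2 is worth keeping as a login-time check on a test client: if someone replaces the file on the share with one that names a different server, this is where it shows up before every user picks it up.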
System 2 - Setting up Sense system
On this system you should have Sense Client + Server installed.
IMPORTANT :
Make sure all systems have synced time settings.
Restart system after setting up Sense System
Add firewall exceptions (ports) NetBIOS
Setup Active Directory to the Sense Web Configuration
IMPORTANT: Repeat this Chapter on every Sense (master and slave) server system
1. Go to the machine on which VDG Sense Server is installed.
2. Open the web configuration by browsing to https://localhost/config
3. Log in as the administrator user.
4. Navigate to the Active Directory settings.
5. Enter the IP address of the domain server; make sure it is prepended with "ldap://".
6. Enter the base distinguished name (DN).
7. Enter the username and password of the administrator user of the domain. The password field is cleared upon entering, but the password is saved. This is a known issue.
8. Enter the user group you created earlier.
9. Fill in the service principal name of the Sense (server) you are on. IMPORTANT: Every (slave) server will have its own system name put here. Required for SSO; enter the following value: http/<computername>.<domain>. This is the computer name of the VDG Sense server followed by the domain (e.g. 'http/VDG_SenseServer.makessense.com').
10. Only check the import users checkbox on the master Sense Server.
11. Click on the "Identity Service" tab.
12. Change the identity provider to 'Active Directory'.
13. Switch between "Default" and "Active Directory" to apply the changes (this is a known issue).
14. Go to the Users tab/page and check whether the AD users have been added.
Adding system/computer to domain
Important: Add Master and slave Sense servers on to the domain.
1. Go to the machine on which the VDG Sense Server is installed.
2. Go to the adapter settings of your primary network adapter.
3. Change the primary DNS address to the IP address of the domain server. This is needed for the machine to find and join that domain.
4. Go to the properties of 'This PC' and set the domain to your domain (e.g. 'makessense.com').
NOTE: Remember or write down the computer name; you will need it in one of the following steps.
5. Repeat these steps for every client which requires the Single Sign On functionality. To verify that these steps were successful, log out and log in with your Windows domain credentials.
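Steps 1-5 as an added PowerShell example (not from the VDG Sense documentation), to be run elevated on each Sense server and on each SSO client. The DC address 172.21.240.159 and domain makessense.com are the page's values; the adapter alias Ethernet is an assumption (Get-NetAdapter lists the real one). It checks that the domain's SRV records resolve before attempting the join, which is the usual reason a join fails after the DNS change, and prints the computer name the later steps need.

```powershell
# Added example, not part of the VDG Sense documentation.
# Point DNS at the domain controller, join the domain, reboot, then verify.
$DcIp    = '172.21.240.159'     # AD system IP from this page
$Domain  = 'makessense.com'     # page example domain
$Adapter = 'Ethernet'           # assumed alias of the primary adapter

# 1-3. Primary DNS must be the DC, otherwise the machine cannot locate the domain.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp
Clear-DnsClientCache

# Sanity check before joining: the DC locator records must resolve through that DNS.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null

# NOTE from the page: the computer name is needed for the SPN and SenseClient.ini.
Write-Host "Computer name to write down: $env:COMPUTERNAME"

# 4. Join the domain with an account allowed to add computers; a reboot is required.
$cred = Get-Credential -Message "Account permitted to join $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart

# After the reboot, verify the join (run these two lines by hand):
#   Test-ComputerSecureChannel -Verbose            # True when the machine trusts the DC
#   (Get-CimInstance Win32_ComputerSystem).Domain   # should print makessense.com
```

Use a dedicated account that only has the right to join computers rather than a Domain Admin for the Add-Computer step; the credential is typed on every machine being joined.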
Create Sense Authorization Service (Single-Sign On)
The next step is to run the Sense Authorization service as the "Service User" that we created in 1.2 Create “Service user” (Required for SSO).
Important: Perform step 1-5 on both Master and slave Sense servers.
Go to the machines on which VDG Sense Servers are installed
Login as administrator.
Go to 'Services'
Open the properties of Sense Authorization.
Enter the credentials of the service user and click OK
Restart the Sense Authorization service
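The service logon change from the steps above, as an added PowerShell example (not from the VDG Sense documentation) for Windows PowerShell 5.1, where Set-Service has no -Credential parameter, so the Win32_Service Change method is used instead. The service name SenseAuthorization and the account MAKESSENSE\svc-senseauth are assumptions; confirm the real service name with Get-Service first.

```powershell
# Added example, not part of the VDG Sense documentation.
# Run elevated on each master and slave Sense server.
$ServiceName = 'SenseAuthorization'             # assumed; verify with: Get-Service *Sense*
$Account     = 'MAKESSENSE\svc-senseauth'       # assumed service user from the AD chapter
$Password    = Read-Host 'Service user password' # Change() needs the plain string

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; run Get-Service to find the Sense Authorization service" }

# Equivalent of the 'Log On' tab in the service properties dialog.
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = $Account; StartPassword = $Password }
if ($result.ReturnValue -ne 0) { throw "Change failed with Win32_Service return code $($result.ReturnValue)" }

# The new logon account is only used after a restart.
Restart-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```

Unlike the services.msc dialog, the Change method does not grant the account the "Log on as a service" right; if the restart fails with error 1069, assign that right (Local Security Policy > User Rights Assignment) or via the page's GUI steps once. This also matches the known issue below: an update that reinstalls the service resets this logon account, so keep the script for re-running after updates.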
Configuration SenseClient.ini (Single-Sign On)
1. Start a Sense Client application (it does not matter on which machine); in this case we do this on System 2.
2. Navigate to the following configuration directory: %appdata%\VDG Security\SenseClient\settings.
3. Open the SenseClient.ini.
4. Configure the NetBIOS name of the server (System 2) on which the client should log in, for the following parameters:
[OpenApiWebSocketHost]
[OpenApiHttpHost]
[ActiveDirectoryNetbiosName]
5. Move or copy this SenseClient.ini file to the shared folder on your domain controller (System 1) that you created in chapter Create “shared folder” (Required for SSO), or to any other file share, and make sure your clients have access to this network share.
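Steps 2-5 as an added PowerShell example (not from the VDG Sense documentation). It assumes the three parameters appear in SenseClient.ini as plain Key=Value lines, that the server's NetBIOS name is VDG_SenseServer and that the share is \\DC01\files; open the file once by hand to confirm the layout before relying on it. If a key is not found the script stops rather than appending a guessed line, so a layout mismatch is reported instead of silently producing a file that every client will load.

```powershell
# Added example, not part of the VDG Sense documentation.
# Rewrites the server parameters in the current user's SenseClient.ini and
# copies the file to the share on the domain controller.
$Server  = 'VDG_SenseServer'                          # NetBIOS name of System 2 (page example)
$IniPath = Join-Path $env:APPDATA 'VDG Security\SenseClient\settings\SenseClient.ini'
$Share   = '\\DC01\files'                             # assumed UNC path of the share from System 1
$Keys    = 'OpenApiWebSocketHost', 'OpenApiHttpHost', 'ActiveDirectoryNetbiosName'

if (-not (Test-Path $IniPath)) { throw "Start the Sense Client once so that $IniPath exists" }

$seen = @{}
$out  = foreach ($line in Get-Content -Path $IniPath) {
    # Assumed layout: "Key=Value"; comment and section lines are passed through unchanged.
    $m = [regex]::Match($line, '^\s*([^=;#\[]+?)\s*=')
    if ($m.Success -and $Keys -contains $m.Groups[1].Value) {
        $seen[$m.Groups[1].Value] = $true
        "$($m.Groups[1].Value)=$Server"
    } else {
        $line
    }
}

$missing = $Keys | Where-Object { -not $seen[$_] }
if ($missing) { throw "Keys not found in $IniPath (layout differs from the assumed Key=Value): $($missing -join ', ')" }

Set-Content -Path $IniPath -Value $out      # keeps the host's default encoding
Copy-Item -Path $IniPath -Destination $Share -Force

# Show the copy that the GPO will distribute, so the values can be checked once more.
Get-Content -Path (Join-Path $Share 'SenseClient.ini') | Select-String -Pattern ($Keys -join '|')
```

Run this as an account that has write access on the share (the administrator from the shared-folder chapter); ordinary domain computers only have read access there.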
System 3 - Setting up Sense Client
IMPORTANT :
Make sure all systems have synced time settings.
Restart system after setting up Sense System.
Add firewall exceptions (ports) NetBIOS
For this step you need to have Sense Client installed on the system
Repeat paragraph Adding system/computer to domain
Make sure to log on to the domain as, e.g., MAKESSENSE\<USERNAME>
KNOWN ISSUES
Suggestion: To enable auto start of the client, you will need to log in manually on the first logon of each user to set the option for this. Currently this option is placed in divaclientsettings.ini, which is encrypted. Is it an idea to move this ini option to senseclient.ini, so this setting can be set there, since this file is pushed to every client on user logon? This prevents the user from having to log in manually first, log out and enable the auto login option.
When performing a Sense update, the service user “SenseAuthorization“ will need to be set up again, because a new install overwrites all current service settings.
After leaving an AD you won't be able to remove the AD users from Sense systems.
Every time that you import new AD users, you will need to assign them to the user groups in the Sense client.
Sometimes the mouse cursor will stay a circle (loading) after login; just log in again in that case.
Using a (slave/master) server in combination with an AD user is not possible; in this case the server will not be able to authenticate.
When trying to save AD settings you sometimes receive the message ->
Make sure all systems have synced time settings.
(Non-admin) User with all rights (functions available) seems to have no rights.
Unable to make a non-AD user an administrator without a critical error message.
It takes some time for the client to start up after the Windows user has logged in.
Unable to add administrator privileges to an AD user.
IMPORTANT: If you want your firewall enabled, you need to add these ports on all systems in the Windows Firewall ruleset. Add the rules for both incoming and outgoing connections.
NetBIOS name service: port 137 TCP, UDP
NetBIOS datagram service: port 138 UDP
NetBIOS session service: port 139 TCP
https://isc.sans.edu/diary/Cyber+Security+Awareness+Month+-+Day+27+-+Active+Directory+Ports/7468
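The firewall rules for the three NetBIOS ports above, as an added PowerShell example (not from the VDG Sense documentation) to run elevated on every system. Rather than opening the ports to any address, it scopes them to the domain profile and to the addresses of the other systems in this setup; the DC address is the page's, the 172.21.240.0/24 LAN for the Sense systems is an assumption to narrow down further once the final addresses are known. Inbound rules match on the local port and outbound rules on the remote port, so they also work if the outbound default is ever changed to block.

```powershell
# Added example, not part of the VDG Sense documentation.
$Peers = '172.21.240.159', '172.21.240.0/24'   # DC from this page + assumed LAN of the Sense systems

$Ports = @(
    @{ Name = 'NetBIOS name service';     Protocol = 'TCP'; Port = 137 },
    @{ Name = 'NetBIOS name service';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'NetBIOS datagram service'; Protocol = 'UDP'; Port = 138 },
    @{ Name = 'NetBIOS session service';  Protocol = 'TCP'; Port = 139 }
)

foreach ($p in $Ports) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "VDG Sense - $($p.Name) $($p.Protocol)/$($p.Port) $dir"
        # Idempotent: re-running the script must not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

        $params = @{
            DisplayName   = $name
            Direction     = $dir
            Action        = 'Allow'
            Protocol      = $p.Protocol
            RemoteAddress = $Peers        # not 'Any': only the systems of this setup
            Profile       = 'Domain'      # never on public/private networks
            Group         = 'VDG Sense'   # lets all rules be listed or removed together
        }
        if ($dir -eq 'Inbound') { $params.LocalPort = $p.Port } else { $params.RemotePort = $p.Port }
        New-NetFirewallRule @params | Out-Null
    }
}

# Review what is now open for this group.
Get-NetFirewallRule -Group 'VDG Sense' | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

Remove everything again with Get-NetFirewallRule -Group 'VDG Sense' | Remove-NetFirewallRule. The page lists only the NetBIOS ports; the linked SANS diary covers the remaining ports a domain member needs to reach the domain controller.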