Adaxes service account

Adaxes itself doesn't store the password for the Adaxes service account. Adaxes service is installed as a Windows system service that runs under the Adaxes service account. Credentials for the system service are provided during installation and are stored by Windows.


Other credentials

  • Credentials for managed domains
  • Credentials for Microsoft 365 tenants
  • Credentials for external MS SQL logging database
  • Credentials used in mail settings
  • Credentials used to run PowerShell scripts (Run As)

Adaxes stores the above credentials in AD LDS on the computer where the Adaxes service is installed. The stored credentials are encrypted with an AES-256 master key. The master key is encrypted using RSA-2048 and is also stored in AD LDS. The private RSA key that can decrypt the master key is stored locally on the computer where the Adaxes service is installed and is never transferred over the network. The key is encrypted using the Data Protection API (DPAPI) provided by Windows and can be accessed only by the Adaxes service account. To read the stored credentials, the Adaxes service decrypts its private key with the credentials of the Adaxes service account, uses the private key to decrypt the master key, and, finally, uses the master key to decrypt the stored credentials. All the encryption keys are renewed every 14 days.

As the master key is required to decrypt the credentials, it must be securely exchanged between Adaxes services in a multi-server environment. To do this, the master key is encrypted separately for each Adaxes service using RSA. Here is how.

When the first Adaxes service is installed, it generates the master key and a public-private key pair. The public key is published to AD LDS and the private key is stored locally. The Adaxes service then uses its own public key to encrypt the master key, and stores the encrypted master key in AD LDS. When a new Adaxes service instance is added to the configuration set, it generates its own public-private key pair and publishes the public key to AD LDS. Adaxes can recognize that a legitimate service instance is being installed using the AD LDS metadata – the information about the new service instance can be added only by AD LDS and only during Adaxes installation. Moreover, the metadata can be accessed only by the Adaxes service account.

When Adaxes detects that a new service instance is added, it encrypts the master key for the new service instance with its public key, and stores the encrypted master key in AD LDS. As a result, AD LDS will contain multiple copies of the master key, each encrypted with a different public key of the corresponding Adaxes service. Each service instance can access its copy of the master key and decrypt it locally with its own private key.

by (550 points)
reshown by
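The key hierarchy described in the answer above, as an added PowerShell illustration (example code written for this page, not Adaxes' own implementation): a DPAPI-protected RSA-2048 private key per service instance, an AES-256 master key wrapped separately with each instance's public key, and credentials encrypted with the master key. The `$directory` hashtable, the service names and the sample credential are constructed stand-ins; in Adaxes the public keys, wrapped master keys and encrypted credentials live in AD LDS. It uses only .NET classes shipped with Windows (`RSACryptoServiceProvider`, `ProtectedData`, `Aes`).

```powershell
# Added example (not Adaxes code): envelope encryption with a DPAPI-protected RSA key,
# an RSA-wrapped AES-256 master key, and AES-encrypted credentials.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData (DPAPI)

function New-ServiceKeyPair {
    param([string]$ServiceName)
    # Each service instance gets its own RSA-2048 pair. The private key stays on this host,
    # wrapped with DPAPI in CurrentUser scope, i.e. readable only by the account running this
    # script (the analogue of "accessible only by the Adaxes service account").
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
    $privateBlob = $rsa.ExportCspBlob($true)
    $publicBlob  = $rsa.ExportCspBlob($false)
    $rsa.Dispose()
    $localKey = [System.Security.Cryptography.ProtectedData]::Protect(
        $privateBlob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Array]::Clear($privateBlob, 0, $privateBlob.Length)
    return @{ Name = $ServiceName; PublicKey = $publicBlob; LocalKey = $localKey }
}

function Protect-MasterKeyFor {
    param([byte[]]$MasterKey, [byte[]]$PublicKey)
    # Wrap the master key for one instance with that instance's public key (RSA-OAEP).
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportCspBlob($PublicKey)
    $wrapped = $rsa.Encrypt($MasterKey, $true)
    $rsa.Dispose()
    return $wrapped
}

function Unprotect-MasterKey {
    param([byte[]]$WrappedMasterKey, [byte[]]$LocalKey)
    # Same order as the answer: DPAPI unwraps the private key, the private key unwraps the master key.
    $privateBlob = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $LocalKey, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportCspBlob($privateBlob)
    $masterKey = $rsa.Decrypt($WrappedMasterKey, $true)
    $rsa.Dispose()
    [Array]::Clear($privateBlob, 0, $privateBlob.Length)
    return $masterKey
}

function Protect-Credential {
    param([byte[]]$MasterKey, [string]$Secret)
    # AES-256 (CBC/PKCS7, the .NET defaults) under the master key, fresh IV per credential.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $MasterKey
    $aes.GenerateIV()
    $plain  = [Text.Encoding]::UTF8.GetBytes($Secret)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $iv = $aes.IV
    $aes.Dispose()
    return @{ IV = $iv; Data = $cipher }
}

function Unprotect-Credential {
    param([byte[]]$MasterKey, [hashtable]$Stored)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $MasterKey
    $aes.IV  = $Stored.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Stored.Data, 0, $Stored.Data.Length)
    $aes.Dispose()
    return [Text.Encoding]::UTF8.GetString($plain)
}

# --- Walk-through with constructed values; $directory stands in for AD LDS ---
$directory = @{ PublicKeys = @{}; WrappedMasterKeys = @{}; Credentials = @{} }

# First instance: generates the master key and wraps it with its own public key.
$svc1 = New-ServiceKeyPair 'ADAXES-SVC-01'
$masterKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($masterKey)
$directory.PublicKeys[$svc1.Name]        = $svc1.PublicKey
$directory.WrappedMasterKeys[$svc1.Name] = Protect-MasterKeyFor $masterKey $svc1.PublicKey

# A managed-domain credential (constructed) is stored encrypted under the master key.
$directory.Credentials['example.local'] = Protect-Credential $masterKey 'P@ssw0rd-constructed'

# Second instance joins: publishes its public key; the first instance wraps the master key for it.
$svc2 = New-ServiceKeyPair 'ADAXES-SVC-02'
$directory.PublicKeys[$svc2.Name]        = $svc2.PublicKey
$directory.WrappedMasterKeys[$svc2.Name] = Protect-MasterKeyFor $masterKey $svc2.PublicKey

# Second instance recovers the master key with its own local key and reads the credential.
$mk2 = Unprotect-MasterKey $directory.WrappedMasterKeys[$svc2.Name] $svc2.LocalKey
$recovered = Unprotect-Credential $mk2 $directory.Credentials['example.local']
Write-Output ("Credential readable by {0}: {1}" -f $svc2.Name, ($recovered -eq 'P@ssw0rd-constructed'))
[Array]::Clear($masterKey, 0, $masterKey.Length); [Array]::Clear($mk2, 0, $mk2.Length)
```

Both "instances" here run under one account on one machine, so DPAPI CurrentUser can unwrap both local keys; in the real deployment each private key is protected on its own computer under the service account there, so the wrapped master-key copies in the directory are useless without that host's key. The script does not show the 14-day key renewal the answer mentions, which would amount to generating a new master key, re-encrypting the credentials and re-wrapping it for every published public key.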
