Adaxes service account
Adaxes itself doesn't store the password for the Adaxes service account. Adaxes service is installed as a Windows system service that runs under the Adaxes service account. Credentials for the system service are provided during installation and are stored by Windows.
- Credentials for managed domains
- Credentials for Microsoft 365 tenants
- Credentials for external MS SQL logging database
- Credentials used in mail settings
- Credentials used to run PowerShell scripts (Run As)
Adaxes stores the above credentials in AD LDS on the computer where the Adaxes service is installed. The stored credentials are encrypted with an AES-256 master key. The master key is encrypted using RSA-2048 and is also stored in AD LDS. The private RSA key that can decrypt the master key is stored locally on the computer where the Adaxes service is installed and is never transferred over the network. The key is encrypted using the Data Protection API (DPAPI) provided by Windows and can be accessed only by the Adaxes service account. To read the stored credentials, the Adaxes service decrypts its private key with the credentials of the Adaxes service account, uses the private key to decrypt the master key, and, finally, uses the master key to decrypt the stored credentials. All the encryption keys are renewed every 14 days.
As the master key is required to decrypt the credentials, it must be securely exchanged between Adaxes services in a multi-server environment. To do this, the master key is encrypted separately for each Adaxes service using RSA. Here is how.
When the first Adaxes service is installed, it generates the master key and a public-private key pair. The public key is published to AD LDS and the private key is stored locally. The Adaxes service then uses its own public key to encrypt the master key, and stores the encrypted master key in AD LDS. When a new Adaxes service instance is added to the configuration set, it generates its own public-private key pair and publishes the public key to AD LDS. Adaxes can recognize that a legitimate service instance is being installed using the AD LDS metadata – the information about the new service instance can be added only by AD LDS and only during Adaxes installation. Moreover, the metadata can be accessed only by the Adaxes service account.
When Adaxes detects that a new service instance is added, it encypts the master key for the new service instance with its public key, and stores the encrypted master key in AD LDS. As a result, AD LDS will contain multiple copies of the master key, each encrypted with a different public key of the corresponding Adaxes service. Each service instance can access its copy of the master key and decrypt it locally with its own private key.