Admin Group Permissions on Application Machines
Creation of Administrator Groups
This section contains steps performed on the LUCS Server, the SfB Server and the AD Server. Make sure you have the corresponding connections and admin credentials ready.
On LUCS Application Server
On the application machines where LUCS will be installed, you need to add the Network Service account to the RTC Local Read-only Administrators group:
- On Windows Server 2008, go to Start > Run. On Windows Server 2012, press the Windows key + R.
- Type lusrmgr.msc and open it (Local Users and Groups).
- Select Groups.
- Add the Network Service user to the RTC Local Read-only Administrators group:
  - Open the Properties of the RTC Local Read-only Administrators group.
  - Click Add.
  - In the Enter the object names to select field, enter the NETWORK SERVICE object and confirm the changes.
On Skype for Business Server
On the SfB server machine where SMD will run, add the Network Service account to the RTC Server Applications group:
- On Windows Server 2008, go to Start > Run. On Windows Server 2012, press the Windows key + R.
- Type lusrmgr.msc and open it (Local Users and Groups).
- Select Groups.
- Add the Network Service user to the RTC Server Applications group:
  - Open the Properties of the RTC Server Applications group.
  - Click Add.
  - In the Enter the object names to select field, enter the NETWORK SERVICE object and confirm the changes.
On Active Directory Server
In Active Directory, create a user for the CIC service and add it to the CS Administrator group:
- On Windows Server 2008, go to Start > Run. On Windows Server 2012, press the Windows key + R.
- Find and open Active Directory Users and Computers.
- Expand the folder tree and select Service Accounts.
- Create a new user using the context menu of the Service Accounts folder, or
- Add the rights to the created user:
  - Open the Properties of the created user and choose the Member Of tab.
  - Click the Add button.
  - In the Enter the object names to select field, enter the CS Administrator object and confirm the changes.
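The three group-membership steps above, scripted from an elevated PowerShell prompt so they can be repeated and verified. This is an added example, not Luware's own code; it uses the group names exactly as this page gives them, relies on the RSAT ActiveDirectory module for the AD part, and the service user name and OU path are placeholders.

```powershell
# Added example (not part of the Luware documentation). Group names are taken
# from this page as written; "svc-cic" and the OU path are placeholders.

function Add-NetworkServiceToLocalGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    # NETWORK SERVICE is the well-known account NT AUTHORITY\NETWORK SERVICE.
    # 'net localgroup' is used because it exists on Windows Server 2008/2012,
    # where the Add-LocalGroupMember cmdlet is not available.
    $members = (net localgroup "$GroupName") -join "`n"
    if ($members -notmatch 'NETWORK SERVICE') {
        net localgroup "$GroupName" "NT AUTHORITY\NETWORK SERVICE" /add | Out-Null
    }
    # Re-read the group and return $true only if the account is now listed
    return (((net localgroup "$GroupName") -join "`n") -match 'NETWORK SERVICE')
}

# On the LUCS application server:
Add-NetworkServiceToLocalGroup -GroupName 'RTC Local Read-only Administrators'
# On the SfB server where SMD runs:
Add-NetworkServiceToLocalGroup -GroupName 'RTC Server Applications'

# On a machine with the ActiveDirectory module: create the CIC service user
# and add it to the CS Administrator group named in the steps above.
Import-Module ActiveDirectory
$svcName = 'svc-cic'                                  # placeholder user name
$svcOu   = 'OU=Service Accounts,DC=example,DC=local'  # placeholder OU path
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu `
        -AccountPassword (Read-Host -AsSecureString 'Service account password') `
        -Enabled $true -PasswordNeverExpires $true
}
Add-ADGroupMember -Identity 'CS Administrator' -Members $svcName
# Verify: the user must appear in the group's member list
(Get-ADGroupMember -Identity 'CS Administrator').SamAccountName -contains $svcName
```

Run the local-group part on each machine separately; the AD part only needs to run once, on any host that can reach the domain with the AD module installed.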
Adding Roles and Features on Application Machines
LUCS-FE needs some additional server roles to function correctly. Open Server Manager on the LUCS application machine and select the following roles:
- Add roles and features -> Server Roles -> Web Server (IIS) (Installed) -> Web Server (Installed) -> Application Development (Installed) -> select WebSocket Protocol (Installed) if using IIS 8.
[Figure: Server Manager - Add Roles and Features Wizard - Web Socket Protocol]
There are known issues with slow performance when a website is hit for the first time after the IIS worker process has been recycled. To avoid this and warm up the application automatically after the application pool has been recycled, the following role has to be selected:
- Add roles and features -> Server Roles -> Web Server (IIS) (Installed) -> Web Server (Installed) -> Application Development (Installed) -> select Application Initialization if using IIS 8.
[Figure: Server Manager - Add Roles and Features - Application Initialization setting]
- Add roles and features -> Web Server (IIS) (Installed) -> Web Server (Installed) -> Security (Installed) and select the following items:
  - Basic Authentication (Installed)
  - Windows Authentication (Installed)
[Figure: Server Manager - Adding Security Authentication Roles]
Install all your previously selected settings by clicking the 'Install' button.
After all necessary roles and features have been installed, make sure that Windows Authentication is switched on. Perform the following steps:
- Locate and open the 'applicationHost.config' system file under c:\Windows\System32\inetsrv\config\
- Locate the section group 'system.webServer > security > authentication'.
- Locate the two sections 'anonymousAuthentication' and 'windowsAuthentication'.
- Check that the 'overrideModeDefault' property is set to 'Allow' for these sections.
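The role installation and the applicationHost.config check above, as an added example (not Luware's own code) for Windows Server 2012 / IIS 8. It assumes the ServerManager module is available and that the feature names below are the ones Get-WindowsFeature lists for the four roles named on this page.

```powershell
# Added example (not part of the Luware documentation): installs the IIS roles
# named above and then checks the two 'overrideModeDefault' values.
Import-Module ServerManager

# Server Manager feature names: WebSocket Protocol, Application Initialization,
# Basic Authentication and Windows Authentication.
$features = 'Web-WebSockets', 'Web-AppInit', 'Web-Basic-Auth', 'Web-Windows-Auth'
$missing  = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { Install-WindowsFeature -Name $missing.Name | Out-Null }

function Test-AuthenticationOverrideMode {
    param([string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config")
    # overrideModeDefault lives on the <section> declarations under
    # <configSections>, not on the <system.webServer> settings themselves.
    [xml]$cfg = Get-Content -Path $ConfigPath
    $xpath    = "/configuration/configSections/sectionGroup[@name='system.webServer']" +
                "/sectionGroup[@name='security']/sectionGroup[@name='authentication']/section"
    $sections = $cfg.SelectNodes($xpath)
    $result   = @{}
    foreach ($name in 'anonymousAuthentication', 'windowsAuthentication') {
        $node = $sections | Where-Object { $_.name -eq $name }
        # If the attribute is absent the IIS schema default (Allow) applies
        $mode = if ($node -and $node.overrideModeDefault) { $node.overrideModeDefault } else { 'Allow' }
        $result[$name] = $mode
        if ($mode -ne 'Allow') {
            Write-Warning "$name has overrideModeDefault='$mode'. Unlock it with:"
            Write-Warning "  $env:windir\System32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/authentication/$name"
        }
    }
    return $result
}

Test-AuthenticationOverrideMode
```

Editing applicationHost.config by hand while IIS is running can be overwritten by the configuration system; the appcmd unlock command printed by the warning makes the same change through IIS.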
System Administrators AD-Group Parameter
The “SystemAdministratorGroup” parameter lets you configure the System Administrators for LUCS Frontend using AD, so that there is no need to add each admin separately. After the AD-Group is defined, all the members of this group can log in to LUCS FE as System Administrators.
SystemAdministratorGroup Configuration
To set the “SystemAdministratorGroup” value, open the AppSettings.config file (Luware AG Program folder -> LUCS-Frontend).
- In the FE's settings, “SystemAdministratorGroup” defines an AD group (primary forest or resource forest) whose members are considered System Administrators in the respective FE (distinguishedName of the group).
The AD Security Group needs to be added using its Distinguished Name (DN) in the config file.

Object Class         Naming Attribute Display Name   Naming Attribute LDAP Name
user                 Common-Name                     cn
organizationalUnit   Organizational-Unit-Name        ou
domain               Domain-Component                dc

[Figure: Active Directory domains and container objects, arranged as a hierarchical path through each level of container objects]
The example of the AD-Group Domain value in the AppSettings.config file:
    <add key="SystemAdministratorDomain" value="DC=dev-user-forest,DC=local"/>
The path can be entered manually, or you can use ADSI Edit, the Lightweight Directory Access Protocol (LDAP) editor for managing objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest.
[Figure: LDAP Editor - Distinguished Name Edit]
- If there are groups in this group (nested groups), the members of those groups should also be considered System Administrators. By default, the “SystemAdministratorGroup” value is empty.
SystemAdministratorDomain Configuration
The “SystemAdministratorDomain” parameter allows configuring cross-domain users as System Administrators for the LUCS Frontend.
To set the “SystemAdministratorDomain” parameter, open the AppSettings.config file (Luware AG Program folder -> LUCS-Frontend).
- In the FE's settings, “SystemAdministratorDomain” defines a domain (primary forest or resource forest) whose members are considered System Administrators in the respective FE.
Objects are located within Active Directory domains according to a hierarchical path that includes the labels of the Active Directory domain name.
The example of the AD-Domain value in the AppSettings.config file:
    <add key="SystemAdministratorDomain" value="DC=dev-user-forest,DC=local"/>
This appears as follows in the user properties:
[Figure: user properties showing the domain path]
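One way to set both keys without typing the DN by hand, and to check which users the group setting admits (including through nested groups, as described above). This is an added example, not Luware's own code: the group name, user name and config path are placeholders, and it assumes AppSettings.config has an <appSettings> root with <add key="..." value="..."/> children like the line shown above.

```powershell
# Added example (not part of the Luware documentation). Group name, user name
# and config path are placeholders; the config root is assumed to be <appSettings>.
Import-Module ActiveDirectory

$groupName  = 'LUCS-SystemAdministrators'   # placeholder: your AD security group
$configPath = 'C:\Program Files\Luware AG\LUCS-Frontend\AppSettings.config'  # placeholder

# The key must hold the distinguishedName, not the display name or sAMAccountName.
$groupDn  = (Get-ADGroup -Identity $groupName).DistinguishedName
# Domain value: only the DC= components of that DN
$domainDn = ($groupDn -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','

[xml]$cfg = Get-Content -Path $configPath
$settings = @{ SystemAdministratorGroup = $groupDn; SystemAdministratorDomain = $domainDn }
foreach ($pair in $settings.GetEnumerator()) {
    $node = $cfg.SelectSingleNode("/appSettings/add[@key='$($pair.Key)']")
    if (-not $node) {
        # Key not present yet: create the <add/> element
        $node = $cfg.CreateElement('add')
        $node.SetAttribute('key', $pair.Key)
        $cfg.DocumentElement.AppendChild($node) | Out-Null
    }
    $node.SetAttribute('value', $pair.Value)
}
$cfg.Save($configPath)

function Test-LucsSystemAdministrator {
    param([string]$SamAccountName, [string]$GroupDn)
    # -Recursive expands nested groups, matching the rule above that members
    # of groups inside the configured group also count as System Administrators.
    $members = Get-ADGroupMember -Identity $GroupDn -Recursive |
               Where-Object { $_.objectClass -eq 'user' }
    return [bool]($members.SamAccountName -contains $SamAccountName)
}

Test-LucsSystemAdministrator -SamAccountName 'jdoe' -GroupDn $groupDn   # placeholder user
```

Because nested membership is honoured, review the group's nested groups periodically: anyone added to a group inside it gains System Administrator rights in the FE.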
Tenant ID Feature for CIC
If you are using the Tenant ID feature (enabled during the installation of the CIC, the Customer Infrastructure Connector service), you will need to add the LUCS Servers' computer accounts to the right AD Security Groups, which grant them the correct permissions in Lync/Skype for Business.
- Run Active Directory Users and Computers.
- Select 'Users' Groups.
[Figure: AD Users and Computers with selected Groups]
- Add your computer to 'RTCUniversalGlobalReadOnlyGroup' and 'RTCUniversalGlobalReadonlyGroup':
  - Double-click the group to open the 'Properties' pop-up.
  - Go to the 'Members' tab and click the 'Add…' button.
  - In the 'Select Users, Contacts, Computers, Service Account, or Group' window, click the 'Object Types…' button and set Object Type = 'Computers'.
  - After that, search for the computer name and press 'OK' to add the computer to the group.
[Figure: RTC - Add computer as object type]
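The same computer-account step scripted for several LUCS servers, with a membership report at the end. Added example, not Luware's own code: the server names are placeholders and the group names are taken from this page as written.

```powershell
# Added example (not part of the Luware documentation). Server names are
# placeholders; the group names are used exactly as this page lists them.
Import-Module ActiveDirectory

$lucsServers = 'LUCS-APP01', 'LUCS-APP02'   # placeholder computer names
$rtcGroups   = 'RTCUniversalGlobalReadOnlyGroup', 'RTCUniversalGlobalReadonlyGroup'

function Add-LucsComputersToRtcGroups {
    param([string[]]$Computers, [string[]]$Groups)
    $report = @()
    # Get-ADComputer returns computer objects, the scripted equivalent of
    # choosing Object Type = Computers in the GUI dialog.
    $accounts = foreach ($c in $Computers) { Get-ADComputer -Identity $c }
    # AD group names are case-insensitive, so names differing only in case
    # resolve to one group; Sort-Object -Unique collapses them.
    foreach ($g in ($Groups | Sort-Object -Unique)) {
        Add-ADGroupMember -Identity $g -Members $accounts
        $members = (Get-ADGroupMember -Identity $g).SamAccountName
        foreach ($a in $accounts) {
            $report += [pscustomobject]@{
                Group    = $g
                Computer = $a.Name
                IsMember = ($members -contains $a.SamAccountName)  # ends with '$'
            }
        }
    }
    return $report
}

Add-LucsComputersToRtcGroups -Computers $lucsServers -Groups $rtcGroups | Format-Table
```

A row with IsMember = False after the run usually means the account name was not found or the caller lacks rights on the group; re-run the report after replication has completed before troubleshooting further.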