Configure Shinydocs Pro Control Center access for File System/File Shares

What you are setting up

In this guide, you will be setting up a file system source in Shinydocs Pro (e.g. your file share) for analysis and setting up the connection for permission checking of Search results for your source.

Once complete:

• Your file system source will be analyzed by Shinydocs Pro

• Files are immediately searchable via Search, enforcing file system permissions on all search results.

Requirements

• Service account with at least read access to the file shares to be analyzed.

  • The service account must be a local administrator on the server Shinydocs Pro Control Center is installed on.

• Access to a domain controller OR the ability to run Get-ADComputer (Active Directory PowerShell module).

  • To install the AD PowerShell module, run (as administrator)

    CODE

    Get-WindowsCapability -Name RSAT.ActiveDirectory* -Online | Add-WindowsCapability -Online

• The server Shinydocs Pro is installed on is part of the same domain as the source file system/file shares

• UNC path(s) of the file share(s) you want to analyze (\\server\share). 

The service account requires interactive logon enabled (Group Policy dependent)

 Steps

Getting things ready

1. Set Shinydocs Control Center service to start as the service account

   1. In Windows, open Services

   2. Right-click on the Shinydocs Control Center service > Properties > Log On

   3. Select This account. Then browse for the Shinydocs service account and enter the password

      

   4. Click OK when complete

2. Give the service account local permissions to the default certificate that comes with Shinydocs Pro

   1. On the Shinydocs Pro server, open certlm.msc.

   2. In the left panel, expand Certificates (Local Computer).

   3. Navigate to Personal > Certificates.

   4. Right-click the certificate named localhost.localdomain.

   5. Choose All Tasks > Manage Private Keys.

   6. In the dialog, select Add.

   7. Find and select your service account.

   8. Under the Allow column, check Read.

   9. Click Apply, then OK to save.

3. Register SPNs to allow permission checking

   1. Open CMD as administrator

   2. Run the following command
      Replace <hostname> with your server’s hostname.
      Replace <domain>\<serviceAccount> with your domain and the name of the Shinydocs service account.

      CODE

      setspn -S HTTP/<hostname> <domain>\<serviceAccount>

   3. Verify that the SPNs were set correctly by running the command

      CODE

      setspn -l <domain>\<serviceAccount>

4. Authorize your file share for Kerberos double-hop. On one of your domain controllers or a computer with access to Active Directory Users and Computers:

   1. Open the computer account for your file share server(s)

   2. On the Delegation tab, select “Trust this computer for delegation to specified services only”

      1. Select Use Kerberos only

      2. Click Add…

         1. Click Users or Computer…

         2. Find the service account in your domain and click OK

         3. Under Available services, select http

         4. Click OK

   3. You configuration should look something like this

      

   4. Click OK

Adding your source

1. In Shinydocs Control Center (either in quick-start or + Add source)

   

2. Under Add new source, select the File system option and click Next.

3. You can give your source a specific name if you wish, otherwise, enter the details for the account you want to use to analyze your file system.

   1. This account is typically a service account that has read access to everything you want to analyze.

   2. If no username or password is given, Shinydocs Pro will attempt to analyze the given paths if it has permission to access them.

4. Under Search Authentication Type, select Protected - Negotiate/Kerberos

   

5. Click Next

6. Enter the path (UNC (\\server\share) preferred) you want to analyze. If you want to add multiple paths, you can click + Add to add an additional path or + Add multiple to add multiple paths at a time.
   We recommend starting with a small file share and expanding from there once you get a feel for how Shinydocs Pro works.

   

7. Click Start analysis to being analyzing your filesystem content!

Helpful tips

To remove an SPN, you can run the below commands (replacing each of the placeholder values similar to the above examples):

setspn -d HTTP/<hostname> <domain>\<serviceAccount>
setspn -d HTTP/<fqdn> <domain>\<serviceAccount>

Kerberos logging can be enabled by editing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Registry Value: LogLevel

Value Type: REG_DWORD

Value Data: 0x1

If the Parameters subkey does not exist, create it.

• Further details at:https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging

• The logging events will show in the System event log, in the Windows event viewer.

• Ensure the SPNs have been replicated through the domain.