Skip to main content
Kofax

Deny Interactive Logon for Windows Service Account – KCS Link Impact

Article # 3041619 - Page views: 418

Issue

Client would like to disable Interactive Logon for the Windows Service Account that runs the following KCS Links:

  • TCDCLINK
  • TCLINKSM
  • TWS
  • Capture Connector
  • TCSTATUS
  • TCBACKUP
  • TCPROBE
  • TCREPORT_Report
  • TCREPORT_Fetch

Cause

Tightening security on windows service accounts

Solution

2 possible risks:

  1. Document converter: The KCS document converter, when using the conversion via MSOffice and "TOPCALL FAX to TCDC" has a DCOM mode as defined in reg. value TCDCLINK\UserMode. If this registry value is set to 1 (interactive user) you must be logged in interactively to get the document conversion working. And for this interactive login you should use the same Windows user as configured for the TCLINKs. The same Document converter mode setting also exists for the document converter used in TWS (as used e.g. for KCC) and in the DocConvServer (as it is used by TCWEB and KCSPortal). So this "Interactive mode" for TCDC will not work anymore.
  2. General Troubleshooting issues. If the Windows user, which is used by the TCLINKs is not allowed to log on locally or via RDP, it is more difficult to troubleshoot issues.

Examples:

  • it will be difficult to verify if the Windows user, used by TCLINKFI, has read- write- and delete permissions on a shared directory
  • if you use TC/LINK-LN, you must once run the TCLINK interactively in a cmd prompt to confirm the Execution control alert (ECL alert) which is shown by the Notes Client doing the RTF printing.
  • If there is a problem that prevented a specific DLL from updating correctly (e.g. using an old version of TCLIB32.DLL), the processes using this DLL will fail to start and there is no trace information available. If in this case you login with the same Windows user and start the process interactively within an administrative cmd prompt, you will get a popup message reporting which DLL entry point in which DLL is exactly missing.
  • Some KCS processes which use a 3rd party API, will only show trace information from this 3rd party API if the process is started interactively, e.g. TCLINKLN which is configured to run with a password protected Notes user, you will see the prompt to enter the password only if the process is started interactively.

If the rights change is implemented, it is also advised:

  • Fully test the restrictions on the Test systems before pushing a full change out through Active Directory
  • We may request to temporarily remove the restrictions for troubleshooting problems that may be related to the reduced permissions.
  • We may request to temporarily remove the restrictions for troubleshooting problems that would not be related to the reduced restrictions.

Level of Complexity 

Easy

 

Applies to  

Product Version Build Environment Hardware
Kofax Communication Server 10.3      

References

 

Article # 3041619
  • Was this article helpful?