
ControlSuite: Security Framework credentials

Article # 3015384


How is a new Security Framework user created when I have lost the password?


In ControlSuite, the Security Framework Service (SFS) credentials are used to enroll and unenroll services with the SSDS (Secure Service Discovery Service), amongst other things.

This credential takes the form "domain\user", even though it need not be associated with any Windows domain or user, together with an associated password.

These credentials are created in Configuration Assistant, on the "Authorization & Security" tab. Once created, there is no way to recover them, so they must be kept in a secure place for future reference.

If this information is lost or forgotten, certain actions requiring the SFS credentials will be impacted, so action must be taken to avoid this.

[Kofax / NDI Internal Information] This information can be used to perform recovery for a customer who has lost the credentials; however, it should not be widely shared.



  1. Back up the appsettings.json file (default path: C:\Program Files\Kofax\Shared Services\SecurityFrameworkService).
  2. Edit the appsettings.json file and set "LocalRecoveryMode": true (default is false).
  3. Open IIS > Application Pools and recycle the SecurityFrameworkService application pool on a server hosting the SecurityFramework (NDI Site - right click).
  4. Run the following at an elevated CMD prompt.
  5. Navigate to the C:\Program Files\Kofax\Shared Services\SecurityFrameworkService\NDISectool directory (NDISectool default folder).
  6. NDISecTool.exe -addbootstrapuser -domain <domain> -username <username> -password <password> -aasurl "https://localhost:8181/SecurityFrameworkService", where <domain> is the arbitrary domain to be used for the SFS credential, <username> is the user name to be used for the SFS credential, and <password> is the password to be used for the SFS credential.
  7. Restore the appsettings.json backed up in step 1 (or edit the file and set "LocalRecoveryMode": false).
  8. Recycle the SecurityFrameworkService application pool.
  9. You should now be able to enter the new credentials in Configuration manager to log in to the Security Framework.
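
The procedure above as one PowerShell script, added here as an example and not Kofax's own tooling. It wraps the recovery window in try/finally so the original appsettings.json is always put back. Assumptions: the WebAdministration module is installed, the file contains the literal setting "LocalRecoveryMode": false, NDISecTool.exe returns a non-zero exit code on failure, and the backup file name is arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths, application pool name, JSON key and URL come from the steps above.
# Assumed: WebAdministration is available and NDISecTool.exe exits non-zero on failure.
Import-Module WebAdministration

$sfsDir   = 'C:\Program Files\Kofax\Shared Services\SecurityFrameworkService'
$settings = Join-Path $sfsDir 'appsettings.json'
$backup   = "$settings.recovery.bak"          # hypothetical backup name
$tool     = Join-Path $sfsDir 'NDISectool\NDISecTool.exe'
$pool     = 'SecurityFrameworkService'
$aasUrl   = 'https://localhost:8181/SecurityFrameworkService'

# Prompt for the new credential so the password is never stored in a script file.
$domain = Read-Host 'Arbitrary domain for the SFS credential'
$user   = Read-Host 'User name for the SFS credential'
$secure = Read-Host 'Password for the SFS credential' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Back up the settings file before changing anything; stop if the copy fails.
Copy-Item -LiteralPath $settings -Destination $backup -ErrorAction Stop

try {
    # Enable recovery mode by editing only the one flag, wherever it sits in the JSON.
    $json    = [System.IO.File]::ReadAllText($settings)
    $pattern = '("LocalRecoveryMode"\s*:\s*)false'
    if ($json -notmatch $pattern) {
        throw '"LocalRecoveryMode": false was not found in appsettings.json'
    }
    [System.IO.File]::WriteAllText($settings, ($json -replace $pattern, '${1}true'))

    # Recycle the pool so the service picks up the changed setting.
    Restart-WebAppPool -Name $pool

    # Create the new bootstrap user with the command given in the article.
    & $tool -addbootstrapuser -domain $domain -username $user -password $plain -aasurl $aasUrl
    if ($LASTEXITCODE -ne 0) { throw "NDISecTool.exe exited with code $LASTEXITCODE" }
}
finally {
    # Always restore the original file and recycle again, even after an error,
    # so the service does not stay in recovery mode.
    Copy-Item -LiteralPath $backup -Destination $settings -Force
    Restart-WebAppPool -Name $pool
    $plain = $null
}
```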