7.6. Addressing Modes
This chapter is only relevant for environments running the professional edition of IDERI note. If your environment runs the lite or the standard edition of IDERI note, you can skip this entire chapter.
Prior to version 3 of IDERI note, the IDERI note client could only authenticate against its IDERI note server as the Active Directory® user running the IDERI note client. As a consequence, only messages addressed to that user, or to a group the user is a member of, were ever shown on the user’s desktop. While this user-centric scheme worked fine for many organizations using IDERI note, it had a disadvantage: whenever users were to be notified based on the location or group membership of their computer, or in shift operation environments, the person creating an IDERI note message needed a-priori knowledge of which users were logged on to the computers to be notified.
Consider the case where the person creating a message wants to notify whoever is logged on to a certain computer or group of computers, regardless of the actual user logged on there. An example might be an alert message to all computers on the third floor of the organization’s building. Even if the computers of all floors are neatly organized in Active Directory® groups, no version of IDERI note prior to version 3 offered a means to address these computers via their Active Directory® computer names or groups. Instead, the person creating the IDERI note message required a-priori knowledge of the Active Directory® users logged on to the computers on the third floor in order for the message to appear on those computers. Starting with the professional edition of IDERI note version 3, the IDERI note client (inotecln.exe) can authenticate against its IDERI note server with both identities: the Active Directory® user account that inotecln.exe runs as, and the Active Directory® computer account of the computer on which the IDERI note client is installed. Authentication with the Active Directory® computer account is performed by the inclmgmt service, which runs as NetworkService and associates each per-user client connection to the IDERI note server with the Active Directory® computer account of the computer where the user is logged on.
This capability allows the IDERI note client to receive messages addressed to the logged-on user as well as messages addressed to the computer the user is logged on to.
7.6.1. Overview
In order to allow for messages addressed to users as well as to computers, beginning with version 3 of IDERI note each message has a new property, its addressing mode. Before diving into the implementation details and limitations, this section gives a quick overview of the addressing modes and of their effect on message distribution by the IDERI note server and message reception by the IDERI note client. Interested readers may then continue with the remainder of this chapter to understand the motivation behind the introduction of addressing modes and the limitations that come with each of them.
The following three addressing modes are available for messages created with IDERI note professional; every IDERI note message has exactly one of them as its addressing mode:
- Send message to users only: Messages created with this mode are never sent by the IDERI note server to an IDERI note client as a result of an access check against the Active Directory® computer account identity of the client connection. Likewise, when using message excludes in this addressing mode, do not add computer accounts, or groups consisting only of computer accounts, to the message reception exclude list: they have no effect on the reception of the message.
- Send message to users and computers: With this addressing mode, the client receives messages addressed to the user or to the computer account of the computer where the user is logged on. Likewise, when using message excludes in this addressing mode, reception of a message is denied if either the user or the computer the user is logged on to is denied message reception. An exclude for a computer account therefore suppresses the message for every user who logs on to that computer.
- Send message to computers only: Messages created with this mode are never sent by the IDERI note server to an IDERI note client as a result of an access check against the Active Directory® user account identity of the client connection. Likewise, when using message excludes in this addressing mode, do not add user accounts, or groups consisting only of user accounts, to the message reception exclude list: they have no effect on the reception of the message.
7.6.2. Technical Background
In order to simultaneously evaluate both a user’s identity and the identity of the Active Directory® computer where the user is logged on against the security descriptor of a message, the identity of the Active Directory® computer is associated with the user connection during its establishment in a cryptographically secure manner. After a user connection to an IDERI note server running in professional licensing mode has been established, the server can therefore perform the access check against the security descriptor of new or updated messages for both identities at once for messages with the addressing mode “Send message to users and computers”. For messages with the addressing mode “Send message to computers only”, only the Active Directory® computer account information associated with a user connection is evaluated in the access check. For messages with the addressing mode “Send message to users only”, only the user-specific connection information of a client connection is evaluated during the access check for a new or updated message. This scheme makes it possible to send messages to Active Directory® computers or computer groups, not only to Active Directory® users or user groups.
7.6.3. Rationale for the introduction of addressing modes
This section explains why the introduction of addressing modes is necessary when IDERI note messages address Active Directory® computer objects. For that purpose, consider for a moment what would happen if there were no such facility as addressing modes when addressing both computers and users. Simply fetching messages of any kind using the two identities outlined in the previous section in such a naive manner quickly reveals its own set of problems. Consider the case where a message has been sent in the past to an Active Directory® group that contains both users and computers. This message is now to be reactivated with the current time as its start time and some time in the future as its end time, but without any change to the set of recipients and excludes, so the same set of users should receive the message as the last time it was sent. Let’s assume that the user adam.sam is not a member of this group, but the workstation he logs on to is. Prior to version 3.0 of the IDERI note client, adam.sam would never receive this message, because the client only authenticated with his user account and the IDERI note server would never send the message to a user who is not a member of the group. With version 3, an IDERI note client run by adam.sam would now receive this message once the client authenticates against the IDERI note server as the computer account in the second step. Another case, this time with existing messages instead of reactivated ones, is a series of welcome messages for new employees. The first time a new employee logs on to her workstation, she receives a number of messages with a greeting text or further instructions, and these messages differ between Active Directory® groups.
Now again consider the case where an Active Directory® group used as the recipient of such a welcome message contains both Active Directory® user accounts and Active Directory® computer accounts: if the Active Directory® computer account of the computer a new employee uses happens to be a member of this group, then, with version 3 of the IDERI note client evaluating the message against that computer account, the message is shown to the user regardless of whether her own user account qualifies for it. Both examples show that such a naive implementation would be an unexpected behavioural change in the product. This is one of several reasons why, beginning with version 3 of IDERI note, each message has one of three addressing modes:
- Send message to users only
- Send message to users and computers
- Send message to computers only
In order to avoid the behavioural change described above, all messages created on an IDERI note server prior to an update to version 3 implicitly have the first addressing mode, “Send message to users only”. Any message created with the standard edition of IDERI note has this addressing mode as well (in fact, the IDERI note server refuses to create messages in any other addressing mode when running with a standard edition license key). Access to a message created with this addressing mode is only ever evaluated against the Active Directory® user identity of a client connection, never against the Active Directory® computer account associated with the client connection. This way there is no behavioural change for messages created prior to the version 3.0 update. Although at first glance this addressing mode looks like a legacy mode for IDERI note environments updated from previous versions, there are other legitimate use cases for it apart from the standard edition licensing mode, which will be illustrated later in this chapter.
The third mode, “Send message to computers only”, works by the same token: access to messages created with this mode is only evaluated against the Active Directory® computer account identity associated with a client connection.
The second mode, “Send message to users and computers”, is the one that makes the assignment of messages to both Active Directory® user and computer accounts possible and deserves closer examination: access to messages created with this mode is evaluated against both the user identity and the Active Directory® computer identity of the client connection. If either of these identities is granted access and neither of them is explicitly denied access, message access is granted.
When using deny semantics in order to exclude users or computers from reception of a message, keep the following in mind:
When creating a message with the “Send message to users only” addressing mode, adding a recipient or an exclude for an Active Directory® computer account, or for a group consisting only of Active Directory® computer accounts, has no effect on message reception by the IDERI note client of the interactively logged-on Active Directory® user account.
Conversely, when creating a message with the “Send message to computers only” addressing mode, adding a recipient or an exclude for an Active Directory® user account, or for a group consisting only of Active Directory® user accounts, has no effect on message reception by the IDERI note client with the Active Directory® computer account.
7.6.4. Addressing clients running on the IDERI note server computer
Although it is an uncommon scenario, nothing prevents you from running the IDERI note client on the same computer as the IDERI note server. However, when running the professional edition of IDERI note in such a configuration, special considerations apply when addressing the Active Directory® computer account of the IDERI note server in order to reach the users logged on to the IDERI note server. Consider the environment outlined in section 4, where we assumed that the IDERI note server is installed on an Active Directory® member server with the DNS name sv01.note.dev. One would naively assume that the Active Directory® computer account of this server is addressed by adding its computer account name, SV01$, to the list of recipients. This is not the case, and the IDERI note server is an important exception when addressing Active Directory® computer accounts. The reason is the way authentication works locally versus across the network in the Windows family of operating systems: the inclmgmt service of any other computer, running as part of the IDERI note client, authenticates against the IDERI note service on the IDERI note server as that computer’s Active Directory® computer account. In contrast, the inclmgmt service that runs locally on the IDERI note server performs a local authentication with its built-in account, NetworkService. The account name of NetworkService is localized for the operating system language in use: the English localization is “NT AUTHORITY\NETWORK SERVICE”, the German localization is “NT-AUTORITÄT\NETZWERKDIENST”.
Therefore, in order to address the Active Directory® computer account of the IDERI note server, the NetworkService account has to be added to a message’s recipient or exclude list instead of the IDERI note server’s Active Directory® computer account. GUI tools such as the IDERI note administrator apply heuristics to detect the addition of the IDERI note server’s Active Directory® computer account to the recipient or exclude list of a message and try to automatically convert the Active Directory® computer account name to NetworkService while the user interacts with the GUI. However, this still does not cover another case where running the IDERI note client on the same computer as the IDERI note server has special implications: addressing the Active Directory® computer account of the IDERI note server by means of an Active Directory® group that this computer is a member of does not work, for the exact same reason: the inclmgmt service that runs locally on the IDERI note server performs a local authentication with the NetworkService account, which is not a member of any Active Directory® group. As a consequence, when addressing an Active Directory® group which the IDERI note server is a member of, the IDERI note server has to be addressed explicitly and via its local built-in account NetworkService. The same rule applies to the message exclude list as to the message recipient list.
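The following Python model is added here as an illustration; it is not part of IDERI note or its API. It encodes the access-check rules from 7.6.3 (which identities of a connection are evaluated per addressing mode, and that a deny on either identity wins in “Send message to users and computers”) together with the server-local special case from 7.6.4, where the computer side of the connection is NetworkService with no Active Directory® group memberships. Account and group names stand in for SIDs, and each identity’s group set is assumed to be its already resolved membership. The user adam.sam, the server account SV01$ and the English NetworkService name are taken from the text; the workstation WS042$ and the groups ThirdFloorComputers, AllStaff and NotificationServers are made-up names for the scenarios.

```python
"""Model of the IDERI note professional addressing-mode access check
(sections 7.6.1, 7.6.3 and 7.6.4). Added example, not IDERI note code:
account/group names stand in for SIDs and group sets are assumed to be
the already-resolved memberships of each identity."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class AddressingMode(Enum):
    USERS_ONLY = "Send message to users only"
    USERS_AND_COMPUTERS = "Send message to users and computers"
    COMPUTERS_ONLY = "Send message to computers only"


# English account name of NetworkService (7.6.4); other OS languages differ.
NETWORK_SERVICE = r"NT AUTHORITY\NETWORK SERVICE"


@dataclass(frozen=True)
class Identity:
    """One authenticated identity of a client connection plus the groups
    it is a member of (names are assumed to be unique, SID-like tokens)."""
    name: str
    groups: FrozenSet[str] = frozenset()

    def listed_in(self, principals: FrozenSet[str]) -> bool:
        return self.name in principals or not self.groups.isdisjoint(principals)


@dataclass(frozen=True)
class Connection:
    user: Identity       # AD user running inotecln.exe
    computer: Identity   # identity the local inclmgmt service authenticated as


@dataclass(frozen=True)
class Message:
    mode: AddressingMode
    recipients: FrozenSet[str]
    excludes: FrozenSet[str] = frozenset()


def identities_checked(conn: Connection, mode: AddressingMode) -> List[Identity]:
    """Which identities of the connection the server evaluates for a mode."""
    if mode is AddressingMode.USERS_ONLY:
        return [conn.user]
    if mode is AddressingMode.COMPUTERS_ONLY:
        return [conn.computer]
    return [conn.user, conn.computer]


def is_delivered(msg: Message, conn: Connection) -> bool:
    """Grant if any evaluated identity is a recipient and none is excluded
    (7.6.3: an explicit deny on either identity wins)."""
    ids = identities_checked(conn, msg.mode)
    if any(i.listed_in(msg.excludes) for i in ids):
        return False
    return any(i.listed_in(msg.recipients) for i in ids)


def server_local_connection(user: Identity) -> Connection:
    """Client running on the IDERI note server itself: its inclmgmt service
    authenticates locally as NetworkService, which is in no AD group (7.6.4)."""
    return Connection(user=user, computer=Identity(NETWORK_SERVICE))


# --- constructed scenarios (names other than adam.sam / SV01$ are made up) ---
THIRD_FLOOR = "ThirdFloorComputers"      # assumed AD group of workstations
STAFF = "AllStaff"                        # assumed AD group of users
SERVER_GROUP = "NotificationServers"      # assumed AD group containing SV01$
adam = Identity("adam.sam", frozenset({STAFF}))         # not in THIRD_FLOOR
ws042 = Identity("WS042$", frozenset({THIRD_FLOOR}))    # adam's workstation
on_ws042 = Connection(adam, ws042)


def scenario_floor_alert(mode: AddressingMode) -> bool:
    """Alert addressed to the third-floor computer group (7.6.3 example)."""
    return is_delivered(Message(mode, frozenset({THIRD_FLOOR})), on_ws042)


def scenario_exclude_computer(mode: AddressingMode) -> bool:
    """adam.sam is a recipient via AllStaff, but his workstation is excluded."""
    msg = Message(mode, frozenset({STAFF}), excludes=frozenset({"WS042$"}))
    return is_delivered(msg, on_ws042)


def scenario_server_local(recipient: str) -> bool:
    """adam.sam logged on to the IDERI note server sv01 itself (7.6.4)."""
    msg = Message(AddressingMode.COMPUTERS_ONLY, frozenset({recipient}))
    return is_delivered(msg, server_local_connection(adam))


if __name__ == "__main__":
    for mode in AddressingMode:
        print(f"{mode.value:40} floor alert: {scenario_floor_alert(mode)}"
              f"  computer excluded: {scenario_exclude_computer(mode)}")
    for r in ("SV01$", SERVER_GROUP, NETWORK_SERVICE):
        print(f"computers-only message to {r!r} on the server: "
              f"{scenario_server_local(r)}")
```

Running the block shows the three contrasts the text describes: the floor alert reaches adam.sam only in the two modes that evaluate the computer identity; the exclude on WS042$ is ignored in “Send message to users only” but blocks the message in “Send message to users and computers” even though adam.sam is a recipient via his user group; and for a user logged on to the server, only a message addressed to NT AUTHORITY\NETWORK SERVICE is delivered, while SV01$ and a group containing SV01$ both fail.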