ADSelfService Plus' database uses the following encryption methods to store sensitive data:
| Database | Encryption method |
| --- | --- |
| PostgreSQL | AES-256-CBC |
| Microsoft SQL | AES-256-CBC |
The following sensitive information is encrypted and stored in the database:
| Type of information | Encryption standard used for storage |
| --- | --- |
| MickeyLite framework* | AES-256 encryption |
| Standard username and password used to configure Active Directory domain | AES-256 |
| Username and password used to configure email/SMS settings | AES-256 |
| Username and password used to configure integration settings | AES-256 |
| Username and password used to configure proxy settings | AES-256 |
| Username and password of high availability settings | AES-256 |
| Password used to configure external database | AES-256 |
| Password of database backups | AES-256 |
| Keystore password for SSL certificate configuration | AES-256 |
| Default password of technicians | Hashed password using the BCRYPT algorithm with SALT |
| Passwords used to configure applications for password sync | AES-256 |
| Security questions and answers stored for MFA | MD5/SHA512 (customers can choose the required encryption standard) |
| Passwords stored for the password history setting in the Password Policy Enforcer | Hashed password using the SHA-512 algorithm with SALT |
Note:
Users' domain credentials aren't stored in the database.
In Microsoft SQL, Transparent Data Encryption (TDE) and SSL can be enabled to encrypt data at rest and in transit.
Account Expires (accountExpires)
City/Locale (l)
Common Name (cn)
Company (company)
Country/Region (c)
Department (department)
Description (description)
Display Name (displayName)
Distinguished Name (distinguishedName)
Email (mail)
Exchange Home Server (msExchHomeServerName)
Exchange Mailbox Database (homeMDB)
Fax (facsimileTelephoneNumber)
First Name (givenName)
Full Name (name)
Home (homeDirectory)
Initials (initials)
IP Phone (telephoneNumber)
Job Title (title)
Last Logoff Time (lastLogoff)
Last Logon Time (lastLogon)
Last Logon Time Stamp (lastLogonTimestamp)
Last Name (sn)
Last Password Set (pwdLastSet)
Logon Name (sAMAccountName)
Mail Alias (mailnickname)
Manager (manager)
Mobile (mobile)
Object Class (objectClass)
Object GUID (objectGUID)
Object SID (objectSID)
Office (physicaldeliveryOfficeName)
Other Mobile (otherMobile)
OU Name
Pager (pager)
Primary Group ID (primaryGroupID)
Profile Path (profilePath)
PSO Resultant (msDS-ResultantPSO)
State/Province (st)
Street (streetAddress)
User Account Control (userAccountControl)
User Logon Name (userPrincipalName)
When-Changed (whenChanged)
When-Created (whenCreated)
Zip/Postal Code (postalCode)
Object GUID (objectGUID)
Group Name (name)
Description (description)
Distinguished Name (distinguishedName)
E-mail (mail)
OU (organizational unit)
Object Class (objectClass)
Display Name (displayName)
Group Member Object GUID (objectGUID)
Object SID (objectSID)
Common-Name (cn)
When-Created (whenCreated)
When-Changed (whenChanged)
Group Type (groupType)
Managed By (managedBy)
Member (member)
Display Name (displayName)
Primary Group Id (primaryGroupID)
Last Name (sn)
First Name (givenName)
Logon Name (sAMAccountName)
Info (info)
Domain Controller name (dNSHostName)
Domain Name (domainName)
Canonical Name (canonicalName)
Distinguished Name (distinguishedName)
Object GUID (objectGuid)
Domain DNS Name (dnsRoot)
Domain Flat Name (nETBIOSName)
Domain User Name
Domain Password
Domain Functional Level User
Minimum Password Age (minPwdAge)
Maximum Password Age (maxPwdAge)
Password History Length (pwdHistoryLength)
Lock Out Duration (lockoutDuration)
Lock Out Threshold (lockoutThreshold)
Password Complexity (pwdProperties)
Object GUID (objectGUID)
DNS Name (dNSHostName)
OU Name (OU)
Machine Name (name)
OS (operatingSystem)
OS version (operatingSystemVersion)
Location (location)
Common Name (cn)
Distinguished Name (distinguishedName)
When-Created (whenCreated)
When-Changed (whenChanged)
Canonical Name (canonicalName)
Name (name)
Distinguished Name (distinguishedName)
Object Class (objectClass)
Object GUID (objectGUID)
Description (description)
Parent OU (ou)
When Created (whenCreated)
When Changed (whenChanged)
Managed By (managedBy)
Canonical Name (canonicalName)
PSO Name (msDS-ResultantPSO)
Common Name (cn)
Minimum Password Age (msDS-MinimumPasswordAge)
Maximum Password Age (msDS-MaximumPasswordAge)
Minimum Password Length (msDS-MinimumPasswordLength)
Password History Length (msDS-PasswordHistoryLength)
Password Complexity (msDS-PasswordComplexityEnabled)
Lock Out Duration (msDS-LockoutDuration)
Lock Out Threshold (msDS-LockoutThreshold)
Domain Functional Level (msDS-Behavior-Version) or (domainFunctionality)
Default Naming Context (defaultNamingContext)
Configuration Naming Context (configurationNamingContext)
Schema Naming Context (schemaNamingContext)
Root Naming Context (rootNamingContext)
Domain DNS Name (dnsHostName)
Domain Flat Name (Domain name)
Object GUID (objectGUID)
Object SID (objectSID)
Member (member)
Name (name)
Common-Name (cn)
When-Changed (whenChanged)
Only the selected display and search attributes are searched in AD during a contact search.