Local Impersonation

While running a process language script as either the primary or secondary node, Connect:Direct impersonates (programmatically logs on) as the appropriate user, to gain access to the files specified in the script.

Connect:Direct® for Microsoft Windows programmatic logons traditionally require a password, leading to stored passwords in the following two contexts:

  • Secondary node proxying, that is, a local user specified in a proxy record. For more information, see Managing no-password proxies for Domain Accounts.
  • When an AIJ-based program submits processes, it can use certificate-based authentication to authenticate itself to Connect:Direct, which eliminates the need to store a password. For more information, see Certificate Authentication for Client API Connections.
    Note: The submitter, specified as the Common Name of the application’s certificate, will be impersonated and therefore must be a Domain User.

Common requirements for using Local Impersonation

  • Connect:Direct’s host system must be a member of a Windows Domain.
  • The user being impersonated must be a member of the Domain Users group. UPN format (user@domain) is a convenient way to specify a domain user’s name to Connect:Direct for Microsoft Windows.
    Note: Connect:Direct does not permit impersonation of a member of the Domain Admins group.
  • If the Connect:Direct service is running under a custom account, rather than the Local System account, the custom account must be a member of the Domain Users group.
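A pre-flight check for the three requirements above, added here as an example (it is not part of the Connect:Direct product or its documentation). It assumes the RSAT ActiveDirectory module is installed on the host and that the caller can read the domain; the Connect:Direct service name is a placeholder, since the page does not give it.

```powershell
# Added example, not Connect:Direct product code: verifies the local impersonation
# requirements before a process is submitted. Assumes the ActiveDirectory module
# (RSAT) is available. $ServiceName is a placeholder for the local service name.
param(
    [Parameter(Mandatory)] [string] $UserToImpersonate,   # UPN (user@domain) or SAM name
    [string] $ServiceName = 'PLACEHOLDER-ConnectDirect-service-name'
)
Import-Module ActiveDirectory -ErrorAction Stop
$findings = @()

# Well-known RIDs: 513 = Domain Users, 512 = Domain Admins.
$domainSid    = (Get-ADDomain).DomainSID.Value
$domainUsers  = Get-ADGroup -Identity "$domainSid-513"
$domainAdmins = Get-ADGroup -Identity "$domainSid-512"

function Get-DomainAccount([string] $Name) {
    # Accept either UPN (user@domain) or SAM account name.
    Get-ADUser -Filter "UserPrincipalName -eq '$Name' -or SamAccountName -eq '$Name'" `
               -Properties MemberOf, PrimaryGroupID
}
function Test-InDomainUsers($Account) {
    # Domain Users is usually the primary group, which is not listed in MemberOf.
    $Account.PrimaryGroupID -eq 513 -or $Account.MemberOf -contains $domainUsers.DistinguishedName
}

# 1. The Connect:Direct host must be a member of a Windows domain.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $findings += "Host $($cs.Name) is not joined to a Windows domain." }

# 2. The impersonated user must be a Domain User and must not be a Domain Admin.
$user = Get-DomainAccount $UserToImpersonate
if (-not $user) { $findings += "Account '$UserToImpersonate' was not found in the domain." }
else {
    if (-not (Test-InDomainUsers $user)) { $findings += "'$UserToImpersonate' is not a member of Domain Users." }
    $admins = Get-ADGroupMember -Identity $domainAdmins -Recursive   # nested membership counts too
    if ($admins.SID.Value -contains $user.SID.Value) {
        $findings += "'$UserToImpersonate' is a Domain Admin; Connect:Direct will not impersonate it."
    }
}

# 3. A custom service account (anything other than Local System) must also be a Domain User.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { $findings += "Service '$ServiceName' not found; replace the placeholder name." }
elseif ($svc.StartName -ne 'LocalSystem') {
    $svcUser = Get-DomainAccount ($svc.StartName -replace '^.*\\', '')   # strip DOMAIN\ prefix
    if (-not $svcUser -or -not (Test-InDomainUsers $svcUser)) {
        $findings += "Service account '$($svc.StartName)' is not a member of Domain Users."
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All local impersonation requirements are satisfied for '$UserToImpersonate'."
```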