MCE Standalone Configuration
MCE can be configured to run independently without the need for a Skype for Business (SfB) Topology. Deploying MCE without SfB means that only chat room based messaging will be available to users.
Please refer to the PowerShell Management section for more information on how to manage the MCE deployment, including how to add security contexts and users.
For all other configurations see MCE Configurations.
MindLink comes with many features, some of which are optional and require additional configuration that you may not need.
In this section we will explore the most common scenarios:
- Active Directory Only
- Active Directory + Attribute Service
Currently it is not possible to configure a deployment that does not depend on Active Directory.
Common configuration
Whether you're using Active Directory, or Active Directory with an Attribute Service, there are some common configuration steps.
1. Configure your license
Follow the guidance provided on Licence configuration.
MCE licensing is bundled with your MindLink Anywhere license. Don't have a license? Contact product@mindlinksoft.com to request a trial.
2. Disable instant messaging
As a standalone deployment is only capable of chat room messaging scenarios, we need to disable the instant messaging feature.
To disable instant messaging refer to General configuration.
3. Fill out dummy values for Skype for Business configuration
As a standalone deployment by definition does not integrate with Skype for Business, we don't actually need any Skype for Business configuration. Unfortunately, the management tool doesn't yet understand this and so requires that you fill in dummy values in the Skype for Business configuration.
You can enter any values that the Management Center considers valid input. These values will not be used by MCE but are required as the Management Center’s validation process does not yet support MCE standalone.
4. Configure Active Directory
Active Directory is currently a required integration, you should fill out the Active Directory configuration according to your resource and authenticating forest.
You must specify a default domain
in the Active Directory authentication options, while the management tool does not validate this setting there is a known bug that treats an empty value as invalid in the service.
You must ensure that the authentication search filter is able to find the user account using both the objectSid
and the linked authentication identity, e.g., if you're using a linked authentication identity of a user's email address then a valid search filter would be (|(&(objectCategory=person)(objectSid={0}))(&(objectCategory=person)(mail={0})))
.
When using a resource forest topology, MindLink only supports the objectSid
from the User forest as a mapped identity attribute synchronized to the Resource forest.
The default search filter for authentication assumes that either the User forest is also the Resource forest (and so the objectSid
is used to find the authenticating user), or the Resource forest user objects are mapped to the authenticating user via an msRTCSIP-OriginatorSID
field (or other target field containing the User forest objectSid
).
When using Windows or Password based authentication, this search filter is used to find the Active Directory object that contains an attribute whose value is the linked user authentication attribute configured for MCE.
When using Pre-Authenticated HTTP Header based authentication, this search filter is used to find the Active Directory object with the linked user authentication attribute. You must make sure that the linked user authentication attribute configured for MCE is the value provided in the HTTP Header.
You must make sure that the linked user authentication attribute is part of the search filter along with the mapped identity attribute, e.g., using the user's email address, and originatorSID
as the mapped identity attribute, then a valid search filter would be (|(&(objectCategory=person)(objectSid={0}))(&(objectCategory=person)(originatorSID={0}))(&(objectCategory=person)(mail={0})))
.
MCE will sync user metadata from a single forest, this should be your Resource forest, if you have one.
5. Disable unsupported features
Some features are only applicable to instant messaging, these must be disabled:
Disabling communities of interest does not impact MCE Security Contexts.
6. Configure MCE
You can configure the basic MCE connectivity and database as described here.
Only configure the MCE page and follow the database installation/upgrade guidance. Return here before any advanced configuration.
7. Configure MindLink Anywhere
You can configure the MindLink Anywhere feature as normal Configure MindLink Anywhere feature
8. Manually complete configuration
The configuration of MCE relies upon the advanced configuration section of the Management Center. This section does not perform validation, and it's important to get the configuration right.
MindLink wants to make the configuration experience much easier and we are working on uplifting all of these advanced keys to proper configuration pages with guidance in future releases.
Key | Value | Description |
---|---|---|
global.service.modules | Web,Mce,MceAdmin | Enables Web, MCE and the MCE administration services respectively. |
debug.mce.file.server.path.<mce file server identifier> | C:\mindlink\mce\files | The path to where file uploads should be stored when the specified <file server identifier> is configured as the active file server, this should be a network path accessible to all MLA hosts. This key allows for recording multiple file paths onto which files have been uploaded, the currently "active" path (onto which new files will be uploaded) can be switched with the debug.mce.file.server.activeid key |
debug.mce.file.server.activeid | mcefileserver1 | The desired mce file server identifier, defined via using the debug.mce.file.server.path.<mce file server identifier> debug flag |
debug.connector.types.enabled | mce | Specifies the enabled connectors, accepted values are "mce" and "ucma". MCE is required for a standalone deployment with the omission of UCMA. |
debug.connector.mce.groupclassificationrequired | false | Enforces that a classification must be specified when creating a group |
mce.attributesynchronization.issuers.directoryservice.id | AD | Determines the issuer ID for the directory service. |
mce.attributesynchronization.validissuers | AD | Specifies the issuers that can be used to specify COI attributes. Use the values specified for mce.attributesynchronization.issuers.directoryservice.id . |
mce.attributesynchronization.user.defaultissuer | AD | Specifies the default attribute issuer to use for user attribute synchronization, use the value specified for mce.attributesynchronization.issuers.directoryservice.id . |
mce.attributesynchronization.user.linkedauthenticationidentity.issuer | AD | Specifies the attribute issuer to use as the linked authentication identity for users, use the value specified for mce.attributesynchronization.issuers.directoryservice.id . |
mce.attributesynchronization.user.linkedauthenticationidentity.name | Specifies the attribute to synchronize as the linked authentication identity. This is the property defined in the attribute issuer used to link users, and must be used in the Active Directory search filter. | |
mce.attributesynchronization.user.displayname.name | displayName | Specifies the attribute name used to synchronize the user display name. |
mce.attributesynchronization.user.emailaddress.name | Specifies the attribute name used to synchronize the user email address. | |
mce.attributesynchronization.user.instantmessagingaddress.name | Specifies the attribute name used to synchronize the user instant messaging address. | |
mce.attributesynchronization.user.country.name | c | Specifies the attribute name used to synchronize the user country. |
mce.attributesynchronization.user.countrydivision.name | st | Specifies the attribute name used to synchronize the user country division or state. |
mce.attributesynchronization.user.city.name | l | Specifies the attribute name used to synchronize the user city. |
mce.attributesynchronization.user.street.name | streetAddress | Specifies the attribute name used to synchronize the user street. |
mce.attributesynchronization.activedirectory.synchronizationreminderminutes | 240 | Specifies the reminder interval, in minutes, for synchronizing the Active Directory attributes. We recommend a value between 4-6 hours. |
mce.attributesynchronization.user.activedirectory.properties | s, st, displayName, distinguishedName, mail | Specifies the active directory properties to synchronize for users (ensure the distinguished name and whatever you use for the linkedauthenticationidentity are synchronized). Only string type AD properties are supported. |
mce.attributesynchronization.activedirectory.groupsandous.enabled | true | Enables Active Directory Groups and OUs for synchronization. |
debug.mceadmin.admin.upn | user@domain.com | The UPN of an administrator account, used to connect with the Powershell and manage MCE. |
debug.connector.mce.management.environmentname | MCE | The name of the environment to show to users in the application. |
debug.mce.enableinappmcegroupmanagement | true | Enables users to manage MCE chat rooms within MindLink Anywhere. |
connector.ucma.custompreferencesrepository | C:\mindlink | Specifies the location for custom preferences, this should be a network path accessible to all MLA hosts. |
Setting 'mce.attributesynchronization.issuers.directoryservice.id' must not be changed once set. Updating once set may compromise security policies.
Optional configuration
Key | Value | Description |
---|---|---|
debug.mce.fileupload.disabled | true | Disabled file upload functionality in MCE groups |
debug.mceadmin.admin.adgroup | CN=MceAdministrators, DN=Groups, DC=company, DC=com | The Active Directory distinguished name of a Security Group for administrator accounts |
debug.mceadmin.admin.tokenexpirationminutes | 15 | The number of minutes an administrator access token is valid |
debug.mce.management.group.name.duplicationscope | None | The scope of validation against group name duplication. Can be "Global", "SecurityContext", "SecurityContextAndClassification", or "None". Will default to "None" if not provided. |
mce.contentretention.enabled | false | Determines whether global group chat content retention is enabled. Will default to 'false' if omitted. |
mce.contentretention.purge.interval.hours | 1 | Determines the interval at which messages are either soft or hard deleted. |
mce.contentretention.sync.interval.hours | 1 | Determines the interval at which hard or soft deletion policies are synchronized. |
mce.attributesynchronization.wellknown.attributes | [{"Issuer": "issuer ID", "Name": "attribute-name", "Value": "attribute-value"}] | Determines the list of well known attributes as a JSON. Each entry requires the issuer ID, the attribute name and value. |
debug.mce.database.logging.enabled | true | Enables detailed logging of all database operations. |
debug.mce.database.operationretry.enabled | true | Enables automatic retry of database operations when transient failures occur. Note: Many errors will be considered transient by default and will cause retries. |
debug.mce.database.operationretry.maxretries | 1 | Determines the maximum number of times a database operation can be retried under transient failure. Note: If not specified, and debug.mce.database.operationretry.enabled is set to true , a default value of 1 will be used. |
debug.mce.database.operationretry.maxdelayseconds | 1 | Determines the maximum delay (in seconds) between successive retries of failed database operations. The delay between successive retries follows a backoff pattern, limited by this maximum value. Note: If not specified, and debug.mce.database.operationretry.enabled is set to true , a default value of 5 will be used. |
debug.mce.database.operationretry.transienterrors | errorNumber1, errorNumber2, ... | Specifies any additional error numbers which should be considered transient for database operations, and should therefore cause retries. These are in addition to those already considered transient by default which do not need to be specified here. |
Active Directory Only
An Active Directory Only deployment does not leverage a separate Attribute Service, instead pulling all metadata and security attributes from Active Directory.
In an Active Directory Only deployment you cannot configure Content Classification, or attribute-based access control, which require an Attribute Service.
Disable features that require an Attribute Server
Since you are looking to deploy without an Attribute Server, you must disable the following features:
Active Directory + Attribute Service
With Active Directory and an Attribute Service you have more flexibility in how to authenticate, and where to source user attributes.
Enable content classification
Currently, content classification must be enabled in order for the Attribute Service to be used by MCE. In future versions we will look to remove this dependency and allow the Attribute Service to be enabled solely for sourcing user attributes.
Manually complete configuration
In addition to the common manual configuration, the following keys must be specified.
Key | Value | Description |
---|---|---|
mce.attributesynchronization.issuers.attributeservice.id | AS | Determines the issuer ID for the attribute service. |
mce.attributesynchronization.validissuers | AD,AS | Specifies the issuers that can be used to specify COI attributes. Use the values specified for mce.attributesynchronization.issuers.directoryservice.id and mce.attributesynchronization.issuers.attributeservice.id (or use only one of them if you want to restrict Security Context attributes). |
mce.attributesynchronization.attributeprovider.synchronizationreminderminutes | 240 | Specifies the reminder interval, in minutes, for synchronizing the user attribute provider attributes. We recommend a value between 4-6 hours. |
Setting 'mce.attributesynchronization.issuers.directoryservice.id' and 'mce.attributesynchronization.issuers.attributeservice.id' must not be changed once set. Updating once set may compromise security policies.
Optional configuration
Key | Value | Description |
---|---|---|
mce.attributesynchronization.user.emailaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user email address, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.displayname.issuer | AD | Specifies the attribute issuer used to synchronize the user display name, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.instantmessagingaddress.issuer | AD | Specifies the attribute issuer used to synchronize the user instant messaging address, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.country.issuer | AD | Specifies the attribute issuer used to synchronize the user country, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.countrydivision.issuer | AD | Specifies the attribute issuer used to synchronize the user country division or state, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.city.issuer | AD | Specifies the attribute issuer used to synchronize the user city, defaults to the specified default attribute issuer if omitted. |
mce.attributesynchronization.user.street.issuer | AD | Specifies the attribute issuer used to synchronize the user street, defaults to the specified default attribute issuer if omitted. |
debug.mceadmin.admin.attribute | cois=Admins | The security attribute name=value of administrator accounts |
Additional steps when turning on Attribute Server integration when users already exist
If you have already deployed MindLink with Active Directory and have added users, there are some additional steps that you need to take when turning on Attribute Server integration.
Firstly, existing Security Contexts and their Chat Rooms cannot be easily migrated to use attributes. Instead, you should create new Security Contexts and Chat Rooms using attributes and deprecate the use of previous rooms.
If you really do need to migrate chat rooms from Active Directory to Attribute Server attributes, reach out to product@mindlinksoft.com, and we can work with you to ensure a smooth migration using advanced tooling.
- Turn off the MindLink services to prevent interference during this process.
- Delete the event cursors created by the disabled attribute synchronizer
DELETE FROM [MCE].[dbo].[EventConsumerCursors] where [ConsumerId] like
'%AttributeProviderUserAttributeSynchronizer%'
- Trigger synchronizers to initialize
Get-MceUser -IsEnabled $True | Start-MceGrain -GrainType "MindLink.Core.MceAdmin.Contracts.Grains.IAttributeProviderUserAttributeSynchronizerGrain"
- Trigger a synchronization of attributes
Get-MceUser -IsEnabled $True | Sync-MceUserAttributes
If you do not perform these steps, then existing users will not have their attributes synchronized from the Attribute Server.
Next steps
Once you have deployed and configured the basic MindLink experience, you can enable additional functionality for MCE:
- Enable email notifications for new rooms or mentions
- Enable secure content export
- Enable content retention
- Enabled profile pictures
"Shadow account" setup for external users
Shadow accounts are only required to allow users external to the local AD access to MCE.
A shadow account is a contact or disabled user object in Active Directory that is used to provide a directory resource for a person who is not an authenticated member of the directory - e.g. an external user to a system.
The AD administrator creates a contact object containing attributes such as display name / email etc. The person represented by that this object cannot authenticate to the AD server, but can have attributes setup for accessing MCE groups.
Configure "pre-authenticated" header so it injects the email as the header value when the external users logs into MindLink, and they should be able to log in and interact with any groups according to the attributes configured on the AD object like a regular internal AD user.