Configuring for Active Directory

Last updated on September 27, 2023

Dispatcher Phoenix allows you to scan to your personal home folder using Active Directory, browse through your subfolders, and create new folders – directly at the MFP. This means that you can log into the MFP through Active Directory and access your home folder from the MFP display panel, a functionality commonly referred to as “Scan to Home.”

Requirement: Dispatcher Phoenix must be installed on a machine that is part of the Active Directory domain.

To get started, do the following:

  1. Check whether Active Directory users are set up with Roaming Profiles or Home Folders:

    • Active Directory users with Roaming Profiles can log onto any computer on the Active Directory domain and access their profile.

    • Home Folders are private network locations where users can store their files.

  2. Create a “Scan to Home” workflow with a MFP Panel node and Output Folder.

    Scan to Home

  3. Add an Index Form to the MFP Panel node and set up the Index Form for folder browsing.

    Index Form

  4. Configure the Output Folder Browser data source in the Folder Browser Configuration window:

    Output Folder Browser

  5. In the Root Folder field, you will use variables that will automatically expand when the workflow runs.

    • If using a Roaming Profile, enter {user:profile}

    • If not using a Roaming Profile, enter {user:home}.

If not using a Roaming Profile, use the existing variables to construct a path that will work for numerous users. For example:

\\ad-server\Profiles\{user:home}\Desktop

{user:home}\Scans

Note: In older environments, when a user’s home folder is shared via Active Directory and has been accessed by multiple operating systems, a suffix (v1, v2, v3, etc.) is added to the profile folder to isolate the profile from profiles created by previous operating systems.

For Windows 7 and Windows Server 2008, profiles are stored on the server with .V2 added after the username, as follows:

\\%server%\%share%\%Profiles%\%User%.v2\

For Windows 8 and Windows 2012, contact your IT administrator.

  6. Save and close the Folder Browser Configuration window, Index Form builder, MFP Panel node and Workflow Builder tool.

  7. In the main application screen, share the workflow by clicking on the Shared Status icon on the tool bar. The workflow should have a Shared Status icon next to it in the Workflow List, as in the following illustration:

    Shared Status

  8. Using the MFP Registration Tool, make sure that the MFP’s authentication options are set to option 1 (“Prompt for username and password”).

    MFP Registration

  9. Run the workflow.

  10. At the MFP, log into Dispatcher Phoenix with your Active Directory credentials (i.e., username@domain name or domain name / username).

Workflow Services Manager

The Workflow Services Manager allows you to do the following:

  • Manage Workflow Services.

  • Configure LDAP support for CAC/PIV authentication.

This application can be accessed from the Windows Start Menu (All Programs > Konica Minolta). You can also perform a Windows search on “Workflow Services Manager” to find this application.

The Workflow Services Manager includes the following key features:

Windows Authentication

On this tab, an administrator can manage the KMBS Windows Authentication Service by doing the following:

  1. From the Startup Type pull-down list, specify how/when the KMBS Windows Authentication Service should start. Options are:

    • Automatic (Delayed Start) - The service starts shortly after all other services designated as Automatic have been started (typically 1-2 minutes after the system boots).

    • Automatic - The service starts when the system first starts.

    • Manual - In order to start the service, the user must select the Start Service button on this window every time the PC starts.

    • Disabled - The user is prevented from starting the service at any point.

  2. Activate the service by selecting the Start Service button.

  3. Stop the service by selecting the Stop Service button.

  4. Enable support for LDAP (Lightweight Directory Access Protocol) by checking the Enable LDAP Lookup box. LDAP is a standard for user authentication and storage of user profile data. Dispatcher Phoenix must connect to LDAP to perform read-only queries to determine user attributes (for scanning to home directories {user:home}, email addresses {user:email}, etc.). Once enabled, connection, authentication, and search options must be entered to match the LDAP server, as follows:

    • Host - Enter the name of the server where the Active Directory (AD) server is hosted.

    • Port - Enter the AD server port. 

    • LDAP User Search Base - Enter your search starting point in the LDAP server tree structure.

    • Use SSL Secured Connection - Enable SSL connections to the LDAP server.

    • Simple or Anonymous Authentication - Specify the type of LDAP authentication (Anonymous, which specifies that the connection should be made without passing credentials, or Simple, which specifies that basic authentication should be used on the connection).

    • Bind DN - Enter the user on the external AD server permitted to search the LDAP directory within the defined search base. Note that the {user}@{domain} variables will be replaced with information coming from the MFP and are necessary to perform the search.

    • Password - Enter the bind password.

    • Filter - Enables you to define a search criterion to identify entries in a search request. For example, (objectClass=person) is used for retrieving sub-sets of users across your LDAP directory.

    • Default Search - Configure the search attributes.

    • Fallback Search - Enter additional search strings.

  5. Test the search setting by selecting the Test LDAP Connection button.

  6. Update the Windows Authentication Service by selecting the Save Settings button.

Notes:

  • LDAP changes will not take effect until the KMBS Windows Authentication Service is stopped and started again.

  • When a user first logs into Dispatcher Phoenix at the MFP, Active Directory and LDAP information is cached until the user logs out of Dispatcher Phoenix (by exiting the app on the MFP). The next time the user logs in, LDAP information will be obtained again from the Active Directory and/or LDAP.
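
The following is an added example, not part of Dispatcher Phoenix or its documentation: a small Python lint for the LDAP lookup settings listed above, flagging combinations such as Simple authentication without SSL or a port that does not match the SSL setting. The dictionary keys, the sample host, the DNs and the password are assumptions made for illustration.

```python
import re

LDAP_PORT, LDAPS_PORT = 389, 636  # standard LDAP and LDAP-over-SSL ports
DN_RE = re.compile(r"\s*\w+=[^,]+(\s*,\s*\w+=[^,]+)*\s*")


def filter_is_balanced(text):
    """True if an LDAP filter starts with '(' and its parentheses pair up."""
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and text.startswith("(")


def lint_ldap_settings(cfg):
    """Return (severity, message) findings for one settings dict.

    Keys are hypothetical names for the dialog fields, not a product format.
    """
    findings = []
    auth = cfg.get("auth", "").lower()
    ssl, port = bool(cfg.get("use_ssl")), cfg.get("port")
    if auth == "simple" and not ssl:
        findings.append(("high", "Simple bind without SSL sends the bind "
                                 "password in cleartext"))
    if auth == "anonymous":
        findings.append(("medium", "Anonymous bind only works if the directory "
                                   "exposes user attributes without credentials"))
    if ssl and port == LDAP_PORT:
        findings.append(("medium", "SSL is enabled but port 389 is the plain "
                                   "LDAP port; LDAPS normally uses 636"))
    if not ssl and port == LDAPS_PORT:
        findings.append(("medium", "Port 636 expects SSL but SSL is disabled"))
    if not DN_RE.fullmatch(cfg.get("search_base", "")):
        findings.append(("low", "Search base is not a distinguished name"))
    if not filter_is_balanced(cfg.get("filter", "")):
        findings.append(("low", "Filter is empty or has unbalanced parentheses"))
    return findings


# Constructed sample settings; host, DNs and password are placeholders.
WEAK = {"host": "ad-server", "port": 636, "use_ssl": False, "auth": "Simple",
        "bind_dn": "{user}@{domain}", "password": "placeholder",
        "search_base": "example", "filter": "(objectClass=person"}
HARDENED = dict(WEAK, use_ssl=True, search_base="DC=example,DC=com",
                filter="(objectClass=person)")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_ldap_settings(cfg) or "no findings")
```
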

Workflow Service

On this tab, an administrator can manage the SEC Workflow Services by doing the following:

  1. From the Startup Type pull-down list, specify how/when the SEC Workflow Services should start. Options are:

    • Automatic (Delayed Start) - The service starts shortly after all other services designated as Automatic have been started (typically 1-2 minutes after the system boots).

    • Automatic - The service starts when the system first starts.

    • Manual - In order to start the service, the user must select the Start Service button on this window every time the PC starts.

    • Disabled - The user is prevented from starting the service at any point.

  2. Activate the service by selecting the Start Service button.

  3. Stop the service by selecting the Stop Service button.

  4. Select whether or not to Broadcast to Cluster. This setting makes your server public so that it is accessible for cluster setup.

Workflow Cluster Service

On this tab, an administrator can manage the KMBS Workflow XMPP Cluster Service, one of the main workflow services that IT administrators can configure to run as an NT Service virtual account for CAC/PIV authentication and other security purposes. Virtual accounts are “managed local accounts” that provide the following features to simplify service administration:

  • No password management is required.

  • The ability to access network destinations (e.g., network shares, home folders, etc.) with a computer identity in a domain environment.

Do the following:

  1. From the Startup Type pull-down list, specify how/when the XMPP Cluster Service should start. Options are:

    • Automatic (Delayed Start) - The service starts shortly after all other services designated as Automatic have been started (typically 1-2 minutes after the system boots).

    • Automatic - The service starts when the system first starts.

    • Manual - In order to start the service, the user must select the Start Service button on this window every time the PC starts.

    • Disabled - The user is prevented from starting the service at any point.

  2. Activate the service by selecting the Start Service button.

  3. Stop the service by selecting the Stop Service button.

  4. Modify the Log on type of the service:

    • Select the Local System Account radio button if you do not want to run on a domain.

    • Select the This Account radio button and specify the NT virtual service account and password to have full permissions to write to the domain server.

Note: Service Log On Account changes will not take effect until the Workflow Cluster Service is stopped and started again.

Scan To Home with LDAP Lookup using Windows NT Service Logon

To configure a “Scan to Home” workflow with LDAP lookup using Windows NT Service Logon*, do the following:

* These instructions assume that a Windows NT Virtual Service account with access and full permissions to all users' home and profile paths has already been created and that the computer is joined to a domain.

  1. Launch the Workflow Services Manager application.

  2. On the Workflow Cluster Service tab, change the Service Log On information to use the Windows NT Virtual Service account.

  3. Select the Stop Service button; then select the Start Service button.

  4. On the Windows Authentication tab, check the Enable LDAP Lookup box.

  5. Enter LDAP configuration details in the provided fields.

  6. Select the Save Settings button.

  7. Select the Stop Service button; then select the Start Service button.

  8. In the Dispatcher Phoenix main application, open the MFP Registration Tool. Edit the MFP that you want to use; then select the Authentication tab.

  9. Choose the single sign on option in the Authentication tab, as in the following illustration:

    Authentication Options

  10. When setting up the Index Form in your workflow for folder browsing, use the {user:home} variable, as in the following illustration:

    Index Form

  11. Network credentials are not necessary. Clear any network credentials by clicking on the Network Credentials icon; then selecting the Clear Network Credentials option, as in the following illustration:

    Index Form

  12. On the Dispatcher Phoenix main application screen, ensure that the workflow is shared.

  13. At the MFP, log in with your domain user account.