Related Products

Encryption and data storage in ADSelfService Plus database

This article lists the encryption methods used to store data in the ADSelService Plus database, and the type of data stored.

Encryption in the ADSelfService Plus database

ADSelfService Plus' database uses the following encryption methods to store sensitive data:

Database	Encryption method
PostgreSQL	AES-256-CBC
Microsoft SQL	AES-256-CBC

The following sensitive information is encrypted and stored in the database:

Type of information	Encryption standard used for storage
MickeyLite framework*	AES-256 encryption
Standard username and password used to configure Active Directory domain	AES-256
Username and password used to configure email/SMS settings	AES-256
Username and password used to configure integration settings	AES-256
Username and password used to configure proxy settings	AES-256
Username and password of high availability settings	AES-256
Password used to configure external database	AES-256
Password of database backups	AES-256
Keystore password for SSL certificate configuration	AES-256
Default password of technicians	Hashed password BCRYPT Algorithm with SALT
Passwords used to configure applications for password sync	AES-256
Security questions and answers stored for MFA	MD5/SHA512 (Customers can choose the required encryption standard)
Passwords stored for the password history setting in the Password Policy Enforcer	Hashed password using SHA-512 algorithm with SALT

Note :

Users' domain credentials aren't stored in the database.
In Microsoft SQL, Transparent Data Encryption (TDE) and SSL can be enabled to encrypt data at rest and in transit.

Active Directory objects and attributes stored in the ADSelfService Plus database

The following objects are stored in the ADSelfService Plus database:

Account Expires (accountExpires)
City/Locale (I)
Common Name (cn)
Company (company)
Country/Region (c)
Department (department)
Description (description)
Display Name (displayName)
Distinguished Name (distinguishedName)
Email (mail)
Exchange Home Server (msExchHomeServerName)
Exchange Mailbox Database (homeMDB)
Fax (facsimileTelephoneNumber)
First Name (givenName)
Full Name (name)
Home (homeDirectory)
Initials (initials)
IP Phone (telephoneNumber)
Job Title (title)
Last Logoff Time (lastLogoff)
Last Logon Time (lastLogon)
Last Logon Time Stamp (lastLogonTimestamp)
Last Name (sn)
Last Password Set (pwdLastSet)
Logon Name (sAMAccountName)
Mail Alias (mailnickname)
Manager (manager)
Mobile (mobile)
Object Class (objectClass)
Object GUID (objectGUID)
Object SID (objectSID)
Office (physicaldeliveryOfficeName)
Other Mobile (otherMobile)
OU Name
Pager (pager)
Primary Group ID (primaryGroupID)
Profile Path (profilePath)
PSO Resultant (msDS-ResultantPSO)
State/Province (st)
Street (streetAddress)
User Account Control (userAccountControl)
User Logon Name (userPrincipalName)
When-Changed (whenChanged)
When-Created (whenCreated)
Zip/Postal Code (postalCode)

Group Object Attributes:

Object GUID (objectGUID)
Group Name (name)
Description (description)
Distinguished Name (distinguishedName)
E-mail (mail)
OU (organizational unit)
Object Class (objectClass)
Display Name (displayName)
Group Member Object GUID (objectGUID)
Object SID (objectSID) Common-Name (cn)
When-Created (whenCreated)
When-Changed (whenChanged)
Group Type (groupType)
Managed By (managedBy)
Member(member)
Display Name (displayName)
Primary Group Id (primaryGroupID)
Last Name (sn)
First Name (givenName)
Logon Name (sAMAccountName)
Info (info)

Domain Controller Object Attributes:

Domain Controller name (dNSHostName)
Domain Name (domainName)
Canonical Name (canonicalName)
Distinguished Name (distinguishedName)
Object GUID (objectGuid)
Domain DNA Name (dnsRoot)
Domain Flat Name (nETBIOSName)
Domain User Name
Domain Password
Domain Functional Level User

Domain Policy Object Attributes:

Minimum Password Age (minPwdAge)
Maximum Password Age (maxPwdAge)
Password History Length (pwdHistoryLength)
Lock Out Duration (lockoutDuration)
Lock Out Threshold (lockoutThreshold)
Password Complexity (pwdProperties)

Computer Object Attributes:

Object GUID (objectGUID)
DNS Name (dNSHostName)
OU Name (OU)
Machine Name (name)
OS (operatingSystem)
OS version (operatingSystemVersion)
Location (location)
Common Name (cn)
Distinguished Name (distinguishedName)
When-Created (whenCreated)
When-Changed (whenChanged)
Canonical Name (canonicalName)

OU Object Attributes:

Name (name)
Distinguished Name (distinguishedName)
Object Class (objectClass)
Object GUID (objectGUID)
Description (description)
Parent OU (ou)
When Created (whenCreated)
When Changed (whenChanged)
Managed By (managedBy)
Canonical Name (canonicalName)

PSO Object Attributes:

PSO Name (msDS-ResultantPSO)
Common Name (cn)
Minimum Password Age (msDS-MinimumPasswordAge)
Maximum Password Age (msDS-MaximumPasswordAge)
Minimum Password Length (msDS-MinimumPasswordLength)
Password History Length (msDS-PasswordHistoryLength)
Password Complexity (msDS-PasswordComplexityEnabled)
Lock Out Duration (msDS-LockoutDuration)
Lock Out Threshold (msDS-LockoutThreshold)

Domain Object and RootDSE Attributes:

Domain Functional Level (msDS-Behavior-Version) or (domainFunctionality)
Default Naming Context (defaultNamingContext)
Configuration Naming Context (configurationNamingContext)
Schema Naming Context (schemaNamingContext)
Root Naming Context (rootNamingContext)
Domain DNS Name (dnsHostName)
Domain Flat Name (Domain name)

Group Member Object Attributes:

Object GUID (objectGUID)
Object SID (objectSID)
Member (member)
Name (name)
Common-Name (cn)
When-Changed (whenChanged)

Contact Object Attributes (during employee search):

The selected display and search attributes will only be searched in AD during contact search.

Note: Custom attributes configured in ADSelfService Plus are also synchronized between AD to ADSelfService Plus and stored in the database.

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.

Knowledge Base