Overview
ATS Bus 3.0 requires the following prerequisites:
ATS Security & Configuration Manager: Version 1.4 or newer. Please visit ATS-Help.com for installation instructions.
The minimum requirement for ATS Bus 3.0 is ATS Security Manager 1.4.
ATS Licensing: Version 3 or newer. Please visit ATS-Help.com for installation instructions.
The minimum requirement for ATS Bus 3.0 is ATS Licensing Manager 3.0. However, version 4.0 operates as a plugin for ATS Configuration Manager allowing licenses to be configured from anywhere on the network. For further information, please visit ATS-Help.com.
An SSL certificate for the REST API’s and Security Manager’s Access Rights URL.
Particular ServiceControl: Recommended version 4.20.2.
Particular ServiceInsight: (version 2.8.0 or newer).
Particular ServicePulse: (version 1.30.0 or newer).
Third party software such as OPC Servers, MTConnect agents and other services may be required by ATS Bus Cockpit to configure ATS Bus. Please refer to their product installation manuals for further details.
The SQL Server authentication should be set to SQL Server and Windows Authentication mode.
WARNING: Anti-malware and anti-virus software influence the performance of ATS Bus. The following directories MUST be excluded from on-access scanning:
- ATS Bus installation directory
- ATS Bus program data directory
- Particular ServiceControl program data directory
- Any directory used by the ATS Bus configuration
Bind/Configure certificates for TLS/SSL Connections
All ATS Bus versions higher or equal to 2.8 require certificates to secure their Web API’s. A self-signed certificate will work but it is recommended to use a production grade certificate.
The following Web API’s require a certificate to secure their endpoint:
ATS Bus data service. This channel uses the default certificate configured by the OT bus stop installer. This can be any certificate in the Personal folder of the local computer certificate store. The default certificate is stored in the Default Certificate section in the appsettings.json file.
OT WebService Server channel. This channel uses the default certificate configured by the OT bus stop installer. This can be any certificate in the Personal folder of the local computer certificate store. The default certificate is stored in the Default Certificate section in the appsettings.json file.
IT WebService Server channel. This channel uses the default certificate configured by the OT bus stop installer. This can be any certificate in the Personal folder of the local computer certificate store. The default certificate is stored in the Default Certificate section in the appsettings.json file.
ADOS Inspect Channel. This channel uses the default certificate configured by the ADOS bus stop installer. This can be any certificate in the Personal folder of the local computer certificate store. The default certificate is stored in the Default Certificate section in the appsettings.json file.
ADOS Inspect web API Channel. This channel uses the default certificate configured by the ADOS bus stop installer. This can be any certificate in the Personal folder of the local computer certificate store. The default certificate is stored in the Default Certificate section in the appsettings.json file.
Older versions of ATS Bus bound certificates to a port using the netsh tool and this binding should be removed when starting the bus stops or the data service. Failing to do so may lead to undefined behaviour.
The binding can be removed by the netsh tool:
netsh http remove sslcert ipport=0.0.0.0:9704
The following command shows if a specific port has certificates bound to it:
netsh http show sslcert ipport=0.0.0.0:9704
Update certificates for TLS/SSL connections
The certificate itself can be updated using the certificate snap-in in the Windows management console. Certificates that are bound to a port should be deleted before a new certificate is bound to a port:
netsh http add sslcert ipport=0.0.0.0:9704
netsh http add sslcert ipport=0.0.0.0:9704 appid={A4A30429-936B-4312-A9E1-34500C706AC4} certhash=99ea86fa52396ca99debbe40dddba78011e4aa63
No work is needed when certificates are configured in the appsettings.json file.
Always restart the bus stops and ATS Bus data service when certificates are updated.
Install ATS Security Manager
ATS Bus uses ATS Security Manager to authenticate users and API's against a central database. ATS Security Manager is a plugin found within ATS Configuration Manager.
The minimum requirement for ATS Bus 2.8 is ATS Security Manager 1.4.
Install ATS Security and Configuration Manager
Please follow the ATS Security and Configuration Manager installation document before proceeding with the post installation steps.
Installing ATS Security & Configuration Manager
Ensure that the host names provided during the installation match those specified in the SAN section of the certificates used for TLS/SSL.
Install ATS Licensing
ATS Bus uses the ATS Licensing 4.0 plugin within ATS Configuration Manager and allows users to configure licenses from any computer with a web browser.
ATS Bus is also compatible with ATS Licensing 3.0. For further information, please see the ATS Licensing 3.0 installation guide. 
Install ATS Licensing plugin
Please follow the ATS Licensing installation document before proceeding with the post installation steps.
Ensure that the host names provided during the installation match those specified in the SAN section of the certificates used for TLS/SSL.
Ensure that the steps detailed in the Register ATS Licensing application in ATS Security section in the installation guide are followed closely.
Install NServiceBus Monitoring
ATS Bus uses ServiceControl, ServiceInsight and ServicePulse provided by Particular Software to monitor the bus stops and the messaging framework. ServiceInsight shows the messages being handled and failed and it also shows the message details. ServicePulse is used to monitor the message throughput and other performance related items.
ServiceInsight: Diagnostics tool showing messages and conversations. Uses ServiceControl to view all handled messages.
ServicePulse: A health monitor for the bus stops (production monitoring). It processes heartbeat messages from the bus stops and it allows the user to resend failed messages.
ServiceControl: Backend/service that provides information for ServiceInsight and ServicePulse. It's the central service that handles and processes the audit and error messages. The bus stops have a module/library that connects to the ServiceControl service.
Install NServiceBus Monitoring Tools
The ServiceControl and Monitoring instance can be installed on the same computer as the bus stops, but it is good practice to install them on a central computer.
Extract the NServiceBus_Monitor_Node_xxx.zip file included with the ATS Bus installer package. This archive contains the following installers:
Particular ServiceControl 2.1.3 (required when upgrading from ATS Bus 2.0)
Particular ServiceControl 3.8.4 (required when upgrading from ATS Bus 2.5)
Particular ServiceControl 4.20.2 (version used for ATS Bus 2.8)
Particular ServicePulse 1.30.0 (version used for ATS Bus 2.8)
Particular ServiceInsight 2.8.0 (version used for ATS Bus 2.8)
The Particular applications/services should be installed in the following order:
Particular ServiceControl
Particular ServiceInsight
Particular ServicePulse
The Particular software is licensed and the provided license named NServiceBus.License.xml must be installed. Open the ServiceControl Management application and click on the License button at the top right-hand side and import the license from NServiceBus.license.xml.
A warning may be shown that the upgrade protection expired. This message can be ignored as it does not affect Particular ServiceControl, Particular ServiceInsight, Particular ServicePulse or ATS Bus.
Setup a Monitoring Instance
Perform the following steps to setup a ServiceControl Monitoring instance:
Open the ServiceControl management application.
The following window opens.
It may or may not show already configured ServiceControl or monitoring instances.
Click +NEW and select Add monitoring instance.
In the new window enter the required information. The transport selected should be the same as the transport used by the bus stops and the ServiceControl instance.
Click Add once all configuration items are provided.
Setup a ServiceControl and Audit Instance
Run Service Control Management.
Older versions of ServiceControl managed audit, error and control messages. ServiceControl version 4.20.2 separates the audit message handling from the error and control message handling and requires the user to configure 2 separate instances. The instances should use the following preferred configuration values:
Transport: RabbitMQ, Azure Service Bus, Azure Storage Queues or SQL Server Transport. This depends on the transport used by ATS Bus.
Audit retention: 2 days. The value could be set to a higher value but that requires more disk space to be used by the embedded ServiceControl database. The approximate storage capacity required depends on the amount of messages being audited * their message size * the retention time.
Error retention: 5 days. This gives the user 5 days to detect errors and retry the messages using ServicePulse or ServiceInsight. The value could be set to a higher value but that requires more disk space to be used by the embedded ServiceControl database. The approximate storage capacity required depends on the amount of messages being audited * their message size * the retention time.
Instance name: The name of the ServiceControl instance. It allows the user to configure a meaningful name for the instance that is shown in the Windows Services application.
The name of the ServiceControl instance is used as the ServiceControl queue name. The name for the ServiceControl instance must match the ‘ServiceControl queue’ in the general NServiceBus configuration in ATS Bus Cockpit.
Audit Queue name: The name of the audit queue. It must match the ‘Audit queue’ in the general NServiceBus configuration in ATS Bus Cockpit.
Error Queue name: The name of the error queue. It must match the ‘Error queue’ in the general NServiceBus configuration in ATS Bus Cockpit.
ServicePort: The default value of the ServiceControl instance is 33333, the Audit instance uses 44444.
Database maintenance port: The default value of the ServiceControl instance is 33334, the Audit instance uses 44445.
Ensure that the drive/directory where the ServiceControl database and logfiles are store has enough storage capacity. The size of the database may exceed 100GB depending on the amount of messages being audited.
After configuration, the ServiceControl Management application may show the following instances:
Upgrading NServiceBus Monitoring Tools
ATS Bus 2.0 came with ServiceControl 1.47.5, ATS Bus 2.5 came with ServiceControl 2.1.3 and 3.2.2 and ATS Bus 2.8 comes with ServiceControl 2.1.3, 3.8.4 and 4.20.2. These versions of ServiceControl are required to upgrade ServiceControl to a newer version.
Upgrading to ServiceControl 4.20.2 is done in the following order:
Upgrade from ServiceControl 1.47.5 to ServiceControl 2.1.3 if ATS Bus 2.0 is installed.
Upgrade from ServiceControl 2.1.3 to ServiceControl 3.8.4 if ATS Bus 2.0 or 2.5 is installed.
Upgrade from ServiceControl 3.8.4 to ServiceControl 4.20.2 if ATS Bus 2.0, 2.5, 2.6 or 2.7 is installed.
Upgrading from ATS Bus 2.0 to 2.8 requires an upgrade to ServiceControl 2.1.3 first, then to version 3.8.4 and finally to version 4.20.2.
Always create a backup of the ServiceControl Data. Please visit https://docs.particular.net/servicecontrol/backup-sc-database for instructions.
Upgrade from ServiceControl 1.47.5 to 2.1.3
There are 2 methods of performing this upgrade:
In-place upgrade to version 2 (intrusive). This migrates the existing database to a newer version. This upgrade cannot be rolled back and therefore a backup is required! The migration can take a long time depending on the amount of messages in the ServiceControl database.
Side-by-side upgrade to version 2 (less intrusive). This involves running a second instance of ServiceControl to be deployed. Please be advised that the old ‘audit’ and ‘error‘ queues should be renamed as ATS Bus cannot configure different names for the ‘audit’ and ‘error’ queues.
For further information on the methods to perform the upgrade, please visit https://docs.particular.net/servicecontrol/upgrades/1to2
Upgrade from ServiceControl 2.1.3 to 3.8.4
Upgrading to ServiceControl 3.8.4 can be done in place. The ServiceControl application should be upgraded first. The ServiceControl Management tool can then be used to upgrade the ServiceControl instance.
For further information on upgrading the ServiceControl, please visit https://docs.particular.net/servicecontrol/upgrades/2to3
Upgrade from ServiceControl 3.8.4 to 4.20.2
The ServiceControl application should be upgraded first. The ServiceControl Management tool can then be used to upgrade the ServiceControl instance.
The most significant change in ServiceControl 4.20.2 is that the ServiceControl instance does not maintain the 'audit' queue and only maintains the control and error. Audit messages are maintained via a separate ServiceControl Audit instance. Please read the 'Disk space requirements' section at the URL below as it details the impact on disk space and compacting the ServiceControl embedded database.
For further information on upgrading the ServiceControl, please visit https://docs.particular.net/servicecontrol/upgrades/3to4
ServicePulse (1.30.0) and ServiceInsight (2.8.0) can be installed after ServiceControl is installed and running.
Register ATS Bus application in ATS Security
Before starting the installation, the ATS Bus application needs to be registered in ATS Security.
Browse to the ATS Security URL and login with a user that has rights to edit applications.
Click the Security card and press Open.
Click the Applications card and press Add Application.
Enter the following information about the new application:
Name: Enter a name for the application, for example ATS Bus.
The name assigned to the application must be unique within ATS Security.
Description (optional): Enter a description for the application that can be seen in the applications grid card.
Application logo and/or background image (optional): Upload a logo image and/or background image for the application.
Press Add and edit.
If the application was added successfully, the pane will refresh and feature a new Application Id field and the Application status field will display Created.
Acquire Application ID for ATS Bus application
During the installation of the ATS Licensing Server services, an Application ID is required. To obtain the Application ID, hover over the Application Id field and copy the string by pressing the the copy 
icon.
Install ATS Bus Data Service
This section describes the ATS Bus installation process.
Close any application that controls Windows services like services.msc, computer management and the task manager before installing ATS Bus. They may interfere with the installation procedure.
Run the installer. The following screen will be displayed:
Click Next.
Select I accept the terms in the license agreement. Click Next.
Select one or more features that should be installed. Items can be installed individually.
Services (ATS Bus Data Service): The data service that serves as a bridge between the ATS Bus configuration database and applications and bus stops.
Database: Installs or overwrites the ATS Bus configuration database to an SQL Server. Do not enable this feature when upgrading ATS Bus, it will overwrite the existing database.
Click Next. The next dialog will depend on whether or not you're creating a new database.
When the database feature is selected
The following dialog asks for the SQL connection string to create the ATS Bus configuration database.
Fill in the required information to connect to the SQL Server to create the ATS Bus configuration database. The username and password must belong to an SQL Server user that has administrative privileges. These values can only be provided when the Trusted Connection is not selected. The Trusted Connection uses the Windows credentials of the user that executes the ATS Bus installer.
Clicking 
next to the Database drop down list will show which databases are already present on the SQL Server.
Click Next.
This dialog asks for the SQL login. Provide a Login ID and Password which are used by the ATS Bus data service to login to the ATS Bus configuration database.
The Login ID and Password are different from the one used to logon to ATS Bus Cockpit.
Click Next.
When the database feature is not selected
The following screen is shown if the database is not selected but the Data Service is as the Data Service needs to know how to access the database.
This dialog does not create a new ATS Bus configuration database but connects to an existing one using the SQL user Logon ID and Password.
Enter the required information and click Next.
For All Installations
This dialog configures the endpoint details for the licensing server.
Provide the Hostname and Port Number of the licensing server and click Next.
If the Database feature is not selected, the endpoint is prefilled using information from the current database.
ATS Bus uses ATS Security to authenticate users. Authentication happens through an authentication endpoint and this dialog is used to provide that endpoint to the ATS Bus Data Service.
ATS Security Manager endpoint: Enter the endpoint for Security Manager.
If the Database feature is not selected, the endpoint is prefilled using information from the current database.
The endpoint should include the FQDN and be in the following format: https://hostname.domain:5000
Application ID: Paste the application ID gathered in section Acquire Application ID for ATS Bus application. Click Next.
Provide the HTTP schema and port to configure the data service endpoint. Use 'https' when a secure endpoint is required.
Use 'http' when the service is deployed behind a reverse proxy because the reverse proxy will serve as a terminating endpoint for the secure connection, therefore https is not required.
The Base path is only required when the service runs behind a proxy server. The base path starts with a forward slash. E.g. /busservices/dataservice. This will yield the following endpoint: http://fqdn/busservices/dataservice.
Click Next.
Select a certificate from the dropdown, which will be used for all web API's and channels that have TLS enabled. The dropdown shows certificates in the Personal folder that have their intended use set to Server Authentication.
Click Next.
Click Install. This will create the database when the Database feature has been selected and create and start the ATS Bus Data Service when the Services feature has been selected. The installer also creates log sources, installs certificates and makes sure that the data service is started when Windows starts.
The process of upgrading from older versions of ATS Bus to version 3.3 use the database migration tool. Updates to future versions of ATS Bus will handled by the ATS Bus Data Service once it starts.
Click Finish to close the installer.
Install ATS Bus Cockpit
This section describes the ATS Bus Cockpit installation process.
Run the installer. The following screen will be displayed:
Click Next.
Select I accept the terms in the license agreement. Click Next.
Select the installation folder for Cockpit. Click Next.
Provide the ATS Bus Data Service configuration endpoint. Click Next.
Click Install to install the application.
Click Finish to close the installer.
Configuration of roles for ATS Bus Configuration
After the successful installation of ATS Bus the status of the registered ATS Bus application in ATS Security should be set to Configuration Uploaded. This indicates that the ATS Bus application rights have been uploaded to ATS Security and can be assigned to ATS Security roles, which in turn can be assigned to users.
ATS Bus includes the following application permissions:
AtsBusConfigurationRead
AtsBusConfigurationWrite
AtsBusWorkOrderHandlingRead
AtsBusWorkOrderHandlingWrite
AtsBusMonitoringRead
AtsBusBusStopRestart
For more information on creating and managing user accounts, please visit the ATS Security online help here.
ATS Bus must be installed before ATS Security is configured.
Create an ATS Bus role
Create a new role in ATS Security i.e. ATSBusAdmin. For further information on creating user roles, click here.
Select the Rights tab and expand the ATSBus list.
Assign all permissions to the new role. For further information on editing roles, click here.
Assign the new role to a user that can authenticate through ATS Security such as an admin user. For further information on editing users, click here.
Alternatively, assign all permissions to an existing admin role.
Users assigned with the new permissions are required to log out and sign in again for the changes to take effect.
The user and role configurations are completed. The user can log into ATS Bus Cockpit using the Admin account.
Additional identity providers such as active directory can be configured to provide access e.g. via the current windows login.
Install a Bus Stop
This section describes the installation process for every Bus Stop type.
If an earlier version is present it must be uninstalled before proceeding.
Run the installation executable and click Next.
Select I accept the terms in the License Agreement and click Next.
Select an installation folder.
The OT, IT and ADOS bus stop install to C:\Program Files\.
The OT bus stop installer will also display a tab with a list of features under a Features tab. The installation directory can be configured in the Installation folder tab.
Click Next.
Enter the name of the bus stop. This is the name it will use during configuration.
Select Use TLS to specify that all endpoints will use TLS. This setting is configures the default certificate in the appsettings.json file.
Provide a base path if the bus stop is deployed behind a reverse proxy.
The bus stop may only contain the following characters: 'a'-'z', 'A'-'Z', '0'-'9' and '_'
This bus stop name will also be used as folder name in which the installer will copy the assemblies and configuration files of that bus stop.
Step 9 will be skipped if Use TLS is set to No.
Click Next.
This dialog allows users configure a default certificate that is used for all web API’s, which are hosted by the bus stop and have Use TLS set to Yes.
Set Allow invalid certificates to Yes if self-signed certificates are used. Also make sure to add a copy of the self-signed certificate to the Trusted Root Certification Authorities store.
Click Next.
For further information on configuring certificates, please click here.
Provide the ATS Bus Data Service configuration endpoint.
The default port of the ATS Bus 3.0 data service configuration endpoint is 9704. The hostname of the endpoint should match one of the hostnames provided in the Subject Alternative Name section of the certificate that secures the configuration endpoint.
Click Next.
Click Install.
When the application has successfully installed the following screen will be shown. Click Finish to close the installer.
Install OPC UA Browsing Service
The ATS Bus OPC Browsing Service is required when the ATS Bus Configuration application does not have direct access to OPC UA Server (for example, the configuration application is installed in the cloud for browsing). It should be installed close to the computer where OPC Server is installed. An OT OPC client channel is used to connect to the browsing service.
Run the OPC UA Browsing Service installer and click Next.
Select I accept the terms in the License Agreement and click Next.
Select an installation folder and click Next.
Select https to specify that the endpoint will use TLS. This setting configures the default certificate in the appsettings.json file.
Enter a port number for the browsing service endpoint.
Provide a base path when the bus stop is deployed behind a reverse proxy.
Press Next.
The following dialog screen is only displayed when HTTP schema is set to https in the previous step. This dialog allows users to configure a default certificate that is used for all web API’s which are hosted by the browsing service.
Set Allow invalid certificates to Yes if self-signed certificates are used. Also make sure to add a copy of the self-signed certificate to the Trusted Root Certification Authorities store.
Press Next.
Provide the ATS Bus Data Service configuration endpoint.
Enter the GUID for the browsing service instance in the Client id field.
Enter a description of the OPC server in the the Client description field. All fields on this dialog are mandatory.
Press Next.
Click Install.
When the application has successfully installed the following screen will be shown. Click Finish to close the installer.
The Swagger interface can be used to test whether the service is properly installed. To test the service, use the following url:
<configured_endpoint>/swagger
It provides documentation for the resources and methods supported by the service RESTful API’s and allows these methods to be invoked.
Update ATS Bus
To update ATS Bus the current application must be uninstalled before installing a newer version. The user must unselect the database feature in the feature selection window before proceeding with the new installation. Keeping the database feature selected creates a new copy of the ATS Bus database for the version that is installed or it may overwrite an existing one.
It is highly recommended that the current database be backed up prior to installing the new version.
Update from ATS Bus 2.6 to 2.7 (or newer)
The ATS Bus 2.7 and newer configuration databases store the configuration data as XML containers instead of storing it as relational data. When upgrading to 2.7, the installer first scans the ATS Bus 2.6 configuration database and updates it to the latest 2.6 version.
It is highly recommended that the current database be backed up prior to installing the new version.
Next, a conversion tool will convert the relational data to XML containers and save everything to a new database. Finally, a migration script will migrate the new configuration database to the version that is being installed.
The OperationsCapability messages in ATS Bus 2.6 and earlier use ‘topics’ to route and handle the messages. ATS Bus 2.7 and onwards use ‘operations’ for this because other Operations* messages like OperationsPerformance and OperationsSchedule also use ‘operations’ to route and handle these messages. The database migration tool in the ATS Bus data service installer executes the following actions:
Deletes the PublishAsOperationsCapability actions from the OT bus stop channel message configuration. The user must reconfigure these actions in the channel message handling tab of the OT bus stop.
Deletes all PublishWithTopic actions in the ADOS, Cloud and IT bus stop from channel messages that handle an OperationsCapability. The user must recreate these actions in the channel message handling tab of the OT, IT and ADOS bus stop and use the PublishOnTheBus action instead of the PublishWithTopic action.
Removes the subscriptions for the ProcessOperationsCapability messages from the bus messages tab in the OT, IT and ADOS bus stop. The subscriptions for these messages must be reconfigured and use ‘operations’.
o Removes the export actions from the ProcessOperationsCapability bus messages, the user must reconfigure these actions and assign them to the ‘operation’.
ATS Bus 2.7 uses a newer version of the Impinj Octane SDK which requires the following actions:
Copy the XML configuration from ATS Bus Cockpit to a text editor before updating to ATS Bus 2.7, do this for all RFID channels.
Update to version 2.7.
Go to the RFID channel configuration and press the ‘Use Default’ button in the ‘XML Reader Settings’ control. This will create a new configuration.
Copy the newly created configuration into a text editor.
Create a working copy of the original configuration.
Insert the following XML statement just above the ‘XArray’ node:
<ReducedPowerFrequenciesInMhz />
Rename ‘XArray’ to ‘SpatialConfig’
Set the SpatialConfig Mode to ‘Direction’, ‘Inventory’ or ‘Location’
Add the following nodes to the ‘Location’ nodeset (inside the ‘SpatialConfig’):
<MaxTxPower>true</MaxTxPower>
<TxPowerInDbm>30</TxPowerInDbm>
<DisabledAntennaList />
<LocationAlgorithmControl />
Remove the complete ‘Transition’ nodeset from ‘SpatialConfig’
Add the following to the ‘SpatialConfig’ nodeset:
<Direction>
<EnabledSectorIDs />
<TagAgeIntervalSeconds>20</TagAgeIntervalSeconds>
<UpdateIntervalSeconds>5</UpdateIntervalSeconds>
<UpdateReportEnabled>true</UpdateReportEnabled>
<EntryReportEnabled>true</EntryReportEnabled>
<ExitReportEnabled>true</ExitReportEnabled>
<FieldOfView>Wide</FieldOfView>
<Mode>HighPerformance</Mode>
<TagPopulationLimit>0</TagPopulationLimit>
<DiagnosticReportEnabled>false</DiagnosticReportEnabled>
<MaxTxPower>true</MaxTxPower>
<TxPowerInDbm>30</TxPowerInDbm>
</Direction>
Check if the working copy of the RFID editor has the same elements as the newly created configuration.
Copy the XML from the working copy in the XML Reader Settings section in the RFID channel configuration in ATS Bus Cockpit.
Configure to Run as Local or Domain User
By default, ATS Bus services (data service, browsing service or bus stop) run under the ‘Local System’ account but IT departments may need to run the services under a dedicated user account. This document provides information on how to achieve this. The following topics will be addressed:
Running the ATS Bus services as a dedicated local or domain user.
Setting up OPC DA (Workcenter bus stop OPC DA channel).
Build-in Accounts, Users, Groups and Permissions
Applications and services require a user or build-in account to execute and access resources (objects). The following build-in accounts are often used to run services:
Local System (NT AUTHORITY\System)
Has unrestricted access to all local resources.
More powerful that Administrator account.
The Local System account uses the PC account (hostname$) to login on the remote computer if both systems are in the same domain.
The Local System account uses the ANONYMOUS LOGON account to login on the remote computer if both systems are not in the same domain.
Network Service (NT AUTHORITY\Network Service)
Has restricted access to local resources.
The Network Service account uses the PC account (hostname$) to login on the remote computer if both systems are in the same domain.
The Network Service account uses the ANONYMOUS LOGON account to login on the remote computer if both systems are not in the same domain.
Local Service (NT AUTHORITY\Local Service)
Has restricted access to local resources.
The Local Service account always uses the ANONYMOUS LOGON account to login on the remote computer.
There are 2 types of user account, a local account and a domain account. A local account only has access to local computer resources and a domain account can be used to authenticate a domain user on multiple systems within a domain. In a workgroup configuration, machines cannot resolve each other’s local accounts because they do not share the same security database. Therefore, remote users are authenticated using the ANONYMOUS LOGON account.
A group is a collection of users and it simplifies the administration of user rights. Users inherit their rights from a group if they are a member of that group. The build-in group ‘Everyone’ represents local and domain accounts that the local computer knows.
Permissions apply to objects like files, services and so on and can be granted to domain (and trusted domain) users, groups and local users and groups (of the computer where the object is located). Permissions will indicate if a user or group can perform a specific operation on that object e.g. Execute permission can be assigned to a specific group, then only members of that group can execute that service. Other users that are not members of that specific group are denied the ability to execute the service. A user of that group can be denied permission by explicitly denying the permission for that user.
Follow the guidelines below when updating permissions:
Permissions on local objects (files, directories and queues) do not have to change when all ATS Bus services run as LOCAL SYSTEM on one single computer, this account has enough privileges to access all objects on the local computer.
Permissions for local objects should change when ATS Bus services run under a local or domain user account. Object permission must include this user account.
Remote object permissions (shares, queues, etc…) must include the:
computer account (hostname$) of the system that runs the ATS Bus services as LOCAL SYSTEM when working from within a domain.
the domain user account of the user that runs the ATS Bus services in a domain.
the ANONYMOUS LOGON account when the ATS Bus services use local computer accounts. Remote nodes cannot authenticate local users since they reside in other security databases.
How to Change File and Directory Permissions
Changing file and directory permissions are handled by the security tab in the file or directory property dialog.
Use the windows file explorer to navigate to the file or directory and use the context menu to bring up its properties.
Select the Security tab.
Click Edit to add/remove users or groups from the object permissions.
Click Add to add a computer, local, domain or ANONYMOUS LOGON account.
Make sure Computers is in the list of object types. If it isn't click Object Types to add it.
Click Locations… to select the location where the account may reside.
Click Check Names… to verify if the entered account exists.
Click OK to return to the previous dialog.
Set the permissions for the account that has been added.
Make sure that all groups and users listed in this dialog should be there and click OK to return to the properties dialog.
Click OK to confirm the changes and close the properties dialog.
Sub directories inherit permissions from parent directories. Files inherit permissions from the parent directories.
How to Change File Sharing Permissions
Directory sharing permissions are handled in the sharing tab in the directory property dialog.
Use Windows file explorer to navigate to the directory you want to share and use the context menu to bring up its properties.
Click Share in the Sharing tab and a dialog appears that allows accounts to be added.
Enter the following:
<AccountName>: Local or domain user account.
ANONYMOUS LOGON: The Anonymous logon account.
<COMPUTERNAME>$: Add a computer account.
Click Share. The directory sharing dialog opens.
This action modifies the share permissions and underlying file system permissions. The Advanced Sharing… button only modifies the sharing permission and not the underlying file system permissions. For more information visit the Technet website.
How to Run the ATS Bus Services Using a Dedicated Local or Domain Account
Make sure you have permissions allowing you to update service properties.
Go to the Services dialog (press WIN + R and enter services.msc)
Right click the ATS Bus service (bus stop, data service, browsing service) and select Properties from the context menu.
Select the Log On tab, select the This account radio button and click Browse to browse for the dedicated ATS Bus user account that has been created.
Enter the password for the user and click OK.
Stop the ATS Bus service. Do not restart the service because more changes are required:
File and directory permissions must be updated for the bus stops for the following files and directories:
C:\Program Files (x86)\Applied Tech Systems\ATS Bus Bus Stop\<XXX>\instance-mapping.xml’ where <xxx> resembles the bus stop name. This file may be moved to another location in the future.
All files and folders under C:\ProgramData\Applied Tech Systems\ATS Bus\<XXX>. <XXX> resembles the bus stop name.
Network sharing permission must be changed for:
The attachments directory which is located at: C:\ProgramData\Applied Tech Systems\ATS Bus\<XXX>\Attachments. The directory should be shared and access must be allowed to the ANONYMOUS LOGON account.
The Permissions of the NServiceBus DataBus file share must contain the proper permissions. The share name is configured in the ATS Bus configuration database.
The ATS Bus service can be started after the previous items have been addressed.