> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.
# SharpHound Enterprise Local Configuration
The local configuration of SharpHound Enterprise occurs within two files: [settings.json](#settings-json) and [auth.json](#auth-json). Their file paths can be found in the table below. Note that `%AppData%` is the directory of the service account: `C:\\Users\\SERVICE_ACCOUNT$\\AppData\\Roaming`.
When using Integrated Windows Authentication (IWA), the `auth.json` file is not used; all authentication information is provided in `settings.json` instead.
| **SharpHound File** | **Default Path (v2.5.8+)
** | **Default Path (\<= v2.5.8)
** |
| ------------------- | ----------------------------------------------------- | ----------------------------------------------------- |
| Configuration File | `%AppData%\\BloodHoundEnterprise\\settings.json` | `C:\\Program Files (x86)\\SHService\\settings.json` |
| Authentication File | `%AppData%\\BloodHoundEnterprise\\auth.json` | `C:\\Program Files (x86)\\SHService\\auth.json` |
| Active Logs | `%AppData%\\BloodHoundEnterprise\\*.log` | `%AppData%\\BloodHoundEnterprise\\*.log` |
| Archived Logs | `%AppData%\\BloodHoundEnterprise\\log_archive\\*.zip` | `%AppData%\\BloodHoundEnterprise\\log_archive\\*.zip` |
## Modifying SharpHound Settings
To modify any settings below on your SharpHound configuration, you must stop the SharpHound service. The process to modify SharpHound's settings files is as follows:
1. Stop the SharpHound Enterprise service: "SharpHound Delegator"
2. Edit and save the desired settings file. You may need to open the file as a local Administrator to save it.
3. Start the SharpHound Enterprise service: "SharpHound Delegator"
## Settings Files
### settings.json
Plaintext JSON file that defines information about how the service behaves, such as settings for connecting to the BloodHound Enterprise tenant, connecting to Active Directory, and writing logs.
An example of the file:
```json theme={null}
{
"RestEndpoint": "CODENAME.bloodhoundenterprise.io",
"RestPort": 443,
"SSL": true,
"CurrentJob": null,
"LogLevel": "Information",
"EnumerationLogLevel": "Information",
"TempDirectory": "C:\\Users\\gmsa_SHS$\\AppData\\Roaming\\BloodHoundEnterprise",
"Proxy": null,
"ComputerPasswordResetWindow": 60,
"ForceLDAPKerberosAuth": true,
"PortCheckTimeout": 10000,
"LDAPSSLPort": 636,
"LDAPPort": 389,
"ForceLDAPSSL": false,
"NumWorkers": 50,
"PartitionLDAPQueries": true,
"Version": "2.5.9.0"
}
```
#### Integrated Windows Authentication (IWA)
If using IWA instead of API tokens, you must include IWA-specific configuration fields in your `settings.json` file. These fields are required to enable SharpHound to authenticate using the service account's Windows credentials via Active Directory Federation Services (ADFS).
```json theme={null}
{
... (other settings) ...
"ProviderWellKnown": "https://adfs.example.com/.well-known/openid-configuration",
"ClientId": "12345678-1234-1234-1234-123456789012",
"Resource": "https://your-tenant.bloodhound.com",
"UseIntegratedWindowsAuthForADFS": true,
}
```
When using this configuration, do not include an `auth.json` file. The authentication credentials will be handled through ADFS using the service account's Windows identity.
The following table outlines supported fields and their default values:
| **Field** | **Type** | **Description** | **Default value** | **Example value** |
| ------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | ------------------------------------------------------------------------ |
| RestEndpoint | String | Your tenant domain, as provided by your account team
This field should contain a domain only; do not include URI information such as `https://` | `CODENAME.bloodhoundenterprise.io` | `demo.bloodhoundenterprise.io` |
| RestPort | Integer | TCP port which BloodHound Enterprise API runs on. | `443` | `443` |
| SSL | Boolean | Is the API SSL enabled | `True` | `True` |
| CurrentJob | Array | SharpHound utilizes this field to track the currently running task. It will be null when no task is running. | Do not modify this value. | Do not modify this value. |
| LogLevel | String | Logging verbosity level for the service itself. These logs appear in service.log within the configured TempDirectory location.
The following levels are supported from most to least verbose:
\* Trace
\* Debug
\* Information
\* Warning
\* Error
\* Critical
\* None | `Information` | `Trace` |
| EnumerationLogLevel | String | Logging verbosity level used during collection jobs.
The following levels are supported from most to least verbose:
\* Trace
\* Debug
\* Information
\* Warning
\* Error
\* Critical
\* None | `Information` | `Trace` |
| TempDirectory | String | Directory in which logs and temporary files are stored. Upon service start, if this value is null, the service will default to the `%APPDATA%\\BloodHoundEnterprise\\` directory belonging to the service user.
Logs are retained for 14 days.
Backslashes (\\) must be escaped for proper JSON formatting, i.e. double backslashes are required. | null | `C:\\Users\\**SERVICE_USER$**\\AppData\\Roaming\\BloodHoundEnterprise\\` |
| Proxy | String | HTTP Proxy URL if needed. | null | `proxy.acme.com:8080` |
| ComputerPasswordResetWindow | Integer | When performing local collections, any computer objects that have not rotated their password with the domain in this many days will be excluded. By default, computers in Active Directory rotated their passwords every 30 days.
*Minimum value: 7*
This Windows setting specifies how often the computer will [rotate its password](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age):
It is possible to [prevent](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes) a Windows computer from rotating its password completely with this setting: | `60` | `365` |
| ForceLDAPKerberosAuth | Boolean | Enforce the use of Kerberos authentication when querying LDAP servers. Disabling this may be required to collect across an External trust type (see [Cross-Trust Collection here](/collect-data/enterprise-collection/cross-trust)).
Setting this value to False means that SharpHound will auto-negotiate authentication to domain controllers, preferring Kerberos if available. | `False` | `True` |
| PortCheckTimeout | Integer | In milliseconds, SharpHound will wait for a response on port 445/TCP before considering the system unavailable.
*Minimum value: 200*
*Requires SharpHound Enterprise v2.2.1+* | `10000` | `15000` |
| LDAPSSLPort | Integer | TCP port utilized for collection on LDAP over SSL.
*Requires SharpHound Enterprise v2.2.1+* | `636` | `636` |
| LDAPPort | Integer | TCP port utilized for collection on LDAP. | `389` | `389` |
| ForceLDAPSSL | Boolean | Force the use of LDAP over SSL.
Setting this value to False means that SharpHound will attempt LDAP over SSL first, before falling back to signed and sealed LDAP.
*Note: this control forces SharpHound to collect using LDAP over SSL where possible. LDAP negotiation may occur for some functionality. Additionally, some AD Structure collection may occur from existing .Net APIs that are used for resolution.*
*Requires SharpHound Enterprise v2.2.1+* | `False` | `False` |
| NumWorkers | Integer | The number of concurrent threads performing privileged collection.
*Minimum value: 10*
*Maximum value: 100*
*Requires SharpHound Enterprise v2.2.1+* | `50` | `50` |
| PartitionLDAPQueries | Boolean | Whether SharpHound should split LDAP queries into multiple parts, used when querying very large domains. | `True` | `True` |
| Version | String | The current version of SharpHound Enterprise. | Do not modify this value. | Do not modify this value. |
| ProviderWellKnown | String | \[IWA Only] The ADFS well-known endpoint URL for Integrated Windows Authentication. This is typically the ADFS server address with "/.well-known/openid-configuration" appended. Required when `UseIntegratedWindowsAuthForADFS` is enabled. | null | `https://adfs.example.com/.well-known/openid-configuration` |
| ClientId | String | \[IWA Only] The Client ID generated by BloodHound during collector client creation. Used to identify SharpHound to the ADFS server. Required when `UseIntegratedWindowsAuthForADFS` is enabled. | null | `12345678-1234-1234-1234-123456789012` |
| Resource | String | \[IWA Only] The BloodHound Enterprise tenant URL used as the resource identifier for the ADFS application. Required when `UseIntegratedWindowsAuthForADFS` is enabled. | null | `https://your-tenant.bloodhoundenterprise.io` |
| UseIntegratedWindowsAuthForADFS | Boolean | \[IWA Only] Enable Integrated Windows Authentication via ADFS. When set to `true`, SharpHound authenticates using the service account's Windows credentials against the configured ADFS server. The `auth.json` file is not used when this is enabled. Requires `ProviderWellKnown`, `ClientId`, and `Resource` to be configured. | `False` | `True` |
### auth.json
Plaintext JSON file that defines the credentials the service uses to authenticate to the BloodHound Enterprise API. Creating a new client or rotating the credentials of an existing one will provide you with the complete JSON structure used for a SharpHound Enterprise client.
An example of the file:
```json theme={null}
{
"Token": "w4Tc+heVmaMTWgodlw0YlztaEGG53J/mwogiEZLvKE6WtylfYuoVEA==",
"TokenID": "0c6120ee-2fbe-478f-a864-2e264f9c16d2"
}
```
The following table outlines supported fields and their default values:
| **Field** | **Type** | **Description** | **Default value** | **Example value** |
| --------- | -------- | ------------------------------------------------------------------------------------ | ----------------- | ---------------------------------------------------------- |
| Token | String | Used by SharpHound Enterprise to authenticate with the BloodHound Enterprise tenant. | null | `w4Tc+heVmaMTWgodlw0YlztaEGG53J/mwogiEZLvKE6WtylfYuoVEA==` |
| TokenID | String | Unique identifier for the token. | null | `0c6120ee-2fbe-478f-a864-2e264f9c16d2` |