Integrated security for DB access from Vault app pool

This forum is now locked, since Gold Support is no longer offered.

Moderator: SourceGear

popezilla
Posts: 57
Joined: Tue Jul 13, 2004 1:17 pm
Location: MD

Integrated security for DB access from Vault app pool

Post by popezilla » Fri Jun 29, 2007 6:11 am

In this article: http://msdn2.microsoft.com/en-us/library/ms998292.aspx

Microsoft talks about the benefits of authenticating to the SS from an ASP.NET application using the App Pool's identity as a trusted subsystem.

I set up a test installation of separate Vault web server and SQL server to do this. Everything is working fine, but before I deploy this solution to production, I want to make absolutely sure I've not left something lurking in the shadows.

The steps I followed were not too difficult:
1 - change vault app pool identity to active directory user 'testvault'
2 - give the AD user 'testvault' RW access to these folders:
C:\Inetpub\wwwroot\VaultService\,
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys,
C:\Inetpub\wwwroot\VaultService\VaultShadowFolder, and
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files.
3 - give AD user 'testvault' dbo perms on sgvault and sgmaster databases
4 - remove the identity impersonate setting in web.config if there
5 - ensure the web.config connect string uses Integrated Security='true'

One red flag in my mind about this is: Maybe SourceGear didn't add this option to their Vault installation for a reason.

Thanks.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Fri Jun 29, 2007 10:47 am

I didn't see anything wrong here, but I believe this is what is done automatically when you use a Custom Process Account in the IIS Process Model screen during installation.

popezilla
Posts: 57
Joined: Tue Jul 13, 2004 1:17 pm
Location: MD

The 'custom' option doesn't quite do it

Post by popezilla » Fri Jun 29, 2007 11:15 am

Not quite.

The custom option will do steps 2 and 3, but it will leave the app pool operating under NETWORK SERVICE instead of the 'testvault' AD account, and it adds the IMPERSONATE option to the web.config file with the 'testvault' AD account password in plaintext in the web.config file.

Since you do not see anything wrong with this approach, then can I make a request to add this to the installation options?

Thanks.
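Steps 4 and 5 of the first post (drop `<identity impersonate>`, switch the connection string to Integrated Security) and the plaintext-password observation in the post above both come down to the same question: does web.config still carry a credential? The following is an added example, not code from this thread or from SourceGear, that audits a web.config for exactly those two conditions. Both sample configs are constructed and use placeholder host, account and password values; the assumption that the connection string lives in a standard `<connectionStrings>` element is mine, since the thread does not show the real Vault file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the real Vault web.config): the layout the thread
# describes the installer's "Custom Process Account" option leaving behind,
# i.e. impersonation with a plaintext password plus a SQL login in the
# connection string. All names and values are placeholders.
WEBCONFIG_BEFORE = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Vault"
         connectionString="Data Source=SQLHOST;Initial Catalog=sgvault;User ID=vaultsql;Password=PLACEHOLDER_PWD" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="DOMAIN\\testvault" password="PLACEHOLDER_PWD" />
  </system.web>
</configuration>
"""

# Constructed sample after steps 4 and 5: no <identity impersonate>, and the
# connection string relies on the app pool identity via Integrated Security.
WEBCONFIG_AFTER = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Vault"
         connectionString="Data Source=SQLHOST;Initial Catalog=sgvault;Integrated Security=true" />
  </connectionStrings>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""

# Values SqlClient accepts as "authenticate with the process identity".
TRUTHY = {"true", "yes", "sspi"}


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    SqlClient keys are case-insensitive; values are kept as written."""
    parts = {}
    for item in cs.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def uses_integrated_security(parts):
    """True when the connection would use Windows auth (no SQL password needed)."""
    for key in ("integrated security", "trusted_connection"):
        if parts.get(key, "").lower() in TRUTHY:
            return True
    return False


def audit_web_config(xml_text):
    """Return a list of findings describing credentials stored in the config."""
    findings = []
    root = ET.fromstring(xml_text)

    # <identity impersonate="true" userName=... password=...>: the plaintext
    # password case described in the thread.
    for ident in root.iter("identity"):
        if ident.get("impersonate", "").lower() == "true":
            if ident.get("password"):
                findings.append("identity: impersonation enabled with a plaintext password in web.config")
            else:
                findings.append("identity: impersonation enabled (fixed account rather than the app pool identity)")

    # <connectionStrings><add connectionString=...>: flag SQL logins with
    # embedded passwords; Integrated Security needs none.
    for add in root.iterfind("./connectionStrings/add"):
        parts = parse_connection_string(add.get("connectionString", ""))
        if uses_integrated_security(parts):
            continue
        if "password" in parts or "pwd" in parts:
            findings.append(f"connectionStrings/{add.get('name')}: SQL login with password in web.config")
        else:
            findings.append(f"connectionStrings/{add.get('name')}: not using Integrated Security")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", WEBCONFIG_BEFORE), ("after", WEBCONFIG_AFTER)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run against a real file with `audit_web_config(open(path).read())`; an empty result means the file holds no SQL or impersonation password and database access rides on whatever identity the app pool runs as, which is the trusted-subsystem arrangement the first post set out to reach.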

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Post by Beth » Fri Jun 29, 2007 4:02 pm

I can put in the request for the developers to review. Thanks for the feedback.
