In this article: http://msdn2.microsoft.com/en-us/library/ms998292.aspx
Microsoft talks about the benefits of authenticating to the SS from an ASP.NET application using the App Pool's identity as a trusted subsystem.
I set up a test installation of separate Vault web server and sql server to do this. Everything is working fine but before I deploy this solution to production, I want to make absolutely sure I've not left something lurking in the shadows.
The steps I followed were not too difficult:
1 - change vault app pool identity to active directory user 'testvault'
2 - give the AD user 'testvault' RW access to these folders:
C:\Inetpub\wwwroot\VaultService\,
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys,
C:\Inetpub\wwwroot\VaultService\VaultShadowFolder, and
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files.
3 - give AD user 'testvault' dbo perms on sgvault and sgmaster databases
4 - remove the identity impersonate setting in web.config if there
5 - ensure the web.config connect string uses Integrated Security='true'
One red flag in my mind about this is: Maybe SourceGear didn't add this option to their Vault installation for a reason.
Thanks.
Integrated security for DB access from Vault app pool
The 'custom' option doesn't quite do it
Not quite.
The custom option will do steps 2 and 3, but it will leave the app pool operating under NETWORK SERVICE instead of the 'testvault' AD account, and it adds the IMPERSONATE option to the web.config file with the 'testvault' AD account password in plaintext in the web.config file.
Since you do not see anything wrong with this approach, then can I make a request to add this to the installation options?
Thanks.
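The two web.config states this thread contrasts, the installer's 'custom' option output (impersonation with the 'testvault' password in the file) and the trusted-subsystem result of steps 4 and 5 (no impersonate element, Integrated Security in the connect string), as an added audit script that is not SourceGear's code; the appSettings key name, SQL host and password are constructed placeholders, not values from Vault.

```python
import xml.etree.ElementTree as ET

def parse_connection_string(cs):
    # 'Key=Value;...' -> dict with lower-cased keys; SqlClient allows quoted values.
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs

def audit_web_config(xml_text):
    """Report how an ASP.NET app with this web.config would authenticate to SQL Server."""
    root = ET.fromstring(xml_text)
    result = {"impersonate": False, "plaintext_password": False,
              "integrated_security": False, "sql_credentials": False, "findings": []}
    ident = root.find("./system.web/identity")
    if ident is not None and ident.get("impersonate", "").lower() == "true":
        result["impersonate"] = True
        if ident.get("password"):  # what the installer's 'custom' option writes
            result["plaintext_password"] = True
            result["findings"].append("identity element stores the AD password in plaintext")
    # The connect string lives in some <add .../>; its key name is not assumed here.
    for add in root.iter("add"):
        pairs = parse_connection_string(add.get("connectionString") or add.get("value") or "")
        if not (pairs.keys() & {"data source", "server"}):
            continue
        mode = pairs.get("integrated security", pairs.get("trusted_connection", ""))
        if mode.lower() in ("true", "sspi", "yes"):
            result["integrated_security"] = True
        if pairs.keys() & {"user id", "uid", "password", "pwd"}:
            result["sql_credentials"] = True
            result["findings"].append("connection string carries a SQL login and password")
    if not result["integrated_security"]:
        result["findings"].append("connection string does not use Integrated Security")
    return result

# Constructed sample of what the thread says the 'custom' install option produces;
# key name, host and password are placeholders, not values from SourceGear.
IDENTITY_LINE = '<identity impersonate="true" userName="DOMAIN\\testvault" password="Pa55word" />'
CUSTOM_OPTION_CONFIG = f"""<configuration>
  <appSettings>
    <add key="ConnectString" value="Data Source=SQLHOST;Initial Catalog=sgvault;Integrated Security='true'" />
  </appSettings>
  <system.web>{IDENTITY_LINE}</system.web>
</configuration>"""
# Steps 4 and 5 of the thread: the same file with the impersonate element removed, so the
# app pool identity ('testvault') is the principal that reaches SQL Server.
TRUSTED_SUBSYSTEM_CONFIG = CUSTOM_OPTION_CONFIG.replace(IDENTITY_LINE, "")
```

Run `audit_web_config` over a deployed web.config before going to production: an empty findings list with `integrated_security` set is the trusted-subsystem state the first post describes.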