Running Vault Server under an Impersonated Windows Account

A collection of information about Vault, including solutions to common problems.

Moderator: SourceGear

Post Reply
jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Running Vault Server under an Impersonated Windows Account

Post by jclausius » Tue Jul 27, 2004 9:10 am

In certain environments, you may be required to run the Vault Server using a different Windows Identity through Impersonation. (http://support.sourcegear.com/viewtopic.php?t=188) This KB Post is for Windows Server 2008 R2, Windows Server 2012 ,and presumably Windows Server 2016

The following article lists a set of instructions you can use to configure Vault Server to run under an impersonated account. The example in this article uses a Domain Account. Note, it is unknown if a "mirrored" account will work, and that configuration is currently unsupported.

The text for this article was adapted from https://msdn.microsoft.com/en-us/library/ff649223.aspx
  1. Determine the Impersonation .NET Domain Account -
    If you do not already have a domain account available for use, create a new Domain User Account.

    To Create an account:
    Create an actual account on the Domain - for example, "MYDOMAIN\VaultServerAccount".
    • Make sure to use a strong password for the account.
    • Clear the "User must change password at next logon" option.
    • Select the "User cannot change password" option.
    • Select the "Password never expires" option.
    Next, ensure the account credentials work on the Web Server:
    • Log into the IIS/Vault Server machine as MYDOMAIN\VaultServerAccount using the password from the previous step.
    To configure the SQL Server, on the SQL Server machine:
    • Verify the Domain Administrator (MYDOMAIN\Administrator) has full administrative (sysadmin) rights on SQL Server.
    • If SQL Server will be installed on a different machine than the Vault Server, use SQL Server Configuration Manager, and review the SQL Server Network Configuration to ensure the network protocols are enabled. Most likely, TCP/IP can be used for the SQL Server traffic.
      • Note, the 32/64 bit Client Protocols may also have TCP/IP enabled, but it is uncertain if this is necessary for connectivity.
    To configure the Web Server, on the IIS/Vault Server machine:
    • Log into the IIS/Vault Server machine as MYDOMAIN\Administrator
    • Add Web Server Role and Web Services for ASP.NET. If you expand Application Development, and select the ASP.NET node, it should check the other required components (ISAPI Extensions, ISAPI filters, ASP.NET, etc.). Unchecked items may include ASP, CGI and Server Side Includes.
    After IIS is installed, verify both directories "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files" and "%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files" have a security entry for the Local IIS_USRS group.

    Next, from the Computer Management utility in the Control Panel, for Local Users and Groups, add MYDOMAIN\VaultServerAccount to the IIS_USRS group. This should automatically assign the correct permissions necessary for the Domain User to run an IIS Application Pool.

    Finally, install the Vault Server.
    • While still logged into the Vault Server as MYDOMAIN\Administrator, using an elevated command prompt running as Administrator, execute the command to launch msiexe.exe with the Vault Server installation. For example, "msiexec /i \\Path\to\VaultServer....msi"
    • On the "Choose IIS Process User", choose Custom, and enter the MYDOMAIN\VaultServerAccount and password.
    • On the SQL Server dialog, depending on the location of SQL Server, you can use (local)[\instancename] or the TCP/IP hostname[\instancename] of your SQL Server, and choose the SQL authentication mode of how you would like the Vault Server to connect to SQL Server (either SQL Authentication or Windows Authentication)
Jeff Clausius
SourceGear

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Re: Running Vault Server under an Impersonated Windows Accou

Post by jclausius » Wed May 11, 2016 1:41 pm

In certain environments, you may be required to run the Vault Server under Identity Impersonation. (http://support.sourcegear.com/viewtopic.php?t=188) This KB post is for Windows Server 2003 and earlier versions of Windows

UPDATE (for Windows 2003 Server and Earlier): SourceGear has provided a tool to set the impersonation called IdentitySwitcher. It is recommended that you use that to set impersonation. The following instructions are left here for archival purposes.

The following article lists a set of instructions you can use to configure Vault Server to run under an impersonated account. Please note, it is possible to configure the impersonated Windows account to run under a Windows Domain account or a Local Machine account. The examples in this article use a Domain Account, but the same instructions would also apply to the Local User / Local Groups on the Vault Server.

The text for this article was adapted from https://msdn.microsoft.com/en-us/library/ff649223.aspx

  1. Determine the Impersonation .Net Domain Account -
    If you do not already have a domain account available for use, create a new DOMAIN Account.

    To Create an account:
    Create an actual account on the Domain - for example, "DOMAIN\VaultServerAccount".
    • Make sure to use a strong password for the account.
    • Clear the "User must change password at next logon" option.
    • Select the "Password never expires" option.
  2. Verify Minimum Privileges for ASP.Net-
    This procedure assigns the minimum set of privileges necessary to run ASP.Net.

    To verify minimum privileges :
    1. From the Administrative Tools programs group, start the Domain Security Policy tool.
    2. Expand Local Policies, and then select User Rights Assignment. A list of privileges is displayed in the right pane.
    3. Verify the following privileges have been granted to the domain account:
      • Access this computer from the network
      • Log on as a batch job
      • Log on as a service
      Note - To assign a privilege to an account, double-click the privilege, and then click Add to select the required account.
    4. Close the tool.
  3. Assign NTFS Permissions -
    This procedure grants the custom ASP.NET account required NTFS permissions within the local file system.

    Note: The steps in this procedure apply to the file system on the Web server (and not on a remote computer, where you may be duplicating the account, for network authentication purposes).
    • FULL CONTROL - %WINDIR%\Microsoft.NET\Framework\<version>\Temporary ASP.NET Files
    • READ - .Net Framework hierarchy (%WINDIR%\Microsoft.NET\Framework\<version>)
    • READ - %WINDIR%\assembly¹
    • FULL CONTROL - %SYSTEMDRIVE%\Inetpub\wwwroot\VaultService
    • FULL CONTROL - %SYSTEMDRIVE%\Inetpub\wwwroot\VaultService\VaultShadowFolder
    • FULL CONTROL - %SYSTEMDRIVE%\Inetpub\wwwroot\VaultService\VaultIndexService
    • FULL CONTROL - %SYSTEMDRIVE%\Inetpub\wwwroot\VaultService\VaultNotifyService
    • READ / WRITE / MODIFY - %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys or %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys depending on operating system.
  4. It is recommended to Uninstall / Reinstall the Vault Server to complete the configuration for Identity Impersonation. Vault Server's installation will prompt for the IIS / ASP.Net process model (Machine, System or Custom). Choose the Custom option and provide the DOMAIN\VaultServerAccount for the account name.


    Note, If you have already installed the Vault Server, you can configure the server manually:
    • Open up the web.config file located in the VaultService virtual directory. The default location for this directory is %SYSTEMDRIVE%\Inetpub\wwwroot\VaultService.
    • Uncomment the identity element in the web.config file and replace the values for username and password with valid values.
    The identity element should look like this:
    <identity impersonate="true" userName="DOMAIN\WINDOWSACCT" password="plaintext_pwd"/>
You should now be ready to run Vault Server under the impersonated account.

¹ - This is the global assembly cache. You cannot directly use Windows Explorer to edit ACLs for this folder. Instead, use a command Windows and run the following command - cacls %windir%\assembly /e /t /p domain\useraccount:R
Alternatively, prior to using Windows explorer, unregister shfusion.dll with the following command - regsvr32–u shfusion.dll
After setting permissions with Windows explorer, re-register shfusion.dll with the following command - regsvr32 shfusion.dll
Jeff Clausius
SourceGear

Post Reply