Using Windows Authentication for Database Access (Creating a Service Account)

If you plan on using Windows Authentication to access the SQL database, it is recommended that you create a service account. To do this, you can follow these steps:
  1. Create a local user or domain user
  2. Open IIS (start->run->inetmgr->OK)
  3. Impersonate as your service account if running version 6.2.000011 or greater
    OR
    Change the identity of your application pool
    • For IIS 6 (Windows XP, Server 2003), locate the application pool that Secret Server is using, right click on it, click properties, click the "Identity" tab, click the "Configurable" radio button, enter the service account user name and password, click "OK"
    • For IIS 7 (Windows Vista, Windows 7, Server 2008), locate the application pool that Secret Server is using, right click on it, click "advanced settings", click the "Identity" box in the "Process Model" section, click the three dots on the right of the box, click the "Custom Account" radio button, click "Set", enter your service account name and password, and click "OK"
  4. Open the command console (start->run->cmd)
  5. Change the directory to your .NET framework 2.0 installation directory using the "cd" command
    (usually "C:\Windows\Microsoft.NET\Framework\v2.0.50727" or "C:\Windows\Microsoft.NET\Framework64\v2.0.50727")
  6. Type in "aspnet_regiis -ga <domain name>\<user name>" and press enter. Replace the fields with the relevant values, omitting the domain name parameter for local accounts
  7. Give your service account "modify" access to C:\Windows\TEMP
  8. Give your service account "read & execute", "list folder contents", and "read" permissions on the file folder where Secret Server is installed (typically c:\inetpub\wwwroot\SecretServer). If you choose not to give it "write" and "modify" access, you will need another account for the installation process.
  9. Open SQL Server Management Studio, expand the "Security" folder, right click on the "Logins" folder, click "New Login"
  10. Type in the <domain name>\<user name> in the "name" text box, click "User Mapping" on the left, check the "Map" box next to your secret server database, check the "db_owner" checkbox near the bottom, and click OK
  11. Grant batch logon permissions to your service account
    • For a domain user, log on to your domain controller, open the Group Policy Management Console (start->run->gpmc.msc->OK), right click on "Default Domain Policy" under your domain, click edit, expand "Computer Configuration", expand "Policies", expand "Windows Settings", expand "Security Settings", expand "Local Policies", click on "User Rights Assignment", right click on "Log on as a batch job", click "properties", check the "define these policy settings" box, add your service account, and click "OK"
    • For a local user, open the Local Security Policy Console (start->run->secpol.msc->OK), expand "Local Policies", click on "User Rights Assignment", right click on "Log on as a batch job", click "properties", check the "define these policy settings" box, add your service account, and click "OK"
  12. Disable impersonation if enabled (unless you chose not to change your application pool identity in step 3)
    • In IIS 6.0, locate the web-identity config file in the website folder and set impersonation to false
    • In IIS 7.0, click the website, click Authentication, and set ASP.NET Impersonation to disabled.
  13. Go through the web installation wizard for Secret Server and select "Windows Authentication" in step number three
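The same procedure as a script, added here as an example and not part of the original article or the Secret Server installer. It assumes IIS 7.x with the WebAdministration PowerShell module, a hypothetical service account CONTOSO\svc_secretserver, an application pool and database both named "SecretServer", and the web site path "Default Web Site\SecretServer"; the batch logon right (step 11) is still granted through the policy console.

```powershell
# Added example (not from the article): automates steps 3 (IIS 7 path), 5-8, 10 and 12.
# Placeholder values; replace with your own account, pool, site, instance and database names.
# Run from an elevated PowerShell prompt on the web server.
$Account  = 'CONTOSO\svc_secretserver'
$Password = Read-Host -AsSecureString 'Service account password'
$Plain    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
$AppPool  = 'SecretServer'
$SitePath = 'Default Web Site\SecretServer'
$WebRoot  = 'C:\inetpub\wwwroot\SecretServer'
$SqlHost  = '.\SQLEXPRESS'
$Database = 'SecretServer'

# Step 3: run the application pool as the service account (identityType 3 = SpecificUser)
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel `
    -Value @{ userName = $Account; password = $Plain; identityType = 3 }

# Steps 5-6: register the account with ASP.NET 2.0 (prefers the 64-bit directory when present)
$Fx = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727'
if (-not (Test-Path $Fx)) { $Fx = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727' }
& (Join-Path $Fx 'aspnet_regiis.exe') -ga $Account

# Step 7: Modify on TEMP; step 8: Read & execute (which includes List folder contents and Read)
# on the install folder, inherited by subfolders (CI) and files (OI)
icacls "$env:windir\TEMP" /grant "${Account}:(OI)(CI)M"
icacls $WebRoot /grant "${Account}:(OI)(CI)RX"

# Step 10: Windows login mapped into the database as db_owner (sp_addrolemember is valid on SQL 2005/2008)
$Sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
EXEC sp_addrolemember N'db_owner', N'$Account';
"@
sqlcmd -E -S $SqlHost -Q $Sql

# Step 12: turn off ASP.NET impersonation so requests run under the pool identity, not the caller
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SitePath" -Filter 'system.web/identity' `
    -Name impersonate -Value $false

# Check: the identity the application will now present to SQL Server
(Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).userName
```

After step 11 is done in the policy console, a recycle of the application pool picks up the new identity.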

Article ID: 60, Created On: 10/19/2009, Modified: 11/25/2011