Identity Director Setup and Sync Tool


Configure Windows Authentication

Use the node Setup > Datastore to manage the Datastore connection settings of the Setup and Sync Tool.

When you connect to a Microsoft SQL Server, Microsoft recommends using Windows authentication. This is more secure than SQL Server authentication.

  • Depending on the configuration of your database server, you can use Windows authentication at server level or at database level. If you switch between authentication modes at server level, other databases on this server are also affected.
  • You can only use Windows authentication if all Ivanti Identity Director components are members of a domain in the same AD forest or of a trusted domain (typically single-tenant sites). In an environment with disjoint AD connectivity (typically multi-tenant sites), Windows authentication is not supported.
  • Windows authentication is not supported on Domain Controllers and on Microsoft Windows Small Business Server.

New installations

  1. In Microsoft Active Directory, create a Group for service accounts.
  2. Create an Active Directory User that is a member of this service accounts group.
  3. Create the following policy:
    1. Log on as a service for the service accounts group.
    2. Add the service accounts group to the local administrators group.
  4. Link the policy to the OU that contains the devices that run the Management Portal, Setup and Sync Tool, Transaction Engine and/or Catalog Services.
  5. Open Microsoft SQL Server Management Studio.
    1. In the Security folder, create a new login.
    2. Click Search and then Object Types.
    3. Add the service accounts group that you created earlier.
    4. Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool).
  6. Create a new default database with the following settings:
    • Size 150MB, autogrow 25MB
    • Log 75MB, autogrow 10MB
  7. Open the properties of the service accounts group.
  8. On the User Mapping tab, select the database just created.
  9. In Database Role Membership, select the db_owner role.
  10. All users who need access to the Management Portal and Setup and Sync Tool need at least the following rights on the Datastore:
    • db_datareader
    • db_datawriter
    To grant these rights, do the following:
    1. Create an Active Directory group.
    2. Add all users who need access to the Management Portal and Setup and Sync Tool to this Active Directory group.
    3. Add this group in the Security node on the SQL server.
    4. Under User Mapping, select the Identity Director Datastore and select the roles db_datareader and db_datawriter.
  11. Add the account that is going to create the database tables and add the role "dbo".
  12. Alternatively, when you use accounts from another domain:
    1. Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool) and the service account group to a domain local group.
    2. In Microsoft SQL Server Management studio, add the domain local group to the database as db_owner.
  13. Install Identity Director with a user that has the role "dbo".
  14. After installation of the Management Portal, change the application pool on the IIS server to run under the domain account that has sufficient access to the database.
  15. Start the Management Portal.
  16. Do NOT create a new database, but connect to the one that you just created.
  17. Provide the required information and select Windows Authentication.
  18. Specify the Service Account in the format: DOMAIN\username.
  19. Click Save. When you connect to the database, you need to confirm whether to create the required tables.
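The SQL Server Management Studio steps 5 to 12 above, expressed as T-SQL. This is an added example and not part of the Identity Director documentation; the CONTOSO domain, the group and account names, the database name and the file paths are placeholders to replace with your own. The two queries at the end verify the resulting role membership and the server authentication mode, which is also the check to run after the mode switch in the existing-installations procedure.

```sql
-- Added example (not from the Identity Director documentation): the T-SQL
-- equivalent of steps 5 to 12 above, run as a sysadmin in SQL Server Management
-- Studio. Domain, group, account, database names and paths are placeholders.
USE master;
GO

-- Step 6: the Datastore with the sizes given in the procedure
-- (data file 150 MB growing by 25 MB, log file 75 MB growing by 10 MB).
CREATE DATABASE [IdentityDirector]
ON PRIMARY
  ( NAME = N'IdentityDirector_data', FILENAME = N'D:\SQLData\IdentityDirector.mdf',
    SIZE = 150MB, FILEGROWTH = 25MB )
LOG ON
  ( NAME = N'IdentityDirector_log', FILENAME = N'D:\SQLLog\IdentityDirector.ldf',
    SIZE = 75MB, FILEGROWTH = 10MB );
GO

-- Step 5: Windows logins. FROM WINDOWS means SQL Server stores no password;
-- the domain controller authenticates the caller.
CREATE LOGIN [CONTOSO\ID-ServiceAccounts] FROM WINDOWS;   -- service accounts group
CREATE LOGIN [CONTOSO\ID-PortalUsers]     FROM WINDOWS;   -- step 10: portal users
CREATE LOGIN [CONTOSO\id-install]         FROM WINDOWS;   -- step 11: creates tables
GO

USE [IdentityDirector];
GO
-- Steps 7 to 9: map the service accounts group and make it db_owner.
CREATE USER [CONTOSO\ID-ServiceAccounts] FOR LOGIN [CONTOSO\ID-ServiceAccounts];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\ID-ServiceAccounts];
-- Step 11: the account that creates the tables (the "dbo" role is db_owner).
CREATE USER [CONTOSO\id-install] FOR LOGIN [CONTOSO\id-install];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\id-install];
-- Step 10: ordinary users get only db_datareader and db_datawriter.
CREATE USER [CONTOSO\ID-PortalUsers] FOR LOGIN [CONTOSO\ID-PortalUsers];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\ID-PortalUsers];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\ID-PortalUsers];
GO

-- Check 1: who holds which role in the Datastore. Apart from the built-in dbo,
-- db_owner should list only the service accounts group and the installing account.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
ORDER BY r.name, m.name;
-- Check 2: 1 = Windows authentication only, 0 = mixed mode still enabled.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

If step 12 applies (accounts from another domain), create the login for the domain local group instead and give that group db_owner in the same way.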

Existing installations that use SQL Server authentication

  1. On the Microsoft SQL Server, switch the authentication mode for the Identity Director Datastore from mixed mode authentication to Windows Authentication.
  2. Follow the steps as described above, but skip the step where you create a new database.
  3. On the IIS server of the Management Portal, change the application pool to run under the domain account that has sufficient access to the database.
  4. Start the Management Portal and at Setup > Datastore select Windows Authentication.
  5. Provide the service account credentials and click Connect.

Transaction Engine and Catalog Services

The Transaction Engine service and the Catalog Services service need to run under the service account with access rights to the database. You need to configure this manually:

New installations:

  • For manual installations of the Transaction Engine and Catalog Services, you can configure Windows Authentication settings in the installation wizard.
  • For unattended installations of the Transaction Engine and Catalog Services, you can use the public property on the command line: /dbwinauth=yes or /dbwinauth=no (to enable or disable the use of Windows Authentication).

Existing installations:

You can configure these settings by starting the configuration wizards of the Transaction Engine and Catalog Services, with a (service) account with access rights to the database.

  • Transaction Engine: "%ProgramFiles%\RES Software\IT Store\Transaction Engine\resote.exe" /configdb
  • Catalog Services: "%ProgramFiles%\RES Software\IT Store\Catalog Services\resocs.exe" /configdb