Configure Windows authentication
Microsoft recommends to use Windows authentication when you connect to a Microsoft SQL Server. This is more secure than SQL Server authentication.
- Depending on the configuration of your database server, you can use Windows authentication on server-level or database-level. If you switch between authentication modes on server-level, other databases on this server will also be affected.
- You can only use Windows authentication if all Identity Director components are member of a domain in the same AD forest or of a trusted domain (typically single-tenant sites). In an environment with disjointed AD connectivity (typically in multi-tenant sites), Windows authentication is not supported.
- Windows authentication is not supported on Domain Controllers and on Microsoft Windows Small Business Server.
- In Microsoft Active Directory, create a Group for service accounts.
- Create an Active Directory User that is a member of this service accounts group.
- Create the following policy:
- Log on as a service for the service accounts group.
- Add the service accounts group to the local administrators group.
- Link the policy to the OU that contains the devices running the Management Portal, Setup and Sync Tool and/or Transaction Engine.
- Open Microsoft SQL Server Management Studio.
- In the Security folder, create a new login.
- Click Search and then Object Types.
- Add the service accounts group that you created earlier.
- Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool).
- Create a new default database with the following settings:
- Size 150MB, autogrow 25MB
- Log 75MB, autogrow 10MB
- Open the properties of the service accounts group.
- On the User Mapping tab, select the database that you just created.
- In Database Role Membership, select the db_owner role.
- All users who need access to the Management Portal and Setup and Sync Tool need at least the following rights on the Datastore:
- DB_Datawriter: To adjust these rights, do the following:
- Create an Active Directory group.
- Add all users who need access to the Management Portal and Setup and Sync Tool to this Active Directory group.
- Add this group in the Security node on the SQL server.
- Under User Mapping select the Identity Director Datastore and select the roles db_datareader and db_datawriter.
- Add the account that is going to create the database tables and add the role DBO.
- Alternatively, when using accounts from another domain:
- Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool) and the service account group to a domain local group.
- In Microsoft SQL Server Management studio, add the domain local group to the database as db_owner.
- Install Identity Director with a user that has the role DBO.
- After installation of the Management Portal, change the application pool on the IIS server to run under the domain account that has sufficient access to the database.
- Start the Management Portal.
- When prompted, do NOT create a new database, but connect to the one that you just created.
- Provide the required information and select Windows Authentication.
- Specify the Service Account in the format: DOMAIN\username.
- Click Save.
- When you connect to the database, confirm to create the required tables.
- On the Microsoft SQL Server, switch the authentication mode for the Identity Director Datastore from mixed mode authentication to Windows Authentication.
- Follow the steps as described above, but skip the step where you create a new database.
- On the IIS server of the Management Portal, change the application pool to run under the domain account that has sufficient access to the database.
- Start the Management Portal and at Setup > Datastore select Windows Authentication.
- Provide the service account credentials and click Connect.
In addition, configure the Transaction Engine. The Transaction Engine service needs to run under the service account with access rights to the database. You need to configure this manually:
- For manual installations of the Transaction Engine, you can configure Windows Authentication settings in the installation wizard.
- For unattended installations of the Transaction Engine, provide an empty value for the public property DBUSER.
You can configure these settings by starting the configuration wizard of the Transaction Engine, using a (service) account with access rights to the database:
"%ProgramFiles%\RES Software\IT Store\Transaction Engine\resote.exe" /configdb
You can also do this silently with the following command line:
"%ProgramFiles%\RES Software\IT Store\Transaction Engine\resote.exe" /configdb /silent /dbtype=<dbtype> /dbserver=<server> /dbname=<database> /dbuser= /dbencryption=<yes/no>
Windows Authentication will only be used if the /dbuser argument has an empty value (... /dbuser= /dbencryption=no....). In this situation, the value of the /dbpassword argument will be ignored.