Windows Authentication
When connecting to a Microsoft SQL Server, Windows Authentication can also be used.
- The authentication mode is a setting of the SQL Server instance, not of an individual database. Switching the instance to Windows Authentication mode affects every database hosted on it (existing SQL Server logins stop working), so check what else on the instance depends on the current mode before you change it. Access for Windows logins is then granted per database through user mappings, as described below.
- Windows Authentication is only supported in Ivanti Automation environments in which all components are members of domains in the same AD forest, or of domains that trust each other (typically single-tenant sites). In environments whose domains have no AD trust between them (typically multi-tenant sites), Windows Authentication is not supported.
Before you can start using Windows Authentication in Ivanti Automation to connect to the Datastore, follow these steps:
New installations
- In Microsoft Active Directory, create a Group for service accounts.
- Create an Active Directory User that is a member of this service accounts group.
- Create a Group Policy object that:
- Grants the service accounts group the "Log on as a service" user right.
- Adds the service accounts group to the local Administrators group. Because this grants local administrator rights on every computer the policy applies to, keep only the Ivanti Automation service account(s) in this group.
- Link the Group Policy object to the OU that contains the computers running the Consoles and/or Dispatchers.
- Open Microsoft SQL Server Management Studio.
- In the Security folder, create a new login of type Windows authentication.
- Click Search, then Object Types, and make sure Groups is selected (it is not selected by default).
- Add the service accounts group that you created earlier.
- Add Domain Admins (or, preferably, a dedicated group of Ivanti Automation administrators who use the Ivanti Automation Console).
- Create a new database (this becomes the Ivanti Automation Datastore) with the following initial settings:
- Size 150MB, autogrow 25MB
- Log 75MB, autogrow 10MB
- Open the properties of the login you created for the service accounts group.
- On the User Mapping page, select the database just created.
- Under Database role membership, select the db_owner role.
- All users who will have access to the Ivanti Automation Console need at least the following database roles on the Ivanti Automation Datastore:
- db_datareader
- db_datawriter
To grant these rights:
- Create an Active Directory group.
- Add all users who will have access to the Ivanti Automation Console to this Active Directory group.
- Add this Active Directory group as a login under the Security node on the SQL Server.
- Under User Mapping, select the Ivanti Automation Datastore and select the db_datareader and db_datawriter roles.
- Add the account that will create the database tables and give it the db_owner role on the Datastore.
- Alternatively, when using accounts from another domain:
- Add Domain Admins (or any other group of Ivanti Automation administrators that use the Ivanti Automation Console) and the service account group to a domain local group.
- In Microsoft SQL Server Management studio, add the domain local group to the database as db_owner.
- Install Ivanti Automation with the installation .MSI, running as a user that is a member of the db_owner role on the Datastore.
- After installation, start the Ivanti Automation Console.
- When prompted, do NOT create a new database, but connect to the one that you just created.
- Provide the required information and select Windows Authentication.
- Specify the Service Account in the format: DOMAIN\username.
- Click OK.
- When connecting to the database, Ivanti Automation will ask for confirmation first. When confirmed, Ivanti Automation will create the required tables.
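The SQL Server Management Studio steps above, expressed as T-SQL so they can be reviewed and repeated exactly. This is an added example, not a script from the Ivanti documentation; the domain CONTOSO, the groups svc-ivanti-automation (service accounts), IvantiAutomationAdmins (Console administrators, the account that creates the tables) and IvantiAutomationUsers (Console users), the database name IvantiAutomation and the file paths are all assumed names that you replace with your own.

```sql
-- Added example (not from the Ivanti documentation). Assumed names:
--   CONTOSO\svc-ivanti-automation   AD group holding the Ivanti Automation service account
--   CONTOSO\IvantiAutomationAdmins  AD group of Console administrators (creates the tables)
--   CONTOSO\IvantiAutomationUsers   AD group of all Console users
--   IvantiAutomation                the Datastore database; file paths are also assumptions
USE [master];
GO

-- 1. Server-level logins for the AD groups. FROM WINDOWS means no SQL password
--    is stored; authentication is done by the domain, not by SQL Server.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-ivanti-automation')
    CREATE LOGIN [CONTOSO\svc-ivanti-automation] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\IvantiAutomationAdmins')
    CREATE LOGIN [CONTOSO\IvantiAutomationAdmins] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\IvantiAutomationUsers')
    CREATE LOGIN [CONTOSO\IvantiAutomationUsers] FROM WINDOWS;
GO

-- 2. The Datastore with the initial sizes from the procedure:
--    data file 150 MB growing by 25 MB, log file 75 MB growing by 10 MB.
CREATE DATABASE [IvantiAutomation]
ON PRIMARY
  ( NAME = N'IvantiAutomation',
    FILENAME = N'D:\SQLData\IvantiAutomation.mdf',
    SIZE = 150MB, FILEGROWTH = 25MB )
LOG ON
  ( NAME = N'IvantiAutomation_log',
    FILENAME = N'D:\SQLLogs\IvantiAutomation_log.ldf',
    SIZE = 75MB, FILEGROWTH = 10MB );
GO

-- 3. User mappings and role membership inside the Datastore.
USE [IvantiAutomation];
GO
-- Service accounts group: db_owner (required by the Consoles and Dispatchers).
CREATE USER [CONTOSO\svc-ivanti-automation] FOR LOGIN [CONTOSO\svc-ivanti-automation];
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\svc-ivanti-automation];

-- Administrators group: db_owner, because the account that creates the
-- tables during the first Console start needs it.
CREATE USER [CONTOSO\IvantiAutomationAdmins] FOR LOGIN [CONTOSO\IvantiAutomationAdmins];
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\IvantiAutomationAdmins];

-- Console users: only db_datareader and db_datawriter, the minimum the page requires.
CREATE USER [CONTOSO\IvantiAutomationUsers] FOR LOGIN [CONTOSO\IvantiAutomationUsers];
ALTER ROLE [db_datareader] ADD MEMBER [CONTOSO\IvantiAutomationUsers];
ALTER ROLE [db_datawriter] ADD MEMBER [CONTOSO\IvantiAutomationUsers];
GO

-- 4. Check: every Windows principal in the Datastore and the roles it holds.
--    type 'U' = Windows user, 'G' = Windows group. Anything unexpected here
--    (extra db_owner members, a leftover SQL user) should be removed.
SELECT dp.name AS principal_name, dp.type_desc, r.name AS role_name
FROM sys.database_principals AS dp
JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('U', 'G')
ORDER BY dp.name, r.name;
GO
```

Run the script as a member of the sysadmin server role. The final query is the check to keep: it should list exactly the three groups with the roles shown, and nothing else with db_owner.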
Existing installations using SQL Server Authentication
- On the SQL Server instance that hosts the Ivanti Automation Datastore, switch the server authentication mode from mixed mode to Windows Authentication mode. This is an instance-wide setting: SQL Server logins (including sa) stop working for every database on the instance, so confirm that nothing else on it still depends on them.
- Follow the Active Directory and SQL Server steps described above for new installations, but skip the step where you create a new database: the existing Datastore is used instead.
- Start the Ivanti Automation Console and at Setup > Database change Database authentication to Windows Authentication.
- Provide the service account credentials and click Connect. The Console will now restart.
- Repair all Consoles and Dispatchers in the Ivanti Automation environment. Every new Console and Dispatcher that you deploy will run using the provided service account credentials.
- If you change the service account at a later stage, you need to repair all Consoles and Dispatchers.
- For troubleshooting purposes, use the Windows Event log to validate a successful connection.
- Windows Authentication is not supported on Domain Controllers and on Microsoft Windows Small Business Server. This only affects components that connect to the Datastore (Consoles and Dispatchers), not Agents.
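Server-side checks for the "existing installations" procedure above, complementing the Windows Event Log check on the Console or Dispatcher. This is an added example, not a query from the Ivanti documentation; CONTOSO\svc-ivanti-automation is an assumed service account name.

```sql
-- Added example (not from the Ivanti documentation). Assumed name:
--   CONTOSO\svc-ivanti-automation   the service account the Consoles and Dispatchers run as

-- 1. Confirm the instance-wide authentication mode after the switch:
--    1 = Windows Authentication mode only, 0 = mixed mode (SQL logins still allowed).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Confirm that the service account's sessions really use Windows authentication:
--    auth_scheme must be KERBEROS or NTLM; a value of SQL means a SQL Server login
--    is still configured somewhere (a Console or Dispatcher that was not repaired).
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time,
       c.auth_scheme, c.net_transport
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = N'CONTOSO\svc-ivanti-automation'
ORDER BY s.login_time DESC;

-- 3. List the SQL Server logins that remain on the instance. The login the Datastore
--    used before the switch can no longer authenticate in Windows Authentication mode;
--    disable or drop it deliberately instead of leaving it behind.
SELECT name, is_disabled, modify_date
FROM sys.sql_logins
WHERE name NOT LIKE '##%'
ORDER BY name;
```

If query 2 shows NTLM rather than KERBEROS, the connection is still Windows-authenticated; Kerberos additionally requires a service principal name registered for the account the SQL Server service runs under. A host that shows no session at all after a repair is where to look in the Windows Event Log.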