Windows Authentication

When the Datastore is hosted on Microsoft SQL Server, you can connect to it with Windows Authentication instead of SQL Server Authentication.

  • Depending on how the SQL Server instance is configured, you can use Windows Authentication for the whole instance (Windows Authentication mode) or only for the Datastore connection while the instance stays in mixed mode. The authentication mode is an instance-level setting, not a per-database one: switching the instance to Windows Authentication mode disables SQL Server logins (including sa) for every other database on that instance, so check those databases before you change it.
  • Windows Authentication is only supported in Ivanti Automation environments in which all components are members of a domain in the same AD forest or of a trusted domain (typically single-tenant sites). In an environment without AD connectivity between all components (typically multi-tenant sites), Windows Authentication is not supported.

Before you can start using Windows Authentication in Ivanti Automation to connect to the Datastore, follow these steps:

New installations

  1. In Microsoft Active Directory, create a Group for service accounts.
  2. Create an Active Directory User that is a member of this service accounts group.
  3. Create a Group Policy Object that:
    1. Grants the "Log on as a service" user right to the service accounts group.
    2. Adds the service accounts group to the local Administrators group (for example via Restricted Groups).
  4. Link the GPO to the OU that contains the computers running the Consoles and/or Dispatchers.
  5. Open Microsoft SQL Server Management Studio.
    1. In the Security folder, create a new login of type Windows authentication.
    2. Click Search and then Object Types, and make sure Groups is selected (it is not by default).
    3. Add the service accounts group that you created earlier.
    4. Add Domain Admins (or any other group of Ivanti Automation administrators that uses the Ivanti Automation Console) as a second login.
  6. Create a new default database with the following settings:
    • Size 150MB, autogrow 25MB
    • Log 75MB, autogrow 10MB
  7. Open the properties of the login you created for the service accounts group.
  8. On the User Mapping tab, select the database just created.
  9. In Database Role Membership, select the db_owner role.
  10. All users who will have access to the Ivanti Automation Console need at least the following fixed database roles on the Ivanti Automation Datastore (map the administrators login to the database and select these roles; do not give interactive users db_owner):
    • db_datareader
    • db_datawriter
  11. Add the account that is going to create the database tables (the account that runs the installation and the first Console connection) and make it a member of the db_owner role (the dbo user).
  12. Alternatively, when using accounts from another domain:
    1. Add Domain Admins (or any other group of Ivanti Automation administrators that use the Ivanti Automation Console) and the service account group to a domain local group.
    2. In Microsoft SQL Server Management studio, add the domain local group to the database as db_owner.
  13. Install Ivanti Automation with the installation .MSI, logged on as a user that is a member of the db_owner role on the Datastore.
  14. After installation, start the Ivanti Automation Console.
  15. When prompted, do NOT create a new database, but connect to the one that you just created.
  16. Provide the required information and select Windows Authentication.
  17. Specify the Service Account in the format: DOMAIN\username.
  18. Click OK.
  19. When connecting to the database, Ivanti Automation will ask for confirmation first. When confirmed, Ivanti Automation will create the required tables.
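The SQL Server side of the procedure above (steps 5 to 11) as a T-SQL script, written for this page as an added example; it is not Ivanti's own script. The domain name CONTOSO, the group names IA-ServiceAccounts and IA-Admins, the installing account ia-install and the database name IvantiAutomation are assumed placeholders; replace them with your own. It uses ALTER ROLE ... ADD MEMBER (SQL Server 2012 or later; on older versions use sp_addrolemember) and sets the file sizes with MODIFY FILE, which only works when the requested size is larger than the size the new database inherited from model.

```sql
-- Added example, not Ivanti's script. Assumed names: domain CONTOSO,
-- AD group CONTOSO\IA-ServiceAccounts (service accounts, step 1),
-- AD group CONTOSO\IA-Admins (Console administrators, step 5.4),
-- installing account CONTOSO\ia-install (step 11), database IvantiAutomation.
USE [master];
GO

-- 0. Record the instance authentication mode before touching anything; it is an
--    instance-wide setting. 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;
GO

-- 1. Server-level logins for the AD groups and the installing account (step 5).
--    A login for a Windows group covers all current and future members of the group.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\IA-ServiceAccounts')
    CREATE LOGIN [CONTOSO\IA-ServiceAccounts] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\IA-Admins')
    CREATE LOGIN [CONTOSO\IA-Admins] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\ia-install')
    CREATE LOGIN [CONTOSO\ia-install] FROM WINDOWS;
GO

-- 2. The Datastore database with the sizes from step 6: 150 MB data file growing
--    by 25 MB, 75 MB log growing by 10 MB. The default logical file names are
--    <database> and <database>_log, so no physical paths are needed here.
CREATE DATABASE [IvantiAutomation];
GO
ALTER DATABASE [IvantiAutomation] MODIFY FILE (NAME = N'IvantiAutomation',     SIZE = 150MB, FILEGROWTH = 25MB);
ALTER DATABASE [IvantiAutomation] MODIFY FILE (NAME = N'IvantiAutomation_log', SIZE = 75MB,  FILEGROWTH = 10MB);
GO

USE [IvantiAutomation];
GO
-- 3. Map the logins into the database (steps 7 to 11).
--    Service accounts group: db_owner, as the Consoles and Dispatchers run as this account.
CREATE USER [CONTOSO\IA-ServiceAccounts] FOR LOGIN [CONTOSO\IA-ServiceAccounts];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\IA-ServiceAccounts];

--    Console administrators: db_datareader and db_datawriter only, the minimum the
--    Console needs (step 10). Interactive users do not get db_owner.
CREATE USER [CONTOSO\IA-Admins] FOR LOGIN [CONTOSO\IA-Admins];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\IA-Admins];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\IA-Admins];

--    The account that runs the installer and the first Console connection creates
--    the tables and therefore needs db_owner (step 11). Keep it in the role only as
--    long as it still has to create or change tables.
CREATE USER [CONTOSO\ia-install] FOR LOGIN [CONTOSO\ia-install];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\ia-install];
GO

-- 4. Verify the mapping: which principal is in which role, and which AD accounts
--    SQL Server resolves through the group login. Group membership is evaluated
--    when a session connects, so an account added to the AD group later gets the
--    same access without any change in SQL Server; review the group accordingly.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_datareader', N'db_datawriter')
ORDER BY r.name, m.name;

EXEC xp_logininfo @acctname = N'CONTOSO\IA-ServiceAccounts', @option = 'members';
GO
```

Run the script as a sysadmin in SQL Server Management Studio before you start the Ivanti Automation installation (step 13). The final two statements are the check worth repeating after any change to the service account or to the administrators group: the role query shows what the database grants, and xp_logininfo shows who actually inherits it through the Windows group.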

Existing installations using SQL Server Authentication

  1. On the Microsoft SQL Server instance that hosts the Ivanti Automation Datastore, switch the server authentication mode from mixed mode to Windows Authentication mode. This is an instance-level change: SQL Server logins for any other database on that instance stop working, so check those databases first.
  2. Follow the steps as described above until step 13. Skip the step where you create a new database.
  3. Start the Ivanti Automation Console and at Setup > Database change Database authentication to Windows Authentication.
  4. Provide the service account credentials and click Connect. The Console will now restart.
  5. Repair all Consoles and Dispatchers in the Ivanti Automation environment. Every new Console and Dispatcher that you deploy will run using the provided service account credentials.
  • If you change the service account at a later stage, you need to repair all Consoles and Dispatchers.
  • For troubleshooting purposes, use the Windows Event log to validate a successful connection.
  • Windows Authentication is not supported on Domain Controllers and on Microsoft Windows Small Business Server. This only affects components that connect to the Datastore (Consoles and Dispatchers), not Agents.