Configure Windows authentication

Microsoft recommends using Windows authentication when you connect to a Microsoft SQL Server, because it is more secure than SQL Server authentication.

New installations

  1. In Microsoft Active Directory, create a Group for service accounts.
  2. Create an Active Directory User that is a member of this service accounts group.
  3. Create the following policy:
    1. Grant the service accounts group the "Log on as a service" user right.
    2. Add the service accounts group to the local administrators group.
  4. Link the policy to the OU that contains the computers running the Management Portal, Setup and Sync Tool, Transaction Engine and/or Catalog Services.
  5. Open Microsoft SQL Server Management Studio.
    1. In the Security folder, create a new login.
    2. Click Search and then Object Types.
    3. Add the service accounts group that you created earlier.
    4. Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool).
  6. Create a new default database with the following settings:
  7. Open the properties of the service accounts group.
  8. On the User Mapping tab, select the database you just created.
  9. In Database Role Membership, select the db_owner role.
  10. All users who need access to the Management Portal and Setup and Sync Tool need at least the following rights on the Datastore:
  11. Add the account that will create the database tables and assign it the DBO role.
  12. Alternatively, when you use accounts from another domain:
    1. Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool) and the service account group to a domain local group.
    2. In Microsoft SQL Server Management Studio, add the domain local group to the database as db_owner.
  13. Install Ivanti Identity Director with a user that has the DBO role.
  14. After installation of the Management Portal, change the application pool on the IIS server to run under the domain account that has sufficient access to the database.
  15. Start the Management Portal.
  16. When prompted, do NOT create a new database, but connect to the one that you just created.
  17. Provide the required information and select Windows Authentication.
  18. Specify the Service Account in the format: DOMAIN\username.
  19. Click Save. When you connect to the database, you need to confirm whether to create the required tables.
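The SQL Server Management Studio steps above (5 and 7 to 9, and the domain local group alternative in step 12), written as T-SQL so they can be reviewed and repeated. This is an added example, not a script from the Ivanti documentation; the database name [IdentityDirector] and the group names [DOMAIN\IdentityDirectorServiceAccounts] and [DOMAIN\Domain Admins] are assumptions to replace with the names created in your domain.

```sql
-- Added example, not part of the Ivanti documentation.
-- Assumed names: Datastore database [IdentityDirector], service accounts group
-- [DOMAIN\IdentityDirectorServiceAccounts], administrators group [DOMAIN\Domain Admins].
USE [master];
GO

-- Step 5: one Windows-authenticated login per Active Directory group, so no
-- password is stored in SQL Server and membership is managed in the directory.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\IdentityDirectorServiceAccounts')
    CREATE LOGIN [DOMAIN\IdentityDirectorServiceAccounts] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\Domain Admins')
    CREATE LOGIN [DOMAIN\Domain Admins] FROM WINDOWS;
GO

USE [IdentityDirector];
GO

-- Steps 7 to 9: map the service accounts group to the Datastore and add it to db_owner.
-- (For the step 12 alternative, use the domain local group name here instead.)
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\IdentityDirectorServiceAccounts')
    CREATE USER [DOMAIN\IdentityDirectorServiceAccounts]
        FOR LOGIN [DOMAIN\IdentityDirectorServiceAccounts];
ALTER ROLE [db_owner] ADD MEMBER [DOMAIN\IdentityDirectorServiceAccounts];
GO

-- Check 1: list every principal that holds db_owner on the Datastore, so that
-- nothing beyond the intended groups keeps full control of the database.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';

-- Check 2: 1 means the instance accepts Windows Authentication only
-- (the mode an existing installation is switched to before reconfiguring).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
GO
```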

Existing installations that use SQL Server authentication

  1. On the Microsoft SQL Server, switch the authentication mode for the Ivanti Identity Director Datastore from mixed mode authentication to Windows Authentication.
  2. Follow the steps as described above, but skip the step where you create a new database.
  3. On the IIS server of the Management Portal, change the application pool to run under the domain account that has sufficient access to the database.
  4. Start the Management Portal and at Setup > Datastore select Windows Authentication.
  5. Provide the service account credentials and click Connect.

Transaction Engine and Catalog Services

In addition, configure the Transaction Engine and Catalog Services. The Transaction Engine service and the Catalog Services need to run under the service account with access rights to the database.

New installations:

Existing installations:

Use a (service) account with access rights to the database and apply the public property /CONFIGDB to the executables of the Catalog Services and the Transaction Engine. This opens a window in which you can specify the new settings.

You can also do this silently with the following command lines:

Windows Authentication is used only if the /dbuser argument has an empty value (... /dbuser= /dbencryption=no....). In that case the value of the /dbpassword argument is ignored.
