Configure Windows authentication
Microsoft recommends using Windows authentication when you connect to a Microsoft SQL Server, because it is more secure than SQL Server authentication (no SQL credentials are stored or transmitted).
- Depending on the configuration of your database server, you can use Windows authentication on server-level or on database-level. If you switch between authentication modes on server-level, other databases on this server are also affected.
- You can only use Windows authentication if all Ivanti Identity Director components are members of a domain in the same AD forest or of a trusted domain (typically single-tenant sites). In an environment with disjointed AD connectivity (typically multi-tenant sites), Windows authentication is not supported.
- Windows authentication is not supported on Domain Controllers and on Microsoft Windows Small Business Server.
- In Microsoft Active Directory, create a group for service accounts.
- Create an Active Directory user that is a member of this service accounts group.
- Create a Group Policy with the following settings:
  - Grant the service accounts group the Log on as a service right.
  - Add the service accounts group to the local Administrators group.
- Link the policy to the OU that contains the computers running the Management Portal, Setup and Sync Tool, Transaction Engine and/or Catalog Services.
- Open Microsoft SQL Server Management Studio.
- In the Security folder, create a new login:
  - Click Search and then Object Types.
  - Add the service accounts group that you created earlier.
  - Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool).
- Create a new default database with the following settings:
  - Data file: size 150 MB, autogrow 25 MB
  - Log file: size 75 MB, autogrow 10 MB
- Open the properties of the service accounts group login:
  - On the User Mapping tab, select the database you just created.
  - Under Database Role Membership, select the db_owner role.
- All users who need access to the Management Portal and Setup and Sync Tool need at least the following rights on the Datastore:
  - db_datawriter. To grant these rights, do the following:
    - Create an Active Directory group.
    - Add all users who need access to the Management Portal and Setup and Sync Tool to this Active Directory group.
    - Add this group under the Security node on the SQL Server.
    - Under User Mapping, select the Ivanti Identity Director Datastore and select the roles db_datareader and db_datawriter.
    - Add the account that will create the database tables and assign it the db_owner (DBO) role.
  - Alternatively, when you use accounts from another domain:
    - Add Domain Admins (or any group of administrators that uses the Management Portal and Setup and Sync Tool) and the service accounts group to a domain local group.
    - In Microsoft SQL Server Management Studio, add the domain local group to the database as db_owner.
- Install Ivanti Identity Director with a user that has the db_owner (DBO) role.
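The SQL Server Management Studio steps above (logins for the two Active Directory groups, the Datastore with the stated initial sizes and autogrow values, and the db_owner / db_datareader / db_datawriter mappings), written as a PowerShell script that runs the equivalent T-SQL through Invoke-Sqlcmd. This is an added example and not part of the Ivanti documentation: it assumes the SqlServer PowerShell module is installed, and the instance name, database name and group names are constructed placeholders. It ends with two checks a practitioner would want: that the instance actually accepts Windows authentication only, and that the role memberships were applied.

```powershell
# Added example (not Ivanti's own code). All names below are constructed placeholders.
$SqlInstance     = 'SQL01\IIDSTORE'            # assumed SQL Server instance
$DatabaseName    = 'IdentityDirector'          # assumed Datastore name
$ServiceGroup    = 'CORP\IID-ServiceAccounts'  # AD group for service accounts (step above)
$PortalUserGroup = 'CORP\IID-PortalUsers'      # AD group for Management Portal users

Import-Module SqlServer -ErrorAction Stop

# 1. Server level (run in master): Windows logins for both groups and the Datastore.
#    CREATE DATABASE uses the default logical file names <db> and <db>_log, which are
#    then resized to the documented values: data 150 MB / autogrow 25 MB, log 75 MB / 10 MB.
$serverSql = @"
IF SUSER_ID(N'$ServiceGroup') IS NULL
    CREATE LOGIN [$ServiceGroup] FROM WINDOWS;
IF SUSER_ID(N'$PortalUserGroup') IS NULL
    CREATE LOGIN [$PortalUserGroup] FROM WINDOWS;
IF DB_ID(N'$DatabaseName') IS NULL
BEGIN
    CREATE DATABASE [$DatabaseName];
    ALTER DATABASE [$DatabaseName] MODIFY FILE (NAME = N'$DatabaseName',      SIZE = 150MB, FILEGROWTH = 25MB);
    ALTER DATABASE [$DatabaseName] MODIFY FILE (NAME = N'${DatabaseName}_log', SIZE = 75MB,  FILEGROWTH = 10MB);
END
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $serverSql

# 2. Database level: map the logins to users and to the roles from the procedure.
#    The service accounts group gets db_owner; portal users get reader + writer only.
$dbSql = @"
IF DATABASE_PRINCIPAL_ID(N'$ServiceGroup') IS NULL
    CREATE USER [$ServiceGroup] FOR LOGIN [$ServiceGroup];
ALTER ROLE db_owner ADD MEMBER [$ServiceGroup];
IF DATABASE_PRINCIPAL_ID(N'$PortalUserGroup') IS NULL
    CREATE USER [$PortalUserGroup] FOR LOGIN [$PortalUserGroup];
ALTER ROLE db_datareader ADD MEMBER [$PortalUserGroup];
ALTER ROLE db_datawriter ADD MEMBER [$PortalUserGroup];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DatabaseName -Query $dbSql

# 3. Check: the instance should be in Windows Authentication mode, not mixed mode.
$modeSql = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly;"
$mode = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $modeSql
if ($mode.WindowsAuthOnly -ne 1) {
    Write-Warning "$SqlInstance still allows SQL Server authentication (mixed mode)."
}

# 4. Check: list which Windows groups hold which database roles on the Datastore.
$memberSql = @"
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.type = 'G'   -- Windows groups only
ORDER BY m.name, r.name;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DatabaseName -Query $memberSql |
    Format-Table -AutoSize
```

Run the script as a Windows account that is a sysadmin on the instance; every Invoke-Sqlcmd call here uses the caller's Windows identity, so no SQL password appears anywhere. The ALTER ROLE ... ADD MEMBER syntax requires SQL Server 2012 or later.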
- After installation of the Management Portal, change the application pool on the IIS server to run under the domain account that has sufficient access to the database.
- Start the Management Portal.
- When prompted, do NOT create a new database, but connect to the one that you just created.
- Provide the required information and select Windows Authentication.
- Specify the Service Account in the format: DOMAIN\username.
- Click Save. When you connect to the database, you need to confirm whether to create the required tables.
Existing installations that use SQL Server authentication
- On the Microsoft SQL Server, switch the authentication mode for the Ivanti Identity Director Datastore from mixed mode authentication to Windows Authentication.
- Follow the steps as described above, but skip the step where you create a new database.
- On the IIS server of the Management Portal, change the application pool to run under the domain account that has sufficient access to the database.
- Start the Management Portal and at Setup > Datastore select Windows Authentication.
- Provide the service account credentials and click Connect.
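Both procedures above (new installations and existing installations) include the step of changing the Management Portal application pool on the IIS server so that it runs under the domain service account. Here is that step as an added PowerShell example, not part of the Ivanti documentation; it assumes the IIS WebAdministration module is available and that the application pool name is known (the name used here is a placeholder). It reads the setting back afterwards so the change is verified rather than assumed.

```powershell
# Added example (not Ivanti's own code). Pool name is an assumed placeholder;
# check the real name in IIS Manager before running.
$PoolName = 'Ivanti Identity Director'
$Cred     = Get-Credential -Message 'Service account (DOMAIN\username)'

Import-Module WebAdministration -ErrorAction Stop

$pool = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $pool)) { throw "Application pool '$PoolName' not found" }

# identityType 'SpecificUser' replaces the built-in ApplicationPoolIdentity with
# the domain account that holds the database rights from the procedure above.
Set-ItemProperty -Path $pool -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password
}
Restart-WebAppPool -Name $PoolName

# Read back: the pool must now report the domain account, not ApplicationPoolIdentity.
$pm = Get-ItemProperty -Path $pool -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $Cred.UserName) {
    throw "Application pool identity for '$PoolName' was not changed"
}
"Application pool '$PoolName' now runs as $($pm.userName)"
```

The password is only held in memory for the duration of the call; IIS stores it encrypted in applicationHost.config. Because the pool now runs as the service account, that account's group membership (db_owner on the Datastore, per the procedure) is what the Management Portal uses when it connects with Windows Authentication.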
Transaction Engine and Catalog Services
In addition, configure the Transaction Engine and Catalog Services. The Transaction Engine service and the Catalog Services must run under the service account that has access rights to the database.
- For manual installations of the Transaction Engine and Catalog Services, configure Windows Authentication settings in the installation wizard.
- For unattended installations of the Transaction Engine and Catalog Services, use the public property on the command line: /dbwinauth=<yes/no> (enable or disable the use of Windows Authentication).
Use a (service) account with access rights to the database and apply the public property /CONFIGDB to the executables of the Catalog Services and the Transaction Engine. This opens a window in which you can specify the new settings.
- Transaction Engine: "%ProgramFiles%\RES Software\IT Store\Transaction Engine\resote.exe" /CONFIGDB
- Catalog Services: "%ProgramFiles%\RES Software\IT Store\Catalog Services\resocs.exe" /CONFIGDB
You can also do this silently with the following command lines:
- Transaction Engine: "%ProgramFiles%\RES Software\IT Store\Transaction Engine\resote.exe" /configdb /silent /dbtype=<dbtype> /dbserver=<server> /dbname=<database> /dbuser= /dbencryption=<yes/no>
- Catalog Services: "%ProgramFiles%\RES Software\IT Store\Catalog Services\resocs.exe" /configdb /silent /dbtype=<dbtype> /dbserver=<server> /dbname=<database> /dbuser= /dbencryption=<yes/no>
Windows Authentication is only used if the /dbuser argument has an empty value (for example: ... /dbuser= /dbencryption=no ...). The value of the /dbpassword argument is then ignored.
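The silent /configdb command lines above, wrapped in an added PowerShell script (not part of the Ivanti documentation) that reconfigures both services for Windows Authentication in one pass. The executable paths are the ones the page gives; the server and database names, the expected service account and the /dbtype value are placeholders, and the page does not list the allowed /dbtype values, so that one must be filled in from the installation wizard. The script checks that it is running as the service account, since the page requires that, and passes an empty /dbuser, which is what selects Windows Authentication.

```powershell
# Added example (not Ivanti's own code). Values below are placeholders.
$ExpectedServiceAccount = 'CORP\svc-iid'     # the AD service account from the procedure
$DbServer   = 'SQL01\IIDSTORE'
$DbName     = 'IdentityDirector'
$DbType     = '<dbtype>'                      # not given on this page; take it from the wizard
$Encryption = 'no'                            # /dbencryption=<yes/no>

# Paths from the documented command lines.
$Executables = @(
    "$env:ProgramFiles\RES Software\IT Store\Transaction Engine\resote.exe",
    "$env:ProgramFiles\RES Software\IT Store\Catalog Services\resocs.exe"
)

# The services must run under the service account, so refuse to continue as anyone else.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ExpectedServiceAccount) {
    throw "Run this script as $ExpectedServiceAccount (currently $me)"
}

# An empty /dbuser is what enables Windows Authentication; /dbpassword is then ignored,
# so deliberately no SQL credential is placed on the command line.
$cmdArgs = @(
    '/configdb', '/silent',
    "/dbtype=$DbType", "/dbserver=$DbServer", "/dbname=$DbName",
    '/dbuser=', "/dbencryption=$Encryption"
)

foreach ($exe in $Executables) {
    if (-not (Test-Path $exe)) { Write-Warning "$exe not found, skipping"; continue }
    $proc = Start-Process -FilePath $exe -ArgumentList $cmdArgs -Wait -PassThru
    # Assumption: a non-zero exit code signals failure (the page does not document exit codes).
    if ($proc.ExitCode -ne 0) { throw "$exe returned exit code $($proc.ExitCode)" }
    "Reconfigured $exe for Windows Authentication against $DbServer\$DbName"
}
```

Run it in a session started as the service account (for example via a scheduled task or runas); the identity check at the top exists precisely so that the stored database settings end up tied to the account the services will actually run under.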