Windows Authentication (using a Designated Account)
When connecting to a Microsoft SQL Server, Windows Authentication can also be used.
- The authentication mode (Windows Authentication only, or mixed mode) is a setting of the SQL Server instance, not of a single database. With mixed mode you can use a Windows login for the Ivanti Automation Datastore while other databases on the instance keep their SQL Server logins; switching the instance to Windows Authentication only affects every database on that instance and takes effect after the SQL Server service is restarted.
- Windows Authentication is only supported in Ivanti Automation environments in which all components are members of a domain in the same AD forest or of a trusted domain (typically, single-tenant sites). In an environment with disjointed AD connectivity (typically in multi-tenant sites), Windows Authentication is not supported.
To use Designated Account authentication, follow the steps below in the section that applies to you:
- New installations
- Existing installations using SQL Server Authentication
- Upgrading an environment that uses the old form of Windows Authentication to a version that has the new form of Windows Authentication (using Designated Account)
- Downgrading to a version that has the old form of Windows Authentication from a version that has the new form of Windows Authentication (using Designated Account)
New installations
1. In Microsoft Active Directory, create a group for service accounts.
2. Create an Active Directory user that is a member of this service accounts group. This account is the Designated Account.
3. Create a Group Policy that grants the service accounts group the following:
   - Log on as a service.
   - Membership of the local Administrators group.
4. Link the policy to the OU that contains the computers running the Dispatchers.
5. Open Microsoft SQL Server Management Studio.
6. In the Security folder, create a new login.
7. Click Search and then Object Types.
8. Add the Active Directory user (the Designated Account) that you created earlier.
9. Create a new default database with the following settings:
   - Data file: size 150 MB, autogrowth 25 MB
   - Log file: size 75 MB, autogrowth 10 MB
10. Open the properties of the Designated Account login.
11. On the User Mapping tab, select the database you just created.
12. In Database role membership, select the db_owner role.
13. Add the account that is going to create the database tables in the same way and give it the db_owner role as well.
14. Install Ivanti Automation from the installation .MSI as any user that has installation rights on the system.
15. After installation, start the Ivanti Automation Console.
16. When prompted, do NOT create a new database; connect to the one you just created.
17. Provide the required information and select Windows Authentication.
18. Specify the Designated Account in the format DOMAIN\username.
19. Click OK.
20. When connecting to the database, Ivanti Automation asks for confirmation first. Once confirmed, it creates the required tables.
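The Active Directory and SQL Server preparation described above (service accounts group, Designated Account, policy link, Windows login, database with the stated sizes, db_owner mapping) can be scripted instead of clicked through. The following PowerShell is an added example and is not an Ivanti script; the domain, OU paths, group and account names, instance name and database name are assumptions, and it assumes the RSAT ActiveDirectory and GroupPolicy modules and the SqlServer module are installed. The two settings inside the GPO (the "Log on as a service" user right and Restricted Groups membership of local Administrators) are still set in the Group Policy editor; the script only creates and links the GPO.

```powershell
# Added example, not Ivanti's own code. Every value below is an assumption; adjust to your environment.
$Domain      = 'CORP'
$SvcGroup    = 'SVC-IvantiAutomation'                          # service accounts group
$SvcUser     = 'svc-ivanti-ds'                                  # the Designated Account
$AccountsOU  = 'OU=Service Accounts,DC=corp,DC=example'
$DispatchOU  = 'OU=Ivanti Dispatchers,DC=corp,DC=example'     # OU holding the Dispatcher computers
$SqlInstance = 'SQL01\IVANTI'
$DbName      = 'IvantiAutomation'

Import-Module ActiveDirectory, GroupPolicy, SqlServer

# Service accounts group and the Designated Account as its member.
# The password is prompted for, never embedded in the script.
New-ADGroup -Name $SvcGroup -GroupScope Global -Path $AccountsOU `
            -Description 'Ivanti Automation service accounts'
$pw = Read-Host -AsSecureString "Password for $Domain\$SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser -Path $AccountsOU `
           -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity $SvcGroup -Members $SvcUser

# GPO for the Dispatcher computers only. Its contents (User Rights Assignment:
# "Log on as a service"; Restricted Groups: local Administrators) are configured in GPMC.
$gpo = New-GPO -Name 'Ivanti Automation Dispatcher service account' `
               -Comment "Grants $Domain\$SvcGroup log on as a service and local Administrators membership"
New-GPLink -Name $gpo.DisplayName -Target $DispatchOU -LinkEnabled Yes | Out-Null

# Default file locations of the instance, so the database lands where the DBA expects.
$dataPath = (Invoke-Sqlcmd -ServerInstance $SqlInstance `
    -Query "SELECT CONVERT(nvarchar(260), SERVERPROPERTY('InstanceDefaultDataPath')) AS p").p
$logPath  = (Invoke-Sqlcmd -ServerInstance $SqlInstance `
    -Query "SELECT CONVERT(nvarchar(260), SERVERPROPERTY('InstanceDefaultLogPath')) AS p").p

# Windows login for the Designated Account and the database with the documented
# initial sizes and autogrowth values (data 150 MB / 25 MB, log 75 MB / 10 MB).
$tsql = @"
CREATE LOGIN [$Domain\$SvcUser] FROM WINDOWS WITH DEFAULT_DATABASE = [master];
CREATE DATABASE [$DbName]
  ON PRIMARY (NAME = N'$DbName', FILENAME = N'$dataPath${DbName}.mdf', SIZE = 150MB, FILEGROWTH = 25MB)
  LOG ON     (NAME = N'${DbName}_log', FILENAME = N'$logPath${DbName}_log.ldf', SIZE = 75MB, FILEGROWTH = 10MB);
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $tsql

# Map the login into the new database and make it db_owner (the "User Mapping" step).
$tsql = @"
CREATE USER [$Domain\$SvcUser] FOR LOGIN [$Domain\$SvcUser];
ALTER ROLE [db_owner] ADD MEMBER [$Domain\$SvcUser];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DbName -Query $tsql
```

Run it as an account that is allowed to create AD objects in the target OU, create GPOs, and hold CONTROL SERVER (or sysadmin) on the instance. The T-SQL is the same whether you run it from PowerShell or paste it into a Management Studio query window; only the file paths and the account name change per environment.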
Existing installations using SQL Server Authentication
- On the Microsoft SQL Server instance that hosts the Ivanti Automation Datastore, switch the server authentication mode from mixed mode to Windows Authentication. This is an instance-wide setting (see the note at the top of this page) and takes effect only after the SQL Server service has been restarted.
- Follow the steps of the "New installations" section up to and including step 12, but skip the step in which you create a new database.
- Start the Ivanti Automation Console and at Setup > Database change Database authentication to Windows Authentication.
- Provide the Designated Account credentials and click Connect. The Console will now restart.
- Repair all Consoles and Dispatchers in the Ivanti Automation environment. Every new Console and Dispatcher that you deploy will run using the Designated Account credentials.
Upgrading an environment that uses the old form of Windows Authentication to a version that has the new form of Windows Authentication (using Designated Account)
- Run the Upgrade Pack that contains the new implementation for Windows Authentication (using a Designated Account).
- Create the Active Directory User (the Designated Account) by repeating steps 5 through 10 from the "New Installations" section.
- Remove/disable the GPOs for "Log on as a service" and "add to local administrators group" for Console computers.
- Open the Ivanti Automation Console and change the current Windows Authentication account with the newly created one (the Designated Account).
- Repair all the Consoles and Dispatchers in the environment. They should all connect to the database server using the Designated Account credentials, regardless of the user logged on the system.
- Remove all the Active Directory users/group(s) configured as dbo from the Ivanti Automation database. Leave only the Designated Account user.
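The last step above (leave only the Designated Account as db_owner) is worth verifying rather than assuming, because any Windows user or group that stays in db_owner still has full control of the Datastore. The following PowerShell is an added example, not part of Ivanti's documentation: it lists every db_owner member of the database, keeps dbo and the Designated Account, flags anything that is not a Windows principal for manual review, and prints (or, with $Apply set, executes) the statements that remove the rest. Instance, database and account names are assumptions.

```powershell
# Added example, not Ivanti's own code. Values below are assumptions.
$SqlInstance = 'SQL01\IVANTI'
$DbName      = 'IvantiAutomation'
$Designated  = 'CORP\svc-ivanti-ds'
$Apply       = $false   # $false: only show the statements; $true: run them

Import-Module SqlServer

# Every member of db_owner with its principal type. 'dbo' (the database owner) is always present.
$members = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DbName -Query @"
SELECT m.name AS principal, m.type_desc AS kind
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
"@

foreach ($m in $members) {
    if ($m.principal -eq 'dbo' -or $m.principal -ieq $Designated) {
        Write-Host "keep   $($m.principal) ($($m.kind))"
        continue
    }
    if ($m.kind -notin 'WINDOWS_USER', 'WINDOWS_GROUP') {
        # SQL logins are not "AD users/groups configured as dbo"; decide on those separately.
        Write-Host "review $($m.principal) ($($m.kind)) - not a Windows principal, left as-is"
        continue
    }
    # Remove the role membership first, then the database user. DROP USER fails while the
    # user still owns a schema; reassign ownership with ALTER AUTHORIZATION and retry.
    $stmt = "ALTER ROLE [db_owner] DROP MEMBER [$($m.principal)]; DROP USER [$($m.principal)];"
    Write-Host "drop   $($m.principal) ($($m.kind))"
    if ($Apply) { Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $DbName -Query $stmt }
    else        { Write-Host "       $stmt" }
}

# Sanity check: the Designated Account itself must remain, or Consoles and Dispatchers lose access.
if (-not ($members.principal -icontains $Designated)) {
    Write-Warning "$Designated is not a db_owner member of $DbName"
}
```

Run it once with $Apply left at $false to review the list, then again with $Apply = $true. The server-level logins of the removed users are not touched by this script; drop those as well if nothing else on the instance uses them.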
Downgrading to a version that has the old form of Windows Authentication from a version that has the new form of Windows Authentication (using Designated Account)
- Follow the steps from the old form of Windows Authentication (section “Existing installations using SQL Server Authentication”).
- Remove the User Mapping of the Designated Account login for the Ivanti Automation DB from the SQL Server.
- Open the Ivanti Automation Console and configure the Windows Authentication users according to their needs.
- Run the Ivanti Automation Upgrade Pack of an older version that contains the old form of Windows Authentication.
- After the Ivanti Automation Consoles get updated, set the Ivanti Automation Console Service to run with the corresponding user (as it was configured before upgrading to 2019.1 or later) and restart the service.
- If you change the service account at a later stage, you need to repair all Consoles and Dispatchers.
- For troubleshooting purposes, use the Windows Event log to validate a successful connection.
- Windows Authentication is not supported on Domain Controllers and on Microsoft Windows Small Business Server. This only affects components that connect to the Datastore (Consoles and Dispatchers), not Agents.