Re: ADAM Service Account
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 5 May 2008 13:53:31 -0500
Network Service IS a domain account. When Network Service accesses the
network, it uses the computer account in the domain.
The trick with SSL and read rights on the private key is that permissions do
not inherit from the folder down to the individual keys, so setting the ACL
on the folder doesn't really help much. You need to find the individual key
file in that directory and apply the ACL granting network service read
rights directly to the file. It is usually easiest to do this right when
the key is first added to the server as it will be obvious which of the
files in the directory corresponds to the key you just added by the
date/time stamp. There are other ways of discovering which key is the key
for that SSL cert as well though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"jskalicky" <jskalicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55188B00-C48B-4696-97F4-887F87F05EC7@xxxxxxxxxxxxxxxx
Dmitri,
I did that he first time but had problems when trying to use SSL as the
network service account did not have permissions to the ssl folder on the
local box. How do you set the permissions for the Network Service Account
to
be able to use SSL in ADAM. I did not install the cert into the
certificate
store for ADAM, I installed it using the certificate snap in on the local
machine. Also, we will be running other services on the same machine as
ADAM.
I would prefer to use a domain account for the project we are working on.
What permission level is necessary? Please advise...
"Dmitri Gavrilov [MSFT]" wrote:
The best option is to use the default, Network Service.
It provides just sufficient privileges on the local machine (admin is too
much), and it also has sufficient permissions in the domain, to be able
to
register SPNs on the computer account (which is needed for mutual auth),
and
to create SCPs.
Using a named service account means you have to take care of password
changes, assigning appropriate permissions in AD for SPN registration and
SCPs, assigning local permissions on the box to open an LDAP listener and
to
log security events, and maybe a few others... It only makes sense (in my
view), if there's many different services running on the same machine,
and
you don't want to expose them to each other by sharing the service
account.
If ADAM is the only service on the box, then using NetworkService makes
most
sense.
--
Dmitri Gavrilov
SDE, Exchange
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"jskalicky" <jskalicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EB564BA8-4BEE-49B0-9693-4874BE0039E8@xxxxxxxxxxxxxxxx
I am trying to install ADAM in our domain on two seperate servers. One
will
be the Master and the other will be a replica. I will be using a domain
account for the service. What permissions are necessary for the ADAM
service
account in a domain? Do I just need to make it an admin on the local
box?
Please advise....
.
- References:
- ADAM Service Account
- From: jskalicky
- Re: ADAM Service Account
- From: Dmitri Gavrilov [MSFT]
- Re: ADAM Service Account
- From: jskalicky
- ADAM Service Account
- Prev by Date: Re: Restricting FTP access via windows Explorer
- Next by Date: Re: ADAM Service Account
- Previous by thread: Re: ADAM Service Account
- Next by thread: Re: ADAM Service Account
- Index(es):
Relevant Pages
|
