jskalicky
Mon May 05 13:51:00 PDT 2008
Dmitri,
Upon review of your last post, I am going to use the Network Service
Account. Thanks for the quick response and insight into this!!!!
"Dmitri Gavrilov [MSFT]" wrote:
> You really are setting yourself up for more headache than you need... SSL
> problem is simple to take care of, as Joe mentioned.
> If you plan to get around your SSL issue by granting the account local admin
> permissions on the machine, then, excuse me, the "service account
> separation" argument does not hold. An admin owns everything running on the
> box.
>
> Anyway, here's the set of permissions that you might need:
> Locally on the machine:
> * logon as service (IIRC adaminstall grants this automatically to the
> selected account)
> * generate security audits
> * create TCP listener (not sure which privilege it is, I think this is
> granted by default)
> * Read on the private cert key.
>
> In AD:
> * Validated write on servicePrincipalName on the account
> * If you want to publish SCPs, then createChild for serviceConnectionPoints,
> under the account. Otherwise, you should disable SCP publication.
>
> In addition, you'll need to implement a process for service account password
> updates.
>
> Also, if you ever need to change the service account or move it to another
> domain, or move the machine to another domain, then you will have to jump
> through hoops to restore ADAM replication, because other instances will stop
> recognizing you.
>
> Again, I strongly recommend using NetworkService.
>
> --
> Dmitri Gavrilov
> SDE, Exchange
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> "jskalicky" <jskalicky@discussions.microsoft.com> wrote in message
> news:55188B00-C48B-4696-97F4-887F87F05EC7@microsoft.com...
> > Dmitri,
> >
> > I did that the first time but had problems when trying to use SSL as the
> > network service account did not have permissions to the ssl folder on the
> > local box. How do you set the permissions for the Network Service Account
> > to be able to use SSL in ADAM. I did not install the cert into the
> > certificate store for ADAM, I installed it using the certificate snap in
> > on the local machine. Also, we will be running other services on the same
> > machine as ADAM.
> > I would prefer to use a domain account for the project we are working on.
> > What permission level is necessary? Please advise...
> >
> > "Dmitri Gavrilov [MSFT]" wrote:
> >
> >> The best option is to use the default, Network Service.
> >> It provides just sufficient privileges on the local machine (admin is too
> >> much), and it also has sufficient permissions in the domain, to be able
> >> to register SPNs on the computer account (which is needed for mutual
> >> auth), and to create SCPs.
> >>
> >> Using a named service account means you have to take care of password
> >> changes, assigning appropriate permissions in AD for SPN registration and
> >> SCPs, assigning local permissions on the box to open an LDAP listener and
> >> to log security events, and maybe a few others... It only makes sense (in
> >> my view), if there's many different services running on the same machine,
> >> and you don't want to expose them to each other by sharing the service
> >> account.
> >> If ADAM is the only service on the box, then using NetworkService makes
> >> most sense.
> >>
> >> --
> >> Dmitri Gavrilov
> >> SDE, Exchange
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >> Use of included script samples is subject to the terms specified at
> >> http://www.microsoft.com/info/cpyright.htm
> >>
> >> "jskalicky" <jskalicky@discussions.microsoft.com> wrote in message
> >> news:EB564BA8-4BEE-49B0-9693-4874BE0039E8@microsoft.com...
> >> > I am trying to install ADAM in our domain on two separate servers. One
> >> > will be the Master and the other will be a replica. I will be using a
> >> > domain account for the service. What permissions are necessary for the
> >> > ADAM service account in a domain? Do I just need to make it an admin on
> >> > the local box?
> >> > Please advise....
> >>
>
>
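The SSL problem the original poster hit (NetworkService unable to read the certificate's private key) is the "Read on the private cert key" item in Dmitri's list, and it is fixed with a file ACL rather than local admin rights. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the certificate was imported into LocalMachine\My with a CAPI/CSP key (so `$cert.PrivateKey` is an `RSACryptoServiceProvider` and the key container is a file under `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys`), which is what the Certificates snap-in produced on 2003/2008-era systems. CNG keys are stored elsewhere and are not handled here. The function name, parameters and the placeholder thumbprint are mine.

```powershell
# Added example (not from the thread): grant NETWORK SERVICE read access to the
# private key file of the LocalMachine certificate ADAM uses for SSL, then
# return the resulting ACL entries for that identity so the change can be checked.
# Assumption: CAPI/CSP key; on Windows 2003 replace $env:ProgramData with
# "$env:ALLUSERSPROFILE\Application Data". Run from an elevated prompt.

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine"
    }

    # Machine-level CSP key containers are stored as files named by the
    # container's unique name.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $container
    if (-not (Test-Path $keyFile)) {
        throw "Private key file not found: $keyFile"
    }

    # Read is all the service needs; do not grant Modify or Full Control.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Verification: the entries now present for the identity on the key file.
    (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# Usage (placeholder thumbprint; substitute the ADAM SSL certificate's):
# Grant-PrivateKeyRead -Thumbprint '<THUMBPRINT_OF_ADAM_SSL_CERT>'
```

After running it, restart the ADAM instance so it re-opens the certificate; the returned access entries should show a single Allow/Read entry for NETWORK SERVICE, which is the least-privilege outcome Dmitri describes, as opposed to making the service account a local admin.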