Using an alternate user to run guest application services

Apprenda requires two Windows accounts with administrative access in order to run the management aspects of the platform. By default, guest application WCF services run under those same administrative credentials, which means guest code runs with administrative rights; that is not the desired approach for many organizations.

To change the user that guest application WCF services run as:


1. Create a domain group that all service process users will belong to (e.g. ApprendaServiceUsers)

2. Grant the group the "Replace a process level token" user right (SeAssignPrimaryTokenPrivilege, under Local Security Policy > User Rights Assignment)

3. Grant that group permissions in the net.tcp port sharing service.

On each machine, edit the SMSvcHost.exe.config file to allow the group access to both net.tcp and net.pipe. The file location varies by bitness of the operating system and can be found at:

On 32 bit: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe.config
On 64 bit: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.config

In the file, ensure these sections are uncommented, and add the SID for the ApprendaServiceUsers group to the allowed accounts for both protocols (to find the proper SID, use the SysInternals tool PsGetSid):

<system.serviceModel.activation>
  <net.tcp listenBacklog="10" maxPendingConnections="100" maxPendingAccepts="2" receiveTimeout="00:00:10" teredoEnabled="false">
    <allowAccounts>
      <!-- LocalSystem account -->
      <add securityIdentifier="S-1-5-18"/>
      <!-- LocalService account -->
      <add securityIdentifier="S-1-5-19"/>
      <!-- Network Service account -->
      <add securityIdentifier="S-1-5-20"/>
      <!-- Administrators group -->
      <add securityIdentifier="S-1-5-32-544"/>
      <!-- IIS_IUSRS group (Vista only) -->
      <add securityIdentifier="S-1-5-32-568"/>
      <!-- ApprendaServiceUsers group -->
      <add securityIdentifier="GROUP SID HERE"/>
    </allowAccounts>
  </net.tcp>
  <net.pipe maxPendingConnections="100" maxPendingAccepts="2" receiveTimeout="00:00:10">
    <allowAccounts>
      <!-- LocalSystem account -->
      <add securityIdentifier="S-1-5-18"/>
      <!-- LocalService account -->
      <add securityIdentifier="S-1-5-19"/>
      <!-- Network Service account -->
      <add securityIdentifier="S-1-5-20"/>
      <!-- Administrators group -->
      <add securityIdentifier="S-1-5-32-544"/>
      <!-- IIS_IUSRS group (Vista only) -->
      <add securityIdentifier="S-1-5-32-568"/>
      <!-- ApprendaServiceUsers group -->
      <add securityIdentifier="GROUP SID HERE"/>
    </allowAccounts>
  </net.pipe>
  <diagnostics performanceCountersEnabled="true"/>
</system.serviceModel.activation>

4. Grant that group the HTTP reservation for the shared HTTP port

The group needs a reservation for the shared HTTP port on each server.

Run the following command on Windows Server 2008 / Windows 7:
netsh http add urlacl url=http://+:34000/ group=ApprendaServiceUsers

Run the following command on Windows Server 2003:
httpcfg.exe set urlacl /u http://+:34000/ /a "D:(A;;GX;;;GROUP SID HERE)"

5. Restart each machine

6. Add the system and admin users to the group. Add the account that will execute the guest applications to the group.

7. Install Apprenda

8. Set the Default Service Account registry settings for the Apprenda platform to match the Guest Application account.

SaaSGridDefaultServiceAccountDomain: DOMAIN
SaaSGridDefaultServiceAccountUsername: USER
SaaSGridDefaultServiceAccountPassword: PASSWORD
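The following PowerShell script is an added example for this article, not Apprenda's own tooling. It automates the two per-server pieces of the procedure above that are easy to get wrong by hand: adding the group's SID to the net.tcp and net.pipe allowAccounts lists in SMSvcHost.exe.config, and reserving the shared HTTP URL for the group. It assumes the domain group from the first step already exists, that the shared HTTP port is 34000 as in the article, and that it runs in an elevated PowerShell session on Windows Server 2008 / Windows 7 or later (the httpcfg.exe form for Server 2003 is not covered). The SID is resolved through the Windows account lookup API rather than PsGetSid; both give the same value. The script edits both the Framework and Framework64 config files when they exist, since a 64-bit server carries both. The script name Set-ApprendaServiceGroup.ps1 and the parameter names are hypothetical.

```powershell
<#
  Set-ApprendaServiceGroup.ps1 (hypothetical name; added example, not Apprenda code)
  Adds the service-user group to the SMSvcHost.exe.config allowAccounts lists and
  reserves the shared HTTP URL for the group on the local server.
#>
param(
    [string]$GroupName = 'ApprendaServiceUsers',   # group created in the first step
    [string]$Domain    = $env:USERDOMAIN,          # assumption: same domain as this server
    [int]$HttpPort     = 34000                     # shared HTTP port used in the article
)

# Resolve the group's SID locally (alternative to PsGetSid; same result).
function Get-GroupSid {
    param([string]$Domain, [string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Add <add securityIdentifier="..."/> under <allowAccounts> for both net.tcp and
# net.pipe unless it is already listed. Returns $true when the file was changed.
function Add-SmsvcHostAllowedSid {
    param([string]$ConfigPath, [string]$Sid)
    if (-not (Test-Path $ConfigPath)) { return $false }   # not present on this bitness

    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true                    # keep the shipped comments/layout
    $config.Load($ConfigPath)

    # If the section is still commented out, the adapter exposes no such property.
    $activation = $config.configuration.'system.serviceModel.activation'
    if ($null -eq $activation) {
        throw "No active <system.serviceModel.activation> in $ConfigPath; uncomment it first."
    }

    $changed = $false
    foreach ($protocol in 'net.tcp', 'net.pipe') {
        $proto = $activation.$protocol
        $allow = $proto.allowAccounts
        if ($null -eq $allow) { throw "No <allowAccounts> under <$protocol> in $ConfigPath." }

        $existing = @($allow.add | Where-Object { $_.securityIdentifier -eq $Sid })
        if ($existing.Count -eq 0) {
            $node = $config.CreateElement('add')
            $node.SetAttribute('securityIdentifier', $Sid)
            [void]$allow.AppendChild($node)
            $changed = $true
        }
    }

    if ($changed) {
        Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # rollback copy
        $config.Save($ConfigPath)
    }
    return $changed
}

# Reserve the URL for the group. netsh's user= parameter accepts a group account.
function Add-HttpUrlReservation {
    param([string]$Url, [string]$Account)
    $shown = (& netsh http show urlacl "url=$Url") -join "`n"
    if ($shown -match [regex]::Escape($Url)) { return 'already reserved' }

    $out = (& netsh http add urlacl "url=$Url" "user=$Account") -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add urlacl failed: $out" }
    return 'reserved'
}

$sid = Get-GroupSid -Domain $Domain -Name $GroupName
Write-Host "Resolved $Domain\$GroupName to $sid"

$configs = @(
    (Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe.config'),
    (Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.config')
)
foreach ($path in $configs) {
    if (Add-SmsvcHostAllowedSid -ConfigPath $path -Sid $sid) {
        Write-Host "Added $sid to net.tcp and net.pipe allowAccounts in $path"
    } else {
        Write-Host "No change for $path (file absent or SID already listed)"
    }
}

$url = "http://+:$HttpPort/"
$result = Add-HttpUrlReservation -Url $url -Account "$Domain\$GroupName"
Write-Host "$url $result for $Domain\$GroupName"
```

Run it once per server before the restart step; re-running is safe because both the config edit and the reservation are skipped when already present. To confirm the result afterwards, `netsh http show urlacl url=http://+:34000/` should list the group, and the `.bak` copies next to each SMSvcHost.exe.config let you diff exactly what changed.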
