Integrated security for DB access from Vault app pool

[popezilla]

In this article: http://msdn2.microsoft.com/en-us/library/ms998292.aspx

Microsoft talks about the benefits of authenticating to the SS from an ASP.NET application using the App Pool's identity as a trusted subsystem.

I setup a test installation of seperate Vault web server and sql server to do this. Everything is working fine but before I deploy this solution to production, I want to make absolutely sure I've not left something lurking in the shadows.

The steps I followed were not too difficult:
1 - change vault app pool identity to active directory user 'testvault'
2 - give the AD user 'testvault' RW access to these folders:
C:\Inetpub\wwwroot\VaultService\,
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys,
C:\Inetpub\wwwroot\VaultService\VaultShadowFolder, and
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files.
3 - give AD user 'testvault' dbo perms on sgvault and sgmaster databases
4 - remove the identity impersonate setting in web.config if there
5 - ensure the web.config connect string uses Integrated Security='true'

One red flag in my mind about this is: Maybe SourceGear didn't add this option to their Vault installation for a reason.

Thanks.

[Beth]

I didn't see anything wrong here, but I believe this is what is done automatically when you use a Custom Process Account in the IIS Process Model screen during installation.

[popezilla]

Not quite.

The custom option will do steps 2,3 but it will leave the app pool operating under NETWORK SERVICE instead of the 'testvault' AD account, it adds the IMPERSONATE option to the web.config file with the 'testvault' AD account password in plaintext in the web.config file.

Since you do not see anything wrong with this approach, then can I make a request to add this to the installation options?

Thanks.

[Beth]

I can put in the request for the developers to review. Thanks for the feedback.