Using the IdentitySwitcher to configure impersonation


Post by jeremy_sg » Thu Jan 27, 2005 4:07 pm

You can download the Identity Switcher from this page. The current Vault version is at the top; scroll down for previous versions:

Certain Vault features (such as Active Directory authentication) require that the Vault web service impersonate a domain user. To make it easier for Vault customers to set up impersonation, SourceGear provides the IdentitySwitcher utility.

Before running the IdentitySwitcher, you must first configure a Windows account with the minimum privileges for ASP.NET impersonation.

Note: depending on what you are trying to accomplish, you can grant these privileges through either the Local or the Domain Security Policy. This article focuses on Domain policies only.

To verify minimum privileges:
  1. From the Administrative Tools program group, start the Domain Security Policy tool.
  2. Expand Local Policies, and then select User Rights Assignment. A list of privileges is displayed in the right pane.
  3. Verify the following privileges have been granted to the domain account:
    • Access this computer from the network
    • Log on as a batch job
    • Log on as a service
    • Allow log on locally (if the Domain Users group is not already in the Access Control List)
    Note: To assign a privilege to an account, double-click the privilege, and then click Add to select the required account.
  4. Close the tool.

Create Local File Structure:
Log on to the machine running the Vault Server as the impersonated Windows account. This ensures that all the normal folders are created for that user's %APPDATA% setting (for example, C:\Documents and Settings\VaultShadowFolderAccount\Application Data).

You are now ready to run the IdentitySwitcher. The IdentitySwitcher utility can be downloaded below.
You will be prompted for several things during the identity configuration:

1. The location of the Vault web.config.
2. The username and password of the domain user to impersonate. This user must already exist. If you cannot connect to the domain, make sure that you are running IdentitySwitcher as a domain user.
3. If you have configured Vault to use Windows authentication to connect to the SQL Server, you will be prompted for the location of the SQL Server and for credentials to add the domain user as a SQL Server login and give it permission to use the Vault database.
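
The "To verify minimum privileges" steps above can also be checked from a script. The following is an added example, not part of the original post and not SourceGear code: it exports the user-rights assignment on the Vault server with `secedit` and reports whether the impersonation account holds the four rights listed, and whether it appears in any others. The account name `EXAMPLE\VaultImpersonation` is a placeholder, and the script assumes an elevated PowerShell session on the Vault server.

```powershell
# Added example, not SourceGear code. Run elevated on the Vault server.
param([string]$Account = 'EXAMPLE\VaultImpersonation')  # placeholder account name

# Policy constants for the four user rights listed in the post.
$required = [ordered]@{
    SeNetworkLogonRight     = 'Access this computer from the network'
    SeBatchLogonRight       = 'Log on as a batch job'
    SeServiceLogonRight     = 'Log on as a service'
    SeInteractiveLogonRight = 'Allow log on locally'
}

# secedit writes most principals as *SID, so resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$me = @($sid, $Account, ($Account -split '\\')[-1])

# Export the user-rights assignment in effect on this machine.
$inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $inf
Remove-Item -Path $inf -Force

# Parse "SeXxxRight = *S-1-5-...,NAME" into right -> principals.
$rights = @{}
foreach ($line in $lines) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}

# Report each required right, plus who else holds it (a group may cover the account).
foreach ($r in $required.Keys) {
    [pscustomobject]@{
        Right           = $r
        Meaning         = $required[$r]
        GrantedDirectly = [bool](@($rights[$r]) | Where-Object { $me -contains $_ })
        Principals      = @($rights[$r]) -join ', '
    }
}

# Least-privilege check: any other right (including SeDeny* entries) naming the account.
foreach ($r in $rights.Keys) {
    if (-not $required.Contains($r) -and ($rights[$r] | Where-Object { $me -contains $_ })) {
        Write-Warning "$Account also appears in $r"
    }
}
```

`GrantedDirectly` is false when the right reaches the account only through a group such as Domain Users, so read the `Principals` column before adding a direct grant.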
