Certain Vault features (such as Active Directory authentication) require that the Vault web service impersonate a domain user. To make it easier for Vault customers to set up impersonation, SourceGear provides the IdentitySwitcher utility.
Before running the IdentitySwitcher, you must first configure a Windows account with the minimum privileges required for ASP.NET impersonation.
Note: depending on what you are trying to accomplish, you can grant these privileges through either the Local or the Domain Security Policy. This article covers Domain Policies only.
To verify minimum privileges:
- From the Administrative Tools programs group, start the Domain Security Policy tool.
- Expand Local Policies, and then select User Rights Assignment. A list of privileges is displayed in the right pane.
- Verify the following privileges have been granted to the domain account:
  - Access this computer from the network
  - Log on as a batch job
  - Log on as a service
  - Allow log on locally (only if the Domain Users group is not already in the access control list)
- Close the tool.
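The four user rights above can also be checked from a script. The following PowerShell is an added example, not part of this article or of the IdentitySwitcher utility; it assumes a placeholder account name and reads the machine's effective policy with secedit, which needs an elevated prompt.

```powershell
# Added example: verify the effective user-rights assignment for the
# impersonation account. Not part of SourceGear's IdentitySwitcher.
# Assumes the account name below; replace it with your real domain account.
param([string]$Account = 'DOMAIN\VaultShadowFolderAccount')  # placeholder

# The four rights from the article, keyed by the names secedit uses.
$Required = [ordered]@{
    'SeNetworkLogonRight'     = 'Access this computer from the network'
    'SeBatchLogonRight'       = 'Log on as a batch job'
    'SeServiceLogonRight'     = 'Log on as a service'
    'SeInteractiveLogonRight' = 'Allow log on locally'
}

# Resolve the account to its SID and derive the domain's "Domain Users" SID
# (RID 513) so the "Allow log on locally" exception can be honoured.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$domainUsersSid = $sid.Substring(0, $sid.LastIndexOf('-')) + '-513'

# Export the machine's effective policy (local database after domain policy
# has been applied). secedit writes UTF-16 text, hence -Encoding Unicode.
$inf = Join-Path $env:TEMP 'vault-user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $inf -Encoding Unicode
Remove-Item $inf -ErrorAction SilentlyContinue

$missing = @()
foreach ($priv in $Required.Keys) {
    # A policy line looks like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = $policy | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $granted = ($holders -contains $sid) -or
               ($priv -eq 'SeInteractiveLogonRight' -and $holders -contains $domainUsersSid)
    if ($granted) { $status = 'OK     ' } else { $status = 'MISSING'; $missing += $priv }
    Write-Host ("{0} {1} ({2})" -f $status, $Required[$priv], $priv)
}

if ($missing.Count -gt 0) {
    Write-Warning "Grant the missing rights to $Account before running IdentitySwitcher."
    exit 1
}
```

Run it on the Vault server itself, since user rights are evaluated on the machine where the web service runs.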
Log on to the machine running the Vault Server using the impersonated Windows account. This ensures that the normal profile folders are created for that user's %APPDATA% location (i.e. C:\Documents and Settings\VaultShadowFolderAccount\Application Data).
You are now ready for the IdentitySwitcher. The IdentitySwitcher utility can be downloaded below.
You will be prompted for several things during the identity configuration:
1. The location of the Vault web.config.
2. The username and password of the domain user to impersonate. This user must already exist. If you cannot connect to the domain, make sure that you are running IdentitySwitcher as a domain user.
3. If you have configured Vault to use Windows authentication to connect to SQL Server, you will be prompted for the location of the SQL Server instance and for credentials, so that the domain user can be added as a SQL Server login and granted permission to use the Vault database.