The following article lists a set of instructions you can use to configure Vault Server to run under an impersonated account. The example in this article uses a Domain Account. Note, it is unknown if a "mirrored" account will work, and that configuration is currently unsupported.
The text for this article was adapted from https://msdn.microsoft.com/en-us/library/ff649223.aspx
- Determine the Impersonation .NET Domain Account -
If you do not already have a domain account available for use, create a new Domain User Account.
To Create an account:
Create an actual account on the Domain - for example, "MYDOMAIN\VaultServerAccount".
- Make sure to use a strong password for the account.
- Clear the "User must change password at next logon" option.
- Select the "User cannot change password" option.
- Select the "Password never expires" option.
- Log into the IIS/Vault Server machine as MYDOMAIN\VaultServerAccount using the password from the previous step.
- Verify the Domain Administrator (MYDOMAIN\Administrator) has full administrative (sysadmin) rights on SQL Server.
- If SQL Server will be installed on a different machine than the Vault Server, use SQL Server Configuration Manager, and review the SQL Server Network Configuration to ensure the network protocols are enabled. Most likely, TCP/IP can be used for the SQL Server traffic.
- Note, the 32/64 bit Client Protocols may also have TCP/IP enabled, but it is uncertain if this is necessary for connectivity.
- Log into the IIS/Vault Server machine as MYDOMAIN\Administrator
- Add Web Server Role and Web Services for ASP.NET. If you expand Application Development, and select the ASP.NET node, it should check the other required components (ISAPI Extensions, ISAPI filters, ASP.NET, etc.). Unchecked items may include ASP, CGI and Server Side Includes.
Next, from the Computer Management utility in the Control Panel, for Local Users and Groups, add MYDOMAIN\VaultServerAccount to the IIS_USRS group. This should automatically assign the correct permissions necessary for the Domain User to run an IIS Application Pool.
Finally, install the Vault Server.
- While still logged into the Vault Server as MYDOMAIN\Administrator, using an elevated command prompt running as Administrator, execute the command to launch msiexe.exe with the Vault Server installation. For example, "msiexec /i \\Path\to\VaultServer....msi"
- On the "Choose IIS Process User", choose Custom, and enter the MYDOMAIN\VaultServerAccount and password.
- On the SQL Server dialog, depending on the location of SQL Server, you can use (local)[\instancename] or the TCP/IP hostname[\instancename] of your SQL Server, and choose the SQL authentication mode of how you would like the Vault Server to connect to SQL Server (either SQL Authentication or Windows Authentication)