4.1 Setting up user accounts

For details of the procedures needed to set up your user accounts, see your Microsoft documentation.

Note: You are recommended to set up the MyID user accounts so that the passwords do not expire. If your organization's security policy does not allow this, you must make use of MyID's system for monitoring the expiry of system credentials; see the Monitoring the expiry of system credentials section in the Advanced Configuration Guide for details. If you need to change the password for the MyID user accounts, you can use the Password Change Tool; see the Password Change Tool guide for details.

4.1.1 Installation account

SIU references: SIU-040, SIU-041, SIU-042, SIU-043, SIU-044, SIU-217.

We recommend that your installation is carried out using a domain user that is part of the local Administrator group. This ensures the correct set-up and permissions for your installation.

The account must have the following properties:

You are recommended to use this account for performing all installation and maintenance procedures related to MyID, including subsequent patch installation.

Note: You are also recommended to ensure that the installation user is permitted to impersonate a client after authentication. On rare occasions, Windows service packs have caused installation problems that assigning this user right will overcome.

On both the application server and the web server, use the Windows Local Security Policy Editor to add the Impersonate a client after authentication option from the User Rights Assignment section of the Local Policies to the installation user.

Note: You are recommended to define the MyID user accounts under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist. If you put the accounts in a different organizational unit, the System Interrogation Utility will be unable to detect the account.

4.1.2 MyID COM+ account

SIU references: SIU-045, SIU-046, SIU-047, SIU-048, SIU-049, SIU-050, SIU-051.

You must have the name and password of the account that will be used to run the MyID service. This information is required during the installation.

After creating the account, on the MyID application server:

  1. Run the Local Security Policy application.
  2. Under Local Policies, select User Rights Assignment.
  3. Double-click Log on as a service.
  4. Add the MyID COM+ user, then click OK to save the changes.

Note: When the MyID installation program sets the COM+ user as the COM+ identity for the MyID components, COM+ automatically adds the Log on as a batch job privilege. This privilege is required for the correct operation of COM+ components – make sure that the group policy does not remove the privilege.

4.1.3 IIS user account

SIU references: SIU-053, SIU-054, SIU-055, SIU-056, SIU-057, SIU-058.

You will need to enter the name and password of a valid IIS user account during the installation process.

After creating the account, on the MyID web server:

  1. Run the Local Security Policy application.
  2. Under Local Policies, select User Rights Assignment.
  3. Double-click Log on as a service.
  4. Add the MyID IIS user, then click OK to save the changes.

4.1.4 Web service user account

SIU references: SIU-059, SIU-060, SIU-061, SIU-062, SIU-063, SIU-064.

You will need to enter the name and password of a valid user account to be used for the MyID web services during the installation process.

After creating the account, on the MyID web services server:

  1. Run the Local Security Policy application.
  2. Under Local Policies, select User Rights Assignment.
  3. Double-click Log on as a service.
  4. Add the MyID web service user, then click OK to save the changes.

4.1.5 MyID Authentication account

SIU references: SIU-310, SIU-311, SIU-312, SIU-313, SIU-314, SIU-315, SIU-316.

You must have the name and password of the account that will be used to access the authentication database and access the authentication web service app pool. This information is required during the installation.

After creating the account, on the server running the MyID authentication web service:

  1. Run the Local Security Policy application.
  2. Under Local Policies, select User Rights Assignment.
  3. Double-click Log on as a service.
  4. Add the MyID authentication user, then click OK to save the changes.
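Once the accounts in sections 4.1.1 to 4.1.5 have been set up, the following PowerShell script (added here, not part of the MyID guide) exports the local security policy with secedit and reports whether each account directly holds the user right assigned above: Impersonate a client after authentication for the installation account, Log on as a service for the others, and Log on as a batch job for the COM+ account as noted in 4.1.2. The account names are placeholders; run it elevated on each server and keep only the accounts relevant there.

```powershell
# Added example: verify MyID service-account user rights on the local server.
# Not part of the MyID guide; account names are placeholders for your domain.
# Run from an elevated PowerShell 5.1+ prompt on the server being checked.

function Test-MyIDUserRights {
    param([hashtable]$Required)

    # secedit writes the local policy database (as applied, after any group
    # policy refresh) to a UTF-16 .inf file; only the USER_RIGHTS area is needed.
    $cfg = Join-Path $env:TEMP 'myid-secpol.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # Parse [Privilege Rights], e.g. "SeServiceLogonRight = *S-1-5-20,*S-1-5-21-..."
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -Path $cfg -Force

    foreach ($account in $Required.Keys) {
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $null }   # account does not resolve on this server
        foreach ($right in $Required[$account]) {
            $holders = $rights[$right]
            # Direct assignment only: a right inherited through group membership is not seen here.
            $granted = ($null -ne $sid) -and (($holders -contains $sid) -or ($holders -contains $account))
            [pscustomobject]@{ Account = $account; Right = $right; Resolved = ($null -ne $sid); Granted = $granted }
        }
    }
}

# Placeholder accounts mapped to the rights from sections 4.1.1 to 4.1.5.
$required = @{
    'DOMAIN\myid-install'    = @('SeImpersonatePrivilege')                    # 4.1.1
    'DOMAIN\myid-complus'    = @('SeServiceLogonRight', 'SeBatchLogonRight')  # 4.1.2
    'DOMAIN\myid-iis'        = @('SeServiceLogonRight')                       # 4.1.3
    'DOMAIN\myid-webservice' = @('SeServiceLogonRight')                       # 4.1.4
    'DOMAIN\myid-auth'       = @('SeServiceLogonRight')                       # 4.1.5
}
Test-MyIDUserRights -Required $required | Format-Table -AutoSize
```

A row with Granted = False for the COM+ account and SeBatchLogonRight after installation is the sign that group policy is stripping the privilege the note in 4.1.2 warns about.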

4.1.6 SQL Server account

If you are using MyID with a SQL Server installation, Windows Authentication mode is required for communications between the MyID application server and the database.

If you are using MyID with SQL Azure, SQL Authentication is used. See the Prerequisites section in the Microsoft Azure Integration Guide. For more information about SQL Server Authentication, contact your DBA, or see the Microsoft documentation.