4.1 Setting up user accounts
For details of the procedures needed to set up your user accounts, see your Microsoft documentation.
Note: You are recommended to set up the MyID user accounts so that the passwords do not expire. If your organization's security policy does not allow this, you must make use of MyID's system for monitoring the expiry of system credentials; see the Monitoring the expiry of system credentials section in the Advanced Configuration Guide for details. If you need to change the password for the MyID user accounts, you can use the Password Change Tool; see the Password Change Tool guide for details.
4.1.1 Installation account
SIU references: SIU-040, SIU-041, SIU-042, SIU-043, SIU-044, SIU-217.
We recommend that your installation is carried out using a domain user that is a member of the local Administrators group. This ensures the correct set-up and permissions for your installation.
The account must have the following properties:
- Must be a member of Domain Users.
- Must be a member of the local Administrators group on the Application Server.
- Must be a member of the local Administrators group on the Web Server.
- Must be a member of the local Administrators group on the Database Server, if you intend to carry out any installations directly on the database server, rather than remotely from the application server.
- Must have dbcreator and public Server Role privileges for their logon to SQL Server.
  Note: If you are installing into an existing database (for example, when upgrading an existing MyID system), and do not need to create any new databases, you can omit the dbcreator permission as long as you ensure that the installation user has db_owner permissions on all MyID databases (including archive databases).
- Must have an effective permission of ALTER ANY LOGIN within SQL Server.
  This permission is required to allow the installation user to create the MyID COM+ user as a login in SQL Server. You can assign this permission by temporarily granting the sysadmin Server Role until you have completed the installation; alternatively, you can add the MyID COM+ and MyID Authentication users as logins to SQL Server manually.
  If you add the MyID COM+ and MyID Authentication users manually, they must have the following roles:
  MyID COM+ user on the MyID database:
    - db_datareader
    - db_datawriter
    - public
  MyID COM+ user on the authentication database:
    - db_datareader
    - db_datawriter
    - public
  MyID Authentication user on the MyID database:
    - db_datareader
    - public
  MyID Authentication user on the authentication database:
    - db_datareader
    - db_datawriter
    - public
- You are recommended to use this account for performing all installation and maintenance procedures related to MyID, including subsequent patch installation.
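As an added example, not Intercede's code and not part of this guide, the following PowerShell script creates the MyID COM+ and MyID Authentication logins manually and grants exactly the database roles listed above, for the case where you prefer not to grant the installation user the sysadmin Server Role. The instance name, domain, account names and database names are placeholders. It needs the SqlServer module (Invoke-Sqlcmd) and must be run as a login that holds ALTER ANY LOGIN and db_owner on both databases.

```powershell
# Added example, not Intercede's code. Creates the MyID COM+ and MyID Authentication logins
# and grants the per-database roles listed in the guide. All names below are placeholders.
Import-Module SqlServer

$Instance = 'SQLSRV01'                     # SQL Server instance (placeholder)
$ComUser  = 'CONTOSO\svc-myid-com'         # MyID COM+ account (placeholder)
$AuthUser = 'CONTOSO\svc-myid-auth'        # MyID Authentication account (placeholder)
$MyIDDb   = 'MyID'                         # MyID database name (placeholder)
$AuthDb   = 'MyIDAuth'                     # authentication database name (placeholder)

# Role matrix from the guide. 'public' is not listed here because every database user
# is a member of public automatically, so there is nothing to grant for it.
$Grants = @(
    @{ Login = $ComUser;  Database = $MyIDDb; Roles = 'db_datareader', 'db_datawriter' }
    @{ Login = $ComUser;  Database = $AuthDb; Roles = 'db_datareader', 'db_datawriter' }
    @{ Login = $AuthUser; Database = $MyIDDb; Roles = 'db_datareader' }
    @{ Login = $AuthUser; Database = $AuthDb; Roles = 'db_datareader', 'db_datawriter' }
)

# Server level: a Windows login for each account (safe to re-run).
foreach ($login in @($ComUser, $AuthUser)) {
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $sql
}

# Database level: map each login to a user and add only the roles the guide lists.
foreach ($g in $Grants) {
    $roleSql = ($g.Roles | ForEach-Object { "ALTER ROLE [$_] ADD MEMBER [$($g.Login)];" }) -join "`n"
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$($g.Login)')
    CREATE USER [$($g.Login)] FOR LOGIN [$($g.Login)];
$roleSql
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database $g.Database -Query $sql
}

# Verification: list the role memberships of both accounts in each database so they can be
# compared against the guide's table before the installer is run.
$check = @"
SELECT DB_NAME() AS [database], m.name AS [login], r.name AS [role]
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'$ComUser', N'$AuthUser')
ORDER BY m.name, r.name;
"@
foreach ($db in @($MyIDDb, $AuthDb)) {
    Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query $check | Format-Table -AutoSize
}
```

The script grants the read/write roles only, so an account that needs no write access to the MyID database (the Authentication user) ends up with db_datareader and public and nothing more. Recent versions of the SqlServer module encrypt connections by default; if your instance does not present a trusted certificate, add the connection parameters your environment requires to the Invoke-Sqlcmd calls.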
Note: You are also recommended to ensure that the installation user is permitted to impersonate a client after authentication. On rare occasions, Windows service packs have caused installation problems that granting this right will overcome.
On both the application server and the web server, use the Windows Local Security Policy Editor to add the Impersonate a client after authentication option from the User Rights Assignment section of the Local Policies to the installation user.
Note: You are recommended to define the MyID user accounts under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist. If you put the accounts in a different organizational unit, the System Interrogation Utility will be unable to detect the account.
4.1.2 MyID COM+ account
SIU references: SIU-045, SIU-046, SIU-047, SIU-048, SIU-049, SIU-050, SIU-051.
You must have the name and password of the account that will be used to run the MyID service. This information is required during the installation.
- Create the account before installing MyID.
- Set the password for the account so that it does not expire.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- Ensure the account is active (not disabled), unlocked, and does not expire.
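The account properties listed above are the same for the COM+, IIS, web service and authentication accounts. As an added example, not Intercede's code, the following PowerShell script creates one such account in the Service Accounts OU with a non-expiring password, adds it to Distributed COM Users on each MyID server, and then reports the properties the guide asks you to verify. The domain, OU path, account name and server names are placeholders; it needs the RSAT ActiveDirectory module, rights to create users in that OU, and administrative access to the servers' local groups.

```powershell
# Added example, not Intercede's code. Creates a MyID service account with the properties listed
# in the guide and adds it to Distributed COM Users on each MyID server. Requires the RSAT
# ActiveDirectory module. Domain, OU, account and server names are placeholders.
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=local'
$NetBios  = 'CONTOSO'
$Sam      = 'svc-myid-com'                            # MyID COM+ account (placeholder)
$Upn      = "$Sam@contoso.local"
$OuPath   = "OU=Service Accounts,$DomainDn"
$Servers  = 'MYID-WEB01', 'MYID-APP01', 'MYID-SQL01'  # web, application, database servers (placeholders)

# The System Interrogation Utility looks for MyID accounts under the Service Accounts OU,
# so create it if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Service Accounts'" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Service Accounts' -Path $DomainDn
}

# Create the account: enabled, password never expires, no forced change at logon, no expiry date.
# Domain Users is the default primary group of a new user, so no explicit group add is needed.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    $password = Read-Host -AsSecureString -Prompt "Password for $Sam"
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn -Path $OuPath `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
        -ChangePasswordAtLogon $false -Description 'MyID COM+ service account'
}

# Add the account to the local Distributed COM Users group on every MyID server (safe to re-run).
foreach ($server in $Servers) {
    Invoke-Command -ComputerName $server -ArgumentList "$NetBios\$Sam" -ScriptBlock {
        param($Member)
        $group = 'Distributed COM Users'
        if (-not (Get-LocalGroupMember -Group $group -Member $Member -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $group -Member $Member
        }
    }
}

# Verify the properties the guide asks for: in the right OU, active, unlocked, non-expiring.
$u = Get-ADUser $Sam -Properties PasswordNeverExpires, LockedOut, AccountExpirationDate, DistinguishedName
$expires = if ($u.AccountExpirationDate) { $u.AccountExpirationDate } else { 'never' }
[pscustomobject]@{
    Account              = "$NetBios\$Sam"
    InServiceAccountsOU  = $u.DistinguishedName -like "*,$OuPath"
    Enabled              = $u.Enabled
    LockedOut            = $u.LockedOut
    PasswordNeverExpires = $u.PasswordNeverExpires
    AccountExpires       = $expires
}
```

Run the same script with a different account name and description for the IIS, web service and authentication accounts. Keeping the final report in your build records gives you the evidence the SIU checks (SIU-045 to SIU-050 and their equivalents for the other accounts) are looking for.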
After creating the account, on the MyID application server:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID COM+ user, then click OK to save the changes.
Note: When the MyID installation program sets the COM+ user as the COM+ identity for the MyID components, COM+ automatically adds the Log on as a batch job privilege. This privilege is required for the correct operation of COM+ components – make sure that the group policy does not remove the privilege.
4.1.3 IIS user account
SIU references: SIU-053, SIU-054, SIU-055, SIU-056, SIU-057, SIU-058.
You will need to enter the name and password of a valid IIS user account during the installation process.
- Create the account before installing MyID.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- Set the password for the account so that it does not expire.
- Ensure the account is active (not disabled), unlocked, and does not expire.
- If the manualGroupMembership setting in IIS (available in the Configuration Editor in IIS, in the system.applicationHost/applicationPools/applicationPoolDefaults/processModel section) is set to True (the default is False), you must add the user to the IIS_IUSRS group on both the domain and the local machine.
After creating the account, on the MyID web server:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID IIS user, then click OK to save the changes.
4.1.4 Web service user account
SIU references: SIU-059, SIU-060, SIU-061, SIU-062, SIU-063, SIU-064.
You will need to enter the name and password of a valid user account to be used for the MyID web services during the installation process.
- Create the account before installing MyID.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- Set the password for the account so that it does not expire.
- Ensure the account is active (not disabled), unlocked, and does not expire.
- If the manualGroupMembership setting in IIS (available in the Configuration Editor in IIS, in the system.applicationHost/applicationPools/applicationPoolDefaults/processModel section) is set to True (the default is False), you must add the user to the IIS_IUSRS group on both the domain and the local machine.
After creating the account, on the MyID web services server:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID web service user, then click OK to save the changes.
4.1.5 MyID Authentication account
SIU references: SIU-310, SIU-311, SIU-312, SIU-313, SIU-314, SIU-315, SIU-316.
You must have the name and password of the account that will be used to access the authentication database and access the authentication web service app pool. This information is required during the installation.
- Create the account before installing MyID.
- Set the password for the account so that it does not expire.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- Ensure the account is active (not disabled), unlocked, and does not expire.
- If the manualGroupMembership setting in IIS (available in the Configuration Editor in IIS, in the system.applicationHost/applicationPools/applicationPoolDefaults/processModel section) is set to True (the default is False), you must add the user to the IIS_IUSRS group on both the domain and the local machine.
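The manualGroupMembership check applies equally to the IIS account (4.1.3), the web service account (4.1.4) and the authentication account (4.1.5). As an added example, not Intercede's code, the following PowerShell script reads the setting from the application pool defaults on the web server and, only when it is True, adds the account to the local IIS_IUSRS group. The account name is a placeholder; the script needs the WebAdministration module that ships with IIS and must be run elevated on the web server.

```powershell
# Added example, not Intercede's code. Reads manualGroupMembership from the application pool
# defaults and, only when it is True, adds the MyID IIS / web service / authentication account
# to the local IIS_IUSRS group. Run elevated on the web server. The account name is a placeholder.
Import-Module WebAdministration

$Account = 'CONTOSO\svc-myid-iis'   # placeholder: the IIS, web service or authentication account

# Same section the guide points to in the IIS Configuration Editor.
$processModel = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.applicationHost/applicationPools/applicationPoolDefaults/processModel'
$manual = [bool]$processModel.manualGroupMembership

"manualGroupMembership = $manual (default is False)"

if ($manual) {
    # With manualGroupMembership set to True, IIS does not add the IIS_IUSRS SID to the worker
    # process token itself, so the pool identity must be a real member of the local group.
    $member = Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account -ErrorAction SilentlyContinue
    if (-not $member) {
        Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account
        "Added $Account to the local IIS_IUSRS group"
    } else {
        "$Account is already a member of the local IIS_IUSRS group"
    }
    # The guide also requires membership of IIS_IUSRS on the domain. That group is specific to
    # your directory, so add the account to it with Add-ADGroupMember using your own group name.
} else {
    "No IIS_IUSRS membership is needed for $Account"
}
```

Because the default is False, most installations print the first line and stop; the branch only runs on servers where the setting has been changed, which is the case the SIU checks are designed to catch.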
After creating the account, on the server running the MyID authentication web service:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID authentication user, then click OK to save the changes.
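The Log on as a service steps are identical for the COM+ (4.1.2), IIS (4.1.3), web service (4.1.4) and authentication (4.1.5) accounts, and the Impersonate a client after authentication step for the installation account (4.1.1) uses the same Local Security Policy mechanism. As an added example, not Intercede's code, the following PowerShell script grants those user rights with secedit instead of the Local Security Policy editor, keeping the existing members of each right, and then reports whether Log on as a batch job is present on the COM+ account (the privilege the note in 4.1.2 says COM+ adds and group policy must not remove). Account names are placeholders; run it elevated on the server being configured.

```powershell
# Added example, not Intercede's code. Grants "Log on as a service" (SeServiceLogonRight) and
# "Impersonate a client after authentication" (SeImpersonatePrivilege) with secedit, then reports
# whether "Log on as a batch job" (SeBatchLogonRight) is present. Run elevated on the server
# being configured. Account names are placeholders.

function Get-AccountSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export the current User Rights Assignment and return the members of one right as '*SID' tokens.
function Get-UserRightMembers([string]$Right) {
    $export = Join-Path $env:TEMP 'ura-export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -like "$Right = *" }
    if (-not $line) { return @() }
    return @((($line -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim() })
}

function Test-UserRight([string]$Account, [string]$Right) {
    (Get-UserRightMembers $Right) -contains ('*' + (Get-AccountSid $Account))
}

# Add the account to each right, keeping the existing members, and import the result.
function Grant-UserRight([string]$Account, [string[]]$Rights) {
    $sidToken = '*' + (Get-AccountSid $Account)
    $inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $Rights) {
        $members = Get-UserRightMembers $right
        if ($members -notcontains $sidToken) { $members += $sidToken }
        $inf += "$right = " + ($members -join ',')
    }
    $import = Join-Path $env:TEMP 'ura-import.inf'
    Set-Content -Path $import -Value $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'ura.sdb') /cfg $import /areas USER_RIGHTS | Out-Null
}

# Usage: the COM+, IIS, web service and authentication accounts each need SeServiceLogonRight on
# their own server; the installation account additionally gets SeImpersonatePrivilege (4.1.1).
$ComAccount     = 'CONTOSO\svc-myid-com'       # placeholder
$InstallAccount = 'CONTOSO\svc-myid-install'   # placeholder
Grant-UserRight -Account $ComAccount     -Rights 'SeServiceLogonRight'
Grant-UserRight -Account $InstallAccount -Rights 'SeImpersonatePrivilege'

# Report. SeBatchLogonRight is added by COM+ when the installer sets the component identity;
# if it reads False for the COM+ account after installation, look for a group policy removing it.
foreach ($right in 'SeServiceLogonRight', 'SeImpersonatePrivilege', 'SeBatchLogonRight') {
    $com = Test-UserRight $ComAccount $right
    $ins = Test-UserRight $InstallAccount $right
    '{0,-24} COM+ account: {1,-5} installation account: {2}' -f $right, $com, $ins
}
```

Because the script merges into the exported list rather than overwriting it, the built-in members of each right (for example the service SIDs already holding Log on as a service) are preserved. If domain group policy also sets these rights, the policy wins at the next refresh, so the change must be made there instead.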
4.1.6 SQL Server account
If you are using MyID with a SQL Server installation, Windows Authentication mode is required for communications between the MyID application server and the database.
If you are using MyID with SQL Azure, SQL Authentication is used. See the Prerequisites section in the Microsoft Azure Integration Guide. For more information about SQL Server Authentication, contact your DBA, or see the Microsoft documentation.