6.1 Setting up user accounts
For details of the procedures needed to set up your user accounts, see your Microsoft documentation.
Note: You are recommended to set up the MyID user accounts so that the passwords do not expire. If your organization's security policy does not allow this, you must make use of MyID's system for monitoring the expiry of system credentials; see the Monitoring the expiry of system credentials section in the Advanced Configuration Guide for details. If you need to change the password for the MyID user accounts, you can use the Password Change Tool; see the Password Change Tool guide for details.
6.1.1 User account name format
MyID CMS supports user account names in the format:
<domain>\<account>
where:
- <domain> is the NETBIOS domain name.
- <account> is the sAMAccountName. Note: Due to the limitations of the sAMAccountName field in Active Directory, this account name cannot exceed 20 characters.
For example:
MYDOMAIN\MyUserAccount
Important: MyID CMS does not support account names in the UPN format:
<logon>@<DNS domain>
6.1.2 Installation account
SIU references: SIU-040, SIU-041, SIU-042, SIU-043, SIU-044, SIU-217.
We recommend that your installation is carried out using a domain user that is part of the local Administrator group. This ensures the correct set-up and permissions for your installation.
The account must have the following properties:
- Must be a member of Domain Users.
- Must be a member of the local Administrators group on the application server.
- Must be a member of the local Administrators group on the web server.
- Must be a member of the local Administrators group on the database server, if you intend to carry out any installations directly on the database server, rather than remotely from the application server.
- If the database does not already exist, must have sysadmin privileges for their logon to SQL Server. This allows you to create databases and add the MyID COM and Authentication users as logins to SQL Server.
- If the database does already exist (for example, when upgrading an existing MyID system, or installing a new system where your DBA has already created an empty database), and you do not need to create any new databases or logins, you can omit the sysadmin permission as long as you ensure that the installation user has db_owner permissions on all MyID databases (including archive databases).
  If the database already exists, the installation user must have the Default Schema set to dbo for the MyID database. If the default schema is set to something different, an error similar to the following may appear when running the installation program:
  Error 27506. Error executing SQL script schema.sql. Line 2685. The default schema does not exist. (2797)
  If you do not want to grant the installation user sysadmin privileges, you must also add the MyID COM+ and MyID Authentication users as logins to SQL Server manually. If you add the MyID COM+ and MyID Authentication users manually, you must do so before running the installation process. The user accounts must have the following roles:
  MyID COM+ user on the MyID database:
  - db_datareader
  - db_datawriter
  - public
  MyID COM+ user on the authentication database:
  - db_datareader
  - db_datawriter
  - public
  MyID Authentication user on the MyID database:
  - db_datareader
  - public
  MyID Authentication user on the authentication database:
  - db_datareader
  - db_datawriter
  - public
  If these users do not exist with the above permissions, or the installation user does not have the ALTER ANY LOGIN permission to update SQL Server with the above permissions (as provided by the sysadmin privilege), the installation process will display errors, the eCertificate service will be unable to start, and you will be unable to run GenMaster.
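As an added example (not part of the MyID documentation or the product), the following PowerShell script creates the SQL Server logins and the database role memberships listed above for the case where the installation user will not hold sysadmin, and reports the installation user's default schema in the MyID database. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd); the server, database and account names are placeholders.

```powershell
Import-Module SqlServer

function Grant-MyIDDatabaseRoles {
    param(
        [string]$ServerInstance = 'SQLSERVER01',        # placeholder server
        [string]$MyIDDatabase   = 'MyID',               # placeholder database names
        [string]$AuthDatabase   = 'MyIDAuth',
        [string]$ComUser        = 'MYDOMAIN\MyIDCOM',   # MyID COM+ user (placeholder)
        [string]$AuthUser       = 'MYDOMAIN\MyIDAuth'   # MyID Authentication user (placeholder)
    )
    # Role matrix from the section above. Every database user belongs to 'public' automatically,
    # so only db_datareader / db_datawriter need to be granted.
    $matrix = @{}
    $matrix[$MyIDDatabase] = @{ $ComUser = @('db_datareader', 'db_datawriter'); $AuthUser = @('db_datareader') }
    $matrix[$AuthDatabase] = @{ $ComUser = @('db_datareader', 'db_datawriter'); $AuthUser = @('db_datareader', 'db_datawriter') }

    foreach ($login in $ComUser, $AuthUser) {
        # Server-level login; this needs ALTER ANY LOGIN, which the sysadmin role provides.
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    }
    foreach ($db in $matrix.Keys) {
        foreach ($login in $matrix[$db].Keys) {
            # Database user with default schema dbo, then the role memberships for this database.
            $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login] WITH DEFAULT_SCHEMA = [dbo];
"@
            foreach ($role in $matrix[$db][$login]) { $sql += "`nALTER ROLE [$role] ADD MEMBER [$login];" }
            Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $db -Query $sql
        }
    }
}

# Returns the installation user's default schema in the MyID database. Anything other than
# 'dbo' is what produces the 'Error 27506 ... The default schema does not exist' failure above.
function Get-MyIDInstallUserSchema {
    param([string]$ServerInstance = 'SQLSERVER01', [string]$Database = 'MyID', [string]$InstallUser = 'MYDOMAIN\MyIDInstall')
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query @"
SELECT default_schema_name FROM sys.database_principals WHERE name = N'$InstallUser';
"@
    return $row.default_schema_name
}
```

Run Grant-MyIDDatabaseRoles before the installation program, as the text above requires, and confirm Get-MyIDInstallUserSchema returns dbo.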
You are recommended to use this account for performing all installation and maintenance procedures related to MyID, including subsequent patch installation.
Note: You are recommended to define the MyID user accounts under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist. If you put the accounts in a different organizational unit, the System Interrogation Utility will be unable to detect the account.
6.1.3 MyID COM+ account
SIU references: SIU-045, SIU-046, SIU-047, SIU-048, SIU-049, SIU-050, SIU-051, SIU-276.
You must have the name and password of the account that will be used to run the MyID service. This information is required during the installation.
- Create the account before installing MyID.
- Set the password for the account so that it does not expire.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- The account should not be a member of the Domain Admins or the Enterprise Admins domain groups.
- Ensure the account is active (not disabled), unlocked, and does not expire.
Note: When you install MyID using the MyID Installation Assistant, these settings are checked on the Pre-Installation Check Results screen; if you need to change these settings, you can use the fix-it script provided on that screen. See section 2.18, Pre-installation check results for details.
After creating the account, on the MyID application server:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID COM+ user, then click OK to save the changes.
Note: When the MyID installation program sets the COM+ user as the COM+ identity for the MyID components, COM+ automatically adds the Log on as a batch job privilege. This privilege is required for the correct operation of COM+ components – make sure that the group policy does not remove the privilege.
6.1.4 IIS user account
SIU references: SIU-053, SIU-054, SIU-055, SIU-056, SIU-057, SIU-058, SIU-277.
You will need to enter the name and password of a valid IIS user account during the installation process.
- Create the account before installing MyID.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- The account should not be a member of the Domain Admins or the Enterprise Admins domain groups.
- Set the password for the account so that it does not expire.
- Ensure the account is active (not disabled), unlocked, and does not expire.
- If the manualGroupMembership setting in IIS (available in the Configuration Editor in IIS, in the system.applicationHost/applicationPools/applicationPoolDefaults/processModel section) is set to True (the default is False), you must add the user to the IIS_IUSRS group on both the domain and the local machine.
Note: When you install MyID using the MyID Installation Assistant, these settings are checked on the Pre-Installation Check Results screen; if you need to change these settings, you can use the fix-it script provided on that screen. See section 2.18, Pre-installation check results for details.
After creating the account, on the MyID web server:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID IIS user, then click OK to save the changes.
Note: The MyID IIS user account requires the Log on as a batch job privilege – make sure that the group policy does not remove the privilege.
6.1.5 Web service user account
SIU references: SIU-059, SIU-060, SIU-061, SIU-062, SIU-063, SIU-064, SIU-278.
You will need to enter the name and password of a valid user account to be used for the MyID web services during the installation process.
- Create the account before installing MyID.
- You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist.
- Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers.
- The account should not be a member of the Domain Admins or the Enterprise Admins domain groups.
- Set the password for the account so that it does not expire.
- Ensure the account is active (not disabled), unlocked, and does not expire.
- If the manualGroupMembership setting in IIS (available in the Configuration Editor in IIS, in the system.applicationHost/applicationPools/applicationPoolDefaults/processModel section) is set to True (the default is False), you must add the user to the IIS_IUSRS group on both the domain and the local machine.
Note: When you install MyID using the MyID Installation Assistant, these settings are checked on the Pre-Installation Check Results screen; if you need to change these settings, you can use the fix-it script provided on that screen. See section 2.18, Pre-installation check results for details.
After creating the account, on the MyID web services server:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID web service user, then click OK to save the changes.
Note: The web service user account requires the Log on as a batch job privilege – make sure that the group policy does not remove the privilege.
6.1.6 MyID Authentication account
SIU references: SIU-310, SIU-311, SIU-312, SIU-313, SIU-314, SIU-315, SIU-316.
You must have the name and password of the account that will be used to access the authentication database and access the authentication web service app pool. This information is required during the installation.
- 
                        Create the account before installing MyID. 
- 
                        Set the password for the account so that it does not expire. 
- 
                        You are recommended to define the user under the organizational unit Service Accounts in the LDAP directory. Create the Service Accounts OU if it does not already exist. 
- 
                        Set the user as a member of the domain group Domain Users and the local group Distributed COM Users on the web, application, and database servers. 
- 
                        Ensure the account is active (not disabled), unlocked, and does not expire. 
- 
                        If the manualGroupMembership setting in IIS (available in the Configuration Editor in IIS, in the system.applicationHost/applicationPools/applicationPoolDefaults/processModel section) is set to True (the default is False), you must add the user to the IIS_IUSRS group on both the domain and the local machine. 
Note: When you install MyID using the MyID Installation Assistant, these settings are checked on the Pre-Installation Check Results screen; if you need to change these settings, you can use the fix-it script provided on that screen. See section 2.18, Pre-installation check results for details.
After creating the account, on the server running the MyID authentication web service:
- Run the Local Security Policy application.
- Under Local Policies, select User Rights Assignment.
- Double-click Log on as a service.
- Add the MyID authentication user, then click OK to save the changes.
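The account requirements in sections 6.1.3 to 6.1.6, the name format in 6.1.1 and the Log on as a service and Log on as a batch job privileges can be verified before running the installer. The following PowerShell check is an added example, not the MyID fix-it script or any code from the product; it assumes the ActiveDirectory (RSAT) module is installed, that it runs on the server being checked (web, application or database server), and that the account name is a placeholder.

```powershell
Import-Module ActiveDirectory

function Test-MyIDServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,        # <domain>\<account>, for example MYDOMAIN\MyIDCOM
        [string]$ServiceOU = 'Service Accounts',
        [string[]]$ForbiddenGroups = @('Domain Admins', 'Enterprise Admins')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 6.1.1: NETBIOS\sAMAccountName only; UPN is not supported; sAMAccountName is at most 20 characters.
    if ($Name -match '@') { $findings.Add("UPN format is not supported: $Name"); return $findings }
    if ($Name -notmatch '^[^\\]+\\(?<account>[^\\]+)$') { $findings.Add("Expected <domain>\<account>: $Name"); return $findings }
    $account = $Matches.account
    if ($account.Length -gt 20) { $findings.Add("sAMAccountName exceeds 20 characters: $account") }

    $props = 'Enabled', 'LockedOut', 'PasswordNeverExpires', 'AccountExpirationDate', 'MemberOf', 'PrimaryGroup', 'DistinguishedName'
    $user = Get-ADUser -Identity $account -Properties $props
    if (-not $user.Enabled)              { $findings.Add('Account is disabled') }
    if ($user.LockedOut)                 { $findings.Add('Account is locked out') }
    if (-not $user.PasswordNeverExpires) { $findings.Add('Password is set to expire') }
    if ($user.AccountExpirationDate)     { $findings.Add("Account expires on $($user.AccountExpirationDate)") }
    if ($user.DistinguishedName -notmatch "OU=$ServiceOU,") { $findings.Add("Account is not under the '$ServiceOU' OU") }

    # Domain groups: Domain Users is normally the primary group, so it does not appear in MemberOf.
    $groups = @(@($user.MemberOf) + @($user.PrimaryGroup) | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    if ($groups -notcontains 'Domain Users') { $findings.Add('Account is not a member of Domain Users') }
    foreach ($g in $ForbiddenGroups) { if ($groups -contains $g) { $findings.Add("Account is a member of $g") } }

    # Local group membership on this server (member names are reported as DOMAIN\account).
    $dcom = @(Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction SilentlyContinue)
    if ($dcom.Name -notcontains $Name) { $findings.Add('Account is not in the local Distributed COM Users group') }

    # Log on as a service / as a batch job, read from the exported local security policy, where
    # each right is a line such as SeServiceLogonRight = *S-1-5-21-...,*S-1-5-...
    $cfg = Join-Path $env:TEMP 'myid-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $sid = $user.SID.Value
    foreach ($right in 'SeServiceLogonRight', 'SeBatchLogonRight') {
        $line = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
        if (-not $line -or $line.Line -notmatch [regex]::Escape("*$sid")) { $findings.Add("Account lacks $right on this server") }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $findings
}

# An empty result means every requirement checked here is met on this server.
Test-MyIDServiceAccount -Name 'MYDOMAIN\MyIDCOM'
```

Run it once per MyID account on each of the web, application and database servers, since the local group and user-rights checks are per machine.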
6.1.7 SQL Server account
If you are using SQL Authentication, you must set up logins with the appropriate permissions in SQL Server before installing MyID. See section 4.6.6, Configuring SQL Server for SQL Authentication for details.