RMS Service Account ConnectionString

Similar Messages

• ADRMS Install on Server 2012 - Invalid credentials presented error when supplying service account.

  Adding AD RMS to a 2012 Standard server.  At the point where it wants a service account.  I tried numerous accounts and it would give me the same error on all of them "Invalid credentials were presented.  Verify the correctness of the provided
  password."
  I tried more and less complex passwords with no change.  If I used a non-existant user name it would throw a different error so I know it's not that.
  I was able to get it to take the Domain Administrator account name and password.  Obviously I don't want to use that so I set the same password on a service account with no change in error.
  Attepted to logon with SA on the server.  Logon was successful.  Attempted install logged on as service account and got message "The service account cannot be the same account used to install AD RMS.  Please specify a different account".
  Am I missing something?
  There's no place like 127.0.0.1

  But to be clear, installing RMS on a Domain Controller is NOT recommended. Precisely for the reasons you found.
  Enrique Saggese - Sr. Program Manager - Information Protection - Microsoft Corporation

• How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"

  Can someone
  help with steps on how to add the following in SQL Server 2012 environments?<o:p></o:p>
  "Service Account Name" and "Display Name"<o:p></o:p>
  Your help will be greatly appreciated.<o:p></o:p>
  leonie6214

  Hello,
  Is the following article what you are looking for?
  http://msdn.microsoft.com/en-us/library/ms345578.aspx
  If not, could you explain a little bit more what you want to accomplish?
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• EWS API - Impersonating to update a calendar item created by any other user than a service account, raise an error "Access is denied. Check credentials and try again."

  Hi,
  I am new to using EWS managed APIs.
  Following is the issue:
  1. I am using a service account e.g. [email protected]. This user is a global administrator and also has ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab- > select Permissions
  on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> Click on save)
  2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected].
  3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
  I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
          private static void Impersonate(string organizer)
              string impersonatedUserSMTPAddress = organizer;
              ImpersonatedUserId impersonatedUserId =
                  new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
              service.ImpersonatedUserId = impersonatedUserId;
  4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." Whenever I try to
  update that event.
         private static void FindAndUpdate(ExchangeService service)
              CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
              cv.MaxItemsReturned = 25;
              try
                  FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
                  foreach (Appointment item in masterResults.Items)
                      if (item is Appointment)
                          Appointment masterItem = item as Appointment;
                          if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
                              masterItem.Load();
                              if (!masterItem.Subject.Contains(" (Updated content)"))
                                  //impersonate organizer to update and save for further use
                                  Impersonate(masterItem.Organizer.Address.ToString());
                                  // Update the subject and body
                                  masterItem.Subject = masterItem.Subject + " (Updated content)";
                                  string currentBodyType = masterItem.Body.BodyType.ToString();
                                  masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info:
  xxxxxxxxxxxx";
                                  // This results in an UpdateItem operation call to EWS.
                                  masterItem.Update(ConflictResolutionMode.AutoResolve);
                                  // Send updated notification to organizer of an appointment
                                  CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
                                  masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
                              else
                                  Console.WriteLine("Event is already updated. No need to update again.:\r\n");
                                  Console.WriteLine("Subject: " + masterItem.Subject);
                                  Console.WriteLine("Description: " + masterItem.Body.Text);
              catch (Exception ex)
                  Console.WriteLine("Error: " + ex.Message);
  5. What could be an issue here? Initially I thought may be its a throttling policy which is stopping same user after making certain API call limits for the day, but I am still seeing this issue today.
  Any help is appreciated.
  Thanks

  Your logic doesn't sound correct here eg
  2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
  3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
  I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
  When your connecting to [email protected] mailbox the only user that can make changes to items within
  abccalendar is abc (or ABC's delegates). If your impersonating the Organizer of the appointment pqr that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar
  appointment like that you should connect to the Organizers mailbox first update the original, send updates and then accept the updates.
  When you impersonate your impersonating the security context of the Mailbox your impersonating so its the same a logging on as that user in OWA or Outlook.
  Cheers
  Glen

• Service accounts for the Workspace Database service permission Error while creating Tabular Mode from PowerPivot

  Hi All,
  Please help me out against this issue. I have spent so much (3 working days) time just figuring out what is the issue and its solution.
  I am learning Tabular Mode and trying to create a mode based on PowerPivot model. I am getting following error message:
  'The PowerPivot workbook could not be imported. The service account for the workspace database server does not have permission to read from the PowerPivot workbook.'
  Here is my infrastructure:
  1. SSAS in Tabular Mode is installed on my Windows 8 Laptop
  2. PowerPivot is also in my laptop
  3. There is only my account (as Admin of course) for SSAS
  Here are my questions:
  1. What is this error and how can I cope with that? A step by step explanation would be highly appreciated :-)
  2. Do I need to change something in Windows settings or in SSAS?
  3. I am confused about my workspace database server as well, Do I have to install SSAS twice; one for development and one for workspace?
   Looking forward for the expert advise.
  Tahir
  Thanks, TA

  Hi,
  I suspect you might have more luck if you try the SSAS forum: http://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlanalysisservices
  Regards
  Jamie
  ObjectStorageHelper<T> – A WinRT utility for Windows 8 |
  http://sqlblog.com/blogs/jamie_thomson/ |
  @jamiet |
  About me

• SQL server agent job running as Agent Service Account whose service account does not have r/w access but is still able to write?

  Hi. I am newer to SQL server security and am reviewing some of our SQL server's configuration to make sure the services are running under accounts with least privilege.  I have a SQL server 2012 instance whose Agent service is configured to run
  under an AD user account named 'SQLServices'.  The jobs on this server are configured to run as 'SQL server agent service account', which means they should execute as user 'SQLServices'.  The jobs are set up to execute SSIS packages which read and
  write to a database on the same server where the agent job is scheduled and SSIS package installed (all on same server).  The jobs are currently executing without error and are reading writing data correctly.  Upon close examination, it turns out the
  SQLServices account is not assigned to the 'sysadmin' role and had no users mapped to any databases on this server.  How are these jobs working?  I verified in profiler that the login name indeed is 'SqlServices'.  I also verified
  that SQLServices login has no database access by remote-ing onto the server and trying to log into the DB, and access was denied as expected.  According to the literature, the Agent service needs to be a member of 'sysadmin role' but I am reading
  some cases where that is not necessarily the case.  So this is not so concerning.  What is concerning is that the login 'SQLServices' had no access to the databases on that server yet it is reading and writing to the databases as if it does. 
  The only thing I can think of is maybe jobs run as 'SQL server agent service account' on the same server as the databases it r/w to somehow has some kind of default access.  What am I missing here?  Any input would be helpful.

  After 2 days on this forum I found the answer to my own question.  In retrospect, I should have posted this under 'SQL Server Security', but I didn't know it existed.
  The 2 threads below explain that Sql agent actually runs using SID (service) NT SERVICE\SQLSERVERAGENT if you chose that when you installed.  This will automatically create an associated login NT SERVICE\SQLSERVERAGENT in SQL server with sqladmin
  role.  This is the login that Agent uses to connect to the local instance of SQL server.  If you changed to domain account to run the service during install or after using config manager, basically NT SERVICE\SQLSERVERAGENT is still
  used to connect to your local instance behind the scenes (even though you will still see your domain user as account), and the domain account is used to reach outside the server. 
  https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for
  https://social.technet.microsoft.com/Forums/sqlserver/en-US/b83a52fd-fe11-4c28-a27b-88be8ae79f2a/how-do-i-change-sql-server-agent-service-account-to-nt-servicesqlserveragent?forum=sqlsecurity

• Error occurred while accessing application id Excel services application unattended service account from secure store service

  Hi,
    I follow up the book "Professional SharePoint 2013 Administration" to build the SharePoint 2013 BI include Excel Services. and created the Secure Store services to save the user SP_Install for member.
  For Now, I can upload the worksheet and open it in browser, but when I tried to refresh it, the SP 2013 show error "Error occurred while accessing application id Excel services application unattended service account from secure store service".
   does anybody can help ? and do I need to turn on C2WTS ? 
  Thanks
  James Liang

  Hi James,
  Excel Services can be used with Secure Store in three primary scenarios:
  Unattended Service Account
  Embedded Connections
  External Data Connections
  If you haven't configure unattended service account yet, you could refer to the article below:
  http://technet.microsoft.com/en-us/library/hh525344(v=office.15).aspx
  More information:
  http://technet.microsoft.com/en-us/library/ff191191(v=office.15).aspx
  Regards,
  Rebecca Tu
  TechNet Community Support

• SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

  I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
  "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
  Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
  ID: 2607"
  What I've seen online is that this is usually becuase the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
  5) Neither service account is locked out
  Has anyone run in to this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
  Andrew Topp

  That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG
  as suggested by 331951, and that made absolutely no difference.
  1) My SCVMM service account is a local admin on the SCVMM server
  2) My SCVMM service account is a dbowner on the SCVMM database in SQL
  3) My SQL service account is a dbowner on the SCVMM database in SQL
  4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still
  "doesn't have access to AD DS," which is obviously untrue)
  The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

• Query relating to the creation of Managed Service Accounts

  Hi Folks
  I am studying for my 70-411 exam and have a query relating to the creation of Managed Service Accounts.
  I have successfully created an MSA account named 'MSATest' on a DC  using:
   new-adserviceaccount -name msatest –dnshostname home-dc-01 -passthru
  and
   add-AdcomputerServiceAccount -identity home-ap-01 -serviceaccount msatest -passthru
  However the guide that I am using now says that I now need to run:  Install-ADServiceAccount on the host computer in the domain to install the MSA in order to make available it available for use by services.
  So on my member server (home-ap-01) I have installed the Active Directory Module for powershell and ran:
  PS C:\Users\administrator.PCECORP> Install-ADServiceAccount -Identity msatest
  Install-ADServiceAccount : Cannot install service account. Error Message: 'An
  unspecified error has occurred'.
  At line:1 char:1
  + Install-ADServiceAccount -Identity msatest
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : WriteError: (msatest:String) [Install-ADServiceA
     ccount], ADException
      + FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:Install
     ServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.Insta
    llADServiceAccount
  PS C:\Users\administrator.PCECORP>
  However this errors, Have I misunderstood the purpose of the Install-ADServiceAccount ?  or am I doing something wrong?
  Thanks in advance for you help.

  Try using  -RestrictToSingleComputer parameter when creating service account with New-ADServiceAccount.
  Gleb.
  Hi Gleb
  Thank you for your help, it is appreciated.  That did the trick.
  All the best.

• Service account password change

  Hi.
  we have ADFS 3.0 ( 1 server, not a farm ) with groupmanaged service account. All Works fine. Now - i see on DC,  on one moment that password for this object has been changed.
  Description:
  An attempt was made to reset an
  account's password. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name:
  DC1$ Account Domain: DOMAIN Logon ID: 0x3e7 Target Account: Security ID:
  DOMAIN\First_gMSA$ Account Name: First_gMSA$ Account Domain: DOMAIN
  . And about ~40 min later login via ADFS to third party saas stopped to work.
  In security log on ADFS server following events started to show up.
  An account failed to log on.
  Subject:
  Security ID:  DOMAIN\First_gMSA$
  Account Name: First_gMSA$
  Account Domain:  DOMAIN
  Logon ID: 0x872CA
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: An Error occured during Logon.
  Status: 0xC000018D
  ADFS service runs under this account and after restarting service all was fine again.
  Error code should be - STATUS_TRUSTED_RELATIONSHIP_FAILURE
  So - the question is - HOW should service proceed password change or should any additional configurations performed ( which are missed by me.

  Try this: "STATUS_TRUSTED_RELATIONSHIP_FAILURE" error when you log on to Office 365 from AD FS proxy in Windows
  https://support.microsoft.com/en-us/kb/3032590
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Domain administrator service accounts limit access to a particular server/s

  We need to adjust these to adjust our service accounts and would like them to be restricted to a particular server and restrict their logon or access.  Any
  suggestions on how to manage this through Active Directory at an enterprise level? We want to lock down the accounts to specific servers but we can't use local admins for these particular group of accounts.
  For the time being I was thinking about using AD to "logon on to" and enter the server names to limit the access but I was didn't know if there was any
  better approach to the solution. Any suggestion or any other ways to configure? Caveats?

  > For the time being I was thinking about using AD to "logon on to" and
  > enter the server names to limit the access but I was didn't know if
  > there was any better approach to the solution. Any suggestion or any
  > other ways to configure? Caveats?
  Funny I wrote a post on user privilege assignment some days ago :)
  Unfortunately, it is available in german only, but maybe google/bing can
  translate good enough to make sense:
  http://evilgpo.blogspot.de/2015/04/wer-bin-ich-und-was-darf-ich.html
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• What is the effect of the service account permissions

  Hi,
  What is the effect of the service account permissions? For example, suppose the service account for SQL Server database engine is SomeDomain\A, and has no permission to execute stored procedure X, and a user with domain account SomeDomain\B does have the
  said permission. Which one will prevail, i.e. can the user execute stored procedure X? If so, what permissions must I give the service account SomeDomain\A?
  I am asking this in the context of planning deployment in the production environment of a data warehouse application.
  Cheers,
  Jerome
  Jerome Smith BI Consultant, MCP

  Hi Jerome,
  Service account for SQL Server Database Engine only have limited permissions. To grant the account permission to execute stored procedure X, please refer to the following
  query:
  USE database;
  GRANT EXECUTE ON OBJECT::dbo.X
  TO SomeDomain\A;
  GO
  Since the user is in the context of planning deployment in the production environment of a data warehouse application, we may need to add some additional permissions. For more details, please refer to the following blog:
  http://blogs.msdn.com/b/data_otaku/archive/2011/06/28/securing-the-data-warehouse.aspx
  Thanks,
  Katherine Xiong
  Katherine Xiong
  TechNet Community Support

• Service Account Management through Request Templates

  Hi,
  I am trying to implement Service Account lifecycle use cases (Create, Modify, Delete) on 2 resources(AD User, iPlanet User) through Request templates. In this case OOTB tasks - Service Account Alert, Service Account Changed, Service Account Moved with resource specific Process definitions are not get triggered as I am initiating process through Request Templates.
  I want to trigger post process EventHandler upon triggering any of these events. so, I created metadata xml file as the following and imported it into MDS.
  -----------------EventHandler Metadata file------------------------
  <?xml version='1.0' encoding='utf-8'?>
  <eventhandlers>
  <action-handler class="com.wipro.sdf.iam.oim.plugin.ServiceAccountCreationEventHandler" entity-type="Resource" operation="PROVISION" name="ServiceAccountCreateEventHandler" stage="postprocess" order="1021" sync="TRUE"/>
  </eventhandlers>
  ----------------------------XXX----------------------------------------------
  When I trigger create event of SA on any of the resources, the EventHandler is being invoked and from execute() method, Orchestration is giving the following data
  {UD_IPNT_USR_LAST_NAME=TestTwo, BENEFICIARYKEY=798, UD_IPNT_USR_COMMON_NAME=SA Test Two, *ResourceKey*=12, serviceaccount=true, UD_IPNT_USR_SA_ADMIN=USER16TE, UD_IPNT_USR_USERID=SATEST2, UD_IPNT_USR_FIRST_NAME=SAccount}
  My EventHandler has to do some actions on target resource(AD / iPlanet),so I would like to get resource connection details like IP, port , admin login details etc.
  To fetch those details, I am using ResourceKey that is coming from Orchestration.
  When I use the following code to find Resource details based on Key, its throwing resource not found exception.
  -----------------------Code from execute() of EventHandler----------------------
  String resKey = getParamaterValue(parameters, "ResourceKey");
  tcITResourceInstanceOperationsIntf resInsObj = Platform.getService(tcITResourceInstanceOperationsIntf.class);
  //Get Resource Details based on Resource Key
  HashMap searchMap= new HashMap();
  searchMap.put(Constants.IT_RESOURCE_KEY, resKey);
  logger.debug(methodName+" - IT Resouece Search Map is : "+searchMap);
  tcResultSet resultSet = resInsObj.findITResourceInstances(searchMap);
  -------------------------------End of code ------------------------------------------------
  I tried finding for the table which stores all IT Resource connection details. But no luck.
  Now my questions are:
  1. Which table stores all IT Resource Information that can be seen from Design Console -> Resource Management -> IT Resource Type Definition - > Resource?
  2. Which table stores Resource Key and Name details?
  3. When we do query for records from any form in Design Console, where exactly would logs get recorded? (as it queries DB to fetch information there should some file like DB Tracer Log etc)
  Could somebody please answer these questions and give some hint to implement SA management through Req Templates?
  Thank you in advance,
  Mounika

  Hi kevin,
  thanks for reply.
  i am thinking that, Even though OIM11G is developed in ADF,some parts of the code is in struts only,like xlWebApp.war .
  i have seen source code of xlWebApp.war folder that is there in OIM11g.
  it seems to be developed in struts only.
  is there any ADF interaction in that?
  i have written helloworld program in struts,that is working fine.
  i have done that,for ADUser resource popup i added button "serviceaccount for this resource".when i click that one jsp page will come.
  so i am thinking that,some other reason is there for not working.
  can u please tell me the reason?

• Service accounts rights in Sql Server 2008 clustered installation.

  I have to install  Sqlserver 2008 in a 2 node clustered environment in
  Windows Server 2008 R2. For that I have set up 4 less privileged
  a/c in domain for Db engine, Sql agent, Reporting services and Analysis
  service. During the installation I plan to specify these a/c's in the
  domain to run the above 4 services under these a/c. I understand the sql server agent
  a/c should have 6 rights in the local computer security policy
  ie a)Adjust memory quotas for process,b)Act as a part of os,c)Bypass
  traverse chechking,d)Log on as a batch job and e)Log on as a service.
  Will these rights get automatically assigned during installation
  or should it be manually assigned in each node under its local security
  policy. Also what are rights for the other 3 service a/c and do these
  rights get assigned automatically during installation.

  I have to install  Sqlserver 2008 in a 2 node clustered environment in
  Windows Server 2008 R2. For that I have set up 4 less privileged
  a/c in domain for Db engine, Sql agent, Reporting services and Analysis
  service. During the installation I plan to specify these a/c's in the
  domain to run the above 4 services under these a/c. I understand the sql server agent
  a/c should have 6 rights in the local computer security policy
  ie a)Adjust memory quotas for process,b)Act as a part of os,c)Bypass
  traverse chechking,d)Log on as a batch job and e)Log on as a service.
  Will these rights get automatically assigned during installation
  or should it be manually assigned in each node under its local security
  policy. Also what are rights for the other 3 service a/c and do these
  rights get assigned automatically during installation.
  You should get Domain account created before starting cluster installation and specifically give these rights to the account.
  Regarding rights below link might be helpful
  http://blogs.msdn.com/b/askjay/archive/2011/02/28/required-rights-for-sql-server-service-account.aspx
  When installing cluster make sure you use Domain account which is added as local administrator on both nodes.
  It should have righst to create Computer name object(CNO) in domain where cluster is being created
  Windows CNO must have complete rights on SQL server CNO.You should also take help from AD team in providing these rights and understanding if any.
  Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

• Service Account details are not going through header(OSB Business service)

  Hi
  I have an issue with service account. Assume I have a proxy service A, Business Service B, Proxy service C.
  A invokes B and B invokes C (A --> B --> C). All calls are through http protocol.
  I created a service account with userid and password details and attached it to the Business service B(Static for basic authentication).
  Added log activity in proxy service C for context variable $header to verify whether userid and password are coming through request header or not.
  I executed proxy service A from sbconsole but I couldn't see userid and password details of created service account in the logs. Only nemespace are logged in the file.
  <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"></soap:Header>>
  Can someone please help me why service account details are not going through business service request. Am I missing any steps?
  Thanks in advance
  KK
  Edited by: 966531 on Oct 23, 2012 4:23 AM

  Basic authentication information is stored under transport headers (check $inbound) whereas $header is populated for message headers (for e.g. - SOAP headers), so you should be checking $inbound instead of $header
  Regards,
  Anuj