Service Accounts for Browser Services and FD Launcher (Full-text Search)

Similar Messages

• Service Accounts for Reporting Service in SQL Server Failover Cluster setup

  I am setting up 2 Report Services (SSRS) in SQL Failover Clustering (Version: 2012SP1) on Windows 2012, as part of scale out architecture.
  There are 2 options to configure the service account for SSRS:
  Option 1) Using domain accounts, as what I have done for DB Engine and SQL Agent.
  Option 2) accept the default, which is virtual account for SSRS. Per documentation URL:
  http://msdn.microsoft.com/en-us/library/ms143504.aspx
  which is the recommended one? is it option 2?
  There is security note on above URL as well, but does not clearly mention that option 1 is not recommended.
  Security Note:  Always run SQL Server services by using the lowest possible user rights. Use a MSA or  virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead
  of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted
  directly to a service SID, where a service SID is supported.
  Thanks very much for your help!

  Hi Luo Donghua,
  In SQL Server Failover Cluster Instance, personally two options can run well. If you use the virtual account for SQL Server Reporting Service. Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the features to
  simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment.
  Of cause, you can also use domain accounts in your clustering. 
  Just make sure your service account is set up here, or that it is using a proper built-in account.For more information, see:http://ermahblerg.com/2012/11/08/cluster-ssrs-in-2008/
  Thanks,
  Sofiya Li
  Sofiya Li
  TechNet Community Support

• Service Account for SQL Server Agent on SQL Server 2008 R2

  This SQL Server instance is SQL Server 2008 R2 (10.50.4000).  We had Active Domain Service accounts created to run the service accounts for SQL Server and SQL Server Agent.
  It has become company policy to alter the service accounts that run SQL Server and SQL Server Agent.  Currently, both were running under the Local System Accounts.  We have altered the SQL Server but we are having issues with the SQL Server Agent. 
  I am told by another DBA that
  "The agent is requiring elevated rights.  It will startup if it has local admin rights, but not with domain accounts without admin rights."
  So I was wondering if anyone has come across this issue and how did they resolve it.
  lcerni

  "The agent is requiring elevated rights.  It will startup if it has local admin rights, but not with domain accounts without admin rights."
  This is completely not true. It is indeed possible to run agent as a domain account without giving it local admin. Chances are you'll need to update the local acls by adding the account to the local security groups. Please see this article for more information:
  http://technet.microsoft.com/en-us/library/ms143504(v=sql.105).aspx
  Edit: In addition, it'll need rights to SQL server for that account to connect and do its work. It will need to be given sysadmin:
  http://technet.microsoft.com/en-us/library/ms191543.aspx
  Sean Gallardy | Blog |
  Twitter

• How to use the same services-config for the local and remote servers.

  My flex project works fine using the below but when I upload my flash file to the server I doesn't work, all the relative paths and files are the same execpt the remote one is a linux server.
  <?xml version="1.0" encoding="UTF-8"?>
  <services-config>
      <services>
          <service id="amfphp-flashremoting-service"
              class="flex.messaging.services.RemotingService"
              messageTypes="flex.messaging.messages.RemotingMessage">
              <destination id="amfphp">
                  <channels>
                      <channel ref="my-amfphp"/>
                  </channels>
                  <properties>
                      <source>*</source>
                  </properties>
              </destination>
          </service>
      </services>
      <channels>
      <channel-definition id="my-amfphp" class="mx.messaging.channels.AMFChannel">
          <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
      </channel-definition>
      </channels>
  </services-config>
  I think the problem  is the line
          <endpoint uri="http://localhost/domainn.org/amfphp/gateway.php" class="flex.messaging.endpoints.AMFEndpoint"/>
  but I'm not sure how to use the same services-config for the local and remote servers.

  paul.williams wrote:
  You are confusing "served from a web-server" with "compiled on a web-server". Served from a web-server means you are downloading a file from the web-server, it does not necessarily mean that the files has been generated / compiled on the server.
  The server.name and server.port tokens are replaced at runtime (ie. on the client when the swf has been downloaded and is running) not compile time (ie. while mxmlc / ant / wet-tier compiler is running). You do not need to compile on the server to take advantage of this.
  Hi Paul,
  In Flex, there is feature that lets developer to put all service-config.xml file configuration information into swf file. with
  -services=path/to/services-config.xml
  IF
  services-config.xml
  have tokens in it and user have not specified additional
  -context-root
  and this swf file is not served from web-app-server (like tomcat for example) than it will not work,
  Flash player have no possible way to replace token values of service-config.xml file durring runtime if that service-config.xml file have been baked into swf file during compilation,
  for example during development you can launch your swf file from your browser with file// protocol and still be able to access blazeDS services if
  -services=path/to/services-config.xml
  have been specified durring compilation.
  I dont know any better way to exmplain this, but in summary there is two places that you can tell swf  about service confogiration,
  1) pass -services=path/to/services-config.xml  parameter to compiler this way you tell swf file up front about all that good stuff,
  or 2) you put that file on the webserver( in this case, yes you should have replacement tokens in that file) and they will be repaced at runtime .

• Service accounts for the Workspace Database service permission Error while creating Tabular Mode from PowerPivot

  Hi All,
  Please help me out against this issue. I have spent so much (3 working days) time just figuring out what is the issue and its solution.
  I am learning Tabular Mode and trying to create a mode based on PowerPivot model. I am getting following error message:
  'The PowerPivot workbook could not be imported. The service account for the workspace database server does not have permission to read from the PowerPivot workbook.'
  Here is my infrastructure:
  1. SSAS in Tabular Mode is installed on my Windows 8 Laptop
  2. PowerPivot is also in my laptop
  3. There is only my account (as Admin of course) for SSAS
  Here are my questions:
  1. What is this error and how can I cope with that? A step by step explanation would be highly appreciated :-)
  2. Do I need to change something in Windows settings or in SSAS?
  3. I am confused about my workspace database server as well, Do I have to install SSAS twice; one for development and one for workspace?
   Looking forward for the expert advise.
  Tahir
  Thanks, TA

  Hi,
  I suspect you might have more luck if you try the SSAS forum: http://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlanalysisservices
  Regards
  Jamie
  ObjectStorageHelper<T> – A WinRT utility for Windows 8 |
  http://sqlblog.com/blogs/jamie_thomson/ |
  @jamiet |
  About me

• Verizon is charging my account for a service that was not provided.

  Verizon is charging my account for a service that was not provided.
  I am a LONG term Verizon customer and no one is helping.....
  I work in IT, with the Network and Mobility groups, so I know what I am talking about, network access, O/S, bandwidth, etc….
  I changed to a droid Bionic, from my LG (broken).   I started experiencing issues with inability to connect to a solid 4G network. The phone was not updated to Ice Cream Sandwich O/S and tried repeatedly to get update, but no go. Verizon did swap out with another bionic, but still experienced issues with inability to consistently get network access.  I work in a big city, no one else was having issues at my work.
  Husband left for Europe due to a family emergency mid Sept.   FIL was in hospital.  I work and there is a 7 hour time difference.   We both had SKYPE on our phones.  At work, I tried to contact him, using SKYPE.   SKYPE would not connect, due to the phone issue connecting to the network.   I had to call husband directly (international calls) to get updates on the condition of my ill, 96 yo FIL.  
  1.   This was not an issue of an app that did not function and that Verizon does not support.   I did not have access to the network, thus could not use SKYPE to make calls.  This was not a choice to call international.  
  Verizon admitted that it was a phone issue.  Since I am a long term Verizon customer and have insurance on the phone, they tried to give me yet another Bionic 9that would not work).  After much discussion, they sent me a RAZR that was on the updated O/S.
  Up to the 29th of Sept, I was on the Bionic and could not access SKYPE.  Once I transferred over, I could use SKYPE and was not forced by Verizon to make international calls due the lack of network service that I pay for EACH MONTH.
  When I received my bill for Sept, there were hundreds of dollars of additional charges.  
  This was due to the international calling that I was forced to use to check on status of terminally ill 96 yo FIL.
  This was due to the overage of minutes that I had and was never notified of by Verizon, due to the interational calls.
  I have tried to deal with Verizon on eliminating the charges. This is after having to deal with the death and funeral arrangements, service, etc of FIL.  Verizon claims that I made the calls, thus I must pay.   They admitted to it being a Verizon network issue when they traded for the Razr and updated O/S, but still want me to pay hundreds of dollars in extra fees that THEY CAUSED.

  szilasi wrote:
  Just as a FYI..  Husband was at the hospital, not at a PC. It would be so sanitary and easy if all was scheduled properly, but guess what?  Usually when someone is ill enough and has been rushed to the hospital and extended stay, you do not only contact at 6 AM in the morning.   You check on statuses, talk to doctors, etc. during the day. 
  I thought you said YOUR phone was the one having the problem, not his. You could have Skyped/emailed from a computer TO his phone, but you chose to call instead.
  Yes, you are correct, everyone does not always think clearly when in a stressful situation such as that. Does not mean someone else should pay for YOUR actions.
  Another thing I notice about your prior post is you say "Verizon claims that I made the calls, thus I must pay." but you also claim to have made the calls yourself, so it isn't necessarily that Verizon "claims" you made the calls, you DID make the calls.
  Finally, I have found myself in a similar situation in the past and most likely in the near future. I also didn't(and don't) expect Verizon to pay for my phone usage during those times.

• Question : Service Accounts for SQL Server 2012

  Hello,
  I am planning to create AD accounts for SQL Server 2012 services that will be installed on Windows 2012 server.
  I was reading the following
  Configure Windows Service Accounts and Permissions
  and
  Windows Privileges and Rights
  Is there a recommendation / document that would list that assocation of SQL Server Services with Actvie Directory service accounts / privileges required for installation and starting the services.
  Isn't it recommended to create separate account for every service and they should not be local accounts ?
  Hope to hear soon as to what industry standards are being followed for production systems ?
  Thank you very much in advance.
  Regards
  Nikunj

  From MSDN:
  Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed
  at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage the services configuration.
  When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should
  not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups.
  From Glen Berry's Blog:
  You should request that a dedicated domain user account be created for use by the SQL Server service. This should just be a regular, domain account with no special rights on the domain. You do not need or want this account to be a local admin on the machine
  where SQL Server will be installed. The SQL Server setup program will grant the necessary rights on the machine to that account during installation.
  You will also want a separate, dedicated domain user account for the SQL Server Agent service. If you are going to be installing and using other SQL Server related services such as SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS),
  or SQL Server Analysis Services (SSAS), you will want dedicated domain accounts for each service. The reason you want separate accounts for each service is because they require different rights on the local machine, and having separate accounts is both more
  secure and more resilient, since a problem with one account won’t affect all of the SQL Server Services.
  Depending on your organization, getting these domain accounts created could take anywhere from minutes to weeks to complete, so make sure to allow time for this. For each one of these accounts, you will need their logon credentials for the SQL Server setup
  program. You are going to want to make sure that the accounts don’t have a temporary password that must be changed during the next login. If they are set up that way, make sure to change them to use a strong password, and record this information in a secure
  location.
  Please Mark This As Answer if it solved your issue
  Please Mark This As Helpful if it helps to solve your issue
  Thanks,
  Shashikant

• Do we need separate Unattended service account for each SharePoint Server 2013 BI service applications?

  SharePoint 2013 - I'm planning to use 'unattended service account' method of Secure Store Service - for Excel, Performance Point and Visio services. I'm about to create Active directory accounts for them.
  Question: Do we need separate Active directory accounts for each service
  DomainName\ExcelUnattendedAccount
  DomainName\PPSUnattendedAccount
  DomainName\VisioUnattendedAccount
  (or)
  Can I have just one Active Directory account DomainName\SharePointUnattendedAccount ?
  Are there any drawbacks having a single account? Any best practice around this? For all the three services the data sources are going to be the same. 
  Subash.S

  Security is the only reason you would separate accounts (as these accounts must have access to the source data). There should be no other drawbacks.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Use SIA service account for SQL Server reporting connections (BIP4.1)

  Is it possible to use the SIA service account as a proxy for a SQL Server connection using OLE DB? This way, anytime a report was refreshed, the SIA service account would be used when authenticating to the reporting database? This is a common pattern in software development to minimize database maintenance (when there is sufficient security being enforced at the application layer - BOBJ provides this).
  This would make SQL Server database security management very easy for the DBAs (just add the BOBJ service account to the database and assign dbreader).
  I would think this would be an option, but a Relational Connection only provides the following 3 Authentication modes when using the IDT to create and publish a Relational Connection (OLEDB/MSSQL):
  Use BusinessObjects credential mapping
  This takes the username and password from the "Database Credentials" section of the BusinessObjects User object for the user in the current session. It passes the info as hard-coded SQL authentication.
  Use single sign-on when refreshing reports at view time
  This is ONLY for end-to-end single-sign-on (as the error message in the next paragraph specifies) and uses the Windows AD credentials for the user in the current session. It is this method of authentication that I'd like to use, i.e. Windows Integrated Security, but I'd like to have the SIA account act as the account that makes the connection, not end-to-end.
  Use specified username and password
  This is for hard-coding usernames and passwords (only SQL authentication in OLE DB).
  I've tried leaving the "Cache security context" option OFF in Windows AD Authentication settings, hoping it would default to using the service account for authentication to the database... to no avail. It fails during tests in the IDT with the message:
  "Single Sign-On failed in the CMS. Please contact your system administrator for details. : The authentication provider (secWinAD) associated with this logon session does not have inter-process Single Sign-On enabled. Contact your system administrator for details. (FWB 00019)"
  Alternatively, a SQL user could be hard-coded into the connection (same simple maintenance on the DBA side), but we'd really like to rely on Windows Integrated Security if possible!
  Is there a way?
  Any help is greatly appreciated!
  David

  Hey David,
  Did you ever solve this? We get the same SSO error when indexing information spaces in Explorer.
  Thanks,
  Brandon

• HTTP SERVICE STOPS FOR NO REASON AND NO ERRORS IN LOGS WIN2K

  The HTTP service stops for no reason and we have to stop and restart to unlock and web server runs again. It appears to be related to number of concurrent users but we cannot tie it down to and specfics except on our NT 4.0 system the service never stops and runs fine . We are running versions R1 patch 4 and have gone up to 5 and 7 . We are running against an 9i database and using forms and reports. We are not using the forms server in patch 4 just the HTTP service. This is a big problem and would like an answer if possiable.

  Please post your question in the appropriate product forum(s):
  Database
  http://forums.oracle.com/forums/index.jsp?cat=18
  AppServer
  http://forums.oracle.com/forums/index.jsp?cat=13
  Forms
  Forms
  Reports
  Reports

• Creating Service Accounts For Components of SQL Server

  Hello , am trying to install SQL Server 2014 on a windows  8 but dont know how to create the service accounts for the various components . 

  Hello , am trying to install SQL Server 2014 on a windows  8 but dont know how to create the service accounts for the various components . 
  Hi,
  You need to refer to below BOL article
  Configure service account
  Service account setup
  Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
  My Technet Wiki Article
  MVP

• Service Account in Proxy Service

  I have two Proxy Services A and B.
  B is password protected and I have created a Service account in OSB.
  Now, A accesses B.
  So, where to configure the Service Account so that A can access B successfully.
  Thank You!

  You must configure it in the business service that would point to service B.
  For proxy service to proxy service calls you might not be able to use service accounts.
  See here - http://svgonugu.wordpress.com/2011/03/28/using-the-service-accounts-in-osb/

• Error in  Creation of Service Name for Bussiness Service

  Hi Friends
  I am creating customized Service Program for Bussiness Service which is used for uploading spotbilling data to ccb . The service program CM_Sbm_Upload consists of program com ids CIPBSEGP,CIPMMRDP,CIPTSATP . when i give this to bussiness service i am getting error
  Service metainfo missing for 'CM_SBM_UPLOAD'
  pls help me to resolve this issue.
  Thanks&Regards
  sivaram

  Hi,
  I've got the same error during my development of a page maintenance service.
  Please check if the cm.jar is correctly deployed in your splservice.ear and check also all other deployment directories.
  You can find them in the Output window of eclipse after execution of the "Deploy CM" script.
  When the cm.jar is deployed well, check if you annotations are correct.
  My annotations are looking like this:
  * Perform Batch Add.
  * @PageMaintenance (secured = false, service = CMIMDIMP,
  *      body = @DataElement (contents = { @DataField (name = CM_SIMULATION)
  *                  , @DataField (name = XML_REQUEST)}),
  *      actions = { "change"
  *            , "read"},
  *      modules = { "foundation"})
  */To connect a Page Maintenance Service, you must first create a service programm and the "service name" of the service program must match to
  the name of the service annotation that you have specified on your Page Maintenance Service, in my case "CMIMDIMP".
  There is no validation during the saving of the service programm, the validation happens when you save the Business Service.
  BTW. you can use jd-gui.exe to decompile the cm.jar file but you will not see the annotations !
  For viewing the ear file I'm using 7-zip.

• How do I create a new account for an iPod that is on an existing account?  My brother and I have shared an account for five years, and now that I'm moving out, I want to create my own account but still want to be able to play the music I've purchased.

  My brother and I have shared an account for five years, and now that I'm moving out, I want to create my own separate account but still want to be able to play the music I've purchased over five years. 

  In order to continue to play and sync the music you purchased with your old account, you'll need to authorize your new computer/iTunes library to do so.  You can do this by choosing Store -> Authorize This Computer and then entering in your old account credentials.
  That's all you should need to.  Then just create your own account and start purchasing and using it the same you have with the old one.
  B-rock

• Why we use different clearing account for GR/IR and planned cost clearing a

  My client ask for using same account for GR/IR account and all planned cost clearing account.
  i try to convince it should be different accounts but he needs a logical answer.
  Why we use different clearing account for GR/IR and planned cost clearing accounts?

  Dear friend.
  u just tell him while doing GR it will debited n  while doing IR it should get credited.hence we  need to take diff G/L account or same account.
  regds
  nasir