Service Accounts - Your Ideas
I have been tasked to install SQL 2012 on a new machine(2012 R2) which we will move all current 2008 R2 databases over too (approx. 26).
This machine will also hold a new instance of SharePoint (not sure if this makes any difference).
I have gone through the setup.exe process, up to Service Accounts tab to see what accounts are needed: (They are:)
1. SQL Server Agent
2. SQL Server Database Engine
3. SQL Server Reporting Services
4. SQL Server Integration Services 11.0
5. SQL Server Browser
I have read that you should at least create two basic AD accounts (like domain\sqluser1, domain\sqluser2) with sqluser1 being a Local Admin
on the box? Setting #2 as sqluser1 (refer to above list) and the rest as being sqluser2
I have also read I should have at least two as above but - use sqluser1 to log into the machine and do the install, then after the install to disable, but not delete the AD account?
I have also read that you need one AD account per Service Accounts?
Here are my thoughts and please Advise is this will not work or if there is a security issue:
(I understand that every install is different, but any info will help - Thanks)
I will create two regular BASIC AD accounts domain\SQLAdmin and domain\SQLWorker
I will set domain\SQLAdmin up as a Local Admin to the machine
I will set up the following:
1. SQL Server Agent domain\SQLAdmin
2. SQL Server Database Engine domain\SQLAdmin
3. SQL Server Reporting Services NETWORKSERVICE
4. SQL Server Integration Services 11.0 domain\SQLWorker
5. SQL Server Browser domain\SQLWorker
Thanks for any advice,
(An Accidental DBA)
Hi,
Its not advised and not considered as good security practice to run SQL Server service with account having admin privileges on machine. In your case account domain\SQLAdmin, you are adding this as local admin which is not a good practice as per security.
I strongly suggest you to spend some time on below Microsoft Link
http://msdn.microsoft.com/en-gb/library/ms143504.aspx
You are correct with creating separate account just rights should be minimum and above link will guide you
Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it.
My TechNet Wiki Articles
Similar Messages
-
When trying to add my Partner Intune rights to my Microsoft Online services account, I get the error;
Note: your existing Microsoft Online Services account is not eligible for one or more partner benefits.
Learn more
Does anybody know how to work around this?Hi Mathew, this worked for me:
1. Sign into your Microsoft Partner account
2. Go to Orders & Benefits
3. Select Download Software
4. Click on Microsoft Online Services
5. Under MPN Online Services click Expand products
6. You should see Windows Intune click this
7. There is one final link to click
This should add you Intune licenses to your portal
Martin -
Changed SP application pool service account - 500 internal server error
Hi all,
Trying to resolve some farm installation issues in our test environment. Long story short is that on install a previous user used our SP_Farm account to install everything and pretty much use this account to run all web applications/services.
So I am in the process of trying to resolve one portion of it by allocating a new managed account for the web application pools. I have created a new account called SP_Pool on the DC. This is just a domain user with no specific rights applied (classic authentication).
I changed the account using CA "configure service accounts" for both our mysite and SharePoint site web apps.
SP applied the new SP_Pool to the appropriate workstation groups and DB rights. Tried to hit the site and got the rather generic HTTP 500 Internal Server error. Put SP_Pool into the local admin rights group to test and was able to hit the site so something
is definitely pointing to a rights/permission issue. I was under the impression the app pool accounts did not require any local SP server rights? I have seen mention of "Impersonate a client after authentication" but that's only for Claims based
auth
I've gone through every scenario which are mentioned below:
Tried to connect from a client machine and server. 500 error
All App pools are started and SP_Pool is running both web apps
IIS bindings are same as before
no changes to the web.config
No errors in the Application event viewer
Checked iis logs and has 500 errors throughout it. The 4th number in the sequence usually changes (i.e. 500 0 0 499, 500 0 0 468 etc)
Turned on Failed Request Tracing and no issue has come up
Tried to clear the configuration cache - same deal
Ran process mon - seen nothing out of the ordinary
So based off the above is there anywhere else I could look to try and resolve this issue? Or is there something so damn obvious I've missed here? Running out of ideas
Appreciate any feedback
ThanksHello,
Have you tried to turn your SharePoint server off and on again ( I know , it sounds like a basic helpdesk answer but in the case of changing user account for application pool, it already fixed the issue for me)
Best regards, Christopher.
Blog |
Mail
Please remember to click "Mark As Answer" if a post solves your problem or
"Vote As Helpful" if it was useful.
Why mark as answer? -
Process in C# with Windows Service Account
Hi,
I would like to launch SQL Server Management Studio from C# Process Class thru windows service account. When I start the process, I got the in Win32Exception ( “Logon failure: unknown user name or bad password”). I verified the User credentials
as well. Please let me if you have any idea on this issue.
Code:
private
void cmdSqlServer2012_Click(object sender,
EventArgs e)
Process objProcess =
null;
ProcessStartInfo objProcessStart =
null;
string strSqlServer =
@"C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe";
//string strSqlServer = "ssms.exe";
string strUserID = ConfigurationManager.AppSettings["UserID"];
string strUserPwd = ConfigurationManager.AppSettings["Password"];
try
objProcess =
new Process();
objProcess.StartInfo.LoadUserProfile =
false;
objProcess.StartInfo.FileName = strSqlServer;
objProcess.StartInfo.UseShellExecute =
false;
objProcess.StartInfo.UserName =
"Senthil.Krishnamoort";
objProcess.StartInfo.Domain =
"Services";
objProcess.StartInfo.Password = ConvertToSecureString(strUserPwd);
objProcess.Start();
catch (Win32Exception w32E)
// The process didn't start.
MessageBox.Show(w32E.Message);
catch (Exception ex)
MessageBox.Show(ex.Message);
finally
objProcess.Dispose();
objProcess =
null;
public static
SecureString ConvertToSecureString(string password)
if (password == null)
throw new
ArgumentNullException("password");
SecureString secureString =
new SecureString();
foreach (char ch
in password)
secureString.AppendChar(ch);
secureString.MakeReadOnly();
return secureString;Hi
Krish0609,
Firstly please try do the following steps
Service____rightclik___Propertise___Logon___allow service to interact with desktop.
Secondly, from your code, I would suggest you used
ProcessStartInfo.Arguments
Property
to sets the set of command-line arguments to use when starting the application.
objProcess.StartInfo.Password = ConvertToSecureString(strUserPwd);
I doubt this issue maybe you have converted to secure string.
By the way, here is how to use SSMS command line.
Usage:
sqlwb.exe [-S server_name[\instance_name]] [-d database] [-U user] [-P password] [-E] [file_name[, file_name]] [/?]
[-S The name of the SQL Server instance to which to connect]
[-d The name of the SQL Server database to which to connect]
[-E] Use Windows Authentication to login to SQL Server
[-U The name of the SQL Server login with which to connect]
[-P The password associated with the login]
[file_name[, file_name]] names of files to load
[-nosplash] Supress splash screen
[/?] Displays this usage information
Please also refer to Bruce Prang's Blog
to learn more.
Best regards,
kristin
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
JMS based message service and Service account in OSB
Hi forum,
I have query regarding JMS base messaging service and Service account.
My OSB service:
I have created one OSB service which of type JMS
configuration :
General :Messaging
Messaging: Request type :XML response type :none
Transport:JMS
JMS Transport: Destination Type queue., JMS Service account :.........(browse)
My requirement is to provide security to JMS proxy.
I have seen one option available in JMS transport is JMS Service Account.
I dont have a idea about using service accounts in JMS.
can any one pls give idea about JMS service account in JmS.How to provide security to jms proxy...
If u have any documents pls share me
Thanks & regards,
Krishna.In your weblogic console go to your JMS Modules > ***JMSModule >****Queue >Roles >Policies. Add a user to the queue.This user should be there in the security realm of the weblogic console.
Create a service account with the same user name password and use it in your OSB to read or write to the queue. -
Weblogic Server cannot find Service accounts in my MSAD via LDAP
Hello,
I've configured an LDAP security provider in my WebLogic server but it's only finding some of my users, not my "service account" users.
The users are found in the following locations in the tree:
OU=Users,OU=Accounts,DC=dev,DC=mtb,DC=com
OU=Service,OU=Accounts,DC=dev,DC=mtb,DC=com
So I configured the LDAP provider with the following settings:
User Base DN: OU=Accounts,DC=dev,DC=mtb,DC=com
All Users Filter: (blank)
User from Name Filter: (&(cn=%u)(objectclass=user))
User Search Scope: subtree
User Name Attribute: cn
User Object Class: user
But it cannot find users in the "Service" node, only users in the "Users" node. Both users have CN=, and "user" as part of their objectClass string. Any idea what I might be missing?
Thank you,
-BenHi
1. I hope you already created a datasource on Weblogic Side using weblogic admin console and create New Data Source. Create a data source preferably with this JNDI Name "jdbc/mydbDSDS". It can be anything, but standard is jdbc/whatevernameyouwant. Once data source is created, you give db details like host, port, sid, username/password. Then deploy to appropriate server(s) like using Targets screen. Once all done. Under your domain/config/jdbc, you should see a .xml file with some unique name that has all the datasource details. The jndi name tag should be like this: <jndi-name>jdbc/mydbDSDS</jndi-name>
2. Now, edit your persistence.xml file to refer above jndi name. By default, I know, it adds that wierd name with jdbc/jdbc etc etc. But you can edit it always. Take a backup of your persistence.xml file and edit it to look like this.
<persistence-unit name="mydbDS">
<provider>org.eclipse.persistence.jpa.PersistenceProvider</provider>
<jta-data-source>jdbc/mydbDSDS</jta-data-source>
<properties>
<property name="eclipselink.target-server" value="WebLogic_10"/>
<property name="eclipselink.cache.shared.default" value="false"/>
</properties>
</persistence-unit>
</persistence>Save it. Redeploy and see how that goes. The above file is simplified version. What it means is, just refer already deployed data source whose jndi name is "jdbc/mydbDSDS". If you really have some extra properties, you can retain them. Otherwise they are not required.
Thanks
Ravi Jegga -
hii
How i can do the service purchase in IDES system.??
Because once i enter account assignment and item category system will ask for G/L account and Cost center??
How i can achieve this without any error ??
ThanksHi,
The details with configuration required are following:
1.1. Define organization status for service category
SPRO u2013>MM-> ESM->Service master-- >Define organization status for service category
1.2. Define Number Ranges
SPRO u2013>MM-> ESM->Service master-- >Define Number Ranges
1.3. Define Service Category
SPRO u2013>MM-> ESM->Service master-- > Define Service Category
& you can do assignment of cost object ( cost center, project, sales order) with co.code with G/L account in OKB9 t.code and in t.code OBYC account assignment of WRX with G/L.
*****After above you can create Master data as Service master AC03
& the transactions are
A. Create PO in ME21N
When ur creating service PO (ME21N), u have to maintain item Category "D" and an account assignment category as per ur requirement (K or C). U can not enter ur material here only u have to maintain short text of material. Also u have to enter ur material group and plant .This is in item Overview details.In the "Item Details" u enter your service master or activity number u created in Service master then quantities, gross price.
A. The detail u have enter are:
a) Maintain Item Category as D
b) Keep material code field blank.
c) Enter description of service & other fields in the PO Item Overview level {assignment category as per ur requirement (K or C or P), material group and plant} Press Enter.
d) System will prompt you to maintain services at Item Level. Maintain your service master number / service description you created in AC03 & other fields (quantity / rate ) and then cost center or sales order number or WBS element.
e) Save the PO.
B. Create SES w.r.t. PO in ML81N
C. MIRO w.r.t. SES
D. Payment to vendor in F-53
E. Reports-> Use T. Code MSRV6 and execute it( can use also ML84).You can get actual quantity in service entry sheet. Or got to Display PO (ME23N) and check Purchase Order History and get the details of service details
The Accounting entries( without TAX) are:
F. SES
Service/ Trading A/C: Dr
GR/IR: Cr
G. MIRO
GR/IR: Dr
Vendor A/C: Cr
H. Payment:
Vendor A/C: Dr
Bank A/C: Cr
For more Check the link:
http://sapmm.wordpress.com/category/esm/
Regards,
Biju K -
Service accounts - custom attributes
Hi,
We want to manage service accounts for different platforms in OIM. I'm aware that OIM can flag accounts as Service accounts. We have some custom attributes that we want to store in OIM as a part of service accounts. These attributes come from different source other than the reosurce on which the service account exists. So the idea is to use use OIM to store that additional information and act as authorittaive source. This information should not be provisioned to the actual service account on the the target resource. It should reside just on OIM side. Is it possible to do this in OIM? Any information on how to achieve this is highly appreciated.
Thanks,
GattooHi Gattoo,
If you are using a custom connector, it is your decision which attributes are sent to target system, which are not.
Eventually, a service account is represented by a resource object and in the process definition you attach the adapters that creates or updates the target system account.
If I am not misunderstanding the question, you are able to store additional information in the process form and not to send them to target system.
Regards,
Ece -
How to upgrade firmware on Curve 8520 from v4.6 - v5 (don't have active Blackberry service account)
Hello
I have a Blackberry Curve 8520 runningt v4.6 formware. I see5.0 Bundle 1168 (v5.0.0.681 firmware is avaiable, platform 5.2.0.67), but I can't install it because I don't have an active service account. I get that error when I try upgrade it using USB cable and the Blackberry desktop software.
Any ideas how to upgrade or create and register one of these active service accounts?
I need to upgrade so that I can use USB MTP (which is not present in the current v4.6 firmware)
Many thanks
richHi and Welcome to the Community!
From your post, I cannot quite tell the specific process you are attempting...so I will give you everything...
The simplest way is to, on a PC (you cannot do this on MAC):
1) Make sure you have a current and complete backup of your BB...you can find complete instructions via the link in my auto-sig below.
2) Uninstall, from your PC, any BB OS packages
3) Make sure you have the BB Desktop Software already installed
http://us.blackberry.com/software/desktop.html
4) Download and install, to your PC, the BB OS package you desire:
http://us.blackberry.com/support/downloads/download_sites.jsp
It is sorted first by carrier -- so if all you want are the OS levels your carrier supports, your search will be quick. However, some carriers are much slower than others to release updates. To truly seek out the most up-to-date OS package for your BB, you must dig through and find all carriers that support your specific model BB, and then compare the OS levels that they support.
5) Delete, on your PC, all copies of VENDOR.XML...there will be at least one, and perhaps 2, and they will be located in or similarly to (it changes based on your Windows version) these folders:
C:\Program Files (x86)\Common Files\Research In Motion\AppLoader
C:\Users\(your Windows UserName)\AppData\Roaming\Research In Motion\BlackBerry\Loader XML
6) Disconnect your PC from the internet and turn off all radios on your BB (consider also removing the SIM...not likely necessary, but just in case)
76a) For changing your installed BB OS level (upgrade or downgrade), you can launch the Desktop Software and connect your BB...the software should offer you the OS package you installed to your PC.
7b) Or, for reloading your currently installed BB OS level as well as for changing it, bypass the Desktop Software and use LOADER.EXE directly, by proceeding to step 2 in this process:
http://supportforums.blackberry.com/t5/BlackBerry-Device-Software/How-To-Reload-Your-Operating-Syste...
Note that while written for "reload" and the Storm, it can be used to upgrade, downgrade, or reload any BB device model -- it all depends on the OS package you download and install to your PC.
If, during the processes of 7a or 7b, your BB presents a "507" error, simply unplug the USB cord from the BB and re-insert it...don't do anything else...this should allow the install to continue.
Good luck and let us know!
Occam's Razor nearly always applies when troubleshooting technology issues!
If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
Join our BBM Channels
BSCF General Channel
PIN: C0001B7B4 Display/Scan Bar Code
Knowledge Base Updates
PIN: C0005A9AA Display/Scan Bar Code -
How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"
Can someone
help with steps on how to add the following in SQL Server 2012 environments?<o:p></o:p>
"Service Account Name" and "Display Name"<o:p></o:p>
Your help will be greatly appreciated.<o:p></o:p>
leonie6214Hello,
Is the following article what you are looking for?
http://msdn.microsoft.com/en-us/library/ms345578.aspx
If not, could you explain a little bit more what you want to accomplish?
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com -
Hi,
I am new to using EWS managed APIs.
Following is the issue:
1. I am using a service account e.g. [email protected]. This user is a global administrator and also has ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab- > select Permissions
on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> Click on save)
2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected].
3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
private static void Impersonate(string organizer)
string impersonatedUserSMTPAddress = organizer;
ImpersonatedUserId impersonatedUserId =
new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
service.ImpersonatedUserId = impersonatedUserId;
4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." Whenever I try to
update that event.
private static void FindAndUpdate(ExchangeService service)
CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
cv.MaxItemsReturned = 25;
try
FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
foreach (Appointment item in masterResults.Items)
if (item is Appointment)
Appointment masterItem = item as Appointment;
if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
masterItem.Load();
if (!masterItem.Subject.Contains(" (Updated content)"))
//impersonate organizer to update and save for further use
Impersonate(masterItem.Organizer.Address.ToString());
// Update the subject and body
masterItem.Subject = masterItem.Subject + " (Updated content)";
string currentBodyType = masterItem.Body.BodyType.ToString();
masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info:
xxxxxxxxxxxx";
// This results in an UpdateItem operation call to EWS.
masterItem.Update(ConflictResolutionMode.AutoResolve);
// Send updated notification to organizer of an appointment
CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
else
Console.WriteLine("Event is already updated. No need to update again.:\r\n");
Console.WriteLine("Subject: " + masterItem.Subject);
Console.WriteLine("Description: " + masterItem.Body.Text);
catch (Exception ex)
Console.WriteLine("Error: " + ex.Message);
5. What could be an issue here? Initially I thought may be its a throttling policy which is stopping same user after making certain API call limits for the day, but I am still seeing this issue today.
Any help is appreciated.
ThanksYour logic doesn't sound correct here eg
2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
When your connecting to [email protected] mailbox the only user that can make changes to items within
abccalendar is abc (or ABC's delegates). If your impersonating the Organizer of the appointment pqr that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar
appointment like that you should connect to the Organizers mailbox first update the original, send updates and then accept the updates.
When you impersonate your impersonating the security context of the Mailbox your impersonating so its the same a logging on as that user in OWA or Outlook.
Cheers
Glen -
Hi. I am newer to SQL server security and am reviewing some of our SQL server's configuration to make sure the services are running under accounts with least privilege. I have a SQL server 2012 instance whose Agent service is configured to run
under an AD user account named 'SQLServices'. The jobs on this server are configured to run as 'SQL server agent service account', which means they should execute as user 'SQLServices'. The jobs are set up to execute SSIS packages which read and
write to a database on the same server where the agent job is scheduled and SSIS package installed (all on same server). The jobs are currently executing without error and are reading writing data correctly. Upon close examination, it turns out the
SQLServices account is not assigned to the 'sysadmin' role and had no users mapped to any databases on this server. How are these jobs working? I verified in profiler that the login name indeed is 'SqlServices'. I also verified
that SQLServices login has no database access by remote-ing onto the server and trying to log into the DB, and access was denied as expected. According to the literature, the Agent service needs to be a member of 'sysadmin role' but I am reading
some cases where that is not necessarily the case. So this is not so concerning. What is concerning is that the login 'SQLServices' had no access to the databases on that server yet it is reading and writing to the databases as if it does.
The only thing I can think of is maybe jobs run as 'SQL server agent service account' on the same server as the databases it r/w to somehow has some kind of default access. What am I missing here? Any input would be helpful.After 2 days on this forum I found the answer to my own question. In retrospect, I should have posted this under 'SQL Server Security', but I didn't know it existed.
The 2 threads below explain that Sql agent actually runs using SID (service) NT SERVICE\SQLSERVERAGENT if you chose that when you installed. This will automatically create an associated login NT SERVICE\SQLSERVERAGENT in SQL server with sqladmin
role. This is the login that Agent uses to connect to the local instance of SQL server. If you changed to domain account to run the service during install or after using config manager, basically NT SERVICE\SQLSERVERAGENT is still
used to connect to your local instance behind the scenes (even though you will still see your domain user as account), and the domain account is used to reach outside the server.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for
https://social.technet.microsoft.com/Forums/sqlserver/en-US/b83a52fd-fe11-4c28-a27b-88be8ae79f2a/how-do-i-change-sql-server-agent-service-account-to-nt-servicesqlserveragent?forum=sqlsecurity -
This sign appeared in my account: "Your payment method was declined. Update your biiling info'. After adding new information about my others cards I see the same sign. Can't understand what the problem is and what should I do. Everything used to be good before.
Do anyone know what I supposed to do in that situation?
Really need help!
Thanks in advance.Contact iTunes Customer Service and request assistance
Use this Link > Apple Support iTunes Store Contact -
Query relating to the creation of Managed Service Accounts
Hi Folks
I am studying for my 70-411 exam and have a query relating to the creation of Managed Service Accounts.
I have successfully created an MSA account named 'MSATest' on a DC using:
new-adserviceaccount -name msatest –dnshostname home-dc-01 -passthru
and
add-AdcomputerServiceAccount -identity home-ap-01 -serviceaccount msatest -passthru
However the guide that I am using now says that I now need to run: Install-ADServiceAccount on the host computer in the domain to install the MSA in order to make available it available for use by services.
So on my member server (home-ap-01) I have installed the Active Directory Module for powershell and ran:
PS C:\Users\administrator.PCECORP> Install-ADServiceAccount -Identity msatest
Install-ADServiceAccount : Cannot install service account. Error Message: 'An
unspecified error has occurred'.
At line:1 char:1
+ Install-ADServiceAccount -Identity msatest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (msatest:String) [Install-ADServiceA
ccount], ADException
+ FullyQualifiedErrorId : InstallADServiceAccount:PerformOperation:Install
ServiceAcccountFailure,Microsoft.ActiveDirectory.Management.Commands.Insta
llADServiceAccount
PS C:\Users\administrator.PCECORP>
However this errors, Have I misunderstood the purpose of the Install-ADServiceAccount ? or am I doing something wrong?
Thanks in advance for you help.Try using -RestrictToSingleComputer parameter when creating service account with New-ADServiceAccount.
Gleb.
Hi Gleb
Thank you for your help, it is appreciated. That did the trick.
All the best. -
Service Accounts for Reporting Service in SQL Server Failover Cluster setup
I am setting up 2 Report Services (SSRS) in SQL Failover Clustering (Version: 2012SP1) on Windows 2012, as part of scale out architecture.
There are 2 options to configure the service account for SSRS:
Option 1) Using domain accounts, as what I have done for DB Engine and SQL Agent.
Option 2) accept the default, which is virtual account for SSRS. Per documentation URL:
http://msdn.microsoft.com/en-us/library/ms143504.aspx
which is the recommended one? is it option 2?
There is security note on above URL as well, but does not clearly mention that option 1 is not recommended.
Security Note: Always run SQL Server services by using the lowest possible user rights. Use a MSA or virtual account when possible. When MSA and virtual accounts are not possible, use a specific low-privilege user account or domain account instead
of a shared account for SQL Server services. Use separate accounts for different SQL Server services. Do not grant additional permissions to the SQL Server service account or the service groups. Permissions will be granted through group membership or granted
directly to a service SID, where a service SID is supported.
Thanks very much for your help!Hi Luo Donghua,
In SQL Server Failover Cluster Instance, personally two options can run well. If you use the virtual account for SQL Server Reporting Service. Virtual accounts in Windows Server 2008 R2 and Windows 7 are managed local accounts that provide the features to
simplify service administration. The virtual account is auto-managed, and the virtual account can access the network in a domain environment.
Of cause, you can also use domain accounts in your clustering.
Just make sure your service account is set up here, or that it is using a proper built-in account.For more information, see:http://ermahblerg.com/2012/11/08/cluster-ssrs-in-2008/
Thanks,
Sofiya Li
Sofiya Li
TechNet Community Support
Maybe you are looking for
-
HP Solution Center for HP Officejet Pro L7780
I have downloaded the full driver for my HP Officejet Pro L7780 printer trying to get the HP Solution Center so that my printer will be able to scan. It didn't help. Any solutions would be greatly appreciated.
-
It still has all his music, even though it is supposedly "deauthorized" and won't work with my iPod without erasing my information. Has anyone encountered this problem, and does anyone know how to fix it?
-
Socket security layer for 8330 curve
With no warning my company added socket security layering on our e-mail exchange server. Now all of us with blackberries cannot receive our mail on our phone. I have a 8330 curve. I'm not able to figure out if there is a setting for this. Please
-
MacBook Pro and HP Premium 3-in-1 printer How to keep connected?
I have a HP Photosmart Premium 3-in-1 wireless printer C310. It is up and running and is connected to my MacBook Pro. However, sometimes I can get the printer to actually print while other times all it says is cannot find printer. It is really ann
-
Netweaver Gateway user creation and self registration Procedure
Dear All, Can you please provide the complete step by stpe by process for creating netweaver gateway user creation and self registration process by useing templates. Thanks & Regards. aYYaPPa.