

Service account without elevated privileges


Sequoia v4.22

This is an advanced topic

Overview

Installing and upgrading Sequoia with a service account that does not have elevated privileges is possible, but it is not straightforward. This is why, in the past, the recommendation has been that the Sequoia service account has elevated privileges.

This may be a security concern for some companies, depending on their in-house user account policies and on who has access to the Sequoia server.

This guide covers what needs to be done to install or upgrade Sequoia, but makes no attempt to explain how to configure a new Sequoia service account on your system, or how to assign a service the right to be started by a specific user account. If you are unable to do this yourself or with the help of your systems administrator, you will need to create a Sequoia service account that has elevated privileges.

Sequoia service account setup

  • The service account should be a domain account.
    • This is because the account must have a Windows-assigned SID, otherwise IdeaBlade components will not work correctly. It also helps when creating the login in SQL Server, because you will not need to use mixed mode authentication or embed SQL Server credentials in the connection string.
  • The service account needs to be granted the 'Log on as a service' right.

Post Installation/Upgrade tasks

After Sequoia is on your server, you will need to do the following:

One-off things to do after changing the Sequoia service account:

  1. Add permissions to the database for the new user.
  2. If changing the Sequoia service account (i.e. upgrade):
    • Add permission to the log files folder for the service account to read/write files.
    • Add permission to the licence folder for the service account to read/write files.
    • Add permission to the tariff download folder for the service account to read/write files.
    • Add permission to the document store folder for the service account to read/write files.
    • Remove HTTP reservations
      • netsh http delete urlacl url=http://+:9010/Asm/Sequoia/SequoiaApiService
      • netsh http delete urlacl url=http://+:9001/Asm/Sequoia/SequoiaApiService
      • netsh http delete urlacl url=http://+:9001/
      • netsh http delete urlacl url=http://+:9010/
  3. Add HTTP reservations
    • netsh http add urlacl url=http://+:9010/Asm/Sequoia/SequoiaApiService user=<User account>
    • netsh http add urlacl url=http://+:9001/Asm/Sequoia/SequoiaApiService user=<User account>
    • netsh http add urlacl url=http://+:9001/ user=<User account>
    • netsh http add urlacl url=http://+:9010/ user=<User account>
    • netsh http add urlacl url=http://SequoiaServer:9092/IEventLoggingService user=<User account>
    • netsh http add urlacl url=http://SequoiaServer:9095/UserActivityMoniterService user=<User account>
  4. Assign full control to the Sequoia service account for all Sequoia related message queues.
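The reservation and folder-permission steps above, as an added PowerShell example that is not part of the Sequoia documentation. It deletes and re-creates every reservation listed (the guide only deletes the four wildcard ones; deleting a reservation that does not exist is harmless) and grants Modify rather than Full Control on the four folders. The account name and folder paths are placeholders you must replace; run it from an elevated session.

```powershell
# Added example (not from the Sequoia documentation). Re-creates the HTTP.sys URL
# reservations and folder permissions for a non-elevated Sequoia service account.
$ServiceAccount = 'DOMAIN\svc_sequoia'   # placeholder: the Sequoia service account
$SequoiaHost    = 'SequoiaServer'        # host name used in the event/activity service URLs

# URL reservations listed in the guide (wildcard host '+' plus the two host-specific ones).
$Reservations = @(
    'http://+:9010/Asm/Sequoia/SequoiaApiService',
    'http://+:9001/Asm/Sequoia/SequoiaApiService',
    'http://+:9001/',
    'http://+:9010/',
    "http://${SequoiaHost}:9092/IEventLoggingService",
    "http://${SequoiaHost}:9095/UserActivityMoniterService"
)

foreach ($url in $Reservations) {
    # Drop any existing reservation so the ACL is not left naming the old account.
    & netsh http delete urlacl url=$url | Out-Null
    # Reserve the URL for the service account only; no other account can listen on it.
    & netsh http add urlacl url=$url user=$ServiceAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to reserve $url for $ServiceAccount" }
}

# Check: each reservation should now show the service account as its user.
foreach ($url in $Reservations) {
    $acl = & netsh http show urlacl url=$url
    if (-not ($acl -match [regex]::Escape($ServiceAccount))) {
        Write-Warning "Reservation for $url does not name $ServiceAccount"
    }
}

# Folders the guide says the account must read and write; paths are placeholders.
$Folders = @(
    'C:\Sequoia\Logs',            # log files folder
    'C:\Sequoia\Licence',         # licence folder
    'C:\Sequoia\TariffDownload',  # tariff download folder
    'C:\Sequoia\DocumentStore'    # document store folder
)

foreach ($dir in $Folders) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Skipping missing folder $dir"; continue }
    # (OI)(CI)M = Modify, inherited by files and subfolders: enough to read, write and delete
    # its own files without letting the service change the folder's permissions.
    & icacls $dir /grant "${ServiceAccount}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to grant Modify on $dir" }
}
```

Granting database permissions (step 1) and message queue permissions (step 4) are not covered by this script and still need to be done as described above.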

Things to do after installation / every upgrade

  1. Update all Sequoia services so that they can be started by the Sequoia service account.
    • This is a Windows administrative function, and how to accomplish it is outside the scope of this document. Speak to your systems administrator for assistance.
    • Every time the installer is run, all Sequoia services are uninstalled and re-installed. Because Windows does not persist the log-on account across a re-install, you need to update all Sequoia services after every installation so that they can be stopped and started by the service account.