Service account without elevated privileges
This is an advanced topic
Overview
Installing and upgrading Sequoia with a service account that does not have elevated privileges is possible, but it is not straightforward. For this reason, the recommendation in the past has been to give the Sequoia service account elevated privileges.
This may be a security concern for some companies, depending on their in-house user account policies and on who has access to the Sequoia server: a service that runs with elevated privileges gives anyone who compromises the service, or the account it runs under, administrative control of the server.
This guide covers what needs to be done to install or upgrade Sequoia with a non-elevated account. It makes no attempt to explain how to create a new service account on your system, or how to configure a Windows service to run under a specific user account. If you are unable to do this yourself or with the help of your systems administrator, you will need to create a Sequoia service account that has elevated privileges.
Sequoia service account setup
- The service account should be a domain account.
  - The account must have a Windows-assigned SID, otherwise the IdeaBlade components will not work correctly. A domain account also simplifies the SQL Server side: the database login can use Windows authentication, so you do not need to enable mixed-mode authentication or embed SQL Server credentials in the connection string.
- The service account needs to be granted the 'Log on as a service' right (SeServiceLogonRight).
Post Installation/Upgrade tasks
After Sequoia is on your server, you will need to do the following.
One-off things to do after changing the Sequoia service account:
- Add permissions to the database for the new user.
- If changing the Sequoia service account (i.e. on an upgrade), grant the service account read/write permission on the following folders:
  - the log files folder
  - the licence folder
  - the tariff download folder
  - the document store folder
- Remove HTTP reservations
netsh http delete urlacl url=http://+:9010/Asm/Sequoia/SequoiaApiService
netsh http delete urlacl url=http://+:9001/Asm/Sequoia/SequoiaApiService
netsh http delete urlacl url=http://+:9001/
netsh http delete urlacl url=http://+:9010/
- Add HTTP reservations for the service account. Without a reservation, only an administrator can register a listener for a URL in HTTP.sys, so these are what allow the services to listen without elevated privileges. Replace <User account> with the account in DOMAIN\name form.
netsh http add urlacl url=http://+:9010/Asm/Sequoia/SequoiaApiService user=<User account>
netsh http add urlacl url=http://+:9001/Asm/Sequoia/SequoiaApiService user=<User account>
netsh http add urlacl url=http://+:9001/ user=<User account>
netsh http add urlacl url=http://+:9010/ user=<User account>
netsh http add urlacl url=http://SequoiaServer:9092/IEventLoggingService user=<User account>
netsh http add urlacl url=http://SequoiaServer:9095/UserActivityMoniterService user=<User account>
- Assign full control to the Sequoia service account for all Sequoia related message queues.
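The one-off steps above (folder permissions, HTTP reservations and message queue permissions) collected into one script, as an added example that is not part of the Sequoia documentation. The account name, the folder paths, the SequoiaServer host name and the queue-name pattern are assumptions to be replaced with your installation's values; the database permissions are not covered here. The script must be run once from an elevated PowerShell session; after that the services themselves run without elevation.

```powershell
# Added example, not from the Sequoia documentation: one-off permission setup for
# a new Sequoia service account. Account name, folder paths, server name and
# queue-name pattern are assumptions; replace them with your installation's values.
# Run once from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

$ServiceAccount = 'CONTOSO\svc-sequoia'      # assumed domain account (DOMAIN\name)
$SequoiaServer  = 'SequoiaServer'            # host name used in the guide's reservations
$Folders = @(                                # assumed paths for the four folders in the guide
    'C:\ProgramData\Sequoia\Logs',
    'C:\ProgramData\Sequoia\Licence',
    'C:\ProgramData\Sequoia\TariffDownloads',
    'C:\ProgramData\Sequoia\DocumentStore'
)

# 1. Folder permissions. (OI)(CI)M = Modify, inherited by files and subfolders:
#    read/write/delete, but not the right to change the folder's ACL itself.
foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        throw "Folder not found: $folder"
    }
    & icacls.exe $folder /grant "${ServiceAccount}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $folder" }
}

# 2. HTTP.sys URL reservations. Without a reservation only an administrator may
#    register a listener for the URL, so each one is reserved for the service account.
$Urls = @(
    'http://+:9010/Asm/Sequoia/SequoiaApiService',
    'http://+:9001/Asm/Sequoia/SequoiaApiService',
    'http://+:9001/',
    'http://+:9010/',
    "http://${SequoiaServer}:9092/IEventLoggingService",
    "http://${SequoiaServer}:9095/UserActivityMoniterService"
)
foreach ($url in $Urls) {
    # Remove any existing reservation first (harmless if none exists) so the add succeeds.
    & netsh.exe http delete urlacl "url=$url" | Out-Null
    & netsh.exe http add urlacl "url=$url" "user=$ServiceAccount" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add urlacl failed for $url" }

    # Verify that the reservation now names the service account.
    $shown = & netsh.exe http show urlacl "url=$url"
    if (-not ($shown -match [regex]::Escape($ServiceAccount))) {
        throw "Reservation for $url is not owned by $ServiceAccount"
    }
}

# 3. Message queues: Full Control for the service account on every private queue
#    whose name matches the assumed pattern (requires the MSMQ PowerShell module).
Import-Module MSMQ
$queues = Get-MsmqQueue -QueueType Private | Where-Object { $_.QueueName -like '*sequoia*' }
if (-not $queues) { throw 'No Sequoia message queues found; check the name pattern' }
$queues | Set-MsmqQueueACL -UserName $ServiceAccount -Allow FullControl
```

Modify rather than Full Control is granted on the folders because the guide only asks for read/write: an account that can rewrite a folder's ACL could grant itself more than it needs. The verification after each `netsh http add urlacl` catches the common failure where the add fails silently because an old reservation for a different account is still in place.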
Things to do after installation / every upgrade
- Configure every Sequoia service to log on as the Sequoia service account (the 'Log On' tab of the service in services.msc).
  - This is a Windows administrative function, and how to accomplish it is outside the scope of this document. Speak to your systems administrator for assistance.
  - Every time the installer is run, all Sequoia services are uninstalled and re-installed. The log-on account is part of the service configuration that is removed with the service, so the re-installed services revert to the installer's default account. You therefore need to set the Sequoia service account on every Sequoia service again after each installation or upgrade.
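The per-upgrade step above, re-applying the service account to every Sequoia service and checking the result, as an added example that is not part of the Sequoia documentation. The service display-name pattern and the account name are assumptions; the account must already hold the 'Log on as a service' right, since neither this method nor sc.exe grants it.

```powershell
# Added example, not from the Sequoia documentation: re-apply the service account to
# every Sequoia service after the installer has recreated them. The display-name
# pattern and the account name are assumptions.
$ErrorActionPreference = 'Stop'

$ServiceAccount = 'CONTOSO\svc-sequoia'      # assumed domain account; must already
                                             # hold the 'Log on as a service' right
$Pattern        = 'Sequoia%'                 # assumed WQL pattern for the display names

$cred     = Get-Credential -UserName $ServiceAccount -Message 'Sequoia service account password'
$services = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '$Pattern'"
if (-not $services) { throw "No services match DisplayName LIKE '$Pattern'" }

foreach ($svc in $services) {
    if ($svc.StartName -eq $ServiceAccount) { continue }   # already configured

    # A running service keeps its old token until it is restarted, so stop it first.
    if ($svc.State -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }

    # Win32_Service.Change writes the log-on account into the service configuration
    # (the same change the 'Log On' tab in services.msc makes); ReturnValue 0 is success.
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $ServiceAccount
        StartPassword = $cred.GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) {
        throw "Change failed for $($svc.Name) with return code $($result.ReturnValue)"
    }

    # If this fails with error 1069 (logon failure), the account lacks the
    # 'Log on as a service' right or the password is wrong.
    Start-Service -Name $svc.Name
}

# Verify: every matching service must now log on as the service account.
$wrong = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '$Pattern'" |
    Where-Object { $_.StartName -ne $ServiceAccount }
if ($wrong) {
    throw ("Services still not running as ${ServiceAccount}: " + ($wrong.Name -join ', '))
}
Write-Host "All services matching '$Pattern' log on as $ServiceAccount"
```

Win32_Service.Change is used instead of `sc.exe config obj= ... password= ...` because it returns a numeric result that the script can check, and because the password goes to the local service control manager rather than appearing on a command line that may be captured in process-creation logs.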