Introduction
By default the vSEC:CMS service runs under the local Windows SYSTEM account. In some scenarios, for example when the service must authenticate to a Microsoft CA or to MS SQL with its own identity, it needs to run under a dedicated Windows domain account instead. This article describes how to configure the vSEC:CMS service to run under such an account.
Prerequisites
Before proceeding with the configuration, ensure the following prerequisites are met:
- Basic understanding of Windows system administration.
- Access to the Windows server where vSEC:CMS is installed.
- Necessary permissions to create and configure Windows domain accounts.
Configure Dedicated Service Account
Follow these instructions to set up the vSEC:CMS service to run under a dedicated Windows account.
Create Windows Domain Account
The Windows account does not need to be of any special type; an ordinary domain user account is sufficient. It does, however, need the specific file system and registry permissions described in the following sections.
It is recommended to set the account password to never expire so that a password rotation does not stop the service; use a long, randomly generated password, since it will be stored with the service configuration.
If the account is a group Managed Service Account (gMSA) and the CA connection is configured for server-side Enrollment Agent (EA) signing against a Microsoft CA, vSEC:CMS cannot issue an EA certificate for that account. In that case the only option is to generate a .pfx for the service account and import the certificate into the local user certificate store on the server where vSEC:CMS is installed.
Configure vSEC:CMS Service
Once the dedicated Windows account is created, follow these steps:
- Stop the vSEC:CMS service from the Windows service manager (services.msc).
- Right-click the service vSEC:CMS Service and select Properties.
- Navigate to the Log On tab, select This account, and enter the Windows account created in the previous step together with its password.
Enter the account in the pre-Windows 2000 format, DOMAIN\username (for example CONTOSO\svc-vseccms, an example name), to prevent service startup issues.
Any other vSEC:CMS services installed on the server should remain running under Local SYSTEM.
Configure Windows Directory Permissions
Adjust permissions to ensure the vSEC:CMS service can function properly under the dedicated Windows account. Follow these steps:
- Locate the dat folder in the vSEC:CMS installation directory.
- Right-click the dat folder and select Properties.
- Go to the Security tab, click Edit, add the Windows account created earlier, give it Full Control and click Apply.
Configure Windows Registry Permissions
The service also needs permissions on its own registry key. Follow these steps:
- Open the registry editor using regedit.
- Browse to the registry key that matches the installed vSEC:CMS version:
For the 32-bit version (on 64-bit Windows, where the key is redirected to Wow6432Node):
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service]
For the 64-bit version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T\Service]
- Right-click the Service key and select Permissions.
- Click the Add button to add the dedicated Windows account created earlier.
- Assign full control permissions to the user.
- Click Apply and then close the Permissions dialog.
Start the vSEC:CMS Service
Start the vSEC:CMS service from the Windows service manager. It now runs under the dedicated Windows account; verify this in the Log On As column of services.msc.
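The steps above (stop the service, change its Log On account, grant the dat folder and registry permissions, start and verify) can also be done from an elevated PowerShell prompt on the vSEC:CMS server. The script below is an added example, not Versasec tooling. It assumes the domain account already exists, that the service display name is "vSEC:CMS Service" as shown in services.msc, and that the installation directory containing the dat folder is passed in as a parameter; those assumptions are marked in the comments.

```powershell
<#
  Added example (not part of the vSEC:CMS product): applies this article's steps non-interactively.
  Run from an elevated PowerShell prompt on the server where vSEC:CMS is installed.
#>
[CmdletBinding()]
param(
    # Service account in pre-Windows 2000 format, DOMAIN\username (CONTOSO\svc-vseccms is an example name).
    [Parameter(Mandatory)] [ValidatePattern('^[^\\]+\\[^\\]+$')] [string] $Account,
    # Password for $Account. Omit for a gMSA (pass the account as DOMAIN\name$).
    [pscredential] $Credential,
    # ASSUMPTION: the installation root that contains the "dat" folder; adjust to your installation.
    [Parameter(Mandatory)] [string] $InstallDir,
    # ASSUMPTION: the display name shown in services.msc.
    [string] $ServiceDisplayName = 'vSEC:CMS Service'
)
$ErrorActionPreference = 'Stop'

$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found" }

# 1. Stop the service (Stop-Service waits until the service has stopped).
Stop-Service -Name $svc.Name -Force

# 2. Change the Log On account (equivalent of the Log On tab in services.msc).
#    Unlike services.msc, Win32_Service.Change does not grant the "Log on as a service" right;
#    assign that right via Local Security Policy or GPO before running this for a new account.
$changeArgs = @{ StartName = $Account }
if ($Credential) { $changeArgs.StartPassword = $Credential.GetNetworkCredential().Password }
$res = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments $changeArgs
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($res.ReturnValue)" }

# 3. Grant Full Control on the dat folder, inherited by its files and subfolders.
$datPath = Join-Path $InstallDir 'dat'
if (-not (Test-Path $datPath)) { throw "dat folder not found at $datPath" }
$acl = Get-Acl -Path $datPath
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -Path $datPath -AclObject $acl

# 4. Grant Full Control on the Service registry key. The key that exists decides
#    which build is installed (Wow6432Node = 32-bit vSEC:CMS on 64-bit Windows).
$regCandidates = @(
    'HKLM:\SOFTWARE\Versatile Security\vSEC_CMS_T\Service',
    'HKLM:\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service'
)
$regPath = $regCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $regPath) { throw 'vSEC:CMS Service registry key not found' }
$regAcl = Get-Acl -Path $regPath
$regAcl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $Account, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
Set-Acl -Path $regPath -AclObject $regAcl

# 5. Start the service and confirm it is running under the expected account.
Start-Service -Name $svc.Name
$after = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
if ($after.State -ne 'Running' -or $after.StartName -ne $Account) {
    throw "Service state=$($after.State), account=$($after.StartName); see the Troubleshooting section"
}
"$($after.DisplayName) is running as $($after.StartName)"
```

Example invocation: `.\Set-VsecCmsAccount.ps1 -Account 'CONTOSO\svc-vseccms' -Credential (Get-Credential) -InstallDir 'C:\Program Files\Versatile Security\vSEC_CMS_T'` (script name, account and path are placeholders). The password is taken from a PSCredential rather than a plain string parameter so it does not end up in the command history or transcript.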
Troubleshooting
If encountering issues with vSEC:CMS startup or functionality, consider the following:
- If vSEC:CMS fails to start with an error indicating that the specified database is missing, the dedicated Windows account most likely cannot read, write or execute in the dat folder. Verify that the account has the required read/write/execute permissions on this folder (and that they are inherited by its contents).
- If vSEC:CMS uses MS SQL as its database and the connection must be made with the dedicated Windows account, create a SQL Server login for that account and grant it full read and write permissions on the vSEC:CMS database.
- If vSEC:CMS is configured to use a Microsoft CA, the dedicated Windows account must have the Issue and Manage Certificates permission on the CA.