Search

Configure Dedicated Windows Service Account

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

The vSEC:CMS service runs under the local Windows SYSTEM account by default. However, in certain scenarios, it may be necessary to configure the service to run under a dedicated Windows domain account. This article guides configuring the vSEC:CMS service to utilize a dedicated Windows account.

Prerequisites

Before proceeding with the configuration, ensure the following prerequisites are met:

  • Basic understanding of Windows system administration.
  • Access to the Windows server where vSEC:CMS is installed.
  • Necessary permissions to create and configure Windows domain accounts.

Configure Dedicated Service Account

Follow these instructions to set up the vSEC:CMS service to run under a dedicated Windows account.

Create Windows Domain Account

The Windows account doesn't require a specific type; a domain user type suffices. However, specific permissions need to be configured for this account, as outlined in the next section.

Note
It's recommended to configure the Windows account password to never expire to avoid service disruptions.
Important
If the Windows account used is a Domain User account and you plan to configure vSEC:CMS User, Agent and Admin clients then you need to give the account permissions to access the local certificate store of the server where vSEC:CMS is installed. Open Regedit and in this location [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates] select MY. Right click and from Permissions add the Windows account and check Allow for all permissions.
If this is not configured you can see System Health error ID [0087] reported in the Admin console.
image.png
Important
If the Windows account used is a Windows group Managed Service Account (gMSA) then it will not be possible to issue an Enrollment Agent (EA) if a Microsoft CA is used if you are using server-side EA signing in the CA connection configuration. The only option in this case is to generate a .pfx for the service account and import the certificate in this case into the local user certificate store on the server where vSEC:CMS is installed.

Configure vSEC:CMS Service

Once the dedicated Windows account is created, follow these steps:

  1. Stop the vSEC:CMS service from the Windows service manager (services.msc).
  2. Right-click the service vSEC:CMS Service and select Properties.
  3. Navigate to the Log On tab and select This account. Enter the Windows user account name created in the previous step.

Untitled.png

Important
Ensure the Windows account name is entered in the pre-2000 Windows account format to prevent service startup issues.
Important
If you are using other vSEC:CMS services you should leave them all to run under Local SYSTEM.
Untitled2.png

Configure Windows Directory Permissions

Adjust permissions to ensure the vSEC:CMS service can function properly under the dedicated Windows account. Follow these steps:

  1. Locate the dat folder in the vSEC:CMS installation directory.
  2. Right-click the dat folder and select Properties.
  3. Go to the Security tab click the Edit button and add the specific Windows user account created. Give the user full control and click Apply.

Configure Windows Registry Permissions

To ensure the proper functioning of the vSEC:CMS service under the dedicated Windows account, it's essential to configure specific permissions for a registry folder. Follow these steps:

  1. Open the registry editor using regedit.
  2. Browse to the appropriate registry location based on your system architecture:
For 32-bit version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Versatile Security\vSEC_CMS_T\Service]
For 64-bit version:
[HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T\Service]
  1. Right-click on the Service folder and select Permissions.
  2. Click the Add button to add the dedicated Windows account created earlier.
  3. Assign full control permissions to the user.
  4. Click Apply and then close the Permissions dialog.

Start the vSEC:CMS Service

Start the vSEC:CMS service from the Windows service manager, now, the vSEC:CMS service will run smoothly under the dedicated Windows account.

Troubleshooting

If encountering issues with vSEC:CMS startup or functionality, consider the following:

  • If vSEC:CMS fails to start with an error indicating a missing specified database, it's likely due to the Windows user account's inability to access or write/execute in the dat folder. Ensure the Windows user account has proper read/write/execute permissions for this folder.
  • If vSEC:CMS is set up to utilize MS SQL as the database and requires a dedicated Windows account for the connection, add this account to the MS SQL database table with full read and write permissions.
  • If vSEC:CMS is configured to use Microsoft CA, it is required that the dedicated Windows account has Issue and Manage Certificates permissions on the CA.