Configuring Your Inedo Product to Run As a Windows Domain Account
The example screenshots are from BuildMaster, but the process will be exactly the same no matter which one of our products you’re using.
Refer to this table: depending on which product you are using, enter the corresponding name or abbreviation in each space that has a red [product’s name] or [XX].
| The Inedo Product You’re Using | [product’s name] | [XX] abbreviation |
During installation, you can select the user account that your product will run as:
- Local System
- Network Service
For evaluation purposes it’s generally easiest to select “Local System” as that prevents most permissions issues, but once you’ve determined the exact use case for your installation, you can lock down permissions granularly by changing the user account to a domain user following the least-privilege principle.
Changing the User Account
Since Inedo products are made up of a web application (whether it’s hosted through IIS or the Integrated Web Server) and a service that orchestrates builds and deployments, the user account must be changed in 2 places:
To change the user account for the [product’s name] service, open the Windows Services Management Console (Start > Run > “services.msc”), right-click the [product’s name] Service (INEDO[XX]SVC), and select Properties. Select the “Log On” tab, then enter the name of the account along with its credentials:
Integrated Web Server Hosted Web Application
To change the user account for the [product’s name] Integrated Web Server service, the process is the same as changing the account that hosts the [product’s name] service, except the name of the service is “[product’s name] Web Server” (INEDO[XX]WEBSRV).
If you are changing to an account that is not a machine administrator, you will also need to add a URL reservation for this user account to be able to host a web site on the integrated web server. Follow the instructions in KB#1014 to add a reservation for the user account.
Note: Explicit URL reservations are only required when using a non-administrator account and hosting with the integrated web server.
IIS-Hosted Web Application
To change the user account for the web application when it is hosted through IIS 7+, you must change the identity of the application pool that runs it. By default, it is named “[product’s name]AppPool”. To change the user, open IIS Manager, select “Application Pools”, right-click the [product’s name] application pool, and select “Advanced Settings…”; the identity can then be changed under Process Model:
If you are using integrated SQL authentication, you will also need to make sure that the user account has permission to access SQL Server and has the [product’s name]User_Role role.
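The same change scripted in PowerShell, as an added example that is not Inedo's own tooling: it sets the logon account on the services named above and the identity of the application pool, then reports which account each service runs as. `XX` and `ProductName` are placeholders for the values from the product table, and the account is assumed to be entered as DOMAIN\user.

```powershell
# Added example, not Inedo's code. Run from an elevated PowerShell prompt.
# Placeholders: substitute the values from the product table for your product.
$xx      = 'XX'            # placeholder: the [XX] abbreviation
$product = 'ProductName'   # placeholder: the [product's name] value
$cred    = Get-Credential -Message 'Domain account (DOMAIN\user) the product should run as'
$user    = $cred.UserName
$pass    = $cred.GetNetworkCredential().Password

# 1. Windows services: the main service, plus the Integrated Web Server if installed.
foreach ($name in "INEDO${xx}SVC", "INEDO${xx}WEBSRV") {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed; skipping"; continue }
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = $user; StartPassword = $pass }
    if ($result.ReturnValue -ne 0) {
        throw "Changing the logon account for $name failed (code $($result.ReturnValue))"
    }
    Restart-Service -Name $name
}

# 2. IIS-hosted web application: set the application pool identity, if the pool exists.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $poolPath = "IIS:\AppPools\${product}AppPool"
    if (Test-Path $poolPath) {
        # identityType 3 = SpecificUser
        Set-ItemProperty -Path $poolPath -Name processModel `
            -Value @{ userName = $user; password = $pass; identityType = 3 }
        Restart-WebAppPool -Name "${product}AppPool"
    }
}

# 3. Verify: list the account each service now runs as; flag any still on LocalSystem.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'INEDO${xx}%'" |
    Select-Object Name, State, StartName,
        @{ Name = 'StillLocalSystem'; Expression = { $_.StartName -eq 'LocalSystem' } }

Remove-Variable pass   # drop the plaintext copy of the password from the session
```

Unlike the Services console, changing the account this way does not grant it the "Log on as a service" right, so assign that right before the restart. The URL reservation and SQL Server role described above still have to be set up separately.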
Managed Service Accounts
Inedo products support being run as Managed Service Accounts. However, this requires that your database and application pool also have the ability to run as and accept logins from these accounts.