One Identity Manager Application Server
If you install the One Identity Manager Application Server under IIS, you must add an account that is able to access the Data Governance server (that is, an Active Directory user account that is mapped to a One Identity Manager employee with the Data Governance | Administrators and Data Governance | Access Managers application roles applied) as the application pool identity.
To modify the application pool identity
- Open Internet Information Services (IIS) Manager.
- In the left pane, navigate to and select Application Pools.
- In the middle pane, select the application pool for the application server (AppServer_POOL is the default name).
- In the right pane, click Advanced Settings.
- In the Advanced Settings dialog, edit the Identity value (under the Process Model section). This value must contain an account that is able to access the Data Governance server (i.e., an Active Directory user account mapped to an employee with both the Data Governance | Administrators and Data Governance | Access Managers application roles).
If the Application Server application pool is set to the default Network Security identity, Data Governance Edition reports will fail to generate.
One Identity Manager database encryption
If you encrypted the One Identity Manager database, you must perform the following steps to ensure Data Governance Edition can find and use the same key file.
NOTE: If the One Identity Manager database is encrypted and the encryption key file is not provided (or updated) in Data Governance Edition, you will encounter the following error when trying to add a service account to Data Governance Edition: Error: "Logon failure: unknown user name or bad password".
- After encrypting the One Identity Manager database, locate the key file that was generated.
-
Run the following Data Governance Edition PowerShell cmdlet so Data Governance Edition can find and use this same key file:
Set-QEncryptionOptions -File <path to .key file>
Authentication using service accounts and managed domains
Most organizations running a network of Windows computers have multiple Active Directory domains and forests to be managed. Users expect seamless integration and IT administrators need an all-encompassing view of their network security to make that happen.
Data Governance Edition consolidates security information across many domains and forests by accessing these network entities using stored credentials (service accounts). These service accounts are Active Directory users granted the appropriate permissions in their respective domains and registered with Data Governance Edition.
By elevating to the service accounts as necessary, the Data Governance server is able to deploy agents and retrieve security information across the organization. All communication is secure and all credential information is encrypted and protected.
Administrators responsible for the Data Governance Edition deployment must register service accounts with the system and link them with domains that have been previously synchronized with One Identity Manager. The link between a service account and an Active Directory domain makes it a “Managed Domain”.
Administrators link a service account to an Active Directory domain through the Manager. For more information, see Readying a service account and domains for deployment.
How are the credentials stored securely?
Service account credentials are stored in the central One Identity Manager database. These credentials can be encrypted using the Crypto-Configuration tool. For more information, see Encrypt Data in a Database in the One Identity Manager Installation Guide.
What permissions do service accounts need and why?
For details on the required permissions, see Data Governance Edition minimum permissions.
Notes:
- Remote managed hosts (EMC, NetApp, Windows cluster, Cloud) require a service account with sufficient permissions to access target computers.
- SharePoint farms are similar to remote managed hosts in that they require a service account with sufficient permissions to access the data, even though they are installed locally.
- NetApp managed hosts require a service account with sufficient permissions to create and maintain FPolicy on a NetApp filer.
Readying a service account and domains for deployment
Before you can gather information on the data in your enterprise, you must:
You can specify these credentials on a per domain basis. Each domain can only have one associated service account at any time, but the same service account can be used for multiple domains. Service accounts are also used to run remote agent services on agent host computers and must be specified during remote agent deployment.
When a domain is managed, a Data Governance container is created in the domain’s System container. This container holds a Service Connection Point object, which is used by the Data Governance Edition components to find one another. Agents use this information to determine where the Data Governance server they should connect to exists.
Note: Only domains that have had Active Directory synchronized with One Identity Manager can be managed. For details, see Setting up Synchronization with an Active Directory Environment in the One Identity Manager Administration Guide for Connecting to Active Directory.