-
Title
How to change the One Identity Cloud Access Manager service account. After changing service account can no longer login to the admin page. -
Description
How to change the One Identity Cloud Access Manager service account.
After changing service account can no longer login to the admin page.
Cannot get to the Application Portal however the status on the Home page shows green and the proxy is up and running.
Error.html appears Error. An unexpected error has occurred. Please contact your Cloud Access Manager administrator to check the logs for additional details.
-
Cause
The service account that was being used for CAM was changed. This account is hard coded in the sqlserver database for services such as IIS and showed the old account being used. -
Resolution
CAUTION: Changing the service account without following the proper steps will break login to the Admin page.
1. Very important: Back-up all Cloud Access Manager (CAM) hosts (Proxy, STS and DB) for example by taking snapshots of each VM or making backup copies of the databases.
2. Create a new user in Active Directory to be used to run the CAM components, for example, called “cam-service” and set the password to never expire. No special privileges or groups are required, just a standard domain user.
3. Uninstall CAM from the STS host(s) with the old service account in place.*** When later reinstalling the STS service you must use the same shared secret as for the original install. This can be retrieved from the CAM Admin UI > Settings > Fallback password and shared secret page; check this before uninstalling if you are unsure of the value. ***4. Using SQL Management Studio run the following SQL on ALL CAM databases:
CTAuditCTDataCTSessionSecurityAnalyticsEngine (from CAM v8.0)If your current CAM service user is the domain administrator the following SQL will not be required as no CTUser account will exist, however, it is written with that in mind so always run it if unsure:IF EXISTS(SELECT * FROM sys.database_principals WHERE name = 'CTUser') BEGINPRINT 'Deleting existing user...'DROP USER [CTUser]ENDThis SQL creates the new user – run it against each database replacing “YOURDOMAIN\cam-service” with the name of your new CAM service user:PRINT 'Creating user...'CREATE USER [CTUser] FOR LOGIN [YOURDOMAIN\cam-service]EXEC sp_addrolemember 'db_datareader', 'CTUser'EXEC sp_addrolemember 'db_datawriter', 'CTUser'EXEC sp_addrolemember 'db_ddladmin', 'CTUser'EXEC sp_addrolemember 'db_owner', 'CTUser'
Example screenshots:
5. Reinstall CAM on the STS host(s), entering the new user at the beginning of the install wizard.
6. When the installer completes the RSTS service and IIS app pool will be running as the new CAM user.
See example screenshots:
7. In the CAM Launch wizard:
*** You must enter the same shared secret as for the original install. ***- When prompted to configure the database, point to your existing database and specify an account with the sysadmin role (as for the original install).- Enter the same Proxy Hostname as was set prior to uninstallation.
8. When the STS configuration prompts you to install the Proxy(s), uninstall and re-install the existing proxy(s) on the Proxy host(s).9. Complete the Launch wizard configuration on the STS server.
10. Once complete check you can log in using the fallback admin and a domain login. -
Additional Information
If you have not setup a lot of applications, another option is to uninstall CAM, manually delete the CAM database and then reinstall with the correct service account and then get a new SSL cert.