NST logon account security

tedcjohnston

I've read a number of the walkthroughs- all suggest using a domain account for NST. All also suggest using least privileges. Is there a document (accessible to a customer not a partner) that describes the minimum AD permissions required?

When setup as a domain user, the web service will not start. When setup as a domain admin, surprise, it will.

Thanks in advance for your help.

kine

You need at least have rights to run service (it is automatically set up when you use the account for some service in most cases). And look into Event log for more infor about why the service didn't start.

tedcjohnston

Thanks for the reply. Would prefer a definitive work by MS rather than a by guess by golly work by me. I am not an AD master. It is a wonder that MS puts out lots of advice on how to setup the service to use a domain account but does not put out information on how to setup that domain account. Read the hardening NAV document and it is not there either.

I know I should leave these things to people who are AD masters, but those folks bill by the hour.

tedcjohnston

Anyone from MS?

I would think this would fall under the MS Secure Computing initiative- giving customers the resources they need to easily setup NAV 2009 securely.

alexpeck

Web services are probably failing to start because the installer registers the web service URL ACL for the Network Service Account. If you use a domain user, you need to register that domain user in the ACL for the URL. You can verify this by checking the event log. Local admins (and by extension domain admins) have permission by default. Note that the URL ACL is on the local machine, not in AD.

PaulWH has a nice tool to inspect URL ACLs here: http://blogs.msdn.com/paulwh/archive/2007/05/04/addressaccessdeniedexception-http-could-not-register-url-http-8080.aspx

Otherwise you can use netsh at the command line on Server 2008, you need a command like netsh http add urlacl url=http://+:<ws port number>/DynamicsNAV user=<domain\user>, where you replace <ws port number> with 7047 or whatever port you use, and <domain\user> with the domain user account. On 2003 you need to use httpconfig - the syntax is too complicated for me to remember. If you need it I can find it for you.

Returning to your original question, I believe the minimal AD privilege required for the service account is for it to be a member of domain users. If you have installed 3 tiers on 3 computers, the service account must have permission to present delegated credentials to SQL Server. The service account must also have a suitable SPN; but this is an attribute of the account rather than a permission.

If we expand the scope beyond AD, then the service account must also have a SQL Server login, a database login for the NAV database, and select permission on the object tracking table. The logon as a service right will be granted when you set the service to run as the domain account. I think this automatically grants the required local security policy and filesystem permissions on the host. There are, of course, some features of NAV which require more security configuration, but to use RTC this list is pretty complete.

In the documentation, when using least privilege is suggested, I would interpret that as granting only the permissions that are described (this is my opinion rather than a definitive answer). Unfortunately there is no single page with a list, but it is there if you read all the walkthroughs. The URL ACL is an omission we are fixing in the next doc update. I'll also push for getting a better description of what is required for different features/configurations.

Alex