Configuring the Windows Server Agent Account

To manage shared folders in EmpowerID or execute other system management tasks on a local Windows server, the Windows Server Management Web Service job must be running on each machine that is an intended target for these tasks. Additionally, because the service is hosted in IIS, it must be associated with a service account that is a member of the Domain Admins group and whose password is vaulted in EmpowerID. Vaulting the password allows the service to access the private key that was used to encrypt the password, decrypting it to gain the necessary privileges on the server.

This topic demonstrates how to configure the EmpowerID Windows Server Agent Service account and is divided into the following activities:

Creating a service account for the Windows Server Agent

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the User Account management page by expanding Identities and clicking User Accounts.
  2. From the Actions pane of the User Account management page, click Create User (Person Optional).
  3. This opens the Create Account page.

  4. From the General tab, select Service from the Account Type drop-down. You should notice the fields on the form change to reflect the options you have for creating a service account. Specifically, EmpowerID removes the First Name, Last Name, and Display Name fields. This keeps EmpowerID from automatically provisioning an EmpowerID Person from the account during the next inventory event.
  5. Underneath Account Creation Location, click Select a Location and in the Location selector that appears, search for and select the directory location in which you want to create the service account. Once you have selected a location, click Save to close the Location selector.
  6. Type a logon name for the account in the Logon Name field.
  7. Type a description and any comments in the Description and Comments or Justification fields, respectively.
  8. Select Allow me to enter a password and then type a password in the Password and Confirm Password fields.
  9. The account must have a password before it can be vaulted in EmpowerID.
  10. In the Security section of the form, deselect Allow Joining Account to a Person, Allow Provisioning a Person from Account, and Enable Sync Password.
  11. Click Save.
  12. After EmpowerID creates the account, you should see the View page for it. The View page allows you to view information about the account and manage it as needed. You will use this page to add the account to the Domain Admins group, as well as to vault the account password.

  13. From the View page, expand the Group Membership accordion.
  14. From the Group Membership accordion, type Domain Admins in the Enter name to add field and then click the tile for that group.
  15. Click Submit.
  16. Now that the service account has been created and added to the Domain Admins group, the next step is to vault the account password. This is discussed in the next section.

To vault the service account password

  1. From the View page for the service account, expand the Actions accordion and click Edit Vaulted Account Password.
  2. This directs you to the Service Account Credentials page.

  3. From the Encryption Certificate drop-down, select the SSL certificate you are using to secure communications between EmpowerID and IIS.
  4. Type the service account password in the Password and Confirm Password fields and then click Submit.
  5. Click OK to close the Operation Execution Summary.
  6. Now that the service account password is vaulted, the next step is to add the account to the agent. This is discussed in the next section.

To add the service account to the Windows Server agent

  1. From the Navigation Sidebar, navigate to the Windows Server Agent Service Account page by expanding Admin > Applications and Directories and clicking Windows Server Agent Accounts.
  2. From the Windows Server Agent Service Account page, search for the appropriate Windows server and then click the Name link for that server.

  3. From the View One page for the Windows Server Agent that appears, click the Edit link. Edit links have the Pencil icon.
  4. This directs you to the Edit One page for the WCF Component. This component represents the Windows Server Management Web Service in the EmpowerID Identity Warehouse.

  5. From the Service Account field, type the name of the service account you created above and then click the tile for that account.
  6. Click Save.