Windows permissions for database service accounts
When configured with Trust Protection Platform to use Windows integrated authentication to a MSSQL database, you must allocate the following permissions to the database service accounts on all Venafi servers:
Service Account | Log On as a Service | Log On as a Batch Job | Local Windows administrator group
---|---|---|---
Database owner account | | | Required
Operational database account | Required | Required |
With Windows integrated authentication, the Venafi Windows services and IIS application pools are configured to run as the operational database account, so that account requires the "Log On as a Service" and "Log On as a Batch Job" user rights on every Venafi server. The Venafi installer attempts to grant these rights automatically; however, enterprise Group Policy settings sometimes prevent the installer from making that change. In those cases, work with your Active Directory team to grant both database service accounts the permissions listed in the table above.
NOTE If you use the same account for both roles, that account must have all three permissions: Log On as a Service, Log On as a Batch Job, and be a member of the Local Windows administrator group.
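Because Group Policy can silently override what the installer sets, it is worth verifying the effective assignments on each Venafi server after installation. The following PowerShell script is an added example, not part of Venafi's documentation or installer: it exports the local user-rights assignments with `secedit`, resolves each account to its SID, and reports whether the account holds "Log On as a Service" (`SeServiceLogonRight`), "Log On as a Batch Job" (`SeBatchLogonRight`), and direct membership in the local Administrators group. The account names in the `$Accounts` default are placeholders; replace them with your own database owner and operational accounts (a gMSA is written as `DOMAIN\name$`).

```powershell
# Added example (not Venafi's code): audit the user rights required by the table above.
# Assumptions: run in an elevated PowerShell session on each Venafi server;
# the account names below are placeholders for your own service accounts.
param(
    [string[]]$Accounts = @('CONTOSO\svc-venafi-dbowner', 'CONTOSO\svc-venafi-ops$')
)

# Export only the user-rights area of the local security policy to a temporary .inf file.
$inf = Join-Path $env:TEMP 'venafi-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section: each line is "SeRightName = *SID,*SID,..."
# Members may also appear as names rather than SIDs, so keep both forms as written.
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Direct members of the local Administrators group, by SID.
$adminSids = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.SID.Value }

foreach ($acct in $Accounts) {
    # Resolve DOMAIN\account (or gMSA DOMAIN\name$) to its SID for comparison.
    $sid = (New-Object System.Security.Principal.NTAccount($acct)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    [pscustomobject]@{
        Account            = $acct
        LogOnAsService     = ($rights['SeServiceLogonRight'] -contains $sid) -or
                             ($rights['SeServiceLogonRight'] -contains $acct)
        LogOnAsBatchJob    = ($rights['SeBatchLogonRight']   -contains $sid) -or
                             ($rights['SeBatchLogonRight']   -contains $acct)
        LocalAdministrator = $adminSids -contains $sid
    }
}
```

The script only reports rights assigned directly to the account. If your Active Directory team grants "Log On as a Service" or "Log On as a Batch Job" to a domain group that the service account belongs to, the account still has the right effectively but will show `False` here; in that case compare against the group's SID as well, or run `whoami /priv` in a session started as the service account.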
For more information on the Log On as a Service permission, see the Microsoft TechNet article Log on as a service.
For more information on the Log On as a Batch Job permission, see the Microsoft Windows Server forum post Log on as batch job right.
You can use Group Managed Service Accounts (gMSAs) to minimize the administrative maintenance. See Using Group Managed Service Accounts (gMSAs).