Thursday, July 07, 2011

Windows Authentication for Sitecore. Repost

Back in 08 I posted this walkthrough on how to configure Sitecore to use Windows Authentication for the SQL connection, which effectively removes the username and password from the connectionStrings.config file.
Here is a quick repost of the walkthrough with a few tweaks for SQL 2008 / Windows 2008 (R2) and Sitecore 6.4.x/6.5 (some steps are no longer required):

  1. Find the application pool that your Sitecore is running under. Open Properties and set the identity to the domain user on the corresponding tab.
  2. On the SQL Server box register the domain user and grant security permissions on Sitecore databases for the domain user according to the section “4.4.1 Creating a Database Account for Sitecore CMS Databases on SQL Server 2008” of the Installation Guide.
  3. On the machine that hosts Sitecore add this domain user to the IIS_IUSRS group.
  4. Adjust the permissions for the IIS_IUSRS group according to these sections of the Installation Guide:
    “4.2.2 File System Permissions for ASP.NET Requests”
    “4.2.3 File System Permissions for System Folders”.
  5. Edit the /App_Config/ConnectionStrings.config file and replace the user id and password parameters with the trusted_connection=yes option:
    <?xml version="1.0" encoding="utf-8"?>
    <connectionStrings>
      <add name="core" connectionString="Data Source=.\sql2008;Database=Sandbox6_Core;Trusted_Connection=Yes" />
      <add name="master" connectionString="Data Source=.\sql2008;Database=Sandbox6_Master;Trusted_Connection=Yes" />
      <add name="web" connectionString="Data Source=.\sql2008;Database=Sandbox6_Web;Trusted_Connection=Yes" />
    </connectionStrings>
  6. Prepare your identity so it can be used as a service account with “aspnet_regiis.exe” and the -ga switch.
  7. Add your domain service account to the local “Performance Monitor Users” group as per this section: “4.2.5 Windows Registry Permissions”.

Important note:
This walkthrough describes basic Sitecore configuration with no modules or OMS/DMS installed. Additional security permissions are required for the modules and other components that carry their own databases.
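
A check for step 5, as an added example that is not part of the original walkthrough: it parses a ConnectionStrings.config and reports which entries still embed SQL credentials instead of using Windows authentication. The sample config, the `sc_user` account and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: "core" converted per step 5, "master" still carrying
# SQL credentials, "web" with no authentication keyword at all.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<connectionStrings>
  <add name="core" connectionString="Data Source=.\sql2008;Database=Sandbox6_Core;Trusted_Connection=Yes" />
  <add name="master" connectionString="user id=sc_user;password=CONSTRUCTED;Data Source=.\sql2008;Database=Sandbox6_Master" />
  <add name="web" connectionString="Data Source=.\sql2008;Database=Sandbox6_Web" />
</connectionStrings>
"""

# SqlClient keyword synonyms for credentials and for integrated security.
CRED_KEYS = {"user id", "uid", "user", "password", "pwd"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
TRUSTED_VALUES = {"yes", "true", "sspi"}

def parse_connection_string(cs):
    """Return {lowercased key: value}. Later duplicates overwrite earlier ones.
    Quoted values containing ';' are not handled; key detection still works."""
    pairs = {}
    for part in cs.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs

def classify(cs):
    kv = parse_connection_string(cs)
    # Credentials are flagged even when a trusted-connection keyword is also
    # present: the secret is still sitting in the file.
    if CRED_KEYS & kv.keys():
        return "embedded-credentials"
    trusted = any(kv.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS)
    return "windows-auth" if trusted else "no-auth-specified"

def audit_config(xml_text):
    """Map each <add name=...> entry to its classification."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {add.get("name"): classify(add.get("connectionString", ""))
            for add in root.iter("add")}

if __name__ == "__main__":
    for name, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {status}")
```

Any entry not reported as `windows-auth` after step 5 still needs attention, including databases added by modules.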


Craig said...

Can you explain why step #7 is required?

Alex Shyba said...

Sitecore is using Performance Counters. This will allow the application to register data about those counters within Windows Server. If you have Counters.Enabled="false" in web.config then you don't need this theoretically. I'd still set this up since you may want to re-enable those at some point for troubleshooting needs.