Change Service account for Configuration Storage Server (ISASTGCTRL) (Full Version)






adenhaan -> Change Service account for Configuration Storage Server (ISASTGCTRL) (4.Sep.2005 2:40:00 PM)

Initially I had installed the ISA 2004 Configuration Storage Server on my Domain controllers, using the administrator account.
Now while trying to tighten up security, I want to get rid of any service running under the administrator account,
hence I began on a quest to change the credentials for the ISASTGCTRL service, and I want to share my findings here,
as documentation is hard to find on this.

The ISA 2004 Enterprise Edition help contains the following phrase :
quote:
In most scenarios, the Configuration Storage server service runs under the Network Service account.
However, when you install the ISA Server Configuration Storage server on a domain controller,
you must specify a different account under which the Configuration Storage server service will run.
This is because the Network Service account cannot be used when the Configuration Storage server runs on a domain controller.

I have my Configuration Storage Server running on a domain controller,
and even though things seemed to work just fine if I changed the account for the ISASTGCTRL service to the local system account,
I wanted to give it a try and create a domain account - with minimal rights - to be used for running the ISA Configuration Storage service.

Step 1:

From ADAM helpfile:
quote:
To enable a workstation or domain user account as a service account,
you must grant the Log on as a service right to the account that is used as the ADAM service account.

So create a domain account (example: Domain\ISAService) in AD, and assign it the rights to run as a service on domain controllers -
where my configuration storage server(s) are - using Default Domain Controller Security Policy snapin :
Add user Domain\ISAService to "Logon as a Service"

Using Computer Management, Services plugin, change the logon account for ISASTGCTRL to ISAService, and restart the service...
You will get the following messages in eventlog:

code:
Event Type: Warning
Event Source: ADAM [ISASTGCTRL] General
Event Category: Service Control
Event ID: 2538
User: N/A
Computer: DOMAINCONTROLLER1
Description:
The directory server has detected that the service account used to run this service
has been changed.

This directory server may experience problems starting up.

Additional Data
Old service account:
DOMAINNAME\Administrator
New service account:
DOMAINNAME\ISAService

User Action
If service is experiencing problems starting up, verify that the new service account
has full control over the database folder(s), full control over the service registry key,
and that the VSSAccessControl registry key is updated appropriately.

Now this is actually a useful message, as it points to the following fix:

Step 2: Add ISAService account to VSSAccessControl

In registry editor go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl

Add a REG_DWORD, with the name of the account (Domain\ISAService), and a value(data) of 1

Step 3: Give ISAService account rights on Registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADAM_ISASTGCTRL

Using regedit, right-click this key and select Permissions. Add the DOMAIN\ISAService account with full permissions.

code:
Event Type: Warning
Event Source: ADAM [ISASTGCTRL] General
Event Category: Security
Event ID: 2521
User: N/A
Computer: DOMAINCONTROLLER1
Description:
Active Directory was unable to initialize auditing security system.
It will run with auditing disabled. No security audits will be generated.

Additional Data:
Error value:
1314 A required privilege is not held by the client.

Step 4: Assign "Generate security audits" privilege to ISAService account.

To fix the warning message 2521, with a little help from ADAM helpfile:

To enable auditing for an ADAM instance running under a service account other than the Network Service account,
you must grant the Generate security audits right to the account that is used as the ADAM service account.

Use "Default Domain Controller Security Policy" snapin : Add user Domain\ISAService to "Generate security audits" item.

code:
Event Type: Error
Event Source: ADAM [ISASTGCTRL] General
Event Category: Internal Processing
Event ID: 1003
User: N/A
Computer: DOMAINCONTROLLER1
Description:
Active Directory could not be initialized.

The directory service cannot recover from this error.

User Action
Restore the local directory service from backup media.

Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or in use

Step 5: Account needs full rights to ADAMData directory

Make sure that this new account has full rights on the Directory where ADAM files are stored
(Example: C:\Program Files\Microsoft ISA Server\ADAMdata)

Note : This directory does NOT inherit permissions from higher levels, so assigning rights
to the complete drive or program files directory will not work.

Now if you start the ISASTGCTRL service again, using the ISAService account, the following shows up in the event log:

code:
Event Type: Error
Event Source: ADAM [ISASTGCTRL] General
Event Category: Internal Processing
Event ID: 2536
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DOMAINCONTROLLER1
Description:
The directory server has failed to update the ADAM serviceConnectionPoint object
in the Active Directory. This operation will be retried.

Additional Data
SCP object DN:
CN={401d891c-d654-454b-9f93-d744cb082bb6},CN=DOMAINCONTROLLER1,OU=Domain Controllers,
DC=domainname,DC=com
Error value:
5 Access is denied.
Server error:
00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Internal ID:
339038f
ADAM service account:
DOMAINNAME\ISAService

User Action
If ADAM is running under a local service account, it will be unable to update the data in the
Active Directory. Consider changing the ADAM service account to either NetworkService or a
domain account.

If ADAM is running under a domain user account, make sure this account has sufficient rights
to update the serviceConnectionPoint object.

ServiceConnectionPoint object publication can be disabled for this instance by setting
msDS-DisableForInstances attribute on the SCP publication configuration object.

Step 6:

To fix this, go into ADSI Edit and you will find a CN={GUID} under your domain controllers.
Right click it to go into properties, and on the security tab assign the ISAService account full rights to this object .

Unfortunately we're not there yet....

The array members now have difficulty connecting to the configuration server, as you will see in Monitoring Alerts,
and the following errors appear in the event log on the array members:

code:
Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 21238
User: N/A
Computer: ARRAYMEMBER1
Description:
ISA Server cannot connect to the Configuration Storage server domaincontroller1.domainname.com
for one of the following reasons:
- The Configuration Storage server is not available.
- General networking or authentication issues.
- A policy misconfiguration on the array.
For information on resolving these issues, see
"Troubleshooting installation and connectivity" in the ISA Server help or
http://go.microsoft.com/fwlink/?LinkId=37487.
--------------------------
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
User: N/A
Computer: ARRAYMEMBER1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/DOMAINCONTROLLER1.DOMAIN.COM.
The target name used was ldap/DOMAINCONTROLLER1.DOMAIN.COM:2171.
This indicates that the password used to encrypt the kerberos service ticket is different than
that on the target server. Commonly, this is due to identically named machine accounts in the
target realm (DOMAIN.COM), and the client realm.
Please contact your system administrator.

Step 7:

At this time I was pulling my hair out... trying to reboot the servers, with no resolution.
It turned out that in the process, a batch file was created on the domain controller, as described in the chapter
"Administering Service Principal Names" in the ADAM helpfile:

quote:
To register SPNs for ADAM manually in Active Directory, use the dnsdomainname.bat script file
that ADAM setup creates in the data directory of the ADAM instance (Program Files\Microsoft ADAM\instancename\data),
where dnsdomainname represents the name of the DNS domain in which the ADAM instance resides.

Running this batch file did the trick: members can connect to the storage server, and all that was left was to execute steps 2, 3, 5 and 7
on the other domain controller(s) that contain a replica Configuration Storage server.

Phew... it was a rocky ride; I hope this info will help out the next person that wants to do this.

G'luck, Andre.

[ September 04, 2005, 03:26 PM: Message edited by: adenhaan ]
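An added check script (written for this page, not code from Andre's post, ISA Server or ADAM) that verifies on the Configuration Storage server host whether the dedicated domain account already meets the requirements behind events 2538, 2521, 1003 and the Kerberos error 4 above. The account name, the ADAMdata path and port 2171 are placeholders taken from the post's own examples; step 6 (the SCP object ACL) is still checked in ADSI Edit as described.

```powershell
# Added check script by the editor, not code from Andre's post, ISA Server or ADAM.
# Run elevated on the domain controller hosting the Configuration Storage server.
# Placeholders: the account, the ADAMdata path and port 2171 come from the post.
# $env:USERDNSDOMAIN assumes a domain logon; step 6 (SCP ACL) is verified in ADSI Edit.
$Account     = 'DOMAIN\ISAService'
$AdamData    = 'C:\Program Files\Microsoft ISA Server\ADAMdata'
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_ISASTGCTRL'
$VssKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
$ExpectedSpn = "ldap/$env:COMPUTERNAME.$env:USERDNSDOMAIN:2171"

# True when an Allow ACE for $Identity on $Path grants FullControl (registry or NTFS).
function Test-FullControl([string]$Path, [string]$Identity, [string]$RightsProperty) {
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            "$($ace.$RightsProperty)" -match 'FullControl') { return $true }
    }
    return $false
}

# True when the effective local security policy lists $Identity (by SID or name)
# under the given privilege, e.g. SeServiceLogonRight or SeAuditPrivilege.
function Test-UserRight([string]$Identity, [string]$Privilege) {
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like "$Privilege*" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return [bool]($line -and ($line -match [regex]::Escape($sid) -or
                              $line -match [regex]::Escape($Identity)))
}

# SPN check: setspn -L lists the SPNs on the account; the post registered them
# with the dnsdomainname.bat that ADAM setup wrote to the instance data directory.
$spns = setspn -L ($Account.Split('\')[-1]) 2>$null

$checks = @{
    'Step 1  Log on as a service right'      = Test-UserRight $Account 'SeServiceLogonRight'
    'Step 2  VssAccessControl value = 1'     = ((Get-ItemProperty $VssKey -ErrorAction SilentlyContinue).$Account -eq 1)
    'Step 3  Full control on service key'    = Test-FullControl $ServiceKey $Account 'RegistryRights'
    'Step 4  Generate security audits right' = Test-UserRight $Account 'SeAuditPrivilege'
    'Step 5  Full control on ADAMdata'       = Test-FullControl $AdamData $Account 'FileSystemRights'
    'Step 7  ldap SPN on the account'        = [bool]($spns -match [regex]::Escape($ExpectedSpn))
}
foreach ($c in ($checks.GetEnumerator() | Sort-Object Name)) {
    '{0,-4} {1}' -f ($(if ($c.Value) { 'OK' } else { 'FAIL' })), $c.Key
}
```

A FAIL line maps directly to the numbered step in the post that fixes it; rerun after each change and before restarting the ISASTGCTRL service.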




tshinder -> RE: Change Service account for Configuration Storage Server (ISASTGCTRL) (6.Sep.2005 7:38:00 AM)

Hi Andre,

Wow! What a mess!

Good to hear you got it working and for sharing your information with us!

Tom




adenhaan -> RE: Change Service account for Configuration Storage Server (ISASTGCTRL) (7.Sep.2005 9:00:00 AM)

Tom,

Trial and error method is most always ugly [Wink]

I definitely recommend for those who are about to install ISA 2004 EE to create a domain account for the CSS, and have the installation procedure handle all the stuff I had to do manually.
If you want to change it after the fact - like I had to do - it ain't that bad... if you have the pointers from my post above.

Thanks, Andre.




tshinder -> RE: Change Service account for Configuration Storage Server (ISASTGCTRL) (7.Sep.2005 9:11:00 AM)

Hi Andre,

Excellent advice!

Thanks!
Tom



