3

I am bringing up AppXtender Workflow Manager. One of the instructions is to create an Impersonation Service Account. I have never heard of such. What is it and how do I create an impersonation service account on Windows Server?

Zoredache
hanleyhansen

1 Answer

3

Your app is just looking for a user account to run as. You'll probably find that you need to assign some special permissions to the account later in the directions.

If your domain is operating at a 2008 R2 level, then you'll probably want a Managed Service Account. It's more complicated, but it changes its own password and is generally more secure.

If that's too complicated or you're not at R2 level, then you'll just create a typical User Account in ADUC. Manual password picking and rotation would then be necessary (or not, if you're in one of those environments).

Note: Generally when people ask about impersonating accounts it's some sort of kerberized middleware, where passing the service ticket from the client's authentication to a back-end app wouldn't work as the middleware doesn't have the TGT from the client. If that sounds complicated, it is. It's a royal PITA to set up and keep working too.

Chris S
  • The instructions state to set the account to "user cannot change password" and "never expires". I wonder if just creating a new user and putting him in the administrator group would be enough. The instructions state to change some Local Security Policy rights to the administrators group and I do have to add the impersonation service account to the administrators group anyway. I was just wondering if it took a specific process to impersonate a service account. – hanleyhansen May 16 '12 at 14:21
  • It sounds like your app doesn't support Managed Service Accounts or Best Practices; so you're going to be stuck with a normal user account. Try to keep the password as long/complicated as possible as it'll likely be a security weak point as long as it's around. – Chris S May 16 '12 at 14:23
  • Ok thanks. I'll go through the rest of the instructions to see if it works. – hanleyhansen May 16 '12 at 14:25
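
The two options from the answer, written out with the ActiveDirectory PowerShell module. This is an added example, not part of the original thread or the AppXtender instructions. The account name `svc-axworkflow` and the host name `APPSRV01` are placeholders.

```powershell
# Added example: the account name and host name below are placeholders.
Import-Module ActiveDirectory

$Name    = 'svc-axworkflow'   # hypothetical service account name
$AppHost = 'APPSRV01'         # hypothetical server that runs the application
$UseManagedAccount = $false   # $true only if the application supports MSAs

if ($UseManagedAccount) {
    # Option 1: standalone Managed Service Account. AD rotates the password itself.
    # -RestrictToSingleComputer is for the Server 2012+ module; the 2008 R2
    # module creates a standalone MSA without it, so omit the switch there.
    New-ADServiceAccount -Name $Name -RestrictToSingleComputer
    Add-ADComputerServiceAccount -Identity $AppHost -ServiceAccount $Name
    # Then, in a session on $AppHost itself:
    #   Install-ADServiceAccount -Identity $Name
}
else {
    # Option 2: ordinary user account with a long random password.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)   # 64-character password
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # The two flags are the "user cannot change password" and
    # "never expires" settings the product instructions ask for.
    New-ADUser -Name $Name -SamAccountName $Name `
        -AccountPassword $secure -Enabled $true `
        -CannotChangePassword $true -PasswordNeverExpires $true `
        -Description 'App service account; password is rotated manually'

    # Store $plain in the password vault and enter it in the application,
    # then drop it from the session.
    Remove-Variable plain, bytes
}

# Periodic review: accounts whose passwords never expire, oldest first,
# so the manual rotation is not forgotten.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordLastSet |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet
```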