Hello,
We are very interested in Password Server and have downloaded the trial today. I am trying to follow the directions found at https://helpserver.devolutions.net/install_createrdmsinstance.htm.
I thought we needed to create 3 domain accounts, VaultOwner, VaultScheduler, and VaultRunner, for use in this section. Domain\VaultOwner has sysadmin rights on the SQL Server, but it can't connect to the server when I hit the "Test Server" button?
If I try to use the sa account, the test works. So are those accounts supposed to in fact just be SQL Server accounts and not domain accounts granted rights in SQL?
Thanks!
~jake
Hello Jake,
If you are creating a domain account, the VaultOwner (from the domain) needs to get proper access to the SQL server. Of course, you could also create a VaultOwner directly in SQL; that depends on where you would like to manage the accounts, directly in SQL or through AD.
That said, the help topic Pre-deployment account for Devolutions Password Server could probably be useful for a deeper explanation.
Best regards,
David Grandolfo
Hello, we have recently bought the Devolutions server and I am right now installing and securing the product.
I got the link to Pre-Deployment Account Survey (devolutions.net) but I am still missing the idea of how I should configure accounts.
We are using Azure AD, and according to the pre-deploy survey I understand that we should have three SQL accounts.
So the way would be: create those logins via SSMS on the SQL server and do not assign them to the DB yet. Then go to the Devolutions server and use the button Assign Least Permissions, which should add the login to the database with only the needed permissions.
Or am I completely wrong?
Also, how can I connect a SQL login with the Scheduler Service, which is supposed to run under some AD account's privileges?
Thank you
Hello Pavel,
In an Azure SQL database, you will need to use SQL accounts, and we do recommend having 3 to be able to implement the least privilege principle.
Your assumption is correct, you would create the owner with db_owner rights on the database, and create the other two with no rights, and then use the "Assign Least Permissions" buttons to apply the correct rights.
The SQL account for the Scheduler server is the one we name VaultSchedulerService. When the service is installed, it would use LocalService, not an AD account.
The only AD account is VaultADReader, and it is only used if you want to implement domain authentication. Most often, with an Azure SQL, you would implement Microsoft/O365 authentication; however, see: https://kb.devolutions.net/kb_azure_portal_configuration_guide_microsoft_authentication.html
Best regards,
Richard Boisvert
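The account setup discussed in this thread, written out as T-SQL, as an added example that is not part of the original posts and not Devolutions' own scripts. It covers both answers: the on-premises case from the first question, where a domain account such as Domain\VaultOwner needs its own SQL Server login before "Test Server" can succeed, and the Azure SQL case from the second, where three SQL logins are created, only VaultOwner is mapped as db_owner, and the other two are left without database rights for the "Assign Least Permissions" button to handle. The database name, the domain name and the passwords are placeholders; the principal names are the ones used in the thread.

```sql
-- ===== Case 1: on-premises SQL Server with domain accounts (first question) =====
-- A domain account that is not a SQL login cannot connect, no matter what rights
-- the Windows account has. Create a Windows-authenticated login for it first.
-- DOMAIN is a placeholder for your Active Directory domain name.
USE master;
CREATE LOGIN [DOMAIN\VaultOwner] FROM WINDOWS;

-- Map the login into the Password Server database and make it the owner.
-- DPS_DB is a placeholder for the Devolutions Password Server database name.
USE DPS_DB;
CREATE USER [DOMAIN\VaultOwner] FOR LOGIN [DOMAIN\VaultOwner];
ALTER ROLE db_owner ADD MEMBER [DOMAIN\VaultOwner];

-- ===== Case 2: Azure SQL with three SQL logins (second question) =====
-- On Azure SQL, logins are created in master. Replace the placeholder
-- passwords with strong, unique values; never reuse the sa password.
USE master;
CREATE LOGIN VaultOwner            WITH PASSWORD = '<placeholder-owner-password>';
CREATE LOGIN VaultSchedulerService WITH PASSWORD = '<placeholder-scheduler-password>';
CREATE LOGIN VaultRunner           WITH PASSWORD = '<placeholder-runner-password>';

-- Only the owner is mapped into the database and given db_owner.
-- VaultSchedulerService and VaultRunner get NO database user here on purpose:
-- the "Assign Least Permissions" button in the product maps them with only
-- the rights they need, as described in the thread.
USE DPS_DB;
CREATE USER VaultOwner FOR LOGIN VaultOwner;
ALTER ROLE db_owner ADD MEMBER VaultOwner;

-- ===== Verification: what rights does each vault principal actually hold? =====
-- Run this in DPS_DB after "Assign Least Permissions". The expected picture is:
-- VaultOwner in db_owner, and the other two present with limited role
-- membership (or absent if the button has not been used yet). Any extra
-- db_owner or sysadmin-like membership is a sign the least-privilege step
-- was skipped.
SELECT
    dp.name                 AS principal_name,
    dp.type_desc            AS principal_type,
    COALESCE(r.name, '(no role)') AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name IN ('VaultOwner', 'VaultSchedulerService', 'VaultRunner',
                  'DOMAIN\VaultOwner')
ORDER BY dp.name, role_name;

-- Server-level check (on-premises only): none of the vault logins should be
-- in sysadmin once the database-level owner mapping exists. sysadmin on the
-- owner account is more privilege than the database owner role requires.
SELECT sp.name AS login_name, srm.name AS server_role
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS m  ON m.member_principal_id = sp.principal_id
JOIN sys.server_principals  AS srm ON srm.principal_id = m.role_principal_id
WHERE sp.name IN ('VaultOwner', 'VaultSchedulerService', 'VaultRunner',
                  'DOMAIN\VaultOwner');
```

Run the master-scope statements and the database-scope statements as separate batches (Azure SQL does not allow USE to switch databases within a session, so connect to each database directly there). The two SELECT queries are the practical check after the product's "Assign Least Permissions" step: they show exactly which roles each vault principal ended up in, so an over-privileged mapping is visible before the service goes live.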