Please Share your Product Ideas with us!

All ideas are welcome. Just because the Idea doesn't make it into the product immediately does not make it a bad idea.

DSP framework needs to be able to run using a Windows AD service account instead of a SQL login

Currently DSP has a hard requirement to use a SQL login as it's service account to allow the application to talk to the DB server.  For years this has been a contention with many clients.  In North America at least 50% of the time with new installs/new customers this is an issue to discuss.  For many customers they have great controls and comfort with how to monitor/manage AD user accounts but not with local SQL user logins.

 

DSP needs to be able to leverage an Active Directory account as the service account used to allow the application to talk to the DB server.  For higher security customers we will update the web.config to use integrated authentication for the web server, this eliminates some of the SQL login traffic but not all of it.  We further mitigate this by always setting up the login with a highly complex password, we don't give out the password to anyone (Syniti, customer, etc), and we require all users accessing SQL to have dedicated logins.

 

Here are the specific types of accounts I feel that DSP should support using as a service account:

  • SQL Login - this is what we use today, it works and there is still a need for it (i.e. Cloud SKU)
  • AD user account - A service account that is an AD account that looks and feels like a typical user.  This is what we run into as a service account at most customers.  i.e. POCLAB\SVCAccountDSP
  • Application Server as the service account - In AD a computer object is an account much like a user and can be granted permissions.  i.e. POCLAB\DSPServername$
  • Group Managed Service Account - This is a key one to have working and in many ways is a hybrid of the previous two.  In this situation the account password is managed by AD and kept in sync with the authorized servers.  We have used this internally on high security systems for SQL and IIS app pool service accounts.  It provides more granularity than the App Server entry above as well as more security as there is a password that is changed and managed by AD in the background.  i.e. POCLAB\GMSA$

GMSA reference:  https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

 

  • Jake Cohen
  • Nov 13 2019
  • Shipped
  • Nov 14, 2019

    Admin response

    Thanks for logging Jake. PM will reach out to discuss in more detail after the calls this week.