Appendix - Run the Gateway using an Active Directory Service Account
By default, the gateway runs as the NETWORK SERVICE account. To run it as an Active Directory service account instead, you need to make the following changes:
- Manually add the Active Directory service account as a login in SQL. Appropriate permissions will be granted automatically if the account exists before the database is created and you create the database with the --service-user and --service-password parameters (see Create the Database). You may also manually grant the permissions after install, but before configuring (see Appendix - Verify the AnyCAGateway DCOM Database).
- After installation but before configuration, go to the Services control panel and change the account the service is running as to the desired Active Directory service account.
- After installation but before configuration, grant that account permissions on the log directory (default: C:\CMS\logs).
- Grant the Active Directory service account read and write permissions on the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Keyfactor\KeyfactorCAGateway\EncryptSerialNumber
- If you've already completed some configuration, you may also need to grant that account permissions to the encryption certificate:
  - Open the Certificates MMC Snap-In for the Local Computer store on the gateway machine. One way to do this is to open an administrative command prompt and execute the following command:
    certlm.msc
  - Locate the CA Gateway Config Encryption certificate (see Set-KeyfactorGatewayEncryptionCert) in the Personal folder under Certificates (Local Computer) and choose All Tasks->Manage Private Keys….
  - In the Permissions for private keys dialog, click Add, add the account the service is running as, and grant it Read but not Full control permissions. Click OK to save.
- You may need to manually grant permissions in SQL to the NT AUTHORITY\NETWORK SERVICE account on the gateway depending on how you plan to configure the gateway to use the Active Directory service account. To do so, refer to Appendix - Verify the AnyCAGateway DCOM Database as it applies to that account.
- You will need to make some further configurations to support Kerberos authentication (see Configure Kerberos with an Active Directory Service Account).
- If you wish to support Kerberos delegation, there are some differences in how delegation is configured for the gateway running as an AD service account vs. NETWORK SERVICE (see Configure Delegation When Running the Gateway Service as an Active Directory Service Account).
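The service-account change, the log-directory ACL and the registry-key ACL from the steps above can be applied from an elevated PowerShell session on the gateway machine. This is an added example, not a script from the Keyfactor documentation; the service name `KeyfactorCAGateway` and the account `CORP\svc-cagateway` are placeholders you must replace, and the private-key permission on the encryption certificate is still granted through certlm.msc as described above.

```powershell
# Added example (not part of the Keyfactor documentation). Placeholders:
$ServiceAccount = 'CORP\svc-cagateway'    # assumed: your AD service account
$ServiceName    = 'KeyfactorCAGateway'    # assumed: confirm with Get-Service
$LogDir         = 'C:\CMS\logs'           # default log directory from the doc
$RegKey         = 'HKLM:\SOFTWARE\Keyfactor\KeyfactorCAGateway\EncryptSerialNumber'

# 1. Change the account the service runs as (after install, before configuration).
$cred   = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the service name." }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceAccount
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# 2. Grant Modify (read, write, create, delete) on the log directory, inherited by
#    the files and subfolders the service will create.
$acl  = Get-Acl -Path $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 3. Grant read and write on the EncryptSerialNumber key. Least privilege: ReadKey and
#    WriteKey only, not FullControl, so the account cannot change the key's own ACL.
$acl  = Get-Acl -Path $RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $ServiceAccount, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl

# 4. Verify: show the service logon account and the ACEs granted to it.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
(Get-Acl $LogDir).Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
(Get-Acl $RegKey).Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
```

Restart the service after the account change so it picks up the new identity, and re-run the verification block if the ACEs do not show the expected rights.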