Overview
In some situations, such as when using an external SQL server or to comply with specific appliance security rules, the Carousel application might need to be run under a service account. Switching from the default of "Local System" or "Local Service" to a service account is non-destructive but does require a few steps.
Active Directory Requirements (Optional)
If the service account is an Active Directory account, the Carousel server must first be joined to the domain. The service account must be added as a user and put in the Administrators group. All future updates will need to be run as the service account, so adding it to the Remote Desktop Users group might also come in handy. It is also very important that the service account not be a domain admin.
Process
Step 1: Turn off the required services
Open services.msc and turn off the following services. The web interface will produce errors while these are off.
- Carousel
- Carousel Rendering
- RabbitMQ
Step 2: Set the services to run as the service account
While still in services.msc, right-click the Carousel service and click the Log On tab. Select the option for This Account and click "Browse...". Enter the object name for the account you want to run the service as. For example, if we had an account called CarouselSA on the Tightrope domain, we would enter tightrope\CarouselSA or CarouselSA@trms.com, then click Check Names. Depending on the security profile, you might be asked to authenticate to the domain with a domain admin account. Press OK, then Apply; you will be prompted for the service account's password. You will be warned that the account is being granted Log On rights; accept the warning. Repeat these steps for the Carousel Rendering service. Do not change RabbitMQ, and do not turn the services back on yet.
Step 3: Set IIS Application Pools to run as the service account
Open "Internet Information Services (IIS) Manager" (or Run inetmgr) and click Stop on the right under Manage Server. On the left under Connections, expand the server node and click Application Pools. You will likely see more application pools than are being used; use the Applications column to determine which Application Pools are in use. Do the following for every Application Pool that runs applications: right-click the Application Pool and select "Advanced Settings...", scroll down to the Process Model section, click the value next to Identity, and then click the three dots [...] that appear next to the name. An Application Pool Identity window will pop up; change the selection to Custom account and press "Set..." to get the credentials window. For the username, enter the domain\serviceaccount name (in our example, trms\CarouselSA) and enter the password. The name and password are not validated at this point, so if the Application Pools do not start later when IIS is started again, check the credentials again. Press OK, OK and OK again to apply the settings. Repeat this for each Application Pool running applications.
Warning: This guide assumes that only Carousel is installed. If you have other applications that use IIS, ensure that their application pools are not changed, as you will likely break those applications. You can see which applications each Application Pool is running by clicking it and selecting "View Applications" under the action menu.
Step 4: Give the service account db_owner rights to the Carousel databases
Open Microsoft SQL Server Management Studio (or Run SSMS). If you use an external SQL server, you might need a DBA to assist with this step. Authenticate and connect to the SQL instance, then expand the instance node on the left under Object Explorer, right-click Logins and select "New Login...". Ensure that Windows authentication is selected.
Next to "Login name", click "Search..." and you will see the same account object dialog as in step 2. Enter the service account name, click Check Names and press OK. On the left, click User Mapping. Check the box for the FrontDoor50 database and, in the role membership list at the bottom, check "db_owner"; then check Carousel50 and do the same. Press OK.
Step 5: Turn on all the required services
Open services.msc and turn on the following services:
- World Wide Web Publishing Service (we turned this off in inetmgr in step 3)
- RabbitMQ
- Carousel
- Carousel Rendering
Open a browser, connect to Frontdoor and ensure you can log in. If successful, close inetmgr and SSMS. Remember that from now on you must log into the Carousel server's Windows desktop as the service account when updating.
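As an added verification example that is not part of the Carousel guide, the PowerShell script below checks the end state of steps 2 to 4 and the "not a domain admin" rule from the requirements section. It assumes the account name trms\CarouselSA from the guide, a local SQL instance (change -ServerInstance for an external server), and that the WebAdministration, SqlServer and ActiveDirectory modules are installed.

```powershell
#Requires -RunAsAdministrator
# Added verification script (not part of the Carousel guide). Assumed values:
# the account name from the guide and a local SQL instance; change as needed.
Import-Module WebAdministration
$Account     = 'trms\CarouselSA'
$SqlInstance = 'localhost'
$script:ok   = $true

function Report([bool]$pass, [string]$what) {
    $script:ok = $script:ok -and $pass
    '{0} {1}' -f $(if ($pass) { '[PASS]' } else { '[FAIL]' }), $what
}

# Step 2: Carousel and Carousel Rendering run as the account; RabbitMQ was left unchanged
$filter = "DisplayName='Carousel' OR DisplayName='Carousel Rendering'"
foreach ($svc in Get-CimInstance Win32_Service -Filter $filter) {
    Report ($svc.StartName -eq $Account) "service '$($svc.DisplayName)' runs as $($svc.StartName)"
}
$rabbit = Get-CimInstance Win32_Service -Filter "DisplayName='RabbitMQ'"
Report ($rabbit.StartName -ne $Account) "RabbitMQ runs as $($rabbit.StartName) (must not be the service account)"

# Step 3: every application pool that hosts an application (site root or web application) uses the account
$inUse = @((Get-Website).applicationPool) + @((Get-WebApplication).applicationPool) | Select-Object -Unique
foreach ($pool in Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -in $inUse }) {
    $pm = $pool.processModel
    Report ($pm.identityType -eq 'SpecificUser' -and $pm.userName -eq $Account) `
        "app pool '$($pool.Name)' identity is $($pm.identityType) $($pm.userName)"
}

# Step 4: the login is mapped as db_owner in both Carousel databases
foreach ($db in 'FrontDoor50', 'Carousel50') {
    $row = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db `
        -Query "SELECT IS_ROLEMEMBER('db_owner', '$Account') AS is_owner"
    Report ($row.is_owner -eq 1) "$db grants db_owner to $Account"
}

# Requirements section: the account must not be a domain admin (direct group membership only)
if (Get-Module -ListAvailable ActiveDirectory) {
    $sam    = $Account.Split('\')[-1]
    $groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name
    Report ($groups -notcontains 'Domain Admins') "$sam is a member of: $($groups -join ', ')"
}

if ($script:ok) { 'All checks passed' } else { 'One or more checks failed; revisit the step shown' }
```

The domain admin check only lists direct group memberships, so an account that reaches Domain Admins through a nested group would still pass it.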