지금 지원 담당자와 채팅
지원 담당자와 채팅

InTrust 11.5.1 - System Requirements

Minimal Rights and Permissions Required for InTrust Operations

InTrust Setup: Common

Operation or Account Permissions or Database Roles Notes

Run InTrust suite setup
(default or extended)

Setup must be launched under the account that:
  • Is a member of the local Administrators group on the computer where it is run.
  • Has a dbo role for all InTrust databases (or access rights for these databases at least as prescribed by this table).
When installing the second (and subsequent) InTrust servers into your InTrust organization, make sure the the setup account is listed as an InTrust organization administrator.

To view and edit the list of organization administrators, do one of the following:
  • In InTrust Deployment Manager, click Manage | Configure Access.
  • In InTrust Manager, open the properties of the root node.
InTrust Server account
  1. Membership in the local Administrators group on the computer where InTrust Server runs
  2. The following security settings must be turned on:
    • Log on as a service
    • Adjust memory quotas for a process
    • Replace a process level token
 

Install an agent

Membership in the local Administrators group on the agent computer

The Admin$ share must exist on the target computer if you are installing the agent using InTrust.

Agent account

One of the following:

  • Membership in the local Administrators group
  • LocalSystem account
 
Run InTrust services under a group managed service account (gMSA)

Before you use a gMSA for running InTrust services, take the following steps:

  1. If you haven't rebooted the InTrust server since you created the gMSA, then reboot it. Otherwise, InTrust won't be able to use the gMSA.
  2. Add the account to the following computer local groups on the InTrust server:
    • Builtin\Administrators
    • AMS Organization Servers
  3. (Conditional) In the unlikely event that the InTrust server is a Windows Server 2012 R2 domain controller, note the known issues for this configuration and apply the workaround described in the Service configured to use gMSA account on a Windows Server 2012 R2-based DC doesn't start article.

After this, you can reconfigure the Quest InTrust Server and Quest InTrust Real-Time Monitoring Server services to run under your gMSA.

If you decide to use a gMSA, use it on all InTrust servers. Otherwise, InTrust tasks containing jobs running on different servers will not work.

  • For access to the configuration database, alert database and audit databases on SQL servers, use SQL Server authentication, because Windows authentication will not work for a gMSA on a SQL server.
  • In all sites where the computers cannot be accessed by a gMSA, override the access credentials with an explicitly specified account. This can be done at site level (in the site properties) or at job level, and so on.
  • You may find that the Log On tab in the properties of the Quest InTrust Server and Quest InTrust Real-Time Monitoring Server has become disabled. To enable it again, run the following in the command prompt:

    sc managedaccount adcrpcs false

    sc managedaccount itrt_svc false

  • Make sure the gMSA has the following user rights:
    • Log on as a service (this is likely set automatically)
    • Adjust memory quotas for a process
    • Replace a process level token
     

InTrust Setup: Extended Deployment Only

Operation or Account Permissions or Database Roles Notes

Install reports from the Knowledge Packs you select

  1. Membership in the local Administrators group on the computer where the reports are to be installed
  2. Content Manager role for the Home folder in SQL Server Reporting Services
  3. System Administrator site-level role in SQL Server Reporting Services (for creating item-level roles and shared schedule)
  • Use the Reporting Services Report Manager to assign the required roles with Security settings for each item you need.
  • To avoid possible problems, Report Packs should be installed under a local administrator account (for that, either log on with such an account, or use the runas command).
Provide automatic creation of Service Connection Point (SCP) by InTrust means

Do the following before the setup:

Create a container "CN=Quest InTrust, CN=System..." and assign the following permissions on this container for the account under which you will run the setup:

  • Create All Child Objects
  • Read Permissions
  • Modify Permissions

-OR-

Specify the following permissions on the "CN=System..." in Active Directory for the account under which you will run the setup:

  • Create All Child Objects
  • Read Permissions
  • Modify Permissions
  • Read All Properties
  • Write All Properties

These permissions must be applied onto This object and all child objects scope.
The account that performs uninstallation of InTrust Server must have the Delete All Child Objects permission on the "CN=Quest InTrust, CN=System..." container to delete the SCP.
If you need to change an account after the InTrust installation, use the adcsrvacc command-line utility. For more details, see Special-Purpose Commands and Utilities.

 

Repository Viewer

Operation Permissions Notes
Create custom search folders and scheduled reports in Repository Viewer The account must be listed as an InTrust organization administrator. To view and edit the list of organization administrators, do one of the following:
  • In InTrust Deployment Manager, click Manage | Configure Access.
  • In InTrust Manager, open the properties of the root node.
Open a production repository in Repository Viewer
  • On the repository folder, for the account used to open Repository Viewer:
    • Read file system permission
    • If the repository folder is shared: Read share permission.
  • InTrust Server service account must have the Read file system permission on the index folder
  • Active Directory delegation must be enabled for the following:
    • The account of the InTrust server that manages the repository
    • The user account that Repository Viewer is running under
  • The user account that Repository Viewer is running under must be a member of the computer local AMS Readers group on the InTrust Server that manages the repository and on the InTrust server that Repository Viewer connects to (these may be two different servers).
  • If the value of the IDX_IndexAccessCheckMode is 1 (not the default 0), then the file system and share permissions required for the repository are also required for the index. This is because index access permissions are verified using a file in the repository. The InTrust Server service account should be granted Read and Modify file system permissions to the repository folder (Read and Change share permissions if the repository folder is shared).
  • If the repository is Centera-based, the user account that Repository Viewer is running under must have the Modify share permission on the network share that this repository uses.
  • When InTrust components are installed in an Active Directory environment that places limitations on allowed Kerberos encryption protocols, the following requirements must be met in order to ensure successful communication between components:

    • Ensure Kerberos encryption protocol limitations are applied not only on the InTrust hosts, but also on the domain controller where Key Distribution Center (KDC) is located.
    • If the above configuration is not possible, then all domain user accounts used for InTrust components execution must be explicitly configured to support Kerberos encryption options in accordance with the Kerberos encryption protocols limitations applied.

      NOTE: The communication error "A security package specific error occurred" is a likely indicator of missing above requirements.

  • Make sure all InTrust servers in the organization have the agent communication port (900 by default) and InTrust Server management port (8340 by default) open for inbound traffic.
  • For convenience, make an Active Directory group a member of the local AMS Readers group, and use membership in the Active Directory group to control repository access.
Open an idle repository in Repository Viewer Both on the repository folder and on the index folder, for the account used to open Repository Viewer:
  • Read file system permission
  • If the repository and index folders are shared: Read share permission
 

Extended InTrust Features

Operation Permissions or Database Roles Notes
Use the InTrust Manager snap-in Membership in the AMS Readers computer local group on the InTrust Server To view InTrust configuration objects in InTrust Manager, a user must be a member of the AMS Readers local group on the InTrust Server, or an InTrust organization administrator (included in the list in the properties of the root node in InTrust Manager).
Access the configuration database ADCCfgUser role for the configuration database This role is created by setup or by the configdb.sql script and is granted the following permissions:
  • CREATE TABLE (at the database level)
  • INSERT,SELECT,DELETE,UPDATE on all user tables in the database
  • EXECUTE on all user stored procedures in the database

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Gather events from site computers without agents
  1. Full control permission to the InTrust Server installation folder.
  2. Access this computer from the network
  3. Manage auditing and security log (required to gather the Security log only)
To gather events from an event log with event log security through a GPO or registry settings, Read access permission must be given in the ACE of appropriate log(s) to the account used to run a job. For details refer to Microsoft KB article How to set event log security locally or by using Group Policy.
Gather events from site computers with agents Full control permission on the InTrust Server installation folder.

 

Store events in a repository Modify share permission on the network share that the repository uses. If a repository is accessed under the account specified explicitly (for repository, job or task account), membership in AMS Readers computer local group on the InTrust Server and Log on as a batch job right on the InTrust Server is required for that account.
Consolidate repositories
  1. Full control permission to the InTrust Server installation folder.
  2. Read permission to the source repository
  3. Modify permission to the target repository
  4. Permissions to log on to the InTrust server that indexes the source repository.
Import data from a repository
  1. Full control permission to the InTrust Server installation folder.
  2. Read permission to the repository
Clean up a repository Modify permission to the repository
Store events in an audit database (gathering or import) InTrust Gathering role for the Audit Database

This role is created by setup or by the auditdb.sql script.

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Clean up an audit database To clean up all events

db_owner role for the audit database
 
To clean up part of the events (for specific time periods)

InTrust AuditDB Cleanup role for the audit database

This role is created by setup or by the auditdb.sql script.

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Run reporting job or work with reports in Knowledge Portal (without using Report Builder)
  1. Content Manager role for the QKP\SharedDatasources folder and for the folder where the report is located (under \QKP folder) in SQL Reporting Services.
  2. Browser role for the Home folder in SQL Reporting Services.
  3. Reporting Console User role for the account that will be used to connect to the database.
  4. Read permission for the %WinDir%.
 
  • For a reporting job, this account is specified when setting the Credentials in the job properties.
  • For account that will be used to work with the Knowledge Portal, use Data Source properties to assign the required credentials.
  • If you use a gMSA for running your InTrust services:
    • SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.
    • Make sure the gMSA has sufficient permissions on your reporting server; for example, add it to the BUILTIN\Administrators group.

Note that this account must belong to the same domain where SSRS (hosting Knowledge Portal) is installed, otherwise membership in the Authenticated Users group (for SRS' domain) is required.

Add reports to a reporting job
  1. Read permission for the %WinDir%.
  2. db_datareader role for the database selected as the data source for reporting.
  3. For the Home folder in Reporting Services: Browser role.

 
Run reporting job using Import objects from the repository option Rights and permissions required for both import and reporting jobs, sufficient rights for connection to the audit database. For detailed list of rights and permissions required and security settings their usage depends on, refer to the Reporting Job topic.
Create reports interactively using Report Builder System User or System Administrator role for the web site where the Knowledge Portal application runs. This role can be assigned using SQL Reporting Services Report Manager (site-level security settings).
Store alerts in an alert database InTrust Real-Time Monitoring role for the alert database

This role is created by setup or by the alertdb.sql script.

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Clean up an alert database InTrust AlertDB Cleanup role for the Alert Database

This role is created by setup or by the alertdb.sql script.

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Manage alerts from InTrust Monitoring Console InTrust Monitoring Console role for the alert database

This role is created by setup or by the alertdb.sql script.

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Create and edit a profile in Monitoring Console On the computer where Monitoring Console runs:
  • Administrator role for COM+ System Application
  • Membership in the InTrust Alerting Admins local group
If you are using a computer with User Account Control turned on to open the Monitoring Console Administration page, Internet Explorer must be started using the Run as administrator command.
To check if you have the Administrator role, open the Component Services MMC snap-in on the computer with Monitoring Console, and view the Computers | My Computer | COM+ Applications | System Application | Roles | Administrator | Users node.
Connect to an alert database or audit database using SQL Server authentication For a profile to use SQL Server authentication when connecting to the alert database, the Run As account should be included into local Administrators group on the computer where the Monitoring Console is installed.

If you use a gMSA for running your InTrust services, then SQL Server authentication is the only authentication option. Windows authentication will not work for a gMSA on a SQL server.

Perform indexing of idle repository with standalone IndexingTool.exe Both on the repository folder and on the index folder, for the account that perform indexing:
  • Read and Modify file system permissions
  • If the repository and index folders are shared: Read and Change share permissions
 
Perform indexing of a production repository
  • On the index folder, for the InTrust Server account:

    Read and Modify file system permissions. If the index folder is shared: Read and Change share permissions.
  • On the repository folder, for the indexing account: Read and Modify file system permissions. If the repository folder is shared: Read and Change share permissions.
  • Active Directory delegation must be enabled for the following:
    • The account of the InTrust server that manages the repository
    • The user accounts that perform indexing
  • The user account that performs indexing must be a member of the computer local AMS Readers group on the InTrust Server that manages the repository and on the InTrust server that Repository Viewer connects to (these may be two different servers).
  • If the value of the IDX_IndexAccessCheckMode is 1 (not the default 0), then the file system and share permissions required for the repository are also required for the index. This is because index access permissions are verified using a file in the repository. The InTrust Server service account should be granted Read and Modify file system permissions to the repository folder (Read and Change share permissions if the repository folder is shared).
 

For information on specifying the accounts, permissions and database roles, see the Deployment Guide. For details about configuration scripts, see the Upgrade Guide.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택