About Integrated Security

Issuetrak sites have traditionally been deployed using a combination of SQL credentials and various Windows accounts that owned the product's web folder, IIS application pools, Windows Services and Scheduled Tasks.  The release of Issuetrak 14.6 introduced support for Windows Integrated Security (referred to henceforth as Integrated Security), which allows a site to be deployed and run entirely under one Windows account.

There are multiple benefits to utilizing Integrated Security for an Issuetrak site.  Some of them are:

  • Bolstered security: SQL Server authenticates the site's Windows account, so no SQL login password has to be stored in the site's connection strings, and the single account can be managed, disabled and audited through the domain
     
  • Improved interoperability with clustered environments
     
  • Conformance with best practices for environments that are heavily dependent on Windows domain authentication and integration

What's done differently when an Integrated Security site is deployed?

Lots of things!

  1. The connection strings for the MVC, API, and Classic sites are deployed to use Windows authentication, so the database connection is made as the Integrated Security user you selected during deployment rather than with a SQL login.
     
  2. The sites that use Integrated Security in IIS are placed in a common application pool that runs under the authority of the Integrated Security user.
    1. When deploying new Integrated sites via the IDM, the API applications will be placed in an "Issuetrak Integrated API Pool" and the MVC applications will be placed in "Issuetrak Integrated Main Pool".
       
  3. Windows Services and Scheduled Tasks are deployed to run as the Integrated Security user.
     
  4. The web folder's permissions are granted to the Integrated Security user.


Requirements

Make sure your environment can meet these needs beforehand. 

The Integrated Security user that you designate needs to be a domain service account that:

  1. Exists before the site is deployed
  2. Has the "Access this computer from the network" user right on BOTH the Web and SQL servers
  3. Has the "Log on as a service" user right on the Web and SQL servers
  4. Has the "Log on as a batch job" user right on the Web server

These are User Rights Assignment settings (Local Security Policy, or the Group Policy that applies to each server), and a matching "Deny" right on the same server overrides the grant.

Additionally:

  • If any site on a server uses Integrated Security, every other site on that server running the same Issuetrak version must also use Integrated Security if it relies on any of the default Issuetrak scheduled tasks and services.  See "Caveats and Limitations" further down for more details.
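The following PowerShell script is an added example, not part of the Issuetrak documentation or product. It checks that a service account actually holds the user rights listed above by exporting the local policy with secedit and matching the account's SID (plus the Everyone and Authenticated Users SIDs every domain account carries) against each grant and its matching Deny right. Run it elevated on the web server with the default three rights, and on the SQL server with -Rights SeNetworkLogonRight,SeServiceLogonRight. It assumes the machine is domain-joined so the account resolves to a SID; a right granted through some other group is only credited when that group's SID is passed in -GroupSids, because group membership is not expanded here.

```powershell
param(
    [Parameter(Mandatory)][string]$Account,   # 'CORP\svc-issuetrak' or a gMSA such as 'CORP\gmsa-issuetrak$' (assumed names)
    [string[]]$Rights = @('SeNetworkLogonRight', 'SeServiceLogonRight', 'SeBatchLogonRight'),
    [string[]]$GroupSids = @()                 # SIDs of groups the account belongs to, if you want them counted
)

# Policy constants behind the friendly names the article uses.
$RightNames = @{
    SeNetworkLogonRight = 'Access this computer from the network'
    SeServiceLogonRight = 'Log on as a service'
    SeBatchLogonRight   = 'Log on as a batch job'
}

function Resolve-Sid([string]$Name) {
    # DOMAIN\name (user, group, or gMSA with its trailing $) -> SID string.
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LocalUserRights {
    # secedit exports the effective local policy; the USER_RIGHTS area is a
    # [Privilege Rights] section of 'SeXxx = *S-1-...,*S-1-...,Name' lines.
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export failed; run this script elevated' }
        $table = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $table[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
                    $e = $_.Trim()
                    if ($e.StartsWith('*')) { $e.Substring(1) }          # already a SID
                    else { try { Resolve-Sid $e } catch { $e } }           # an account name
                })
            }
        }
        return $table
    } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

# Every domain account is implicitly in Everyone (S-1-1-0) and Authenticated Users (S-1-5-11);
# that is how the default policy grants "Access this computer from the network".
$targetSids = @((Resolve-Sid $Account), 'S-1-1-0', 'S-1-5-11') + $GroupSids
$granted = Get-LocalUserRights
$allOk = $true

foreach ($r in $Rights) {
    $holders = @($granted[$r])
    $denied  = @($granted[$r -replace '^Se', 'SeDeny'])        # e.g. SeDenyServiceLogonRight overrides the grant
    $has     = [bool]($targetSids | Where-Object { $holders -contains $_ })
    $isDeny  = [bool]($targetSids | Where-Object { $denied  -contains $_ })
    $status  = if ($isDeny) { 'DENIED' } elseif ($has) { 'OK' } else { 'MISSING' }
    if ($status -ne 'OK') { $allOk = $false }
    '{0,-8} {1} ({2})' -f $status, $RightNames[$r], $r
}

# Non-zero exit code when any required right is missing or denied, so the check can gate a deployment.
exit ([int](-not $allOk))
```

A MISSING result is fixed in Local Security Policy (or the applicable GPO) under Local Policies > User Rights Assignment; a DENIED result means a "Deny ..." right lists the account or one of its groups and must be removed first, since Deny always wins.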

Caveats and Limitations

There are some things that you should be aware of before deploying a site with Integrated Security. 

  1. All sites using Integrated Security on a server for the same Issuetrak version must use the same Integrated Security user.

    This is because all sites on a given version are processed by that version's set of scheduled tasks and services, which are all deployed to run as one particular user. That user needs to have access rights to all of the sites running that version, which necessarily means that the account running these tasks and services must be the same Integrated Security user. 
     
  2. In addition to the point above, a non-Integrated Security site that coexists on the server with Integrated Security sites of the same version will have its scheduled tasks and services processed under the Integrated Security user rather than under the accounts it was originally deployed with.
     
  3. Sites running the same version but without Integrated Security CANNOT share an IIS application pool with the Integrated Security sites.
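The following PowerShell audit is an added example, not part of the Issuetrak documentation or product. It checks a web server against the deployment layout described under "What's done differently" and the caveats above: the Integrated application pools, the Issuetrak services and scheduled tasks, the web folder ACLs and the connection strings should all point at one account, and no other site's application should sit in the Integrated pools. Identities are compared by SID so spelling differences in the domain part do not produce false findings. It assumes the IIS WebAdministration module is installed and the script runs elevated, that services and tasks can be matched with the -NamePattern wildcard (an assumed naming convention, adjust it to your install), that each site's connection strings live in its web folder's web.config, and that the pool names default to the IDM names quoted above; web folder paths are passed in.

```powershell
param(
    [Parameter(Mandatory)][string]$ExpectedUser,          # 'CORP\svc-issuetrak' or 'CORP\gmsa-issuetrak$' (assumed names)
    [string[]]$PoolNames = @('Issuetrak Integrated Main Pool', 'Issuetrak Integrated API Pool'),
    [string]$NamePattern = '*Issuetrak*',                 # assumed naming of the services and scheduled tasks
    [string[]]$WebFolders = @()                           # e.g. 'C:\inetpub\issuetrak' (assumed path)
)
Import-Module WebAdministration
$findings = New-Object System.Collections.Generic.List[string]

function Resolve-Sid([string]$Name) {
    # Compare identities by SID so 'corp\svc', 'CORP\svc' and 'corp.local\svc' agree.
    if (-not $Name) { return '' }
    if ($Name -match '^S-1-') { return $Name }
    try { (New-Object System.Security.Principal.NTAccount($Name)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Name.ToLowerInvariant() }                    # unresolvable: fall back to the raw string
}
$expectedSid = Resolve-Sid $ExpectedUser

# 1. Application pools (caveat 1): every Integrated pool must run as the one expected account.
foreach ($pool in Get-ChildItem IIS:\AppPools | Where-Object { $PoolNames -contains $_.Name }) {
    $pm = $pool.processModel
    if ($pm.identityType -ne 'SpecificUser' -or (Resolve-Sid $pm.userName) -ne $expectedSid) {
        $findings.Add("AppPool '$($pool.Name)' runs as $($pm.identityType) $($pm.userName), expected $ExpectedUser")
    }
}
# Caveat 3: show what is hosted in those pools; an application of a non-Integrated site must not appear here.
Get-WebApplication | Where-Object { $PoolNames -contains $_.applicationPool } |
    ForEach-Object { "  in pool '$($_.applicationPool)': $($_.path) -> $($_.PhysicalPath)" }

# 2. Windows services: the logon account is Win32_Service.StartName.
foreach ($svc in Get-CimInstance Win32_Service |
         Where-Object { $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern }) {
    if ((Resolve-Sid $svc.StartName) -ne $expectedSid) {
        $findings.Add("Service '$($svc.Name)' runs as $($svc.StartName), expected $ExpectedUser")
    }
}

# 3. Scheduled tasks: the principal is the account the task runs under.
foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskName -like $NamePattern }) {
    if ((Resolve-Sid $task.Principal.UserId) -ne $expectedSid) {
        $findings.Add("Task '$($task.TaskName)' runs as $($task.Principal.UserId), expected $ExpectedUser")
    }
}

# 4. Web folders: the account needs an ACE, and the connection strings must no longer carry SQL credentials.
foreach ($folder in $WebFolders) {
    $aces = (Get-Acl -Path $folder).Access |
        Where-Object { (Resolve-Sid $_.IdentityReference.Value) -eq $expectedSid }
    if (-not $aces) { $findings.Add("Folder '$folder' has no ACE for $ExpectedUser") }
    else { "  $folder : $ExpectedUser has $($aces.FileSystemRights -join ', ')" }

    $cfg = Join-Path $folder 'web.config'
    if (Test-Path $cfg) {
        [xml]$x = Get-Content -Path $cfg -Raw
        foreach ($cs in $x.configuration.connectionStrings.add) {    # absent/encrypted section: nothing to iterate
            $s = [string]$cs.connectionString
            if ($s -match '(User ID|Uid|Password|Pwd)\s*=' -or
                $s -notmatch '(Integrated Security\s*=\s*(SSPI|true)|Trusted_Connection\s*=\s*(yes|true))') {
                $findings.Add("$cfg : connection string '$($cs.name)' still carries SQL credentials or lacks Integrated Security")
            }
        }
    }
}

if ($findings.Count -eq 0) { "OK: everything matched runs as $ExpectedUser" }
else { $findings | ForEach-Object { "FINDING: $_" } }
exit $findings.Count
```

Run it once per Issuetrak version on the server: the account reported for the pools, services and tasks must be the same in every run, which is exactly caveat 1. The application listing under the pools is printed rather than judged, because the script cannot tell which site an application belongs to; a path from a site that still uses SQL credentials is the caveat 3 violation to look for.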

Using a gMSA Account

You can use a gMSA (group Managed Service Account) to deploy sites using the same mechanism as Integrated Security. The same limitations apply as above, but there are two differences in how the account is specified to the deployment tools:

  1. You must specify the gMSA as the Integrated Security user, including the trailing $ that is part of a gMSA's account name (for example Domain\\gmsa-name$).
  2. The password field for the account, where prompted, must be left blank; Windows retrieves the gMSA's password itself.

Upgrading or Re-Deploying a Site With Integrated Security

Download the Issuetrak distribution to the web server, then perform the following steps:

  1. Right-click the file Issuetrak.Deployment.Manager.exe and choose Run as Administrator.
  2. You will be prompted to accept Issuetrak's Terms of Service at this point. Choose Continue to accept the Terms of Service and proceed with your usage of the IDM.
  3. Choose Go to the Sites Explorer.
  4. In the upper left corner, click "Add Sites for Deployment" and then By Scanning for Existing Issuetrak Sites.
  5. The IDM will scan for existing sites, and will prompt for administrative SQL credentials. You may choose to use Windows authentication if your account has SQL admin rights, or simply enter the credentials for a SQL admin account. Afterward, click Authenticate.
  6. The IDM will populate a list of valid Issuetrak sites that are available to be upgraded.
    1. Select any number of sites that you wish to upgrade.
    2. Note that sites already at the same version and build number as the current release are also eligible to have the upgrade run against them; that is how an existing site is re-deployed with Integrated Security.
    3. If any site has the message "There was a problem retrieving License details" then please see this article for additional steps.
  7. Click Export Selected
  8. Choose a location and a filename to save the JSON to. 
  9. Open the JSON you just saved and scroll to the "Database" section. 
  10. Change the value for "SiteAuthenticationType" from Sql to Windows.
  11. Set the value for "IntegratedSecurityUser" to the domain service account that you want your site to run under the authority of.  This must be specified in "Domain\\UserID" format in order to be valid (the doubled backslash is JSON's escape for a single backslash). 
  12. Set the value for "IntegratedSecurityPassword" to the password for the domain service account you specified above (leave it blank for a gMSA).  The password is stored in clear text in this file, so restrict who can read it and delete the file once the deployment is complete. 
  13. Blank out the values for the following keys:
    1. ClassicUserName
    2. ClassicUserPassword
    3. MvcUserName
    4. MvcUserPassword
    5. ApiUserName
    6. ApiUserPassword
       
  14. Scroll up to the "Application" section.
  15. The values for "ClassicAppPoolName" and "MvcAppPoolName" should match, and the application pool they are in should be distinct from other running Issuetrak sites that do not use Integrated Security.

    As a best practice, "ApiAppPoolName" (if present) should not be in the same app pool as any Classic and Mvc applications. If you have other Issuetrak sites running on this server that you aren't upgrading yet, then you should set these values to an application pool that is unique and won't be used by other sites. 

    In this example, we will enter the value of "INTEGRATED" for the Classic and Mvc app pool names, and "INTEGRATED-API" for the API app pool.
  16. Find and set "ShouldReapplyIntegratedSecurityUser" to True.
  17. Find and set "RepairAllObjects" to True.
  18. Save the modified JSON. 
  19. Right-click the file Issuetrak.Deployment.Manager.exe and choose Run as Administrator.
  20. You will be prompted to accept Issuetrak's Terms of Service at this point. Choose Continue to accept the Terms of Service and proceed with your usage of the IDM.
  21. Choose Go to the Sites Explorer.
  22. In the upper left corner, click "Add Sites for Deployment" and then From a Configuration File.
  23. Navigate to the modified JSON and open it.
  24. Under Deployment Options, decide what contexts to deploy, and whether to perform a backup of each site's respective database and web folder.
    • You can also choose to install the API or API v2 at this stage if it hasn't previously been installed.  If you or your organization are interested in developing a web application that interacts with your Issuetrak instance, this would facilitate that goal.
  25. Under View Options, choose Show IDU Output.
  26. Select your site and then click Deploy.

The IDM will begin to carry out the upgrade, and its output at the bottom of the window will tell you what it's doing and whether it succeeded at each step.
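The following PowerShell script is an added example, not part of the Issuetrak documentation or product. It performs steps 9 through 18 of the procedure above on the exported JSON so the edit is repeatable and none of the six credential keys is left behind: it switches "SiteAuthenticationType" to Windows, sets the Integrated Security user and password, blanks the Classic, Mvc and Api credentials, sets the pool names, and sets "ShouldReapplyIntegratedSecurityUser" and "RepairAllObjects" to true. It assumes the file is the IDM export produced by "Export Selected" and that the key names are the ones quoted in the steps; because the article names the "Database" and "Application" sections but not the full schema, each key is located by name wherever it occurs in the file, and a key that is never found is reported. A gMSA (name ending in $) gets the blank password the article requires. The pool names default to the INTEGRATED and INTEGRATED-API values used in the example at step 15.

```powershell
param(
    [Parameter(Mandatory)][string]$Path,              # JSON saved at step 8
    [Parameter(Mandatory)][string]$IntegratedUser,    # 'CORP\svc-issuetrak' or 'CORP\gmsa-issuetrak$' (assumed names)
    [string]$OutPath,                                 # defaults to "<Path>.integrated.json"; the original is kept untouched
    [string]$MainPool = 'INTEGRATED',                 # shared by Classic and Mvc, per step 15
    [string]$ApiPool  = 'INTEGRATED-API'
)
if (-not $OutPath) { $OutPath = "$Path.integrated.json" }

# Step 12: prompt for the password unless this is a gMSA, which must stay blank.
$password = ''
if (-not $IntegratedUser.EndsWith('$')) {
    $secure   = Read-Host -Prompt "Password for $IntegratedUser" -AsSecureString
    $password = (New-Object System.Net.NetworkCredential('', $secure)).Password   # the IDM needs it in clear text
}

function Set-KeyEverywhere($Node, [string]$Key, $Value) {
    # Walk the parsed JSON (PSCustomObjects and arrays) and set every property
    # named $Key; returns how many were set so a missing key is noticed.
    $n = 0
    if ($Node -is [array]) {
        foreach ($item in $Node) { $n += Set-KeyEverywhere $item $Key $Value }
    } elseif ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($name in @($Node.PSObject.Properties.Name)) {
            if ($name -eq $Key) { $Node.$name = $Value; $n++ }
            else { $n += Set-KeyEverywhere $Node.$name $Key $Value }
        }
    }
    return $n
}

$site = ConvertFrom-Json -InputObject (Get-Content -Path $Path -Raw)

$edits = [ordered]@{
    SiteAuthenticationType              = 'Windows'            # step 10
    IntegratedSecurityUser              = $IntegratedUser      # step 11; serialised as Domain\\UserID in the JSON text
    IntegratedSecurityPassword          = $password            # step 12 (blank for a gMSA)
    ClassicUserName = ''; ClassicUserPassword = ''             # step 13: the SQL credentials go away
    MvcUserName     = ''; MvcUserPassword     = ''
    ApiUserName     = ''; ApiUserPassword     = ''
    ClassicAppPoolName                  = $MainPool            # step 15
    MvcAppPoolName                      = $MainPool
    ApiAppPoolName                      = $ApiPool             # only present when the API is deployed
    ShouldReapplyIntegratedSecurityUser = $true                # step 16
    RepairAllObjects                    = $true                # step 17
}
foreach ($key in $edits.Keys) {
    $hits = Set-KeyEverywhere $site $key $edits[$key]
    if ($hits -eq 0 -and $key -ne 'ApiAppPoolName') { Write-Warning "'$key' not found in $Path" }
}

# -InputObject keeps a top-level array (several exported sites) intact, and the
# default -Depth of 2 would silently truncate the nested sections.
ConvertTo-Json -InputObject $site -Depth 32 | Set-Content -Path $OutPath
"Wrote $OutPath. It holds the account password in clear text: restrict its ACL and delete it once the deployment is done."
```

Feed the written file to the IDM at step 22 ("From a Configuration File"). Before doing so, confirm that the pool names you passed are not used by any site on the server that still runs with SQL credentials, which is the condition step 15 and caveat 3 both state.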