About Integrated Security

Issuetrak sites have traditionally been deployed using a combination of SQL credentials and various Windows accounts that had ownership over the product's web folder, IIS application pools, Windows Services and Scheduled Tasks.  The release of Issuetrak 14.6 introduced support for Windows Integrated Security (referred to henceforth as Integrated Security), which allows for sites to be deployed and run entirely by one Windows account. 

There are multiple benefits to utilizing Integrated Security for an Issuetrak site.  Some of them are:

  • Bolstered Security
     
  • Improved Interoperability with clustered environments
     
  • Conformance with best practices for environments that are heavily dependent on Windows domain authentication and integration

What's done differently when an Integrated Security site is deployed?

Lots of things!

  1. The connection strings for MVC, API, and Classic sites are deployed so that they reference the Integrated Security user that you selected during deployment
     
  2. The sites that use Integrated Security in IIS are placed in a common application pool that runs under the authority of the Integrated Security user
    1. When deploying new Integrated sites via the IDM, the API applications will be placed in an "Issuetrak Integrated API Pool" and the MVC applications will be placed in "Issuetrak Integrated Main Pool"
       
  3. Windows Services and Scheduled Tasks are deployed to run as the Integrated Security user
     
  4. The web folder permissions are set to the Integrated Security user


Requirements

Make sure your environment can meet these needs beforehand. 

The Integrated Security user that you designate needs to be a Domain-authenticated service account and:

  1. Exist before deploying the site
  2. Have "Access this computer from the network" rights for BOTH Web and SQL servers
  3. Have "Log on as a service" rights on the Web and SQL servers
  4. Have "Log on as a batch job" on the Web server

Additionally:

  • If you have a single site using Integrated Security, then all sites on the same version as that site must also use Integrated Security if the site takes advantage of any of the default Issuetrak scheduled tasks and services.  See "Caveats and Limitations" further down for more details.

Caveats and Limitations

There are some things that you should be aware of before deploying a site with Integrated Security. 

  1. All sites using Integrated Security on a server for the same Issuetrak version must use the same Integrated Security user.

    This is because all sites on a given version are processed by that version's set of scheduled tasks and services, which are all deployed to run as one particular user. That user needs to have access rights to all of the sites running that version, which necessarily means that the account running these tasks and services must be the same Integrated Security user. 
     
  2. In addition to the point above, non-Integrated Security sites coexisting with the same version of sites that use Integrated Security will have scheduled tasks and services processing for their site that are running as the Integrated Security user.
     
  3. Sites running the same version but without Integrated Security CANNOT share the same application pool in IIS.