Installing Interact using Windows Authentication

The account used when running the installation must have the relevant SQL Server permissions to carry out the installation, that is, membership in either the sysadmin or dbcreator fixed server roles.

If Windows Authentication is chosen during the installation process, a Windows service account must be used for the application pools and services that has the necessary permissions to execute the tasks and processes during normal operation. The Windows service account will need:

  • The ability to perform the SQL database processes, see Minimum SQL permissions.
  • Permissions for the required certificates.
  • Ownership over the IIS Application Pool.
  • Ownership over the Windows services installed by Hub and Interact.

You must assign the application pools and services to use Windows accounts before creating an environment in Hub. If you assign the accounts after creating an environment, you may experience performance issues, for example, forms created using the Interact plugin may not display to users in Interact.

Assigning the Windows service account as an owner on certificates

The Windows service account needs to be granted permissions to the BluePrismCloud certificates. To do this:

  1. On the web server, open the Certificate Manager. To do this, type Certificates in the search box on the Windows taskbar, and then click Manage Computer Certificates.
  2. In the navigation pane, expand Personal and click Certificates.
  3. Follow the steps below for both the BluePrismCloud_Data_Protection and BluePrismCloud_IMS_JWT certificates:

    1. Right-click the certificate and select All Tasks, and click Manage Private Keys....

      The Permissions dialog for the certificate displays.

    2. Click Add, then enter the service account and click OK.

    3. With the service account selected in the Group or user name list, ensure that Full control is selected in the Permissions for {account name} list.

    4. Click OK.

      The service account now has access to the certificate.

Assigning a Windows service account to the application pool

By default, the application pools are created with the identity ‘ApplicationPoolIdentity’. After the installer has completed, the Windows service account will need to be allocated to manage the application pools. To do this:

  1. On the web server, open Internet Information Services (IIS) Manager.
  2. In the Connections panel, expand the host and select Application Pools.
  3. Review the Identity column values.

    The identity for an application pool should match the specific Windows service account.

  4. For any application pools that have ApplicationPoolIdentity in the Identity column, right-click the row and select Advanced Settings....

    The Advanced Settings dialog displays.

  5. Select the Identity setting then click the ... (ellipsis) button:

  6. In the Application Pool Identity dialog, select Custom account and then click Set....

    The Set Credentials dialog displays.

  7. Enter the credentials for the required Windows service account and click OK.
  8. Repeat for any applications pools that need changing.
  9. Restart the RabbitMQ Service.
  10. Restart all application pools.
  11. Restart IIS.

If there are issues with the Audit Service, make sure that the Windows service account has access to the Audit Service Listener as well as the Audit Database.

Assigning a Windows service account to a service

The Windows service account needs to be allocated to manage the following services:

  • Blue Prism - Audit Service Listener
  • Blue Prism - Log Service
  • Blue Prism - Submit Form Manager

To do this:

  1. On the web server, open Services.
  2. Right-click the service and click Properties.

  3. On the Log on tab, select This account and then either enter the account name or click Browse to find the account you want to use.

  4. Enter the password for the account and click OK.
  5. In the Services window, right-click the service and click Restart.
  6. Repeat for the other Blue Prism services.