Documentation Center

ISHSTS with Windows Authentication

Several settings must be made before ISHSTS can provide Windows Authentication. Both the web server and the SQL Server database must be properly configured. You can either make these settings manually or use the scripts provided with the package.

ISHSTS is automatically configured during installation.

InstallTool creates an application pool (for example TrisoftAppPoolISHSTS) based on the input parameter infosharestswebappname. The application pool is assigned an identity based on the input parameter osuser. This user is responsible for hosting the endpoints provided by ISHSTS.

For the Windows Authentication endpoints to work, the following changes, which follow from the Service Principal Name requirements defined in Active Directory, must be made, either manually or through a script.
Application pool identity
The application pool identity is changed to the built-in ApplicationPoolIdentity. This changes the user who hosts the endpoints to an account to which the correct Service Principal Names are assigned. The expected Service Principal Names are:
  • http/baseurl
  • host/baseurl
Read permissions

Read permissions on the token signing certificate's private key are assigned to IIS AppPool\infosharestswebappname. The token signing certificate in ISHSTS is configured through the InstallTool parameter issuercertificatethumbprint.

Read/write permissions on the three target installation paths defined in the input parameters are assigned to IIS AppPool\infosharestswebappname:
  • webpath
  • datapath
  • apppath
Integrated authentication
If the database is SQL Server and the connection string uses integrated authentication, the computer account of the web server is granted permissions on the database.

The only permission required is SELECT.
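The four changes above, applied with a PowerShell script. This is an added example, not a script shipped with the ISHSTS package or produced by InstallTool; the application pool name, thumbprint, installation paths, SQL Server instance, database name, computer account and base URL host name are placeholders to replace with the values of your installation, and the SQL step assumes the SqlServer module (Invoke-Sqlcmd) is present and the script runs elevated under an account that is sysadmin on the instance.

```powershell
# Added example (not part of the ISHSTS package). All parameter defaults are placeholders.
param(
    [string]$AppPoolName     = 'TrisoftAppPoolISHSTS',          # infosharestswebappname
    [string]$Thumbprint      = 'THUMBPRINT_PLACEHOLDER',        # issuercertificatethumbprint
    [string[]]$Paths         = @('C:\InfoShare\Web', 'C:\InfoShare\Data', 'C:\InfoShare\App'), # webpath, datapath, apppath
    [string]$SqlInstance     = 'SQLHOST\INSTANCE',
    [string]$Database        = 'DATABASE_PLACEHOLDER',
    [string]$ComputerAccount = 'DOMAIN\WEBSERVER$',             # computer account of the web server
    [string]$BaseUrlHost     = 'sts.example.com'                # host part of the ISHSTS base URL
)
Import-Module WebAdministration
$poolAccount = "IIS AppPool\$AppPoolName"

# 1. Application pool identity: use the built-in ApplicationPoolIdentity so the endpoints
#    run under the computer account, which is what the host/ and http/ SPNs must point to.
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.identityType -Value ApplicationPoolIdentity

# 2. Read permission on the token signing certificate's private key file (CNG or CSP key store).
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName | Select-Object -First 1
$acl = Get-Acl $keyFile.FullName
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($poolAccount, 'Read', 'Allow')))
Set-Acl $keyFile.FullName $acl

# 3. Read/write (Modify) on webpath, datapath and apppath, inherited by files and subfolders.
foreach ($p in $Paths) {
    $acl  = Get-Acl $p
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $poolAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl $p $acl
}

# 4. SQL Server with integrated authentication: the computer account only needs SELECT.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ComputerAccount')
    CREATE LOGIN [$ComputerAccount] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ComputerAccount')
    CREATE USER [$ComputerAccount] FOR LOGIN [$ComputerAccount];
GRANT SELECT TO [$ComputerAccount];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql

# Check that the SPNs the endpoints rely on exist (setspn -Q reports whether the SPN is registered).
setspn -Q "http/$BaseUrlHost"
setspn -Q "host/$BaseUrlHost"
```

If setspn reports the http/ SPN as missing, it must be registered on the web server's computer account; the script only checks, it does not register SPNs.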