Impersonation users

Explains how to add an impersonation user.

About this task

The Business Connector, Visio Workflow Connector, the WebDAV integration, and LDAP integration all use impersonation users:

  • The Business Connector, Visio Workflow Connector, and the WebDAV integration services run as an impersonation user that impersonates a Content Manager user.
  • LDAP uses an LDAP impersonation user to impersonate a user in an LDAP directory.

If you installed the Business Connector, the WebDAV Connector or the Visio Workflow Server, the installer created a default Windows impersonation user for you. This task describes how to create separate impersonation users for use with these clients. For information about creating an LDAP impersonation user, refer to Setting up LDAP integration for Content Manager.

Procedure

  1. Open the IIS Configuration Console by doing the following: Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
    The Internet Information Services (IIS) Manager dialog opens.
  2. Find the local machine name in the tree on the left and navigate to the Application Pools folder. Find the Application Pool called SDL Web, right-click it and select Properties from the context menu.
    The Properties dialog for this Application Pool opens.
  3. Select the Identity tab and configure the identity of the Application Pool. For maximum security of the Web server, SDL recommends that you use the Predefined Network Service identity.
  4. Confirm and close all IIS Manager dialogs and the IIS Manager.
  5. Start the MMC Snap-in by selecting Programs > SDL Web > SDL Web Content Manager configuration in the Microsoft Windows Start menu.
  6. Navigate to the Impersonation Users section.
  7. Select Impersonation Users and choose New Impersonation User from the context menu.
  8. Depending on the type of security model you are using (LDAP or Windows users), the impersonation user type varies. Do one of the following:
    • For Windows authentication, create an impersonation user of type Windows using the credentials used by the Content Manager SDL Web Application Pool. If this is Network Service, then the impersonation user is NT AUTHORITY\NETWORK SERVICE (or, if you are on a German, French or Spanish version of Windows, the translated equivalent).
    • For LDAP authentication, create an impersonation user of type Directory Service and point to the Directory Service used by the Content Manager. The impersonation user name should match the credentials used by the Content Manager SDL Web Application Pool. If this is Network Service, then the impersonation user is NT AUTHORITY\NETWORK SERVICE (or, if you are on a German, French or Spanish version of Windows, the translated equivalent).
  9. Ensure that the user you configured has been added to the local policy called "Bypass traverse checking" by doing the following:
    1. From the Start menu, select Run and type gpedit.msc to open the Local Group Policy Editor.
    2. In the tree view on the left, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    3. In the list of policies that appears in the content area on the right, right-click the item called Bypass traverse checking and select Properties from the context menu.
    4. In the dialog that opens, check if the user you configured is displayed in the list, and if not, click Add User or Group and add the user in the dialog that opens, then OK to close it.
    5. Click OK to close the dialog, and close the Local Group Policy Editor.
  10. Restart IIS and COM+ so that the updated settings take effect: for performance reasons, the processes that use the MMC Snap-in settings cache them in memory.
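The following PowerShell script is an added verification aid and is not part of the SDL Web documentation or product. After completing the procedure, it reads the identity the Application Pool actually runs as (step 3), resolves that identity to a SID so the check also works on a localized Windows where the account name is translated (step 8), and confirms the SID is granted the "Bypass traverse checking" right, whose internal name is SeChangeNotifyPrivilege (step 9). It assumes an elevated PowerShell session on the Content Manager server, that the WebAdministration module shipped with IIS is available, and that the Application Pool is named "SDL Web" as in the procedure; the function and variable names are the script's own.

```powershell
# Added verification script; not part of the SDL Web documentation.
# Assumptions: elevated PowerShell on the Content Manager server, the IIS
# WebAdministration module is installed, and the pool is named "SDL Web".
Import-Module WebAdministration

$poolName = 'SDL Web'

# --- Step 3: which identity does the Application Pool run as? ---
$processModel = Get-ItemProperty -Path "IIS:\AppPools\$poolName" -Name processModel
$identityType = [string]$processModel.identityType

# Resolve the pool identity to a SID. Well-known SIDs are locale-independent,
# so this works even where the account name is localized (German, French, ...).
$wk = [System.Security.Principal.WellKnownSidType]
switch ($identityType) {
    'NetworkService' { $poolSid = New-Object System.Security.Principal.SecurityIdentifier($wk::NetworkServiceSid, $null) }
    'LocalService'   { $poolSid = New-Object System.Security.Principal.SecurityIdentifier($wk::LocalServiceSid, $null) }
    'LocalSystem'    { $poolSid = New-Object System.Security.Principal.SecurityIdentifier($wk::LocalSystemSid, $null) }
    'ApplicationPoolIdentity' {
        # Virtual account IIS AppPool\<pool name>
        $poolSid = (New-Object System.Security.Principal.NTAccount('IIS AppPool', $poolName)).Translate([System.Security.Principal.SecurityIdentifier])
    }
    'SpecificUser' {
        $poolSid = (New-Object System.Security.Principal.NTAccount($processModel.userName)).Translate([System.Security.Principal.SecurityIdentifier])
    }
    default { throw "Unknown identity type '$identityType' on Application Pool '$poolName'." }
}
if ($identityType -ne 'NetworkService') {
    Write-Warning "Pool '$poolName' runs as '$identityType'; the procedure recommends the predefined Network Service identity."
}

# This is the name the impersonation user must match in step 8 (localized on non-English Windows).
$poolAccountName = $poolSid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Application Pool identity: $poolAccountName ($($poolSid.Value))"

# --- Step 9: is that SID granted "Bypass traverse checking" (SeChangeNotifyPrivilege)? ---
# secedit exports the current assignment as a line such as:
#   SeChangeNotifyPrivilege = *S-1-5-20,*S-1-5-32-544
function ConvertTo-SidString([string]$entry) {
    # Entries are normally '*<SID>'; unresolvable ones may be left as account names.
    $e = $entry.Trim().TrimStart('*')
    if ($e -match '^S-1-') { return $e }
    try { return (New-Object System.Security.Principal.NTAccount($e)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $e }
}

$exportFile = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $exportFile | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
Remove-Item $exportFile -ErrorAction SilentlyContinue

$grantedSids = @()
if ($rightLine) {
    $grantedSids = (($rightLine -split '=', 2)[1] -split ',') | ForEach-Object { ConvertTo-SidString $_ }
}

# Direct grant, or a grant to a group every logged-on account belongs to
# (S-1-1-0 Everyone, S-1-5-11 Authenticated Users), which also covers the pool identity.
$coveringGroups = @('S-1-1-0', 'S-1-5-11')
$direct   = $grantedSids -contains $poolSid.Value
$viaGroup = @($grantedSids | Where-Object { $coveringGroups -contains $_ }).Count -gt 0

if ($direct) {
    Write-Host "OK: $poolAccountName is listed directly under 'Bypass traverse checking'."
} elseif ($viaGroup) {
    Write-Host "OK: 'Bypass traverse checking' is granted to Everyone/Authenticated Users, which includes $poolAccountName."
} else {
    Write-Warning "MISSING: $poolAccountName is not granted 'Bypass traverse checking'. Add it via gpedit.msc (step 9), then restart IIS and COM+ (step 10)."
}
```

Run the script after step 10; if it reports a missing grant, repeat step 9 and restart IIS and COM+ again, since the processes cache the MMC Snap-in settings in memory. The SID-based comparison is deliberate: comparing the literal string "NT AUTHORITY\NETWORK SERVICE" would fail on a German, French or Spanish Windows, whereas S-1-5-20 identifies Network Service on every locale.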