Configuring a Content Manager impersonation user

If you installed the WebDAV Connector or the Visio Workflow Server, the installer created a default Windows impersonation user for you. This task describes how to create separate impersonation users for use with these clients.

About this task

The Visio Workflow Connector, the WebDAV integration, and LDAP integration all use impersonation users:

  • The Visio Workflow Connector and the WebDAV integration services run as an impersonation user that impersonates a Content Manager user.
  • LDAP uses an LDAP impersonation user to impersonate a user in an LDAP directory.

Because an impersonation user can act on behalf of Content Manager users, treat the account you configure as a privileged one: run it with the least privilege the service needs (hence the Network Service recommendation in the procedure below), do not share it with other services, and do not add entries to impersonationUsers that none of these clients requires.

For information about creating an LDAP impersonation user, refer to Setting up LDAP integration for Content Manager.

Procedure

  1. Open Internet Information Services (IIS) Manager: Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.
    The Internet Information Services (IIS) Manager window opens.
  2. Find the local machine name in the tree on the left and navigate to the Application Pools folder. Find the Application Pool called SDL Tridion, right-click it and select Advanced Settings from the context menu.
    The Advanced Settings dialog for this Application Pool opens.
  3. Under Process Model, set the Identity of the Application Pool. For maximum security of the web server, SDL recommends the predefined (built-in) Network Service identity, a low-privilege local account, rather than a custom domain account or an administrative account.
  4. Confirm and close all IIS Manager dialogs and the IIS Manager.
  5. On the Content Manager server, access the config\ subfolder of the %TRIDION_HOME% folder, and in this location, open Tridion.ContentManager.config for editing.
  6. Within the configuration root element, find the section called tridion.contentmanager.security, and inside that section, the impersonationUsers section.
  7. Create a new subelement within the impersonationUsers section and call it add.
  8. Depending on the type of security model you are using (LDAP or Windows users), the impersonation user type varies. Do one of the following:
    • To create an impersonation user using Windows authentication, add an impersonationType attribute and set it to the value Windows.
    • To create an impersonation user using LDAP authentication, add an impersonationType attribute and set it to the value DirectoryService.
  9. Add a name attribute and set it to the name of the impersonation user. If this user is Network Service, the impersonation user is NT AUTHORITY\NETWORK SERVICE (or, on a German, French or Spanish version of Windows, the translated equivalent; it is the same account, only its display name is localized).
  10. Ensure that the user you configured has been added to the local policy called "Bypass traverse checking" by doing the following:
    1. From the Start menu, select Run and type gpedit.msc to open the Local Group Policy Editor.
    2. In the tree view on the left, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
    3. In the list of policies that appears in the content area on the right, right-click the item called Bypass traverse checking and select Properties from the context menu.
    4. In the dialog that opens, check whether the user you configured is displayed in the list. If not, click Add User or Group, add the user in the dialog that opens, and click OK to close it.
    5. Click OK to close the dialog, and close the Local Group Policy Editor.
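The Windows/Network Service case of steps 3 and 7 to 10, as an added PowerShell example; this script is not part of the SDL documentation or the product. It assumes the IIS WebAdministration module is installed, the session is elevated on the Content Manager server, %TRIDION_HOME% is set, and Tridion.ContentManager.config has no default XML namespace; the application pool name, attribute names and element path are taken from the procedure above. It resolves the account name from the well-known SID S-1-5-20 so the localized display name is written correctly on non-English Windows, and it checks the "Bypass traverse checking" right (SeChangeNotifyPrivilege) by SID rather than by name.

```powershell
# Added example (not from the SDL documentation): automates steps 3, 7-9 and 10
# for a Windows impersonation user running as Network Service, then verifies.
# Assumptions (not stated on the page): WebAdministration module present,
# elevated session, %TRIDION_HOME% set, config file without a default namespace.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$poolName   = 'SDL Tridion'
$configPath = Join-Path $env:TRIDION_HOME 'config\Tridion.ContentManager.config'

# Step 3: run the application pool as the built-in Network Service account.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value NetworkService

# S-1-5-20 is the language-independent SID of Network Service; translating it
# yields "NT AUTHORITY\NETWORK SERVICE" on English Windows and the localized
# equivalent elsewhere, which is the value step 9 needs in the name attribute.
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Steps 7-9: add <add impersonationType="Windows" name="..."/> under
# /configuration/tridion.contentmanager.security/impersonationUsers
# (idempotent: nothing is written if an entry for this account exists).
Copy-Item $configPath "$configPath.bak" -Force
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)
$users = $xml.SelectSingleNode('/configuration/tridion.contentmanager.security/impersonationUsers')
if (-not $users) { throw "impersonationUsers section not found in $configPath" }
if (-not $users.SelectSingleNode("add[@name='$account']")) {
    $add = $xml.CreateElement('add')
    $add.SetAttribute('impersonationType', 'Windows')
    $add.SetAttribute('name', $account)
    [void]$users.AppendChild($add)
    $xml.Save($configPath)
}

# Step 10: confirm the account holds "Bypass traverse checking"
# (SeChangeNotifyPrivilege). secedit exports User Rights Assignment as
# "*SID" entries, so compare against *S-1-5-20 rather than the localized name.
$export = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
$line = Get-Content $export | Where-Object { $_ -match '^SeChangeNotifyPrivilege' } | Select-Object -First 1
$grantees = if ($line) { ($line -split '[=,]' | ForEach-Object { $_.Trim() }) } else { @() }
Remove-Item $export -Force
if ($grantees -contains '*S-1-5-20') {
    Write-Output "$account is listed under Bypass traverse checking."
} else {
    Write-Warning "$account is not explicitly listed under Bypass traverse checking; add it as in step 10."
}
```

The check matches only an explicit grant to Network Service; a grant inherited through a group listed in the policy (the default local policy grants the right to Everyone, for example) is not resolved, so the warning means "verify", not "broken". Restart the application pool after editing the config so the Content Manager picks up the new impersonationUsers entry.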