Required Accounts and Permissions for Installing Forefront Server products

There are several different accounts and permissions that are required for a successful installation of Forefront server products. This blog discusses those accounts and permissions; however, complex environments may need additional information not covered here and should contact Support for assistance.

1- Forefront Server Security for SharePoint (FSSP)

Accounts needed for installing FSSP:

- Requires an existing domain account with membership in the local Administrators group on the SharePoint server where FSSP is being installed. This account can either be used to log on locally at the server, or to execute setup.exe using the runas command.

Note: This assumes that the local Administrators group is also the SharePoint administrators group.

- Remote installations require administrator privileges on the remote computer.

Account prompted for during FSSP installation wizard:

- This account must be a member of the local Administrators group on the server on which SharePoint Portal Server is installed (that is, a local administrator on the web server who ALSO has System Administrator rights on the database server).

- You cannot use the default "Administrator" account.

- The user name must be entered in the format domain\username or servername\username.

- Account must have “Log on as a Service” user right.

- The FSSPController service is configured to run under this account.

2- Forefront Server Security for Exchange (FSE)

Accounts needed for installing FSE:

- Requires an existing domain account with membership in the local Administrators group on the Exchange server where FSE is being installed. This account can either be used to log on locally at the server, or to execute setup.exe using the runas command.

Note: This assumes that the local Administrators group is also the Exchange Organization Administrators group, found in the domain under “Microsoft Exchange Security Groups”.

- Remote installations require administrator privileges on the remote computer.

Account prompted for during FSE installation wizard:

- This account must be a member of the local Administrators group on the server where Exchange is installed.

- You cannot use the default "Administrator" account.

- The user name must be entered in the format domain\username or servername\username.

- Account must have “Log on as a Service” user right.

3- Forefront Server Security Management Console (FSSMC)

Accounts needed for installing FSSMC:

- Requires an existing domain account with membership in the local Administrators group on the FSSMC server.

Note: This account can either be used to log on locally at the server, or to execute setup.exe using the runas command.

- The user account used to install the FSSMC (called the Installation Administrator) is automatically granted access to the FSSMC.

Accounts prompted for during FSSMC installation wizard:

- For a Standalone Enterprise Installation, a domain account must be provided during setup that has access to the SQL repository. This account is automatically given access to the FSSMC database user list.

o The account must be given db_owner permissions on the SybariEnterpriseManager and SybariEnterpriseManagerReports databases.

§ Both databases must exist in a single SQL Server instance.

§ The instance does not need to be dedicated to FSSMC.

o If installing on a Primary or Backup role, the account must hold the sysadmin server role on the SQL instance and be a local administrator.

Note: The FSSMC service will be configured to run under this account automatically.

Important: The domain account that is used during setup to access the SQL Repository must have the user right “Allow Logon Locally” on the front-end FSSMC server. In a default configuration, the Users group has the “Allow Logon Locally” right. The Users group includes Authenticated Users, so any Domain User would have this right. However, in a hardened environment the Users group may have been removed from that right. If it has been removed, then during setup, when clicking Test Connection, the connection test succeeds, but after clicking Next the setup simply closes with no error presented or logged.

- Express Installation does not prompt for any user accounts during the installation wizard.
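The following script is an added pre-installation check, not part of the original post: run it elevated on the server being prepared to confirm that the account you intend to enter in the FSSP, FSE or FSSMC wizard is not the built-in Administrator, is a local administrator, and holds the “Log on as a service” and “Allow log on locally” user rights (the last one is the check that explains the silent setup exit described above). It assumes PowerShell 3.0 or later; the account name CONTOSO\svc-forefront is a constructed example.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$Account    # e.g. CONTOSO\svc-forefront (constructed example value)
)

# Translate DOMAIN\name (or a group name) to its SID string.
function Get-SidString([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export the local security policy and report whether any of the given SIDs
# is granted the named user right. Only direct grants and the built-in groups
# passed in are considered; nested domain group membership is not expanded.
function Test-UserRight([string[]]$Sids, [string]$Right) {
    $inf = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }          # right is granted to nobody
    $granted = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($s in $Sids) { if ($granted -contains $s) { return $true } }
    return $false
}

$sid    = Get-SidString $Account
$users  = 'S-1-5-32-545'   # BUILTIN\Users; includes Authenticated Users by default
$admins = 'S-1-5-32-544'   # BUILTIN\Administrators
$localAdmins = net localgroup Administrators | ForEach-Object { $_.Trim() }

$checks = [ordered]@{
    'Not the built-in Administrator' = ($Account -notmatch '\\Administrator$')
    'Member of local Administrators' = ($localAdmins -contains $Account)
    'Log on as a service'            = (Test-UserRight @($sid) 'SeServiceLogonRight')
    'Allow log on locally'           = (Test-UserRight @($sid, $users, $admins) 'SeInteractiveLogonRight')
}
# A MISSING "Allow log on locally" on a hardened FSSMC server is the case where
# Test Connection succeeds but setup closes silently after Next.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

The SQL repository account for a Standalone Enterprise installation is usually not a local administrator, so for that account the “Allow log on locally” line is the one to watch.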

Accounts created automatically with installation of FSSMC (no user intervention required):

- Express Installation:

o The SMGR_ServerName account is created and the FSSMC service runs under that account

o The account also provides access to the local database (automatically).

- All installations:

o SNTF_ServerName and SUSER_ServerName accounts are created on the FSSMC server.

§ The FSSMC Web Application runs under the SUSER_ServerName account, and only this account has access to the FSSMC service.

§ When deploying agents to FSSP and FSE servers, FSSMC saves the credentials of the SNTF_ServerName account to the managed FSSP and FSE servers, so that these servers can communicate back to FSSMC as needed.

§ On the FSSMC server, the SNTF_ServerName account has Local and Remote Access permissions and Local and Remote Launch and Activation permissions on the Forefront COM component.

o FSSMC also creates an account on managed servers named SDEP_ServerName during the deployment of the FSSMC agent and uses that account’s credentials to communicate with the managed servers.

§ On the managed servers, the SDEP_ServerName account has Local and Remote Access permissions and Local and Remote Launch and Activation permissions on the Forefront COM component.

Other Accounts:

- FSSMC Agent Installation account

o Used to access the selected servers and install the agent from FSSMC.

o Entered in the format domain\username or server\username.

o The user name and password you provide must belong to a local administrator on the target server or to a domain administrator.

o You can enter one set of credentials for all the servers (by selecting Use these credentials for all) or enter credentials separately for each server.


4- Additional Information

- When configuring Primary and Backup mode installations of FSSMC, SQL Server must be configured to support Windows Authentication (instead of SQL Authentication), and the account used to access the SQL server must have “Log on as Interactive” privileges on the FSSMC machine.

- Interaction between FSSMC and FSSP servers

o FSSMC uses the DCOM interface exposed by the FSSMC agent on the managed server.

o The FSSMC agent responds through the COM+ interface on the FSSMC server.
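As an added example (not from the original post), this script checks the SQL-side requirements listed for the FSSMC repository account in section 3 and the Windows Authentication requirement for Primary/Backup mode above: it connects with the caller's Windows credentials and verifies that the login exists, that both repository databases are on the one instance, that the login is db_owner (or the database owner) of each, and whether it is sysadmin. It assumes PowerShell 3.0 or later and .NET SqlClient; the instance name SQLHOST\FSSMC and login CONTOSO\svc-fssmc are constructed examples.

```powershell
param(
    [string]$Instance = 'SQLHOST\FSSMC',        # constructed example instance
    [string]$Login    = 'CONTOSO\svc-fssmc'     # constructed example repository account
)
$databases = @('SybariEnterpriseManager', 'SybariEnterpriseManagerReports')

# Run a scalar T-SQL query against one database with Windows Authentication
# (the caller's credentials); SQL Authentication is not supported for Primary/Backup.
function Invoke-Scalar([string]$Db, [string]$Query, [hashtable]$Params) {
    $cs   = "Server=$Instance;Database=$Db;Integrated Security=SSPI;Connection Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($k, $Params[$k]) }
        return $cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

# db_owner membership is matched by SID so it works even if the database user
# name differs from the login name; dbo (the database owner) is implicitly db_owner.
$dbOwnerQuery = "SELECT COUNT(*) FROM sys.database_principals u " +
    "JOIN sys.server_principals l ON l.sid = u.sid " +
    "WHERE l.name = @login AND (u.name = 'dbo' OR IS_ROLEMEMBER('db_owner', u.name) = 1)"

$p = @{ '@login' = $Login }
$results = [ordered]@{}
$results['Login exists on instance'] = [int](Invoke-Scalar 'master' `
    'SELECT COUNT(*) FROM sys.server_principals WHERE name = @login' $p) -gt 0
$results['sysadmin (Primary/Backup role)'] = [int](Invoke-Scalar 'master' `
    "SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin', @login), 0)" $p) -eq 1

foreach ($db in $databases) {
    $exists = [int](Invoke-Scalar 'master' `
        'SELECT COUNT(*) FROM sys.databases WHERE name = @db' @{ '@db' = $db }) -gt 0
    $results["$db exists on instance"] = $exists
    if ($exists) {
        $results["$db db_owner"] = [int](Invoke-Scalar $db $dbOwnerQuery $p) -gt 0
    }
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-48} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Run it as a user who can read the catalog views on the instance; a sysadmin result of MISSING is only a problem for the Primary and Backup roles, not for a Standalone Enterprise installation.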