Enabling Impersonation - Application Server - English - Foundation 22.1 - OnBase - external

The Web Server and Application Server installers each provide the option to enable identity impersonation for the Web Server and the Application Server.

Note:

By default, the impersonation setting is set to false. However, if the Application Server was previously installed on your machine, the Impersonation option defaults to the last known setting.

If you enable impersonation for an application, the installer inserts a new identity element into that application's Web.config file and creates the encrypted credential values in the registry. If you did not select the impersonation option, you can configure impersonation manually.

Note:

Full details on creating encrypted account registry keys are available in the Microsoft article “How to use the ASP.NET utility to encrypt credentials and session state connection strings” at: http://support.microsoft.com/kb/329290/

Tip:

Impersonation can be configured using the Web Application Management Console. See the Web Application Management Console module reference guide for more information.

For best practices on using impersonation, see the section on IIS and ASP.NET configuration for Web Server autologin in the Web Server module reference guide.

To manually configure impersonation, complete the following steps:

  1. From a command line, change the directory to the location where the aspnet_setreg.exe tool resides. A copy of this tool is provided in the ..\utilities\misc subdirectory in the build distribution package.
  2. Enter the following command on a single line, where YourApp is the name of the directory where the Application Server or Web Server is installed, DOMAIN is the domain for the impersonation account, name is the user name of the impersonation account, and password is the password for the impersonation account.
    aspnet_setreg.exe -k:SOFTWARE\Hyland\YourApp\Identity -u:"DOMAIN\name" -p:"password"
  3. Open a Run dialog box and enter regedt32.
  4. Grant the application pool's identity account Read permissions to the appropriate registry key.
    • In 32-bit environments, grant the Read permission on: HKLM:SOFTWARE\Hyland\YourApp\Identity\ASPNET_SETREG

    • In 64-bit environments, grant the Read permission on: HKLM:SOFTWARE\Wow6432Node\Hyland\YourApp\Identity\ASPNET_SETREG

    The aspnet_setreg utility automatically stores the encrypted credentials in these keys when impersonation is configured for the Web or Application Server in these environments.

    Note:

    If the application pool is configured to use the built-in ApplicationPoolIdentity account, then the IIS_IUSRS group must be granted Read access to the registry key.

    CAUTION:

    Modify the registry at your own risk. Incorrectly editing the Windows registry can cause serious problems that may require you to reinstall your operating system. Be sure to back up the registry before making any changes to it. For more registry information, see the following Microsoft articles: http://support.microsoft.com/kb/256986 and http://technet.microsoft.com/en-us/library/cc725612.aspx

  5. Open the application's web.config file from the directory where it was installed. By default, server applications are installed in the following locations:
    • Application Server (32-bit): C:\inetpub\wwwroot\AppServer

    • Application Server (64-bit): C:\inetpub\wwwroot\AppServer64

    • Web Server: C:\inetpub\wwwroot\AppNet

  6. Uncomment the <identity> element by removing the <!-- and --> located above and below it.
  7. Ensure impersonate is set to true.
  8. Save the web.config file.
  9. If you are configuring impersonation for the Application Server, grant the impersonated identity account Modify permissions to the OnBase disk group storage locations and other domain locations where resources such as style sheets are stored.
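
The following PowerShell script is an added example, not part of the OnBase documentation or Hyland's tooling. It audits the result of the manual procedure above: whether the ASPNET_SETREG key exists, who can read or modify it, and whether the `<identity>` element is enabled without clear-text credentials. The defaults for `$App`, `$WebConfig` and `$PoolIdentity` and the `$trusted` list are assumptions to adjust, and the `registry:` prefix check assumes the credential reference form described in the Microsoft article cited above.

```powershell
# Added example (not Hyland code): audit the manual impersonation setup. Run elevated.
using namespace System.Security.AccessControl
param(
    [string]$App          = 'YourApp',   # placeholder name, as used on the page
    [string]$WebConfig    = 'C:\inetpub\wwwroot\AppServer64\web.config',
    [string]$PoolIdentity = 'BUILTIN\IIS_IUSRS'   # assumption: or the pool's own account
)
$findings = @()

# Step 4: find the key aspnet_setreg wrote (64-bit location first, then 32-bit).
$key = "HKLM:\SOFTWARE\Wow6432Node\Hyland\$App\Identity\ASPNET_SETREG",
       "HKLM:\SOFTWARE\Hyland\$App\Identity\ASPNET_SETREG" |
       Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) {
    $findings += 'ASPNET_SETREG key not found for this application'
} else {
    $read    = [int][RegistryRights]::ReadKey
    $write   = [int][RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'   # assumption
    $allow   = (Get-Acl -Path $key).Access | Where-Object AccessControlType -eq 'Allow'

    # Only entries naming $PoolIdentity directly are matched; access through
    # membership of another group is not resolved here.
    $poolAce = $allow | Where-Object { $_.IdentityReference.Value -eq $PoolIdentity -and
                                       (([int]$_.RegistryRights -band $read) -eq $read) }
    if (-not $poolAce) { $findings += "$PoolIdentity has no Allow entry granting Read on $key" }

    foreach ($ace in $allow) {
        $who = $ace.IdentityReference.Value
        if ($who -in $trusted) { continue }
        if (([int]$ace.RegistryRights -band $write) -ne 0) {
            $findings += "$who can modify the credential key ($($ace.RegistryRights))"
        } elseif ($who -ne $PoolIdentity) {
            $findings += "$who can read the credential key; confirm this is intended"
        }
    }
}

# Steps 6-7: <identity> must be uncommented, enabled, and free of clear-text credentials.
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$id = $cfg.SelectSingleNode("//*[local-name()='system.web']/*[local-name()='identity']")
if (-not $id) {
    $findings += '<identity> element is missing or still commented out'
} else {
    if ($id.GetAttribute('impersonate') -ne 'true') { $findings += 'impersonate is not set to true' }
    foreach ($attr in 'userName', 'password') {
        $v = $id.GetAttribute($attr)
        if ($v -and $v -notlike 'registry:*') { $findings += "$attr appears in clear text in web.config" }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All impersonation checks passed' }
```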