Groups & Service Accounts


The final step before the Gateway web services can be deployed involves the creation of service account(s) and groups used to run the application pools for the Gateway services. 

These service accounts can be created on the Gateway server itself or, if available, in Active Directory. For a single Gateway either option works; when multiple Gateway servers are deployed, use Active Directory as the central authentication and authorization store, so that each server does not carry its own copy of the accounts, passwords and group memberships.

The services, accounts, groups and permissions required for the integration into credential repositories can be found in the integration guide for each system.

The Gateway Administrators group controls access for the local or domain users who perform administration and configuration tasks on the Gateway.

  • Group Type: Active Directory Security Group or Local Computer Group
  • Group Name Example: MP-GWGroup

The IIS application pool account is required to host the Microsoft Internet Information Services (IIS) application pool in which the Gateway web services application runs. The Gateway installer creates this account during setup, so the account executing the installer must have permission to create an account in the target repository (Active Directory or the local server). The account is a plain worker-process identity: it needs the memberships and the single logon right listed below and should not be made a local administrator.

  • Account Type: Active Directory User Account / Local Computer User Account
  • Account Name Example: MP-IISUser
  • Account Permission
    • If the gateway server is not domain joined (local computer), the account must be a member of the Users and IIS_IUSRS groups on the local server.
    • If the gateway server is domain joined (member server), the account must be a member of the Domain Users security group in Active Directory and of the IIS worker process group on each Gateway server (IIS_IUSRS on IIS 7 and later; IIS_WPG is the IIS 6 name, and both are local groups on the web server rather than Active Directory groups).
    • Additional special permission: Log on as a batch job (SeBatchLogonRight), on each Gateway server.

The Gateway administrator account is required to perform all administration and configuration on the Gateway.

  • Account Type: Active Directory User Account / Local Computer User Account
  • Account Name Example: MP-GWUser
  • Account Permissions:
    • If the gateway server is not domain joined (local computer), the account must be a member of the Users group on the local server.
    • If the gateway server is domain joined (member server), the account must be a member of the Domain Users security group in Active Directory.
    • Additional special permissions:
      • Allow log on locally (SeInteractiveLogonRight) on the Gateway server(s).
      • Membership of the MP-GWGroup group (the custom Gateway Administrators group created above).
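The group, the two accounts, the memberships and the two logon rights above can be created in one pass. The following PowerShell is an added example, not the vendor's installer or documentation: it runs elevated on the Gateway server, covers both the local and the Active Directory variant (switch `$UseActiveDirectory`), and grants the user rights with `secedit` because Windows ships no cmdlet for user-rights assignments. The OU path, the `$Domain` value and the temporary-file location are assumptions; the account and group names are the examples from this page. Passwords are prompted, not hard-coded.

```powershell
#Requires -RunAsAdministrator
# Added example, not the vendor's own script. Assumptions: PowerShell 5.1 or later,
# run elevated on the Gateway server; for the AD branch the RSAT ActiveDirectory
# module is installed and the caller may create users and groups in $OU.
$UseActiveDirectory = $false                  # $true for a domain-joined Gateway
$Domain     = $env:USERDOMAIN                 # assumption: the server's own domain
$OU         = 'OU=Gateway,DC=example,DC=com'  # assumption: target OU, adjust to fit
$GroupName  = 'MP-GWGroup'                    # example names from the page
$IisAccount = 'MP-IISUser'
$AdmAccount = 'MP-GWUser'

function Grant-UserRight {
    # Adds $Account to one user-rights assignment in the Local Security Policy using
    # secedit, keeping every principal that already holds the right.
    param([string]$Account, [string]$Right)
    $work = Join-Path $env:TEMP 'gw-rights'   # assumption: scratch directory
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $export = Join-Path $work 'export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $current = Get-Content $export | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    $held = if ($current) { $current.Split('=')[1].Split(',').Trim() } else { @() }
    if ($held -contains "*$sid") { return }   # already granted, nothing to do
    $assignment = if ($current) { "$current,*$sid" } else { "$Right = *$sid" }
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$assignment
"@
    $cfg = Join-Path $work 'grant.inf'
    Set-Content -Path $cfg -Value $inf -Encoding Unicode
    secedit /configure /db (Join-Path $work 'grant.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null
}

function Test-NotLocalAdmin {
    # Returns $true when $Account is NOT a member of the local Administrators group.
    param([string]$Account)
    -not (Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$Account" })
}

if ($UseActiveDirectory) {
    Import-Module ActiveDirectory
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OU
    }
    foreach ($name in $IisAccount, $AdmAccount) {
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
            $pw = Read-Host -AsSecureString "Password for $Domain\$name"
            New-ADUser -Name $name -SamAccountName $name -Path $OU -AccountPassword $pw -Enabled $true
        }
    }
    Add-ADGroupMember -Identity $GroupName -Members $AdmAccount   # new AD users are already Domain Users
    $iisPrincipal = "$Domain\$IisAccount"; $admPrincipal = "$Domain\$AdmAccount"
} else {
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'Gateway administrators' | Out-Null
    }
    foreach ($name in $IisAccount, $AdmAccount) {
        if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
            $pw = Read-Host -AsSecureString "Password for $name"
            New-LocalUser -Name $name -Password $pw -PasswordNeverExpires | Out-Null   # lands in Users
        }
    }
    Add-LocalGroupMember -Group $GroupName -Member $AdmAccount -ErrorAction SilentlyContinue
    $iisPrincipal = $IisAccount; $admPrincipal = $AdmAccount
}

# Local memberships and logon rights are per server: repeat this part on every Gateway.
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $iisPrincipal -ErrorAction SilentlyContinue
Grant-UserRight -Account $iisPrincipal -Right 'SeBatchLogonRight'        # Log on as a batch job
Grant-UserRight -Account $admPrincipal -Right 'SeInteractiveLogonRight'  # Allow log on locally

# Check: the pool identity must stay a plain user.
if (-not (Test-NotLocalAdmin $IisAccount)) { Write-Warning "$IisAccount is a local administrator; remove it" }
Get-LocalGroupMember -Group 'IIS_IUSRS'
Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
```

`Grant-UserRight` merges the new SID into the existing assignment line before importing it, because a `secedit /configure` that lists only the new principal would replace the right's current holders (IIS_IUSRS, Backup Operators and so on) rather than add to them. Run the script once per Gateway server; in the Active Directory case the group and accounts are created on the first run and only the local memberships and rights are applied on the others.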