- Database Security Requirements
- Taking Ownership of the JAMSRequests Queue
- Configuring the JAMS Web Client
- Security Policy Requirements
The JAMS services run under the LocalSystem account by default, though there may be a need to change this to a Windows Domain based account.
NOTE: Users are always recommended to leave the JAMS Executor running as Local System.
NOTE: After a JAMS upgrade, the accounts will be reset back to Local System, and will need to be updated.
The Service Control Application (services.msc) can be used to change the account that the JAMS Scheduler and JAMS Server services run under.
This may be done in order to control the Network and Database access.
If the Accounts used for the Services are changed, the Security Settings may also need to be updated on:
- The C:\Program Files\MVPSI\JAMS\Scheduler folder
- C:\Program Files\MVPSI\JAMS\Scheduler\JAMSScheduler.log
- MSMQ JAMSRequests Private Queue
- The SQL Server
- The JAMS Database
- The JAMSSite Application Pool Identity
Database Security Requirements
Permissions may need to be re-added to allow the services account to reconnect to the Database.
Here is an example of a SQL query which will grant an account access to a particular role:
-- Create a server login for the domain account
exec sp_grantlogin @loginame='YourDomain\YourADAccountName'
-- Map that login to a user in the JAMS database (run while connected to the JAMS database)
exec sp_grantdbaccess @loginame='YourDomain\YourADAccountName', @name_in_db='JAMSServiceAcct'
-- Add the database user to the JAMSApp role
exec sp_addrolemember @rolename='JAMSApp', @membername='JAMSServiceAcct'
Take Ownership of the JAMSRequests Queue
For the MSMQ JAMSRequests Private Queue, the security on the queue may need to be modified to grant the domain account full access to the queue. In order to do that, it may be necessary to Take Ownership of the jamsrequests queue. The JAMS Services must be shut down before taking ownership of the queue.
- Open Computer Management. This can be done by running compmgmt.msc from the command line.
- Navigate to Private Queues, located at Services and Applications -> Message Queuing.
- Expand Private Queues, then select the jamsrequests queue.
- Right-Click on the jamsrequests queue and select Properties from the drop-down list.
Additionally, users can access queue properties by selecting the queue and using the More Actions option in the Actions pane.
- From the Properties dialog that appears, navigate to the Security tab, then select the Advanced security permissions.
- Use the Change option next to the listed queue owner to access the change user options. Set the owner as needed.
Note: If for any reason this process fails on Windows Server 2012, the following workaround can be used.
Private Queue information is stored on the server within the folder C:\Windows\System32\msmq\storage\lqs. Open all the files to find the one that stores the information for your specific queue. The name of the queue is stored within the Label field:
- Create a dummy queue with the security set up such that the user can edit the queue.
- Open the configuration file from the lqs folder for the new queue and look for the Security field.
- Copy the value from the newly created queue into the file for the old queue that the user could not edit.
- Save that file and restart the MSMQ service.
The Message Queuing section in Windows Server is located in the Features section of the Server Manager console. The jamsrequests private queue can be found there.
Permissions on the jamsrequests private queue can be adjusted by right-clicking the queue -> Properties -> Security.
Add the domain account you wish to use to the Permissions list for the jamsrequests Private Queue; it will require Full Control.
JAMS Web Client
Additional configuration is required for the JAMS Web Client to properly authenticate with the JAMS Services.
- Change the JAMSSite Application Pool Identity to the User which is running your JAMS Server Service.
- Restart the IIS Services.
Security Policy Requirements
The following Local Security Policy user rights should also be granted to the Domain Account:
- Log on as a Batch Job
- Log on as a Service
- Adjust memory quotas for a process
- Bypass traverse checking
- Replace a process level token
If the Domain Account is not in the Administrators group, the following additional steps will need to be taken:
A specific Active Directory Group will have to be created, and added to the Common.config (located in C:\Program Files\MVPSI\JAMS\Scheduler by default) to include:
<add key="AuthorizedGroup" value="Domain\YourGroup" />
The Domain Account will need to be added to the following Local Groups on your JAMS Scheduler:
- Performance Log Users
- Performance Monitor Users
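As an added verification example (not from the JAMS documentation), the PowerShell script below reports whether a domain account already holds the five user rights listed in the Security Policy Requirements and is a member of the two Local Groups above. It assumes it is run elevated on the JAMS Scheduler host, and the account name is a placeholder.

```powershell
# Added verification script (not part of the JAMS documentation): checks that a
# domain account holds the five user rights and the two local group memberships
# required for the JAMS services. Run elevated on the JAMS Scheduler host.
# $Account is a placeholder; replace it with the real service account.
param([string]$Account = 'YourDomain\YourADAccountName')

# Policy names as shown in secpol.msc mapped to the constants secedit writes out
$requiredRights = @{
    'Log on as a batch job'              = 'SeBatchLogonRight'
    'Log on as a service'                = 'SeServiceLogonRight'
    'Adjust memory quotas for a process' = 'SeIncreaseQuotaPrivilege'
    'Bypass traverse checking'           = 'SeChangeNotifyPrivilege'
    'Replace a process level token'      = 'SeAssignPrimaryTokenPrivilege'
}
$requiredGroups = @('Performance Log Users', 'Performance Monitor Users')

# secedit lists principals as *SID, so resolve the account to its SID up front
# (this needs connectivity to the domain to translate the name)
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local policy to a temp file and parse it
$cfg = Join-Path $env:TEMP 'jams-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

foreach ($name in $requiredRights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$($requiredRights[$name])\s*=" }
    $principals = @()
    if ($line) {
        # Strip "SeXxx =" and split the comma-separated principal list
        $principals = ($line -replace '^[^=]*=', '') -split ',' | ForEach-Object { $_.Trim() }
    }
    $ok = ($principals -contains "*$sid") -or ($principals -contains $Account)
    $status = if ($ok) { 'OK' } else { 'MISSING' }
    '{0,-8} user right: {1}' -f $status, $name
}

# Local group membership: Get-LocalGroupMember exposes each member's SID
foreach ($group in $requiredGroups) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    $ok = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
    $status = if ($ok) { 'OK' } else { 'MISSING' }
    '{0,-8} local group: {1}' -f $status, $group
}
```

Any line reported as MISSING corresponds to a right or group membership that still has to be granted through secpol.msc or Computer Management before the services will start correctly under the domain account.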