Change The Account Running JAMS

Follow

The JAMS services are set to run under the LocalSystem account by default though there may be a need to change this to a Windows Domain based account.


NOTE: Users are always recommended to leave the JAMS Executor running as local system.



NOTE: After a JAMS upgrade, the accounts will be reset back to Local System and will need to be updated.


The Service Control Application (services.msc) can be used to change the account that the JAMS Scheduler and JAMS Server services run under.

This may be done in order to control the Network and Database access.

If the Accounts used for the Services are changed, the Security Settings may also need to be updated on:

  • The C:\Program Files\MVPSI\JAMS\Scheduler folder
  • C:\Program Files\MVPSI\JAMS\Scheduler\JAMSScheduler.log
  • MSMQ jamsrequests and jamsrequestssubmitcancel private queues
  • The SQL Server
  • The JAMS Database
  • The JAMSSite Application Pool Identity

Database Security Requirements

Permissions may need to be re-added to allow the services account to reconnect to the Database. 

Here is an example of a SQL query which will grant an account access to a particular role:

exec sp_grantlogin @loginame='YourDomain\YourADAccountName'

exec sp_grantdbaccess @loginame='YourDomain\YourADAccountName', @name_in_db='JAMSServiceAcct'

exec sp_addrolemember @rolename='JAMSApp', @membername='JAMSServiceAcct'

Take Ownership of the MSMQ Queues

For the MSMQ jamsrequests and jamsrequestssubmitcancel private queues, the security on the queues may need to be modified to grant the domain account full access to the queues. To do that, you may  need to Take Ownership of the queues. The JAMS Services must be shutdown before taking ownership of a queue.

  1. Open Computer Management. This can be done by running compmgmt.msc from the command line.
  2. Expand Services and Applications and then expand Message Queueing
  3. Expand Private Queues and then select the jamsrequests queue.
  4. Right-click the jamsrequests queue and select Properties.
    Additionally, users can access queue properties by selecting the queue and using the More Actions option in the Actions pane.
  5. From the Properties dialog, click the Security tab.
  6. Click Advanced.
  7. Click Change next to the listed queue owner to access the change user options. Set the owner as needed.
  8. Repeat these steps for the jamsrequestssubmitcancel queue.

NOTE: If this process fails on Windows Server 2012, use the workaround below.


Private queue information is stored on the server within the folder C:\Windows\System32\msmq\storage\lqs. Open all the files to find the one that stores the information for your specific queue. The name of the queue is stored within the Label field: 

  • Create a dummy queue with the security setup such that the user can edit the queue
  • Open the configuration file from the lqs folder for the new queue and look for the Security field
  • Copy the value from the newly created queue to the old queue which the user could not edit
  • Save that file and restart the MSMQ service.

The Message Queuing section in Windows Server is in the Features section of the Server Manager console. The private queues can be found there.

Adjust permissions to a private queue by right clicking the queue, selecting Properties, and then clicking the Security tab.

Add the domain account you want to use to the Permissions list for the private queues.  It will require Full Control.

JAMS Web Client

Additional configuration is required for the JAMS Web Client to properly authenticate with the JAMS Services.

  • Change the JAMSSite Application Pool Identity to the User which is running your JAMS Server Service.
  • Restart the IIS Services. 

mceclip0.png

mceclip1.png

Security Policy Requirements

Local Security Policies should also be granted for the Domain Account:

  • Log on as a Batch Job
  • Log on as a Service
  • Adjust memory quotas for a process
  • Bypass traverse checking
  • Replace a process level token

If the Domain Account is not in the Administrators group, the following additional steps will need to be taken:

A specific Active Directory Group will have to be created, and added to the Common.config (located in C:\Program Files\MVPSI\JAMS\Scheduler by default) to include:

<add key="AuthorizedGroup" value="Domain\YourGroup" />

The Domain Account will need to be added to the following Local Groups on your JAMS Scheduler:

Performance Log Users
Performance Monitor Users

 

Have more questions? Submit a request

Comments