- Database Security Requirements
- Taking Ownership of the Queue
- Configuring the JAMS Web Client
- Security Policy Requirements
The JAMS services are set to run under the LocalSystem account by default though there may be a need to change this to a Windows Domain based account.
NOTE: Users are always recommended to leave the JAMS Executor running as local system.
NOTE: After a JAMS upgrade, the accounts will be reset back to Local System and will need to be updated.
The Service Control Application (services.msc) can be used to change the account that the JAMS Scheduler and JAMS Server services run under.
This may be done in order to control the Network and Database access.
If the Accounts used for the Services are changed, the Security Settings may also need to be updated on:
- The C:\Program Files\MVPSI\JAMS\Scheduler folder.
- The C:\Program Files\MVPSI\JAMS\Scheduler\JAMSScheduler.log.
- The local log directory. (The default is C:\ProgramData\JAMS\Logs.)
- The network folder used as the Common Log Location.
- The MSMQ jamsrequests and jamsrequestssubmitcancel private queues.
- The SQL Server.
- The JAMS Database.
- The JAMSSite Application Pool Identity.
Database Security Requirements
Permissions may need to be re-added to allow the services account to reconnect to the Database.
Here is an example of a SQL query which will grant an account access to a particular role:
exec sp_grantlogin @loginame='YourDomain\YourADAccountName' exec sp_grantdbaccess @loginame='YourDomain\YourADAccountName', @name_in_db='JAMSServiceAcct' exec sp_addrolemember @rolename='JAMSApp', @membername='JAMSServiceAcct'
Take Ownership of the MSMQ Queues
For the MSMQ jamsrequests and jamsrequestssubmitcancel private queues, the security on the queues may need to be modified to grant the domain account full access to the queues. To do that, you may need to Take Ownership of the queues. The JAMS Services must be shut down before taking ownership of a queue.
- Open Computer Management. This can be done by running compmgmt.msc from the command line.
- Expand Services and Applications and then expand Message Queueing.
- Expand Private Queues and then select the jamsrequests queue.
- Right-click the jamsrequests queue and select Properties.
Additionally, users can access queue properties by selecting the queue and using the More Actions option in the Actions pane.
- From the Properties dialog, click the Security tab.
- Click Advanced.
- Click Change next to the listed queue owner to access the change user options. Set the owner as needed.
- Repeat these steps for the jamsrequestssubmitcancel queue.
NOTE: If this process fails on Windows Server 2012, use the workaround below.
Private queue information is stored on the server within the folder C:\Windows\System32\msmq\storage\lqs. Open all the files to find the one that stores the information for your specific queue. The name of the queue is stored within the Label field:
- Create a dummy queue with the security setup such that the user can edit the queue
- Open the configuration file from the lqs folder for the new queue and look for the Security field
- Copy the value from the newly created queue to the old queue which the user could not edit
- Save that file and restart the MSMQ service.
The Message Queuing section in Windows Server is in the Features section of the Server Manager console. The private queues can be found there.
Adjust permissions to a private queue by right clicking the queue, selecting Properties, and then clicking the Security tab.
Add the domain account you want to use to the Permissions list for the private queues. It will require Full Control.
JAMS Web Client
Additional configuration is required for the JAMS Web Client to properly authenticate with the JAMS Services.
- Change the JAMSSite Application Pool Identity to the user that is running your JAMS Server Service.
- Restart the IIS Services.
Security Policy Requirements
Local Security Policies should also be granted for the Domain Account:
- Log on as a Batch Job
- Log on as a Service
- Adjust memory quotas for a process
- Bypass traverse checking
- Replace a process level token
If the Domain Account is not in the Administrators group, the following additional steps will need to be taken:
A specific Active Directory Group will have to be created and added to the Common.config (located in C:\Program Files\MVPSI\JAMS\Scheduler by default) to include:
<add key="AuthorizedGroup" value="Domain\YourGroup" />
The Domain Account will need to be added to the following Local Groups on your JAMS Scheduler:
Performance Log Users
Performance Monitor Users