Hi,
This is my first post on this forum, but I read it almost every day.
Nice to meet you! :)
----------------------------------------------------------------------------------------
I'm having trouble trying to set up Sage CRM 7.1 (actually i7.5 French version, but the core is equal to v7.1 EN) with Windows user authentication, database connection through IIS NT Integrated security, and the way Tomcat services connect to the DB.
1) Here is my first problem:
My customer has high security principles regarding how applications and users should connect to the DBs.
Their major requirement is that SQL Server should not allow connections through SQL users (for instance, the sa login is disabled). It's OK for the setup process, but once CRM is installed we must find a way for CRM to be able to connect using a dedicated Windows account that has dbowner rights on the CRM database.
How can I manage to set this up properly?
We have succeeded by changing the account that runs the application pools for CRM and CRM rewriter and checking the appropriate option in the Admin/System parameters/Database/Use Integrated NT Windows security. It works for all SageCRM standard accesses to the database it seems, but...
Issue #1.1: How can we do the same for the Tomcat services?
When we looked a little deeper in the SQL Server logs, we could clearly see that Tomcat still uses its own default "sa" SQL login credentials.
OK, no problem, let's change the jdbc settings file in the tomcat/webapps/web-inf folder and restart the services, we thought. (I put the login "sa" and "password" lines in comment and added "Integrated Security=SSPI" to the connection string, but I suppose I'm wrong.)
But then the Tomcat logs tell us that this config is wrong. So once again, how to do this properly?
I read a lot about this but it's always general and very detailed, so it's a lot of wasted time. Maybe a detailed article could help a lot of partners all around the world?
Issue #1.2: We found some errors in the SQL logs, something that led us to this article:
Did anyone have this kind of connection error?
EDIT: What I'm thinking now, reviewing my questions before posting, is that in IIS I left both Anonymous logon & Windows authentication enabled. Is that correct or not?
2) Now my second issue: allowing Windows user authentication in SageCRM.
I created two different CRM logins with the same names as the corresponding AD users, properly set up the default domain name, and set the parameter Admin/Users/User settings/Use automatic IIS login session to Yes.
Once done I tried to login and it worked. No need to specify the password anymore the login is automatic. Very nice but...
As soon as I tried to login with another Windows session using the other crm user associated with the other windows login, I found out that I was still connected with the previous login...
Strange behaviour but you need more explanations...
In fact I had the following settings in CRM & IIS:
- The first CRM account (= the first Windows login) is the one that is configured in the CRM application pool (let's call this Windows account CRMPoolAccount).
- This CRMPoolAccount has the rights to connect to the CRMDB & is Domain admin.
- This CRMPoolAccount is a CRM login too.
- Use automatic IIS login session to YES + default domain specified
- IIS CRM application pool that runs with the CRMPoolAccount account (and the same for the CRM Rewriter application pool)
- Use Integrated NT Windows security for Database connection in SageCRM is configured.
Where did I miss something for this second issue?
PS: Our server is 2008R2 64-bit, with IIS 7.0
Thanks in advance for your ideas.
Valérian
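
A check for the requirement described in the post (no connections through SQL logins), added here as an example and not part of the original post: it scans SQL Server error-log text and separates logins made with SQL Server authentication from those made with Windows authentication. It assumes login auditing is set to record both successful and failed logins; the log lines, client address and EXAMPLE domain are constructed.

```python
import re
from collections import Counter

# Constructed sample in the SQL Server error-log login format (not from the post).
SAMPLE_LOG = "\n".join([
    "2012-06-04 09:12:01.33 Logon       Login succeeded for user 'EXAMPLE\\CRMPoolAccount'. "
    "Connection made using Windows authentication. [CLIENT: 192.0.2.10]",
    "2012-06-04 09:12:05.87 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
    "2012-06-04 09:12:09.10 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
    "2012-06-04 09:30:44.02 Logon       Login failed for user 'sa'. "
    "Reason: The account is disabled. [CLIENT: 192.0.2.10]",
    "2012-06-04 09:31:00.00 Server      SQL Server is now ready for client connections.",
])

LOGIN_RE = re.compile(
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'\."
    r"(?: Connection made using (?P<auth>Windows|SQL Server) authentication\.)?"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)

def audit_logins(log_text):
    """Count logins per (user, client), grouped by outcome and auth method."""
    report = {"sql_auth": Counter(), "windows": Counter(), "failed": Counter()}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login audit line
        key = (m["user"], m["client"])
        if m["result"] == "failed":
            # Failed lines carry a reason instead of the auth method.
            report["failed"][key] += 1
        elif m["auth"] == "SQL Server":
            # Violates the "no SQL logins" requirement.
            report["sql_auth"][key] += 1
        elif m["auth"] == "Windows":
            report["windows"][key] += 1
    return report

if __name__ == "__main__":
    result = audit_logins(SAMPLE_LOG)
    for (user, client), n in result["sql_auth"].items():
        print(f"SQL-auth login: user={user} client={client} count={n}")
    for (user, client), n in result["failed"].items():
        print(f"Failed login:   user={user} client={client} count={n}")
```

Any entry under `sql_auth` identifies a component still connecting with a SQL login, and the client address shows which host it runs on.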