Change SQL Server authentication to Windows authentication for an existing setup

Article ID: 205194

Updated On:

Products

Data Center Security Server Advanced

Issue/Introduction

How to change SQL Server authentication to Windows authentication for an existing Symantec Data Center Security (SDCS) setup.

Environment

Data Center Security

  • DCS 6.8 and higher

Resolution

Steps to modify DCS management server configuration:
 
1. Configure the management server service to use the Windows domain user account that will be used to authenticate to SQL Server.
    Note: By default, the SDCS management server service is configured to use the Local System account.
 
2. Create a domain user or use a Windows user account, and grant it these permissions:
 
            i) Domain User
            ii) Remote Desktop Users
            iii) Start, stop and pause all three DCS Manager services (SISManager, UMCCredService and UMCTelemetryService)
            iv) Read and write permission on the DCS installation directory
 
3. Log in to SQL Server with administrator privileges and create the login if the domain user account that will be used to authenticate to SQL Server does not already exist in SQL Server.
 
4. To create a login, perform the following steps in the General tab:
 
            a. To populate the Login name field, click Search and select the user.
                     The Windows authentication option is selected by default.
            b. In the Default database drop-down list, select SCSPDB.
            c. In the Default language drop-down list, select English.
            d. In the Server Roles, select "Public".  
 
            Note: You must not select any other role for this user.
 
5. To assign the required roles to the user, perform the following steps in the Server Roles tab and then click OK:
 
            A. In the Users mapped to this login section, select the dcsc_umc database.

               In the Database role membership for section, select the following roles:
                 • db_datareader
                 • db_datawriter
                 • db_owner
                 • public

            B. In the Users mapped to this login section, select the SCSPDB database.

               In the Database role membership for section, select the following roles:
                 • db_datareader
                 • db_datawriter
                 • scsp_ops
                 • public

               Note: Do not select any other role for this login.

            C. In the Securables

               Select

               In the Status tab, do the following:
                 • In the Permission to connect to the database engine section, select Grant.
                 • In the Login section, select Enabled.
              
Note: Ensure that the roles and privileges assigned to this login account are identical to the scsp_ops role. The scsp_ops role is created by the management server installer.
 
 
7. Make a backup copy of the server.xml file before proceeding.  
     The server.xml file is present at the following location:
     <InstallDirectory>\Server\tomcat\conf
      Note: Preserve the backup server.xml file. 
 
8. Open the server.xml file in a text editor.  
       The server.xml file is present at the following location:
       <InstallDirectory>\Server\tomcat\conf

9. In the Database-Console resource tag, do the following:
     a. Append the text ;integratedSecurity=true to the end of the url attribute or, if the setting already exists, change it from =false to =true.
         For example:
          url="jdbc:jtds:sqlserver://<IP_Address>/SCSPDB;instance=SCSP;integratedSecurity=true"

     b. For DCS 6.8.x, DCS 6.9.x, and higher, when using SSL Authentication, set the password to password=""
         For DCS 6.7 and below, delete the "password" attribute/value pair.

     c. For DCS 6.8.x, DCS 6.9.x, and higher, when using SSL Authentication, set the username to username=""
         For DCS 6.7 and below, delete the "username" attribute/value pair.
 
10. Perform the same modifications that you made for the "Database-Console" tag to the "Database-Agent" tag, as well as to the "Database-Quartz" tag if it exists (DCS 6.8 and DCS 6.9).

11. Change the DCS Manager (or CSP Manager) Service properties under the "Log On" tab from Local System to the user you have added the permissions to in SQL.
 
12. Save your changes to the server.xml file and then start the Symantec Data Center Security or Critical System Protection Service(s).
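
A read-only check of the server.xml edits from steps 9 and 10, useful before starting the services. This is an added example, not Symantec's or Broadcom's own tooling. It assumes each resource is a <Resource> element identified by its name attribute, and the sample file, IP address and login name are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Resource names come from the article; locating them by the "name"
# attribute of <Resource> is an assumption about the server.xml layout.
RESOURCES = ("Database-Console", "Database-Agent", "Database-Quartz")
OPTIONAL = {"Database-Quartz"}  # the article says it may not exist


def check_server_xml(xml_text, legacy=False):
    """Return findings; an empty list means every resource is consistent.

    legacy=False applies the DCS 6.8+ rule (username="" and password="").
    legacy=True applies the DCS 6.7-and-below rule (attributes deleted).
    Attribute values are never echoed, so output is safe to paste in a ticket.
    """
    found = {r.get("name"): r for r in ET.fromstring(xml_text).iter("Resource")}
    findings = []
    for name in RESOURCES:
        res = found.get(name)
        if res is None:
            if name not in OPTIONAL:
                findings.append(f"{name}: resource tag not found")
            continue
        # Collect every integratedSecurity setting: a leftover =false beside
        # an appended =true is an easy editing mistake.
        flags = re.findall(r";integratedSecurity=([^;]*)", res.get("url", ""), re.I)
        if [f.strip().lower() for f in flags] != ["true"]:
            findings.append(f"{name}: url needs exactly one integratedSecurity=true")
        for attr in ("username", "password"):
            value = res.get(attr)
            if legacy and value is not None:
                findings.append(f"{name}: {attr} attribute should be deleted")
            elif not legacy and value != "":
                findings.append(f'{name}: {attr} should be {attr}=""')
    return findings


# Constructed sample, not a real DCS file: Console edited, Agent missed.
SAMPLE = """<Server><GlobalNamingResources>
  <Resource name="Database-Console" username="" password=""
    url="jdbc:jtds:sqlserver://192.0.2.10/SCSPDB;instance=SCSP;integratedSecurity=true"/>
  <Resource name="Database-Agent" username="example_login" password="constructed"
    url="jdbc:jtds:sqlserver://192.0.2.10/SCSPDB;instance=SCSP"/>
</GlobalNamingResources></Server>"""

if __name__ == "__main__":
    for line in check_server_xml(SAMPLE) or ["all database resources consistent"]:
        print(line)
```

To check a real installation, pass the text of <InstallDirectory>\Server\tomcat\conf\server.xml to check_server_xml, with legacy=True on DCS 6.7 and below.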