Under Construction
As installed, the SHIBD_IDP system service runs as the “Local System Account”. For obvious reasons, it is preferable to run the service with as few permissions and privileges as possible. In particular, it is important to deny the service the ability to write to the IdP’s own configuration.
This is done after (every) installation and is quite easy to achieve. There are three steps:
Create an appropriate account
Add appropriate ACEs to various system objects
Arrange for the service to run as this user.
Throughout we will use the id SHIBD_USER to refer to the created user. Obviously this can be any identifier you want.
Users of Active Directory should consider service accounts and in particular “group Managed Service Accounts”
The created account should have as few privileges and permissions as possible. In particular:
Needs review by someone with AD / Windows System Admin expertise
The account should be a Member of “Users”, but not “Administrators” (of any flavor)
The account should have the following user rights:
Log on as a service
Deny log on as batch job
Deny log on locally
Deny log on through Remote Desktop Services
Open Regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp
Right click, Permissions, Add..., enter SHIBD_USER, then click “Check Names”, click OK
Allow READ, but NOT full control
Open Explorer, Right Click on C:\Program Files (x86)\Shibboleth\IdP\jetty-base\start.d
Permissions Tab, Advanced, Continue (as elevated)
Add, Select a Principal, enter SHIBD_USER, then click “Check Names”, click OK
Make sure “Type” is “allow” and “Applies to” is “This folder, subfolder and files”
Make sure that “Read & Execute”, “List Folder Contents” and “Read” are checked and nothing else.
OK, OK
Dismiss window
Repeat the above for C:\Program Files (x86)\Shibboleth\IdP\conf
Repeat the above for C:\Program Files (x86)\Shibboleth\IdP\credentials
Open Explorer, Right click on C:\Program Files (x86)\Shibboleth\IdP\jetty-base\logs
Permissions Tab, edit…
Add, Select a Principal, enter SHIBD_USER, then click “Check Names”, click OK
Select on “Full control” and then OK
Dismiss window
Repeat for C:\Program Files (x86)\Shibboleth\IdP\jetty-base\tmp
Repeat for C:\Program Files (x86)\Shibboleth\IdP\logs
You may get a warning about “permissions being misordered”. Click on “Edit”, then “Reorder” before continuing as above.
Repeat for C:\Program Files (x86)\Shibboleth\ProcRun\log
Object Type | Name | ACE to add |
---|---|---|
RegistryKey | HKLM\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp | READ for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\IdP\jetty-base\start.d | READ for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\IdP\conf | READ for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\IdP\credentials | READ for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\IdP\jetty-base\logs | READ/WRITE/DELETE/CONTROL (Full control) for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\IdP\logs | READ/WRITE/DELETE/CONTROL (Full control) for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\ProcRun\log | READ/WRITE/DELETE/CONTROL (Full control) for SHIBD_USER |
Directory | C:\Program Files (x86)\Shibboleth\IdP\jetty-base\tmp | READ/WRITE/DELETE/CONTROL (Full control) for SHIBD_USER |
Open the services control panel (Control Panel\All Control Panel Items\Administrative Tools\services)
Find the Shibboleth IdP Daemon and double click
Select the “Log On” tab.
Click on “This account” and fill in the user details
Stop and restart the service
The service should restart without problems. You should check (with Task Manager) that it is running under the correct account.
As usual, a failure to start should be debugged by checking the logs:
If idp-process.log is being written to, then the change has been successful.
Otherwise, if the Jetty logs (IdP\jetty-base\logs) are being written, then the issue is with Jetty and those logs will help.
Otherwise, if the Procrun logs (Procrun\log) are being written, then they will help.
Otherwise, consult the Windows Event log.
If you are using any new or non-standard locations (for instance to cache metadata), then you may need to add ACEs to allow Jetty and the IdP access.
You have to redo the ACL settings and the service account setting after every update.
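Because the ACLs and the service account must be redone after every update, the procedure above (account creation, the ACE table, the service “Log On” change and the account check) is worth scripting. The following is an added PowerShell example, not part of this page or the Shibboleth project; it assumes a local (non-AD) account, that the service name is shibd_idp (the same as its Procrun registry key), and an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the Shibboleth project). Assumptions: local account,
# service name 'shibd_idp' (same as the Procrun key), elevated PowerShell 5.1+.
$User = 'SHIBD_USER'
$Svc  = 'shibd_idp'
$Base = 'C:\Program Files (x86)\Shibboleth'
$Cred = Get-Credential -UserName ".\$User" -Message "Password for $User"

# 1. Create the account as a plain member of Users (never Administrators).
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Cred.Password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Shibboleth IdP service account' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $User
}
# "Log on as a service" and the three Deny rights are user-rights assignments with
# no built-in cmdlet; set them in secpol.msc / Group Policy as described above.

# 2. Directory ACEs from the table: read-only for config, Full control for log/tmp.
$ReadOnly = "$Base\IdP\jetty-base\start.d", "$Base\IdP\conf", "$Base\IdP\credentials"
$Writable = "$Base\IdP\jetty-base\logs", "$Base\IdP\logs",
            "$Base\IdP\jetty-base\tmp", "$Base\ProcRun\log"
function Add-DirAce([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights) {
    $acl = Get-Acl -Path $Path
    # ContainerInherit+ObjectInherit = "This folder, subfolders and files" in the GUI.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $User, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
$ReadOnly | ForEach-Object { Add-DirAce $_ 'ReadAndExecute' }  # Read&Execute, List, Read
$Writable | ForEach-Object { Add-DirAce $_ 'FullControl' }

# 3. Registry ACE: READ only on the Procrun key, so the service cannot rewrite itself.
$Key = "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$Svc"
$acl = Get-Acl -Path $Key
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $User, 'ReadKey', 'ContainerInherit', 'None', 'Allow'))
Set-Acl -Path $Key -AclObject $acl

# 4. Switch the service's "Log On" account and restart it.
$plain = $Cred.GetNetworkCredential().Password
& sc.exe config $Svc obj= ".\$User" password= $plain | Out-Null
Restart-Service -Name $Svc

# 5. Verify: the service must now report the new account, not LocalSystem.
$s = Get-CimInstance Win32_Service -Filter "Name='$Svc'"
if ($s.StartName -ne ".\$User" -or $s.State -ne 'Running') {
    throw "$Svc is '$($s.State)' as '$($s.StartName)'; check idp-process.log, jetty-base\logs, ProcRun\log"
}
```

Running the script again after an update is safe: the account is only created if missing, and re-adding an identical ACE is a no-op.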