The Shibboleth IdP V4 software will leave support on September 1, 2024.

Windows: Running the IdP Daemon as a separate account

Under Construction

As installed, the SHIBD_IDP system service runs as the “Local System” account, the most privileged identity on the machine. It is preferable to run the service with as few permissions and privileges as possible, so that a compromise of the IdP process does not hand an attacker the whole host. In particular it is important to deny the service the ability to write to the IdP’s own configuration and credentials, so that a compromised process cannot alter its own trust settings or key material.

This is done after (every) installation, see the note on updating at the end of this page, and is quite easy to achieve. There are three steps:

  • Create an appropriate account

  • Add appropriate ACEs to various system objects

  • Arrange for the service to run as this user.

Create an Appropriate Account

Throughout we will use the identifier SHIBD_USER to refer to the created user. Obviously this can be any identifier you want.

Users of Active Directory should consider service accounts, in particular “group Managed Service Accounts” (gMSAs), which have no password for an administrator to set, store or rotate.

The created account should have as few privileges and permissions as possible. In particular:

  • The account should be a Member of “Users”, but not “Administrators” (of any flavor)

  • The account should have the following rights (Local Security Policy, User Rights Assignment):

    • Log on as a service

    • Deny log on as a batch job

    • Deny log on locally

    • Deny log on through Remote Desktop Services

The three “Deny” rights ensure that the account’s password, even if it is stolen, cannot be used for an interactive, remote or scheduled-task logon; the only thing the account can do is start the service.

Add Appropriate ACEs to various System Objects

How to do this manually

  1. Open Regedit. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp (Procrun reads the service’s JVM and start-up parameters from this key)

    • Right click, Permissions, Add…, enter SHIBD_USER, then click “Check Names”, click OK

    • Allow Read, but NOT Full Control

  2. Open Explorer, right click on C:\Program Files (x86)\Shibboleth\IdP\jetty-base\start.d and choose Properties

    • Security tab, Advanced, Continue (as elevated)

    • Add, Select a principal, enter SHIBD_USER, then click “Check Names”, click OK

    • Make sure “Type” is “Allow” and “Applies to” is “This folder, subfolders and files”

    • Make sure that “Read & execute”, “List folder contents” and “Read” are checked and nothing else

    • OK, OK

    • Dismiss the window

  3. Repeat the above for C:\Program Files (x86)\Shibboleth\IdP\conf

  4. Repeat the above for C:\Program Files (x86)\Shibboleth\IdP\credentials

  5. Open Explorer, right click on C:\Program Files (x86)\Shibboleth\IdP\jetty-base\logs and choose Properties

    • Security tab, Edit…

    • Add…, enter SHIBD_USER, then click “Check Names”, click OK

    • Select “Full control” and then OK

    • Dismiss the window

  6. Repeat for C:\Program Files (x86)\Shibboleth\IdP\jetty-base\tmp

  7. Repeat for C:\Program Files (x86)\Shibboleth\IdP\logs

    • You may get a warning that the permissions are incorrectly ordered. Click “Edit”, then “Reorder”, before continuing as above

  8. Repeat for C:\Program Files (x86)\Shibboleth\ProcRun\log

Note that “Full control” on these directories also lets the service identity change their ACLs and take ownership of them. “Modify” is sufficient for Jetty and the IdP to create, rotate and delete their log and temporary files, and is the better choice if you want to stay closer to least privilege.

In Summary

Object Type   Name                                                                        ACE to add
RegistryKey   HKLM\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp  READ for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\IdP\jetty-base\start.d                    READ for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\IdP\conf                                  READ for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\IdP\credentials                           READ for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\IdP\jetty-base\logs                       READ/WRITE/DELETE/CONTROL for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\IdP\logs                                  READ/WRITE/DELETE/CONTROL for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\ProcRun\log                               READ/WRITE/DELETE/CONTROL for SHIBD_USER
Directory     C:\Program Files (x86)\Shibboleth\IdP\jetty-base\tmp                        READ/WRITE/DELETE/CONTROL for SHIBD_USER

Arrange for the Service to Run as SHIBD_USER

  • Open the Services console (services.msc, or Control Panel\All Control Panel Items\Administrative Tools\Services)

  • Find the Shibboleth IdP Daemon and double click it

  • Select the “Log On” tab.

  • Click on “This account”, fill in the user details and click OK. The Services console grants the account the “Log on as a service” right if it does not already have it; setting the account by other means (sc.exe config, for example) does not, so grant the right yourself in that case.

  • Stop and restart the service
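The three steps above, scripted as one PowerShell session. This is an added example, not code from the Shibboleth project or from this page; it assumes the default install paths and service name used on this page and a local account named SHIBD_USER, and Add-UserRight and Grant-DirAccess are helper functions defined here, not Windows cmdlets. Where the page grants Full control on the log directories, the script grants Modify, which is all Jetty and the IdP need to create, rotate and delete files.

```powershell
# Added example, not from the Shibboleth project or this page: applies the three
# steps above non-interactively on one machine. Assumes the default install paths
# used on this page, the service name shibd_idp, and a LOCAL account named
# SHIBD_USER (for a gMSA, skip the account creation and set StartName to
# 'DOMAIN\account$' with no password). Run from an elevated Windows PowerShell 5.1+.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$User    = 'SHIBD_USER'
$Service = 'shibd_idp'
$Root    = 'C:\Program Files (x86)\Shibboleth'
$RegKey  = 'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\shibd_idp'

# ---- Step 1: create the account: member of Users only, long random password --------
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$PlainPw  = [Convert]::ToBase64String($bytes)          # only ever handed to the SCM
$SecurePw = ConvertTo-SecureString $PlainPw -AsPlainText -Force
if (Get-LocalUser -Name $User -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $User -Password $SecurePw
} else {
    New-LocalUser -Name $User -Password $SecurePw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Shibboleth IdP service account' | Out-Null
}
# New-LocalUser does not put the account in any group; make it a member of Users and nothing else.
if (-not (Get-LocalGroupMember -Group 'Users' -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -like "*\$User" })) {
    Add-LocalGroupMember -Group 'Users' -Member $User
}
$Sid = (Get-LocalUser -Name $User).SID.Value

# User rights: secedit REPLACES each right's assignment list on import, so export the
# current list first and append our SID to it instead of overwriting other principals.
function Add-UserRight([string[]]$Rights, [string]$Sid) {
    $cfg = Join-Path $env:TEMP 'idp-rights.inf'
    $db  = Join-Path $env:TEMP 'idp-rights.sdb'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $current = Get-Content $cfg
    $new = foreach ($r in $Rights) {
        $line = $current | Where-Object { $_ -match "^$r\s*=" }
        $list = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
        if (($list -split ',' | ForEach-Object { $_.Trim() }) -contains "*$Sid") { "$r = $list" }
        elseif ($list) { "$r = $list,*$Sid" }
        else { "$r = *$Sid" }
    }
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]') + $new | Set-Content $cfg -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}
Add-UserRight -Sid $Sid -Rights @(
    'SeServiceLogonRight',                # Log on as a service
    'SeDenyBatchLogonRight',              # Deny log on as a batch job
    'SeDenyInteractiveLogonRight',        # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Remote Desktop Services
)

# ---- Step 2: ACEs. Read-only on what the IdP must never modify, Modify on log dirs ---
$acl = Get-Acl -Path $RegKey
$acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
    $User, 'ReadKey', 'ContainerInherit', 'None', 'Allow'))
Set-Acl -Path $RegKey -AclObject $acl

function Grant-DirAccess([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights) {
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $User, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    Set-Acl -Path $Path -AclObject $acl   # throws if the existing ACL is not canonically ordered
}
foreach ($d in 'IdP\jetty-base\start.d', 'IdP\conf', 'IdP\credentials') {
    Grant-DirAccess (Join-Path $Root $d) 'ReadAndExecute'   # = Read & execute, List folder contents, Read
}
# The page grants Full control here; Modify is enough to create, rotate and delete
# logs and withholds Change permissions / Take ownership from the service identity.
foreach ($d in 'IdP\jetty-base\logs', 'IdP\jetty-base\tmp', 'IdP\logs', 'ProcRun\log') {
    Grant-DirAccess (Join-Path $Root $d) 'Modify'
}

# ---- Step 3: run the service as the account and restart it --------------------------
# Win32_Service.Change keeps the password off the command line (sc.exe config would not),
# but it does NOT grant "Log on as a service"; that is why step 1 granted it explicitly.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
$res = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = ".\$User"; StartPassword = $PlainPw }
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($res.ReturnValue)" }
Remove-Variable PlainPw, SecurePw
Restart-Service -Name $Service
```

Run it from an elevated PowerShell after each installation that resets the ACLs. If Set-Acl fails with an error about the ACL not being in canonical form, that is the same mis-ordered permissions condition the manual steps warn about: fix the ordering once in the folder’s Advanced Security dialog (“Reorder”) and re-run the script.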

Testing and Debugging

The service should restart without problems. You should check (with Task Manager, Details tab, “User name” column) that it is running under the correct account.

As usual, failure to start should be debugged by checking the logs, in this order:

  1. If idp-process.log is being written to, then the change has been successful

  2. Otherwise, if the Jetty logs (IdP\jetty-base\logs) are being written, then the issue is with Jetty and those logs will help

  3. Otherwise, if the Procrun logs (ProcRun\log) are being written, then they will help

  4. Otherwise, consult the Windows Event log. The Service Control Manager records a wrong password, a missing “Log on as a service” right, or access denied to the service binary in the System log.

If you are using any new or non-standard locations (for instance to cache metadata), then you may need to add ACEs to allow Jetty and the IdP access to them.
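The checks above as one PowerShell script. This is an added example, not code from the Shibboleth project or from this page; it assumes the default install paths and service name used on this page and a local account named SHIBD_USER. Beyond the page’s Task Manager check it reads the owner of the live process from the process itself, audits the ACLs on the read-only directories for any write-capable right granted to the account, and walks the log locations in the order the text prescribes.

```powershell
# Added example, not from the Shibboleth project or this page: verifies the
# service identity, audits the read-only ACEs, and triages the logs in the order
# given above. Assumes the default paths on this page, service name shibd_idp
# and a local account SHIBD_USER.
$User    = 'SHIBD_USER'
$Service = 'shibd_idp'
$Root    = 'C:\Program Files (x86)\Shibboleth'

# 1. Service identity: what the SCM is configured with, and the owner of the live process
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
"SCM: $($svc.Name) state=$($svc.State) logon=$($svc.StartName) pid=$($svc.ProcessId)"
if ($svc.ProcessId) {
    $proc  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    "Process token: $($owner.Domain)\$($owner.User)"
}

# 2. ACE audit: the account must hold no write-capable right (inherited or explicit)
#    on the directories the page makes read-only. Modify and FullControl both include Write.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($d in 'IdP\jetty-base\start.d', 'IdP\conf', 'IdP\credentials') {
    $path = Join-Path $Root $d
    $bad = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$User" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $WriteBits) -ne 0
    }
    if ($bad) { "WARNING: $path grants $User $($bad.FileSystemRights)" }
    else      { "OK: $path is read-only for $User" }
}

# 3. Logs, in diagnostic order: the first location that is fresh shows how far
#    start-up got (IdP, then Jetty, then Procrun); if none is, ask the event log.
$since  = (Get-Date).AddMinutes(-10)
$places = [ordered]@{
    'IdP (idp-process.log)' = Join-Path $Root 'IdP\logs\idp-process.log'
    'Jetty'                 = Join-Path $Root 'IdP\jetty-base\logs'
    'Procrun'               = Join-Path $Root 'ProcRun\log'
}
$found = $false
foreach ($name in $places.Keys) {
    $newest = Get-ChildItem -Path $places[$name] -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest -and $newest.LastWriteTime -gt $since) {
        "$name written at $($newest.LastWriteTime): $($newest.FullName)"
        $found = $true
        break
    }
    "$name: nothing written since $since"
}
if (-not $found) {
    # Nothing logged by any layer: the SCM usually says why (logon failure for a bad
    # password or missing logon right, access denied to the binary) in the System log.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Service } |
        Format-List TimeCreated, Id, Message
}
```

Run it in an elevated session right after restarting the service; the ten-minute window and the directory list are the only things you should need to change for a non-default layout.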

Updating (IdP versions 4.2 and earlier)

You have to redo the setting of the ACLs and the setting of the service account after every update.