Environment
Situation
How do you move from using SQL authentication to Windows authentication?
Resolution
Migrating a Sentinel 5 system from using SQL Authentication to Windows Authentication
Note: These instructions assume you are still using the same database and just reconfiguring this database to use Windows Authentication Only rather than Mixed-Mode Authentication (Windows Authentication and SQL Authentication).
1. Create Windows Domain logins for the following default users: esecdba, esecapp, esecadm, esecrpt. Also, create a Windows Domain login for any of the users created through Sentinel Control Center after installation that were specified as a "Local" user (as opposed to "Domain").
2. On the machine running DAS, stop the following services:
   - eSecurity
   - eSecurity Communication
3. Wait a while for the services to stop.
4. Add the Windows Domain logins to the SQL Server by going to {DB Server}\Security\Logins in Enterprise Manager and clicking Action > New Login. For each Windows Domain login added to SQL Server, copy the DB permissions from the corresponding SQL Server Authentication user.
5. For each Windows Domain login added to SQL Server, copy the settings in the "Server Roles" and "Database Access" tabs from the properties of the SQL Authentication user to the corresponding Windows Authentication user.
6. In the ESEC database, update the USERS table for each Windows Domain login added that has a corresponding row in the USERS table (esecdba and esecapp will not have rows in the USERS table). You must update the following columns for each row that was a SQL Authentication user and is now becoming a Windows Domain user:
   a. NAME – Change this to the name of the Windows Domain login that is replacing the SQL Authentication login. This must be the full Windows Domain login, including the domain name (e.g. esecurity\esecadm).
   b. UPPER_NAME – Change this to the upper case version of the Windows Domain login that is replacing the SQL Authentication login. This must be the full Windows Domain login, including the domain name (e.g. ESECURITY\ESECADM).
   c. DOMAIN_AUTH_IND – Set the value in this column to 1.
7. For all the usernames updated in Step 6, also modify the username in the following tables to match the value put in the NAME column in the USERS table:
   a. In the ESEC database:
      i. CONFIGS – update the USR_ID column
   b. In the ESEC_WF database:
      i. UserTable – update the userid column
      ii. ResourcesTable – update the Username and Name columns.
8. Change the SQL Server to use Windows Authentication Only. To get to this dialog, right click on the database server and select Properties.
9. Delete the SQL Authentication logins from {DB Server}\Security\Logins.
10. Make the esecapp Windows Domain User a local admin/poweruser on the machine running DAS.
11. On the machine running DAS, update the eSecurity service to run as the esecapp Windows Domain User.
12. On the machine running DAS, update all the container XML files in the directory %ESEC_HOME%\sentinel\config to use the Windows Domain account. For Sentinel v5.0.x, the files you need to update are:
   - activity_container.xml
   - alertcontainer.xml
   - attackcontainer.xml
   - das_query.xml
   - das_binary.xml
   - das_cmd.xml
   - workflow_container.xml
   - das_rt.xml (for 5.1.x)
Here you will need to wipe out the username and password value, so set properties as below:
<obj-component id="ConnectionManager">
  <class>esecurity.base.ccs.comp.dataobject.ConnectionManager</class>
  <property name="username" />
  <property name="password" />
…
13. On the machine running DAS, start the following services:
   - eSecurity Communication
   - eSecurity
14. Wait a few minutes for the services to start.
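
Steps 6 and 7 for a single account, written as T-SQL; this is an added example, not a vendor-supplied script. The login esecadm and the domain esecurity are the sample values from step 6, and the two-part names (ESEC..USERS) assume the tables resolve under the default schema of the login running the script; qualify them with the table owner if they do not.

```sql
-- Added example: apply steps 6 and 7 for one user inside a single transaction.
-- Sample values only; replace with the real SQL login and DOMAIN\login.
SET XACT_ABORT ON   -- a run-time error rolls the whole transaction back

DECLARE @old_login sysname, @new_login sysname, @rows int
SET @old_login = 'esecadm'
SET @new_login = 'esecurity\esecadm'

BEGIN TRANSACTION

-- Step 6: rename the USERS row and flag it as a domain account
UPDATE ESEC..USERS
SET    NAME            = @new_login,
       UPPER_NAME      = UPPER(@new_login),
       DOMAIN_AUTH_IND = 1
WHERE  NAME = @old_login
SET @rows = @@ROWCOUNT

-- Stop if the login was mistyped or already converted
IF @rows <> 1
BEGIN
    ROLLBACK TRANSACTION
    RAISERROR('Expected one USERS row for %s, found %d; nothing was changed.',
              16, 1, @old_login, @rows)
    RETURN
END

-- Step 7: keep the dependent tables in line with USERS.NAME
UPDATE ESEC..CONFIGS           SET USR_ID = @new_login WHERE USR_ID = @old_login
UPDATE ESEC_WF..UserTable      SET userid = @new_login WHERE userid = @old_login
UPDATE ESEC_WF..ResourcesTable SET Username = @new_login, Name = @new_login
WHERE  Username = @old_login

COMMIT TRANSACTION

-- Check before steps 8 and 9: rows listed here are still not marked as
-- domain accounts in USERS.
SELECT NAME, DOMAIN_AUTH_IND
FROM   ESEC..USERS
WHERE  DOMAIN_AUTH_IND <> 1 OR DOMAIN_AUTH_IND IS NULL
```

Run it once per converted user while the services from step 2 are stopped, and take a backup of ESEC and ESEC_WF first.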