Alexander Anikin's blog

My personal blog

SharePoint Service Account’s Permissions for Office Web Apps


I did some investigation into SharePoint account permissions and rights.

What I have: Windows Server 2008 R2 (joined to AD, with service packs), SharePoint Foundation 2010 (very important – with update KB2394323), Office Web Applications (very important – with update KB2346411 – this update has a lot of changes for OWA, and big changes in PowerPoint).

I have a simple account configuration:
domain\ow_site – web application pool
Domain groups (member of): Domain Users, plus rights to read other users' accounts if needed.
Local server: Administrators (WSS_WPG and others are added automatically when the managed accounts are created)
Local policies (if needed for any reason, e.g. specific authentication with an HTTP module): Act as part of the operating system, Log on as a service

domain\ow_services – services pool (by default: SharePoint Services Default Pool: Word, PowerPoint, Excel, etc.; we can definitely use a separate account for services)
Domain groups (member of): Domain Users, plus rights to read other users' accounts if needed.
Local server: Administrators (WSS_WPG and others are added automatically when the managed accounts are created)
Local policies (if needed for any reason, e.g. specific authentication with an HTTP module): Act as part of the operating system, Log on as a service

Comments:

1. The Excel Services account should be in the local Administrators group when it is working with File Access Method – Impersonation. (More info: https://aanikin.wordpress.com/2010/11/13/excel-services-file-access-method-impersonation/)

2. After security update KB2346411, the PowerPoint service requires that the web application pool account be a member of the local Administrators group. (I think it is something to do with local policies.)

3. After security update KB2346411, the PowerPoint service account must have rights to write to the web application content DB:

Adding the db_owner role for the ow_services account on the web application content DB:
a. Get the database name in Central Administration -> Application Management -> Manage content database; choose the created Office Web Application in the upper right corner. Copy DB_NAME for this application.
b. Create a config.sql file:
use [DB_NAME]
go
create user [DOMAIN\svc_ow_services] from login [DOMAIN\svc_ow_services]
go
exec sp_addrolemember 'db_owner', 'DOMAIN\svc_ow_services'
go
c. Run this command as administrator in the same folder as config.sql:
"C:\Program Files\Microsoft SQL Server\100\Tools\Binn\sqlcmd" -S localhost\SHAREPOINT -i config.sql
d. Run iisreset /noforce
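
A variant of config.sql that can be re-run safely and then lists every member of db_owner, so the grant can be verified after step c and reviewed later. This is an added example, not the author's script; DB_NAME and DOMAIN\svc_ow_services are the placeholders from the steps above.

```sql
-- Added example: idempotent grant plus audit of db_owner membership.
-- DB_NAME and DOMAIN\svc_ow_services are placeholders, as in config.sql.
USE [DB_NAME];
GO

-- Map the login to a database user only if it is not mapped already.
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE name = N'DOMAIN\svc_ow_services')
    CREATE USER [DOMAIN\svc_ow_services] FROM LOGIN [DOMAIN\svc_ow_services];
GO

-- Add the user to db_owner only if it is not a member yet.
IF NOT EXISTS (SELECT 1
               FROM sys.database_role_members AS rm
               JOIN sys.database_principals AS r
                 ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals AS m
                 ON m.principal_id = rm.member_principal_id
               WHERE r.name = N'db_owner'
                 AND m.name = N'DOMAIN\svc_ow_services')
    EXEC sp_addrolemember N'db_owner', N'DOMAIN\svc_ow_services';
GO

-- Audit: every principal that currently holds db_owner in this content DB.
-- db_owner is full control of the database, so this list should stay short
-- and every entry should be an account you can explain.
SELECT r.name        AS role_name,
       m.name        AS member_name,
       m.type_desc   AS member_type,
       m.create_date AS user_created
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
GO
```

It runs with the same sqlcmd command as in step c.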


Written by Alex Anikin

December 21, 2010 at 1:41 pm
