Provisioning Services uses Windows authentication for accessing the database. Microsoft SQL Server authentication is not supported except by the Configuration Wizard.
Configuration wizard user permissions
The following MS SQL permissions are required for the user that is running the Configuration wizard:
- dbcreator for creating the database
- securityadmin for creating the SQL logins for the Stream and SOAP services.
If you are using MS SQL Express in a test environment, you can choose to give the user that is running the Configuration wizard the sysadmin role (the highest privilege level on the SQL Server instance, and far more than the wizard needs).
Alternatively, if the database administrator has provided an empty database, the user running the Configuration wizard must be the owner of that database and must hold the View any definition permission; both are set by the database administrator when the empty database is created.
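The two wizard-user paths above (dbcreator plus securityadmin so the wizard creates the database itself, or a DBA-provided empty database owned by the wizard account with View any definition) can be audited and pre-provisioned from PowerShell. The script below is an added example and not Citrix code or part of the Configuration wizard; it assumes the SqlServer module (Invoke-Sqlcmd) and a caller with securityadmin-level rights, and the instance, database and account names are placeholders.

```powershell
# Added example, not Citrix code: audit the account that will run the Configuration
# wizard and, for the "DBA provides an empty database" path, grant it only what the
# wizard needs (database owner + VIEW ANY DEFINITION) instead of sysadmin.
# Assumes the SqlServer module (Invoke-Sqlcmd) and a caller with securityadmin-level
# rights on the instance. Instance, database and account names are placeholders.
Import-Module SqlServer

$Instance   = 'SQL01\PVS'              # assumption: SQL Server instance hosting the PVS database
$Database   = 'ProvisioningServices'   # assumption: name the DBA gives the empty database
$WizardUser = 'CORP\pvs-setup'         # assumption: domain account that runs the wizard

function Get-WizardUserServerRoles {
    param([string]$ServerInstance, [string]$Login)
    # IS_SRVROLEMEMBER accepts the login name as its second argument, so no impersonation is needed.
    $q = @"
SELECT IS_SRVROLEMEMBER('sysadmin',      N'$Login') AS is_sysadmin,
       IS_SRVROLEMEMBER('dbcreator',     N'$Login') AS is_dbcreator,
       IS_SRVROLEMEMBER('securityadmin', N'$Login') AS is_securityadmin;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $q
}

$r = Get-WizardUserServerRoles -ServerInstance $Instance -Login $WizardUser
if ($r.is_sysadmin -eq 1) {
    Write-Warning "$WizardUser is sysadmin: acceptable only on a SQL Express test instance, not in production."
}
$wizardCanCreateDb = ($r.is_dbcreator -eq 1) -and ($r.is_securityadmin -eq 1)

if (-not $wizardCanCreateDb) {
    # Least-privilege path: the DBA creates the empty database, makes the wizard account
    # its owner and grants VIEW ANY DEFINITION (a server-level permission, granted in master).
    $q = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$WizardUser')
    CREATE LOGIN [$WizardUser] FROM WINDOWS;
IF DB_ID(N'$Database') IS NULL
    CREATE DATABASE [$Database];
ALTER AUTHORIZATION ON DATABASE::[$Database] TO [$WizardUser];
GRANT VIEW ANY DEFINITION TO [$WizardUser];
"@
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $q

    # Confirm ownership and the permission before handing the instance back to the PVS admin.
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner,
       (SELECT COUNT(*) FROM sys.server_permissions p
          JOIN sys.server_principals s ON s.principal_id = p.grantee_principal_id
         WHERE s.name = N'$WizardUser'
           AND p.permission_name = N'VIEW ANY DEFINITION'
           AND p.state = 'G') AS has_view_any_definition
FROM sys.databases d WHERE d.name = N'$Database';
"@
}
```

The audit deliberately treats sysadmin as a warning rather than a pass: it satisfies the wizard, but it is the setting the page reserves for a test environment, and the DBA-provided database path is the one to use where a DBA is available.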
Service account permissions
The user context for the Stream and SOAP services requires the following database permissions:
- db_datareader
- db_datawriter
- Execute permissions on stored procedures
The db_datareader and db_datawriter database roles are configured automatically for the Stream and SOAP Services user account by the Configuration wizard, provided the user running the wizard has securityadmin permissions. In addition, the service user must have the following system privileges:
- Run as service
- Registry read access
- Access to Program Files\Citrix\Provisioning Services
- Read and write access to any vDisk location
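When the wizard cannot be given securityadmin, a DBA can grant the Stream and SOAP service account exactly the database access listed above and verify it, and the Windows-side requirements (run as a service, access to the install folder, read and write access to the vDisk store) can be checked on each Provisioning server. The script below is an added example, not Citrix code; it assumes the SqlServer module, that the Provisioning Services stored procedures live in the dbo schema, and an elevated session on the Provisioning server for the secedit export. Account names, the instance and the vDisk store path are placeholders.

```powershell
# Added example, not Citrix code: pre-provision the Stream/SOAP service account with
# exactly the database access listed on the page (db_datareader, db_datawriter, EXECUTE
# on the stored procedures) and verify it, then check the Windows-side requirements:
# the "Log on as a service" right, read access to the install folder and read/write
# access to the vDisk store. Assumes the SqlServer module, that PVS procedures live in
# the dbo schema, and an elevated session for secedit. All names and paths are placeholders.
Import-Module SqlServer

$Instance   = 'SQL01\PVS'                      # assumption: SQL instance
$Database   = 'ProvisioningServices'           # assumption: PVS database name
$Svc        = 'CORP\svc-pvs'                   # assumption: domain account for the Stream and SOAP services
$VdiskStore = 'D:\vDisks'                      # assumption: vDisk store path
$InstallDir = "$env:ProgramFiles\Citrix\Provisioning Services"

function Grant-PvsServiceDbAccess {
    param([string]$ServerInstance, [string]$Db, [string]$Account)
    $q = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_datareader ADD MEMBER [$Account];
ALTER ROLE db_datawriter ADD MEMBER [$Account];
GRANT EXECUTE ON SCHEMA::dbo TO [$Account];   -- stored procedures only; no ALTER, no db_owner
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $q
}

function Test-PvsServiceDbAccess {
    param([string]$ServerInstance, [string]$Db, [string]$Account)
    # Impersonate the service user inside the database and ask SQL Server what it can do.
    $q = @"
EXECUTE AS USER = N'$Account';
SELECT IS_ROLEMEMBER('db_datareader') AS datareader,
       IS_ROLEMEMBER('db_datawriter') AS datawriter,
       HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'EXECUTE') AS can_execute,
       IS_ROLEMEMBER('db_owner') AS is_dbowner;   -- should be 0: the services do not need it
REVERT;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Db -Query $q
}

function Test-LogonAsServiceRight {
    param([string]$Account)
    # secedit exports assigned rights as SIDs, so translate the account name first.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return [bool]($line -and $line -match [regex]::Escape($sid))
}

function Test-FolderAccess {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Needed)
    # True when an Allow ACE granted directly to the account covers every needed right.
    # Rights inherited through group membership are not resolved here.
    $allow = (Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
    }
    foreach ($ace in $allow) {
        if (($ace.FileSystemRights -band $Needed) -eq $Needed) { return $true }
    }
    return $false
}

Grant-PvsServiceDbAccess -ServerInstance $Instance -Db $Database -Account $Svc
Test-PvsServiceDbAccess  -ServerInstance $Instance -Db $Database -Account $Svc | Format-List

[pscustomobject]@{
    LogOnAsService = Test-LogonAsServiceRight -Account $Svc
    InstallDirRead = Test-FolderAccess -Path $InstallDir -Account $Svc -Needed ReadAndExecute
    VdiskReadWrite = Test-FolderAccess -Path $VdiskStore -Account $Svc -Needed 'Read, Write'
}
```

The verification query runs under EXECUTE AS USER so that it reports the effective permissions SQL Server will actually apply to the service, and it also reports db_owner membership because that is the over-grant most often found on service accounts after a hurried setup.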
Determine which of the following supported user accounts the Stream and SOAP services run under:
Provisioning Services support for KMS licensing requires the SOAP Server user account to be a member of the local administrators group.
Because workgroup environments have no shared authentication authority (no domain), a minimum-privilege local user account must be created on each server, and every instance must use identical credentials (the same user name and password).
Determine the appropriate security option to use in this farm. Only one option can be selected per farm, and the selection affects role-based administration:
Console users do not directly access the database.
Minimum permissions required for additional Provisioning Services functionality include:
- Provisioning Services XenDesktop Setup wizard, Streamed VM Setup wizard, and ImageUpdate service:
  - vCenter, SCVMM, and XenServer minimum permissions
  - Permissions for the current user on an existing XenDesktop controller
  - A Provisioning Services Console user account configured as a XenDesktop administrator and added to a PVS SiteAdmin group or higher
  - Active Directory Create Accounts permission to create new accounts in the Console. To use existing accounts, the Active Directory accounts must already exist in a known OU for selection
  - If using Personal vDisks with XenDesktop, the SOAP Server user account must have XenDesktop Full administrator privileges
- AD account synchronization: Create, Reset, and Delete permissions
- vDisk: Privileges to perform volume maintenance tasks
By default, the Provisioning Services Console, Imaging wizard, PowerShell snap-in, and MCLI use Kerberos authentication when communicating with the Provisioning Services SOAP Service in an Active Directory environment. Kerberos requires that a service register a service principal name (SPN) for itself with the domain controller (the Kerberos Key Distribution Center). This registration is essential because it lets Active Directory map the SPN to the account that the Provisioning Services SOAP Service runs under and issue service tickets for it. If the SPN is not registered, Kerberos authentication fails and Provisioning Services falls back to NTLM authentication.
The Provisioning Services SOAP Service registers its SPN every time the service starts and unregisters it when the service stops. The registration fails, however, if the service account does not have permission to write the SPN on its own Active Directory object. By default, the Network Service account (which writes the SPN as the computer account) and domain administrators have this permission; ordinary domain user accounts do not.
To work around this permissions issue, do either of the following:
- Run the service under a different account that already has permission to create SPNs.
- Assign the service account the right to write its own SPN in Active Directory:
  - Write Validated SPN (the validated write to servicePrincipalName; applies to computer accounts)
  - Write Public Information (the property set that contains servicePrincipalName; applies to user accounts)
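The SPN check and the second workaround (granting a domain user account the right to write its own SPN) can be scripted against Active Directory, and the NTLM fallback described above can be confirmed or ruled out from the SOAP server's Security log. The script below is an added example, not Citrix code; it assumes the ActiveDirectory module, rights to edit the service account's ACL, and that the PVS server audits logon events. The account name, server name and SPN value are placeholders, and the SPN pattern in particular is an assumption that should be confirmed with `setspn -L <account>` on a working server.

```powershell
# Added example, not Citrix code: check whether the account the SOAP Service runs under
# has its SPN registered; if the account is an ordinary domain user, grant SELF the
# "Write Public Information" property set on its own object so the service can register
# the SPN at every start (computer accounts get "Validated write to SPN" by default);
# then look for NTLM network logons on the SOAP server, which indicate the fallback.
# Assumes the ActiveDirectory module and rights to edit the account's ACL.
# Account, server and SPN values are placeholders; confirm the SPN with setspn -L.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-pvs'                    # assumption: sAMAccountName of the SOAP service account
$PvsServer      = 'pvs01.corp.example'         # assumption: FQDN of the Provisioning server
$ExpectedSpn    = "PVSSoap/$PvsServer"         # assumption: SPN pattern; verify with setspn -L

function Test-SpnRegistered {
    param([string]$Account, [string]$Spn)
    $u = Get-ADUser -Identity $Account -Properties servicePrincipalName
    return [bool]($u.servicePrincipalName -contains $Spn)
}

function Grant-SelfWritePublicInformation {
    param([string]$Account)
    # Resolve the property-set GUID from this forest's Extended-Rights container
    # rather than hardcoding it.
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                          -Filter "name -eq 'Public-Information'" -Properties rightsGuid
    if (-not $right) { throw 'Public-Information property set not found under Extended-Rights' }

    $dn   = (Get-ADUser -Identity $Account).DistinguishedName
    $self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'   # SELF
    # WriteProperty scoped to the property set: servicePrincipalName is a member of it,
    # so the account can write its own SPN but nothing outside the set.
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $self,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [guid]$right.rightsGuid)

    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Get-NtlmNetworkLogons {
    param([string]$ComputerName, [int]$Hours = 24)
    # Event 4624, logon type 3, authentication package NTLM: console or wizard sessions
    # that fell back from Kerberos. After the SPN is registered these should stop.
    $ms    = $Hours * 3600000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
             "EventData[Data[@Name='LogonType']='3' and Data[@Name='AuthenticationPackageName']='NTLM']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ n = 'User';   e = { $_.Properties[5].Value } },   # TargetUserName
                      @{ n = 'Source'; e = { $_.Properties[18].Value } }   # IpAddress
}

if (-not (Test-SpnRegistered -Account $ServiceAccount -Spn $ExpectedSpn)) {
    Write-Warning "$ExpectedSpn is not registered for $ServiceAccount; granting self-write and restart the SOAP Service"
    Grant-SelfWritePublicInformation -Account $ServiceAccount
}
Get-NtlmNetworkLogons -ComputerName $PvsServer -Hours 24 | Format-Table -AutoSize
```

Granting SELF the property set rather than full write to the object keeps the change to the minimum the page describes; the NTLM logon listing is the evidence that the fallback is (or is no longer) happening, since the Kerberos failure itself is silent from the console's point of view.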