This article explains how to decide whether to use domain accounts or local computer accounts for the Discovery Center service accounts.
The Active Navigation installer accepts service accounts defined either in the Windows domain the server belongs to or as local computer accounts. The choice affects how you can manage user access to the Discovery Center user interface.
Domain Accounts
If you want users to authenticate to the Discovery Center user interface with their existing domain accounts, the Discovery Center server must be joined to the appropriate domain; otherwise the server cannot validate domain credentials when users log in.
When the server is joined to a domain, we recommend using domain service accounts, which reduces the chance that system configuration prevents authentication and authorization. If your architecture uses a separate database server, domain service accounts are required so that the Discovery Center server can authenticate to the database server: a local computer account exists only on the server that defines it and cannot be authenticated by a remote machine.
Local Accounts
When the Discovery Center Web Interface Service runs as a local account, it cannot evaluate membership of domain groups, so groups defined in the domain cannot be used to control access to the Discovery Center. If you want to use groups for access control in that configuration, define them as local groups on the Discovery Center server. Alternatively, add individual user accounts, either local or domain, explicitly to Discovery Center roles via the User Access tab.
If you use local computer service accounts on a server that is a member of a domain, be aware of the following limitations and issues:
- Domain groups cannot be used to manage Discovery Center roles, as described under Local Accounts above.
- If users cannot log in with a domain account and receive HTTP 401 errors despite entering a valid user name and password, you may need to configure the Active Navigation site in IIS so that NTLM is the only Windows Authentication provider (that is, remove Negotiate from the site's provider list). Because Negotiate is how IIS offers Kerberos, this change disables Kerberos for that site; treat it as a workaround for the local service account configuration rather than a default setting.
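The following PowerShell script is an added example for the local service account scenario described in this section (the local group alternative and the NTLM-only workaround); it is not part of the Active Navigation product or its documentation. The application pool name, the IIS site path, the domain name, the local group name and the user accounts are assumed placeholders. It uses the WebAdministration module and the built-in LocalAccounts cmdlets and must be run in an elevated session on the Discovery Center server.

```powershell
# Added example (not Active Navigation's own code): configuring a domain-joined
# Discovery Center server whose service runs under a LOCAL computer account.
# Assumed names: app pool 'ActiveNavigation', site path
# 'Default Web Site/ActiveNavigation', domain 'CONTOSO', local group 'DC-Users'.

Import-Module WebAdministration

$poolName  = 'ActiveNavigation'                  # assumed application pool name
$location  = 'Default Web Site/ActiveNavigation' # assumed IIS site/application path
$psPath    = 'MACHINE/WEBROOT/APPHOST'           # commit to applicationHost.config
$winAuth   = 'system.webServer/security/authentication/windowsAuthentication'
$providers = "$winAuth/providers"

# 1. Confirm which identity the web application actually runs as. A userName
#    without a domain prefix (or prefixed with '.\' or the computer name) is a
#    local computer account, which is the case these limitations apply to.
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
"App pool identity: type={0} user={1}" -f $pm.identityType, $pm.userName

# 2. A local service account cannot evaluate domain group membership, so put the
#    users in a LOCAL group instead. A local group on a domain-joined server may
#    contain domain users, so users still do not have to be managed one by one.
$group   = 'DC-Users'                            # assumed local group name
$members = @('CONTOSO\jdoe', 'CONTOSO\asmith')   # constructed example principals
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'Discovery Center UI users' | Out-Null
}
foreach ($m in $members) {
    # Add-LocalGroupMember errors if the member is already present; ignore that.
    Add-LocalGroupMember -Group $group -Member $m -ErrorAction SilentlyContinue
}
Get-LocalGroupMember -Group $group | Format-Table Name, PrincipalSource -AutoSize
# The group is then granted a role on the Discovery Center User Access tab.

# 3. If domain users get HTTP 401 with valid credentials, restrict Windows
#    Authentication on this site to NTLM by removing Negotiate (Kerberos).
#    Record the effective provider list before changing it.
$before = (Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$providers/add").value
"Providers before: $($before -join ', ')"

if ($before -contains 'Negotiate') {
    Remove-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $providers -Name '.' -AtElement @{ value = 'Negotiate' }
}
if ($before -notcontains 'NTLM') {
    Add-WebConfigurationProperty -PSPath $psPath -Location $location `
        -Filter $providers -Name '.' -Value @{ value = 'NTLM' }
}
# Windows Authentication itself must be enabled for the providers to matter.
Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $winAuth -Name enabled -Value $true

$after = (Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$providers/add").value
"Providers after:  $($after -join ', ')"
```

The provider change is committed to applicationHost.config at the given -Location, so other sites on the server keep their own provider lists; check the "before" and "after" output to confirm only the Active Navigation site was affected. Re-run the domain user login after the change; if the 401 persists, the cause is not the Negotiate/NTLM selection and the provider list should be restored.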