using active directory accounts with sql server in … intelligence, inc. 7601 interactive way...

Interactive Intelligence, Inc.

7601 Interactive Way Indianapolis, Indiana 46278

Telephone/Fax (317) 872-3000 www.ININ.com

Using Active Directory Accounts with SQL Server in CIC

Technical Reference

Interactive Intelligence Customer Interaction Center® (CIC)

2016 R2

Last updated November 11, 2015 (See Change Log for summary of changes.)

Abstract

This technical reference describes how to use Windows Active Directory accounts in place of Microsoft SQL accounts in CIC.

http://www.inin.com/

Using Active Directory Accounts 2

Copyright and Trademark Information Interactive Intelligence, Interactive Intelligence Customer Interaction Center, Interaction Administrator, Interaction Attendant, Interaction Client, Interaction Designer, Interaction Tracker, Interaction Recorder, Interaction Mobile Office, Interaction Center Platform, Interaction Monitor, Interaction Optimizer, and the “Spirograph” logo design are registered trademarks of Interactive Intelligence, Inc. Customer Interaction Center, EIC, Interaction Fax Viewer, Interaction Server, ION, Interaction Voicemail Player, Interactive Update, Interaction Supervisor, Interaction Migrator, and Interaction Screen Recorder are trademarks of Interactive Intelligence, Inc. The foregoing products are ©1997-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Dialer and Interaction Scripter are registered trademarks of Interactive Intelligence, Inc. The foregoing products are ©2000-2015 Interactive Intelligence, Inc. All rights reserved. Messaging Interaction Center and MIC are trademarks of Interactive Intelligence, Inc. The foregoing products are ©2001-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Director is a registered trademark of Interactive Intelligence, Inc. e-FAQ Knowledge Manager and Interaction Marquee are trademarks of Interactive Intelligence, Inc. The foregoing products are ©2002-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Conference is a trademark of Interactive Intelligence, Inc. The foregoing products are ©2004-2015 Interactive Intelligence, Inc. All rights reserved. Interaction SIP Proxy and Interaction EasyScripter are trademarks of Interactive Intelligence, Inc. The foregoing products are ©2005-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Gateway is a registered trademark of Interactive Intelligence, Inc. Interaction Media Server is a trademark of Interactive Intelligence, Inc. The foregoing products are ©2006-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Desktop is a trademark of Interactive Intelligence, Inc. The foregoing products are ©2007-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Process Automation, Deliberately Innovative, Interaction Feedback, and Interaction SIP Station are registered trademarks of Interactive Intelligence, Inc. The foregoing products are ©2009-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Analyzer is a registered trademark of Interactive Intelligence, Inc. Interaction Web Porta, and IPA are trademarks of Interactive Intelligence, Inc. The foregoing products are ©2010-2015 Interactive Intelligence, Inc. All rights reserved. Spotability is a trademark of Interactive Intelligence, Inc. ©2011-2015. All rights reserved. Interaction Edge, CaaS Quick Spin, Interactive Intelligence Marketplace, Interaction SIP Bridge, and Interaction Mobilizer are registered trademarks of Interactive Intelligence, Inc. Interactive Intelligence Communications as a Service℠, and Interactive Intelligence CaaS℠ are trademarks or service marks of Interactive Intelligence, Inc. The foregoing products are ©2012-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Speech Recognition and Interaction Quality Manager are registered trademarks of Interactive Intelligence, Inc. Bay Bridge Decisions and Interaction Script Builder are trademarks of Interactive Intelligence, Inc. The foregoing products are ©2013-2015 Interactive Intelligence, Inc. All rights reserved. Interaction Collector is a registered trademark of Interactive Intelligence, Inc. Interaction Decisions is a trademark of Interactive Intelligence, Inc. The foregoing products are ©2013-2015 Interactive Intelligence, Inc. All rights reserved. Interactive Intelligence Bridge Server and Interaction Connect are trademarks of Interactive Intelligence, Inc. The foregoing products are ©2014-2015 Interactive Intelligence, Inc. All rights reserved. The veryPDF product is ©2000-2015 veryPDF, Inc. All rights reserved. This product includes software licensed under the Common Development and Distribution License (6/24/2009). We hereby agree to indemnify the Initial Developer and every Contributor of the software licensed under the Common Development and Distribution License (6/24/2009) for any liability incurred by the Initial Developer or such Contributor as a result of any such terms we offer. The source code for the included software may be found at http://wpflocalization.codeplex.com. A database is incorporated in this software which is derived from a database licensed from Hexasoft Development Sdn. Bhd. ("HDSB"). All software and technologies used by HDSB are the properties of HDSB or its software suppliers and are protected by Malaysian and international copyright laws. No warranty is provided that the Databases are free of defects, or fit for a particular purpose. HDSB shall not be liable for any damages suffered by the Licensee or any third party resulting from use of the Databases. Other brand and/or product names referenced in this document are the trademarks or registered trademarks of their respective companies.

DISCLAIMER INTERACTIVE INTELLIGENCE (INTERACTIVE) HAS NO RESPONSIBILITY UNDER WARRANTY, INDEMNIFICATION OR OTHERWISE, FOR MODIFICATION OR CUSTOMIZATION OF ANY INTERACTIVE SOFTWARE BY INTERACTIVE, CUSTOMER OR ANY THIRD PARTY EVEN IF SUCH CUSTOMIZATION AND/OR MODIFICATION IS DONE USING INTERACTIVE TOOLS, TRAINING OR METHODS DOCUMENTED BY INTERACTIVE.

Interactive Intelligence, Inc. 7601 Interactive Way Indianapolis, Indiana 46278 Telephone/Fax (317) 872-3000 www.ININ.com

http://wpflocalization.codeplex.com/

http://www.inin.com/


Table of Contents Copyright and Trademark Information ............................................................................2

Create domain user accounts ...............................................................................................4

Create domain group accounts ............................................................................................5

Install the SQL Database .......................................................................................................5

Add AD accounts to SQL Server ...........................................................................................6

Set SQL Permissions ................................................................................................................7

Allow Execute right ..................................................................................................................8

Disable the standard SQL Accounts ...................................................................................8

Configure CIC SQL Server Database ..................................................................................9

Post Installation Considerations .........................................................................................9 Verify the CIC reporting configuration settings ................................................................... 10 Enable C2 audit tracing ............................................................................................................ 11 Disable the named pipes protocol .......................................................................................... 11

Change Log ............................................................................................................................... 13


Introduction An organization can use Windows Active Directory (AD) accounts in place of the default SQL accounts that Customer Interaction Center (CIC) creates. This document explains how to use Corporate Windows Domain or Active Directory users in CIC reporting and client applications.

IC Setup Assistant uses SQL SA Admin accounts to generate SQL user accounts and passwords, establish permissions for those accounts, and create the IC database tables. You can create the AD group and AD user accounts defined in this document before you run IC Setup Assistant. You use those AD accounts during the database portion of the IC Setup Assistant without further modifications after you complete the IC Setup Assistant.

If you already completed the IC Setup Assistant, you can use this document to create the AD accounts in your AD domain and in SQL Server. Then you rerun IC Setup Assistant and make database configuration changes. For more information about IC Setup Assistant, see the IC Setup Assistant Help.

IC Setup Assistant creates database tables to store information for the Call Detail Report and other reports. CIC collects this information during a call, chat, or other ACD/Non ACD Group or user activity. The SQL Server that CIC uses does not contain any private personal information or CIC configuration settings. CIC can just as easily run without the SQL Server database component or just collect the information as Comma Separated Value (CSV) information.

To use AD accounts in place of the default SQL accounts in CIC, complete the following:

1. Create domain user accounts. 2. Create domain group accounts. 3. Install the SQL Server database. 4. Add AD accounts to SQL Server. 5. Set SQL permissions. 6. Allow Execute right. 7. Disable the standard SQL accounts. 8. Configure CIC SQL Server database. 9. Post installation considerations.

Create domain user accounts For the solution to work properly within your AD domain, you must segment the administrator, supervisor, and user accounts into definable roles to establish the correct access controls and system permissions for CIC and the operating system. Create the following AD user accounts by using the Active Directory Add Users and Computers tool on your domain controller.

Domain User Description

Domain\ICAdmin A domain user that is the IC master admin for CIC. This account acts as a member of the administrator group for the local servers on CIC, Interaction Media Server, and Interaction SIP Proxy servers if the ICService account becomes compromised or locked.

Domain\ICService CIC, the Interaction Media server, and Interaction SIP Proxy servers use this account as a service account for installation and updates. Make the ICService account a member of the administrator group for each local server.

Domain\ICDatabase The database server uses this service account as part of the local administrator group on the database server.


Notes:

• This document uses the term domain to refer to the name of the onsite domain.

• The system uses these domain\IC User accounts for functionality checks after you install CIC 2015 R1 or later and complete IC Setup Assistant. Once you complete the initial functionality checks and CIC sends and receives calls, you can disable these accounts. You create and use the normal domain user (Windows) accounts for the CIC user accounts.

Create domain group accounts The following groups provide user and security rights for application access. Create the following domain group accounts.

Domain Group Description

Domain\IC DataOwner This account group is a DBA for the I3_IC database tables. To this domain group, add users that require DBA access to this database.

Domain\IC DataReader

This account group is a Database Reader group for the I3_IC database. To this database group, add users that require access to IC Business Manager, Interaction Recorder client, or reporting information.

Domain\IC DataWriter This account group is a Database Writer group for the I3_IC database. To this domain group, add users that require write access to the database.

Domain\IC Admins This IC Administrator group is for ACL rights on shares on the IC server. Default members: ICAdmin and ICService.

Domain\IC Audit This domain group is for auditing purposes. Default member: ICAuditor1.

Domain\CICAdminGrp This account group includes the individuals that are members of the CIC Administrators role in Interaction Administrator. Add these AD users to this group so that when they use their CAC/Smart Card to log on to the server they have the appropriate CIC permissions.

Install the SQL Database Follow the standard installation instructions for the Microsoft SQL Server 2008 R2 and later. The installation wizard guides you through the process. You can use an existing SQL Server in your environment as long as your database server meets the minimum requirements for the SQL Server for CIC. Refer to http://testlab.inin.com/ for information about requirements for SQL Server.

Notes:

• When the wizard asks you to provide account information to use for the service account, enter the Domain\ICDatabase account.

• For a standard SQL installation, locate the SQL Server application and the related files on the first or Operating System partition (C:\Drive) with the database files on the second partition (D:\Drive).

• During the initial database setup, verify that the installation allows both SQL and Windows Authentication. In a later stage, you can disable SQL Authentication.

• After you complete the database install, verify the database service account by using the Services Control Panel in Windows. To determine that SQL Server is running under the Domain\ICDatabase account, display the properties for the MSSQLServer process as shown

http://testlab.inin.com/


in the following example:

Add AD accounts to SQL Server Previously, you created the domain user and group accounts that use specific permissions in SQL Server. Next, you add the AD accounts to SQL Server by using the SQL Server Admin Console. The following users are Windows accounts and not SQL accounts.

To create accounts:

1. Log on to the SQL Server Management Studio.

2. Select Security, Logins, and then create the following users and groups.

Domain Group Description

Domain\IC DataOwner This account group is a DBA for the I3_IC database tables. To this domain group, add users that require DBA access to this database.

Domain\IC DataReader This account group is a Database Reader group for the I3_IC database. To this database group, add users that require access to IC Business Manager, Interaction Recorder client, or reporting information.

Domain\IC DataWriter This account group is a Database Writer group for the I3_IC database. To this domain group, add users that require write access to the database.

Domain User Description

Domain\ICAdmin This account group is a DBA for the I3_IC database tables. To this domain group, add users that require DBA access to this database.

Domain\ICService The IC server uses this account as a Database Reader/Writer account.

Domain\ICDatabase The database server uses this service account as part of the local administrator group.


Set SQL Permissions After you create the user and groups accounts in SQL Server, you set the permissions for these accounts. To set permissions for the groups and accounts, open the user or group in SQL Server Management Studio and select User Mapping.

Important

Verify that you:

• Added the users to the correct database domain groups.

• Added the domain groups to the appropriate database roles.

• Set the correct security settings for the I3_IC database.

Add the following groups with the appropriate roles.

Group Name Security Role/Right Comments

Domain\ICAdmin db_owner Only used for applying service updates and system maintenance. Account disabled during operational hours.

Domain\ICService db_datareader, db_datawriter Used by the server to insert and query records.

Domain\ICDatabase db_owner Set this group to database administration rights at the SQL Server level with the same permissions as the SA account.

Domain\IC DataOwner db_owner Set this group to database administration rights at the SQL Server level with the same permissions as the SA account.


Group Name Security Role/Right Comments

Domain\IC DataReader db_datareader and EIC_READ Set this group to read-only permissions for the I3_IC database.

Domain\IC DataWriter db_datawriter Set this group to read and write permission for the I3_IC database.

Allow Execute right Interaction Recorder uses stored procedures to insert records in the database. For the IC server to execute these stored procedures, execute the following command against the I3_IC Database. Use the name you used to create the IC database.

Use the following format for the command and replace DOMAIN with the actual domain name:

GRANT EXECUTE TO [DOMAIN\ICService]

For example:

Grant EXECUTE TO [Holland\ICService]

The following illustration shows the command to execute against the I3_IC database.

Disable the standard SQL Accounts During the creation of the I3_IC database, the database creation script creates several SQL accounts in the system. Disable the following SQL accounts since the system no longer requires these accounts to be operational.

User Name Description

IC_Admin This user account no longer required by the system.

IC_User The IC server uses this account as a Reader/Writer account.

IC_Readonly The database server uses this service account in the local administrator group.

SA This account enables complete control of SQL Server and all the databases, users, and permissions.


To disable an account:

1. Log on to the SQL Server Management Studio.

2. Select Security, Logins. Right-click an account and select Properties.

3. Select Deny under Permission to connect to database engine.

4. Select Disabled under Login.

The following illustration shows the settings to disable a SQL account.

Configure CIC SQL Server Database Next, run IC Setup Assistant. In the database portion of IC Setup Assistant, use the AD accounts that you created. Once the IC Setup Assistant completes, you do not need to modify any other CIC settings.

Post Installation Considerations After you install CIC and create the I3_IC database, you can complete the SQL Server configuration.

Note: Before you modify the SQL Server configuration, verify:

• Whether to allow or open firewalls 1433 TCP and 1434 UDP ports on your network and computers so that supervisor and user workstations can access SQL Server.

• That the domain users and groups that you created now exist in the domain and in SQL Server. Verify that you added the domain users that require access to IC Business Manager, Interaction Recorder client, or reporting information to the appropriate group.

To complete the SQL Server configuration:

1. Verify the CIC reporting configuration settings.

2. Enable C2 Audit tracing.


3. Turn off the named pipes protocol.

Verify the CIC reporting configuration settings There are several settings in the Interaction Administrator to verify in order to make sure that the system and users use Windows Authentication to authenticate with the database.

Open Interaction Administrator and select IC Data Sources under System Configuration. The following illustration shows the data sources.

Verify the following data sources use Windows Authentication to connect with the database:

• IC Contacts

• IC Report Logging

• IC Report Logs

• IC Tracker

Verify that the connection information uses the following connection string: Driver= {SQLServer};Database=I3_IC;Server=’SERVERNAME’;NETWORK=dbmssocn;Trusted_Connection=Yes

Replace ‘SERVERNAME’ with the actual server name of the database server.

The system uses the Domain\ICService account to connect to the database. Each user that runs a report from their workstation uses their own account to connect to the database. You can grant access for a user, by making their domain account a member of the Domain\IC DataReader group.


Enable C2 audit tracing Enable C2 auditing tracing to configure SQL Server to record both failed and successful statements and objects access attempts. This information can help you identify and profile system activity and track possible security policy violations. C2 auditing saves a large amount of event information to the log file. If the data directory that includes the log file runs out of space, SQL Server shuts down. If your company requires the use of C2 audit tracing, you can enable C2 audit tracing.

To enable C2 Audit tracing:

1. Open the Microsoft SQL Server Management Studio, and open the properties dialog of the server object.

2. Select the Security page.

3. Select Enable C2 auditing tracing under Options.

Disable the named pipes protocol If your company does not require the use of named pipes protocol, you can disable named pipes on SQL Server.

To disable the named pipes protocol on SQL Server:

1. Log on to SQL Server and start the SQL Server Configuration Manager.

2. Select SQL Server Configuration manager > SQL Server Network Configuration.

3. Disable the named pipe protocol in the following configuration containers:

• SQL Native Client 10.0 Configuration (32bit)

• SQL Server Network Configuration


• SQL Native Client 10.0 Configuration

4. Double-click Named Pipes. The Named Pipes Properties screen appears.

5. From Enabled, select No.

6. Click OK.


Change Log

Change Date

New document. 11/11/2015

using active directory accounts with sql server in … intelligence, inc. 7601 interactive way...

Documents