How Are CSS Authentication Accounts Defined and Managed?

You can base the configuration of the authentication accounts that are used to stage Commerce Server Staging (CSS) projects on your network and business requirements. There are three main categories of CSS authentication accounts.

  • CSS Service Accounts

  • CSS Management and Administration Accounts

  • Staging Project Accounts

CSS Service Account

The CSS service account is the account assigned to the Commerce Server Staging Windows service when you configure CSS on the server.

This account requires the following permissions:

  • Member of the CSS_SG group. (This is defined when you configure CSS.)

  • (Optional) Database access to the source or destination SQL Server databases. This access is only required when you stage business data projects.

You must define a CSS service account for each CSS server in a staging deployment.

CSS Management and Administration Accounts

Management and administration accounts are accounts that you use to execute CSS functions from either the CSS console or command line. You can grant these accounts permission to perform the following staging tasks by adding them to one of the CSS security groups, CSS Administrators or CSS Operators.

  Staging task                                        CSS Administrators   CSS Operators
  Add, remove, and change projects.                   Yes                  No
  Add, remove, and change routes.                     Yes                  No
  Add and remove users to and from projects.          Yes                  No
  Add and remove servers.                             Yes                  No
  Change server properties.                           Yes                  No
  Start, stop, apply, and rollback staging projects.  Yes                  Yes
  View project and route properties.                  Yes                  Yes
  Start, stop, and pause the staging service.         Yes                  Yes

When you use these accounts to stage business data, these accounts also require database access permissions to the source SQL Server databases.

When you perform tasks from the CSS Microsoft Management Console (MMC) on remote servers, you can specify an MMC authentication account for the remote server. You must add this account to the corresponding CSS security group based on the intended use of staging tasks as outlined in the table earlier in this topic.

For information about the CSS security groups, see How Are Permissions Granted to CSS Authentication Accounts? For information about how to define the MMC authentication account, see How to Connect to a Remote Server.

Staging Project Accounts

For CSS servers to send a replication request to other CSS servers, the CSS service residing on the sending server must set up a connection with the receiving server. This is achieved by using a valid authentication account. This authentication account is referred to as a staging project account. Staging project accounts are used to connect to another CSS server in order to transmit data. These accounts must be members of the CSS Operators or CSS Administrators groups, or be users who have been assigned as administrator or operator with project-level permissions.

When you use these accounts to stage business data, these accounts also require database access permissions to the source SQL Server databases.

Note

You can specify the CSS service account running on the CSS server as a staging project account. If you do this, you must add this account to the CSS Operators or CSS Administrators group on the destination server.

Important Note:

When you create or modify a project through the CSS MMC, the staging project account is used to authenticate the connection to the remote server. This account must belong to the CSS Administrators group on the remote server to perform the task or the task will fail.

CSS supports three methods of specifying the authentication accounts to use when staging projects. These methods, in the order in which they take precedence, are as follows:

  • Destination-level authentication. Destination-level authentication specifies authentication accounts for individual destination servers and the servers that are defined in a route. You can define destination servers in the project or the project can use routes already created for staging.

  • Project-level authentication. Project-level authentication lets you specify an account that can be used for all destination servers that are defined throughout a project. An authentication account defined at this level specifies staging accounts for individual projects. Destination accounts override this account during staging.

  • Default (global) authentication. Default authentication applies to all staging projects unless a project-level or destination-level account is specified. The default authentication account is defined for a CSS server through the CSS MMC. Project-level or destination-level authentication accounts override this account during staging.

    Note

    Each of the accounts specified for each of these levels of authentication should be members of the CSS Administrators or CSS Operators groups on the destination CSS servers. Or, they must be assigned as an operator or administrator with project-level permissions for specific project(s).

The following illustration shows the authentication process that CSS uses to stage projects (files and data) between different servers and environments.

Authentication Process for Commerce Server Staging

Configuring Destination-Level Authentication

You can override both project-level and default authentication by configuring the authentication account for each destination in a project or route. Destination-level authentication gives you detailed control and flexibility for connecting to remote servers. This is especially useful if your destination servers are in different domains.

The destination-level authentication account must match an account on the corresponding remote CSS server(s). It must belong to the CSS Operators or CSS Administrators group on the destination server. Or, it must be assigned as an operator or administrator with project-level permissions for the project.

Important Note:

If a destination-level authentication account is defined through the New Project Wizard, the account must belong to the CSS Administrators group on the destination server. This is necessary because the destination-level account is used to create the project on the destination server, and only members of the CSS Administrators group can create projects. If the account is not a member, project creation fails with an access denied error on the destination server.

For information about how to configure a project to use destination-level authentication, see How to Configure Destination-Level Authentication.

Project-Level Authentication

You can override the authentication for default authentication by configuring the project-level authentication account. Project-level authentication lets you use different authentication accounts on a project-by-project basis.

As with the destination-level authentication account, the project-level authentication account must match an account on the corresponding CSS remote server(s). It must belong to the CSS Operators or CSS Administrators group on the destination server. Or, it must be assigned as an operator or administrator with project-level permissions for the project.

For information about how to configure a project to use project-level authentication, see How to Configure Project-Level Authentication.

Default (Global) Authentication

The default authentication account authenticates with other CSS servers for deployment when no other authentication information is provided at the project or destination level. It also executes the scheduled tasks if the project has a configured schedule. This means that the default authentication account must match an account that is part of the CSS Operators or CSS Administrators group at all intended destination servers unless it is assigned as operator or administrator with project-level permissions for particular projects.

For CSS staging operations to succeed, the intended destination servers must be able to recognize the credentials that the source server supplies. This means that the credentials that are supplied for the default authentication account must match an account that is available to all intended destination servers. An account is available to a destination server if it meets one of the following criteria:

  • The account is in the destination server’s local user accounts database.

  • The account is in the user accounts database for the domain to which the destination server belongs.

  • The account is in the user accounts database of a domain trusted by the destination server’s domain.
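As an added illustration (not part of this topic and not Commerce Server code), the following Python models the account rules described above: the precedence order for choosing the staging project account, the requirement that creating or modifying a project through the CSS MMC uses a member of CSS Administrators on the destination, and the three criteria that make an account available to a destination server. The server names, domain names, account names and the dictionary layout are constructed assumptions of this model, not a CSS data format.

```python
ADMINS, OPERATORS = "CSS Administrators", "CSS Operators"
ADMIN_GROUP_TASKS = {"create_project", "modify_project"}  # CSS MMC project changes
OPERATOR_TASKS = {"start", "stop", "apply", "rollback"}   # operators may run these too

def resolve_account(project, server):
    """Precedence from the topic: destination-level, then project-level, then default."""
    levels = (("destination", project.get("destination_accounts", {}).get(server)),
              ("project", project.get("project_account")),
              ("default", project.get("default_account")))
    return next(((lvl, acct) for lvl, acct in levels if acct), (None, None))

def is_available(dest, account):
    """DOMAIN\\user is recognized if DOMAIN is the server itself, its domain, or a trusted domain."""
    realm = account.split("\\", 1)[0].upper()
    return realm in {dest["name"].upper(), dest["domain"].upper(), *map(str.upper, dest.get("trusted", ()))}

def effective_role(dest, project_name, account):
    """Highest role held via local group membership or a project-level assignment, else None."""
    role = dest.get("project_roles", {}).get((project_name, account))
    if role == "administrator" or account in dest["groups"].get(ADMINS, ()):
        return "administrator"
    if role == "operator" or account in dest["groups"].get(OPERATORS, ()):
        return "operator"
    return None

def check_task(project, dest, task):
    """Return (ok, reason) for running `task` against `dest` with the resolved account."""
    if task not in ADMIN_GROUP_TASKS | OPERATOR_TASKS:
        raise ValueError(f"unknown staging task: {task}")
    level, account = resolve_account(project, dest["name"])
    if account is None:
        return False, f"{dest['name']}: no authentication account at any level"
    tag = f"{account} ({level}-level)"
    if not is_available(dest, account):
        return False, f"{dest['name']}: {tag} is not a local, same-domain or trusted-domain account"
    if task in ADMIN_GROUP_TASKS and account not in dest["groups"].get(ADMINS, ()):
        return False, f"{dest['name']}: {tag} must be in {ADMINS} to {task}"
    role = effective_role(dest, project["name"], account)
    if role is None:
        return False, f"{dest['name']}: {tag} is neither administrator nor operator"
    return True, f"{dest['name']}: {tag} may {task} as {role}"

# Constructed sample (hypothetical names): WEB1 shares the source's CORP domain; WEB2 is in a DMZ domain that trusts CORP.
DESTINATIONS = [
    {"name": "WEB1", "domain": "CORP", "groups": {ADMINS: {r"CORP\css-admin"}, OPERATORS: {r"CORP\css-svc"}}},
    {"name": "WEB2", "domain": "DMZ", "trusted": {"CORP"}, "groups": {OPERATORS: {r"CORP\css-svc"}},
     "project_roles": {("Catalog", r"DMZ\deployer"): "administrator"}},
]
CATALOG = {"name": "Catalog", "default_account": r"CORP\css-svc",
           "destination_accounts": {"WEB2": r"DMZ\deployer"}}
```

Note that the WEB2 account holds project-level administrator rights but is not in the CSS Administrators group, so `check_task` allows `apply` yet rejects `create_project`, matching the Important Note above.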

See Also

Other Resources

How to Configure Destination-Level Authentication

How to Configure Project-Level Authentication

How to Change the Default (Global) Authentication Account

How Are Permissions Granted to CSS Authentication Accounts?

Staging Web Sites and Commerce Server Data

What are the Staging Security Configuration Requirements?