Administrative and service accounts and certificates required for deployment (Duet Enterprise)

Applies to: Duet Enterprise for Microsoft SharePoint and SAP Server 2.0

We recommend that you create the service and user accounts that you will need before you start to install Duet Enterprise. For example, you will need a service account for the Web application that is used for the Duet Enterprise sites and one or more service accounts that are used for communications between the SharePoint farm and SAP system. You will also need an SSL certificate to configure secure communications between the Web application for the Duet Enterprise sites and the SAP system. An SAP administrator will also provide an SSL certificate for which you must create a trust relationship on the SharePoint environment.

In this article:

  • Accounts needed to deploy Duet Enterprise

  • Certificates needed to secure Duet Enterprise

  • Create a managed account

Accounts needed to deploy Duet Enterprise

The following sections describe the accounts that are used to deploy Duet Enterprise. The tables describe the accounts that you will have to provide as you complete the deployment process.

Note

If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the accounts can be recorded in the worksheet.

Install Duet Enterprise

The following table describes the requirements for the account that is used to install Duet Enterprise.

Account: Setup user account

Purpose: The user account that is used to do the following:

  • Run setup.exe

  • Run DuetConfig.exe

This account will be given Execute permission to the Business Data Connectivity service metadata store.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record this account in the "Setup user account" row of Table 3.

Requirements:

  • A member of the Windows Administrators group on the computer that is running SharePoint Server 2010.

  • A member of the Farm Administrators group on the SharePoint Server farm on which you are installing Duet Enterprise.

  • Full Control permissions on the User Profile Service Application are required to configure profile synchronization by using the DuetConfig.exe /configureprofilesync command. Note that the account that is used to install Microsoft SharePoint Server 2010 is automatically granted this permission. However, the permission is not automatically granted to all farm administrators.

Configure secure communications between the SharePoint farm and SAP system

The accounts in the following table are required when you create the Web applications for the Duet Enterprise sites.

Account: Service account

Purpose: Used for the Duet Enterprise sites Web application.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record this account in the "Service account for the Duet Enterprise sites Web application" row of Table 3.

Requirements: The account must be configured as a managed account in SharePoint Server.

Important

Do not use a user account for this purpose. Doing so can cause SAP workflow tasks to be in an inconsistent state. Instead, we recommend that you use a unique Windows domain account, one that is not used for any other purpose.

Import BDC models

The accounts in the following table are required when you import BDC models. The BDC models that are provided with Duet Enterprise are updated by an SAP administrator to match settings in the SAP system and then provided to a SharePoint administrator who must import them into SharePoint Server.

Account: End users who can access the SAP content

Purpose: Used to specify the user or Active Directory Domain Services (AD DS) group accounts that will be granted Execute permissions to the BDC models.

Note

We recommend that you specify the nt authority\authenticated users Windows group during deployment. This enables all authenticated users to access the SAP content. After deployment, if you want to harden security, you can replace this Windows group with individual user accounts or a different Windows group.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record the user accounts or groups that you want to use in the "Users who can access SAP content" row of Table 3 of the worksheet.

Requirements: Windows user or group.

Note

This must be a valid domain account or group. SharePoint groups are not supported.

Account: WSDL access account

Purpose: Used to access and download the SAP WSDLs. This account will be given full permissions on all the BDC models.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), the SAP administrator will provide this account in the "User name for WSDL access" and "Password for WSDL access" rows of Table 2 of the worksheet.

Requirements: Windows user or group. The WSDL access account is created by the SAP administrator. You must provide the user or group name and associated password.

Synchronize profiles and roles

The account in the following table is required if you plan to configure role synchronization for Duet Enterprise.

Account: AD DS account

Purpose: Used by a SharePoint administrator to synchronize user accounts in AD DS with the User Profile store in the SharePoint Server farm. An SAP administrator also uses this account to pull user accounts from AD DS into the SAP profile store.

Tip

The AD DS administrator can provide this account name.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record this account name and password in the "AD DS account and password" row of Table 1.

Requirements:

  • A member of the SharePoint Farm Administrators group or a User Profile Service administrator.

  • A minimum of DirSync permissions to AD DS.

Configure reporting

The accounts in the following table are required if you plan to configure the reporting solution for Duet Enterprise.

Account: Report publisher account

Purpose: Used to authorize reports to be sent from the SAP system to SharePoint Server. The account will be granted the Full Control permission to the Report Publisher URL.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record this account name and password in the "Report publisher account" row of Table 3.

Requirements: This user account and password will be given to the SAP administrator to use as the Report Publisher account on the SAP system. Because of this, we recommend that you create an account specifically for this purpose instead of using a person's user account.

Configure SAP workflows

The account in the following table is required if you plan to configure Duet Enterprise Workflow sites in SharePoint Server.

Account: Service account

Purpose: Used for all workflow transactions between SharePoint Server and the SAP environment. SharePoint Server only accepts requests from the workflow service account. This is also the only account that can send protocols to the SAP system.

Worksheet step: If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record this account in the "Workflow publisher account" row of Table 3.

Requirements: A member of the SharePoint Owners group of all workflow sites.

Important

Do not use the same account that is used as the application pool account for any Web applications. Specifically, this cannot be the same account that you entered in the "Service account for the Duet Enterprise sites Web application" row of Table 3 of the Deployment worksheet. Using the same account can cause SAP workflow tasks to be in an inconsistent state. Because of this, we recommend that you use a unique Windows domain account, one that is not used for another purpose.

Certificates needed to secure Duet Enterprise

All network calls between the Web application that is configured for Duet Enterprise sites and the SAP system are made over HTTPS (Secure Sockets Layer, SSL). In addition, a SharePoint administrator must export the Security Token Service (STS) certificate and give it to an SAP administrator to configure a trust relationship on the SAP system. This process enables tokens that are sent from the SharePoint Security Token Service to be verified after they arrive on the SAP system. The SharePoint administrator must also configure a trust relationship with an SSL certificate that the SAP administrator has used to secure the Web service that is used by Duet Enterprise.

The following certificates are used in securing Duet Enterprise:

  • A SharePoint administrator must get or create an SSL certificate for the Web application that will be configured for Duet Enterprise. Note that a Web application on which Duet Enterprise solutions are enabled must be extended to enable a configured zone to use the HTTPS protocol (SSL) and Basic authentication. This SSL-configured zone, called the SAP-facing zone in this article, is used for all communications with the SAP system. An administrator of the server that is running SharePoint Server 2010 must bind this SSL certificate to the SAP-facing zone of the Web application and give the certificate to an SAP system administrator so that it can be trusted on the server that is running SAP NetWeaver.

  • The SharePoint administrator must export the Security Token Service (STS) certificate and give it to the SAP system administrator. The SAP system administrator will use the STS certificate to establish a one-way trust relationship with the Security Token Service.

  • An SAP system administrator must give the SSL certificate that is used to secure the Web service that is used by Duet Enterprise to the SharePoint administrator, who will configure a trust relationship for that certificate. This enables the Duet Enterprise sites to accept information from the SAP environment.

Note

For step-by-step instructions about how to obtain and use these certificates, see Configure secure communications between the SharePoint and SAP environments (https://go.microsoft.com/fwlink/p/?LinkId=205812).
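The two SharePoint-side certificate tasks above (exporting the STS certificate for the SAP administrator, and trusting the SSL certificate the SAP administrator supplies) can also be done from the SharePoint 2010 Management Shell. The following is an added example, not code from this article or from the Duet Enterprise product; the file paths and the trusted root authority name are constructed placeholders, and it assumes a farm administrator session.

```powershell
# Added example (not from the original article). Assumes the SharePoint 2010
# Management Shell and a farm administrator session; paths are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Export the Security Token Service (STS) signing certificate as a
#    DER-encoded .cer (public key only) for the SAP administrator, who uses
#    it to establish the one-way trust on the SAP system.
$stsOutPath = 'C:\certs\SharePointSTS.cer'          # placeholder path
$sts = Get-SPSecurityTokenServiceConfig
$stsCert = $sts.LocalLoginProvider.SigningCertificate
# 'Cert' = X509ContentType.Cert: the certificate without its private key.
$stsCert.Export('Cert') | Set-Content -Path $stsOutPath -Encoding Byte
Write-Host "Exported STS certificate: $($stsCert.Subject); thumbprint $($stsCert.Thumbprint)"

# 2. Trust the SSL certificate that the SAP administrator supplied for the
#    Duet Enterprise Web service by registering it as a trusted root authority.
$sapCertPath = 'C:\certs\SAPWebService.cer'         # placeholder, file from SAP admin
$sapCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sapCertPath)

# Check the file before the farm trusts it: reject expired certificates and
# print the thumbprint so it can be confirmed with the SAP administrator
# out of band before the trust is created.
if ($sapCert.NotAfter -lt (Get-Date)) {
    throw "SAP certificate '$($sapCert.Subject)' expired on $($sapCert.NotAfter)."
}
Write-Host "SAP certificate: $($sapCert.Subject); issuer $($sapCert.Issuer); thumbprint $($sapCert.Thumbprint)"

$alreadyTrusted = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $sapCert.Thumbprint }
if (-not $alreadyTrusted) {
    New-SPTrustedRootAuthority -Name 'SAP Duet Enterprise Web service' -Certificate $sapCert | Out-Null
}

# List what the farm now trusts, by name and thumbprint.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
```

Hand the exported .cer file to the SAP administrator; the private key never leaves the SharePoint farm.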

Create a managed account

If the Web application that you will use for Duet Enterprise sites does not already exist, you will need a managed account to assign to the application pool that will be used by the Web application that you will create later.

A managed account is an AD DS user account whose credentials are managed and stored within SharePoint Server. To create a managed account, you register an AD DS account with SharePoint Server.

To determine the AD DS user account

  • Before you can create a managed account, you will first have to determine the AD DS user account that you want to use. We recommend that you ask the AD DS administrator to do the following.

    1. Create an account specifically for this purpose, instead of using a user’s account.

    2. Configure the account to have a non-expiring password.

    If you are using the Deployment worksheet (https://go.microsoft.com/fwlink/p/?LinkId=205392), record this account in the "Service account for the Duet Enterprise sites Web application" row of Table 3 of the worksheet.

To register a managed account

  1. Verify that you have the following administrative credentials:

    • You must be a farm administrator to complete this procedure.

  2. On the Central Administration Web site, in the Security section, click Configure managed accounts.

  3. On the Managed Accounts page, click Register Managed Account.

  4. In the Account Registration section of the Register Managed Account page, enter the service account credentials.

    Note

    We recommend that you do not enable the automatic password change feature for service accounts.

  5. Click OK.
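The same registration can be scripted in the SharePoint 2010 Management Shell, which also makes it easy to confirm that automatic password change stays off, as the Note above recommends. This is an added example, not code from this article; the account name is a constructed placeholder, and it assumes a farm administrator session.

```powershell
# Added example (not from the original article). Assumes the SharePoint 2010
# Management Shell and a farm administrator session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder: use the account recorded in the worksheet row
# "Service account for the Duet Enterprise sites Web application".
$accountName = 'CONTOSO\svc-duet-web'

# A managed account must be an AD DS user in DOMAIN\user form; local accounts
# and SharePoint group names are not valid here.
if ($accountName -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Expected a DOMAIN\user name, got '$accountName'."
}

$managed = Get-SPManagedAccount | Where-Object { $_.UserName -eq $accountName }
if ($managed -eq $null) {
    # Prompt for the password interactively so it is never stored in the script.
    $cred = Get-Credential -Credential $accountName
    $managed = New-SPManagedAccount -Credential $cred
}

# AutomaticChange is $false unless someone enabled automatic password change
# (Set-SPManagedAccount -AutoGeneratePassword); warn if it is on.
if ($managed.AutomaticChange) {
    Write-Warning "Automatic password change is enabled for $accountName; leave it off for this service account."
}

$managed | Select-Object UserName, AutomaticChange, PasswordExpiration
```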