Accounts used in an Installation
This topic describes the various accounts that are necessary when installing, configuring and running the product system. For more information on the permissions required for the accounts described in this table, please refer to the topic Required permissions.
Make sure that no accounts used for installing the product have the following two local policies set:
- Deny log on locally
- Deny log on through Remote Desktop Services
Account | Purpose | Practice Recommendation | Other Considerations |
---|---|---|---|
Service Account | The Service Account is the account under which the application service (the " Server" service) runs. | Dedicate a new account for each environment, e.g DEV, TEST, PROD. |
Using single and double quotes (' and ") in the password of your Service Account are unsupported. |
Installation Account | The installation account is the account used by operators to install and configure the product on various servers in a topology | A dedicated Setup account is not required, but using an account that is an administrator on the system is encouraged. Alternatively, you may install the product while logged in as the Service Account, provided that account has the necessary Required permissions to both install and run the product.. |
|
Administrator Account | This account or group is used for basic administration of the Server, such as setting security for the environment, accessing the Management Site, and managing an environment. | Using an Administration Account, or Group, supports separation of service accounts from user accounts. Establish an AD Group for administrative activities that members of the group will perform on components. One principal authority group may be adequate for all areas of the product suite, but it does not preclude additional separation of duties. Consider a different authority group for each environment, i.e. “Nintex DEV Administrators, Nintex PROD Administrators.” |
|
Web Service Account | This account serves as the identity for application pools that run various web server components, such as the Web Services. | Establish a dedicated account for all web server components and application pools in a specific environment. For example, an account like “NintexServiceDev” could serve all web server components and application pools in your development environment. While you use an account like “NintexServiceProd” on your production environment. |
|
Designer Site Application Pool Identity | This account is used as the Application Pool Identity for the Designer web site, which is installed when you install the product. | Name the application pool to represent its role with the product. e.g. Designer App Pool. A single account such as “Designer App Pool” could serve all environments, depending on variances in the organizational planning. |
|
Runtime Site Application Pool Identity | This account is used as the Application Pool Identity for the Runtime web site, which is the website used by end users to access SmartForms. | The application pool identity and pool may be shared between the Designer and Runtime web sites when the web sites are all on the same host. If your organization wishes to implement a topology where additional Runtime sites will exist, additional accounts and application pools may be considered to separate security, especially if you intend creating a dedicated Runtime site that is exposed to the internet and configured for Anonymous Access. |
|
SharePoint Service Accounts | These accounts are used in a SharePoint 2016/SharePoint 2019 environment. | It is recommended that SharePoint Accounts are not also used as the Service account. The Service Account will need additional rights and access into SharePoint not normally assigned to service accounts in a standard SharePoint installation. |
|
Nintex K2 for SharePoint App Upload User Account | This account is used to upload the Nintex K2 for SharePoint App to the App Catalog. |
|
|
Nintex K2 for SharePoint Registration User Account | This account is used when adding the Nintex K2 for SharePoint App to a Site Collection in SharePoint. | ||
Domain Users | This refers to user accounts for users that will interact with the product. |
Update the Service Account password after expiry
When the Service Account password expires, the Service will not operate as expected. If you don't have a policy in place to update it before it expires you can use one of the following methods to update it in the product:
- Setup Manager (preferred method)
- Run the Setup Manager and select Configure.
- On the Service Accounts Configuration page, untick the Use Existing Credentials option, provide the new password and click Test.
- Complete the rest of the steps in the Setup Manager.
- Command PromptThis option must only be used by an admin user or power userFollow the steps below to run a single command line in the command prompt against the K2 Installer with the new password.
- Run the following command replacing "k2svcpassword" with the new K2ServiceAccount password and "excpassword" with the Exchange password if the service account user is used for Exchange as well. The command must be executed from the [K2 installation Path]\Setup folder.Copy
SourceCode.SetupManager.exe -c:CFG,BPS,PDF -mod:RollK2ServicePassword -config -var:[SERVICEUSERCHANGED]=true~[USERSPASS]=k2svcpassword~[EXCHANGEPASS]=excpassword
You may experience an error when running the command if Windows cannot update or remove the services and needs to restart. In this instance, restart and rerun the command or use the Setup Manager method
- Run the following command replacing "k2svcpassword" with the new K2ServiceAccount password and "excpassword" with the Exchange password if the service account user is used for Exchange as well. The command must be executed from the [K2 installation Path]\Setup folder.
See also:
- Authentication and Authorization
- 'k2_schema_owner' SQL account
Using colon, semicolon, single and double quotes, angle brackets, and ampersand (:, ;, ', :, >, <, and &) in the password of your SQL account are unsupported.
- Required permissions
- Security Considerations