Service Account Requirements for App Launcher

Multiple service accounts may be used during this process. If one service account is used for more than one component, combine the permissions required for the account.

Application Launcher Service Accounts

The application launcher uses a single account to log into the jump server on behalf of the user and to launch the application. This should be a domain account, and it can be managed by Privileged Identity, provided the same account is not also running the deferred or zone processing services. The account has no explicit requirements other than being allowed to RDP to the jump server host, which typically requires only membership in the Remote Desktop Users group on the jump server.

Other considerations for this service account are:

  • If the web service is leveraging Integrated Windows Authentication, this account must be able to connect to the web service without being prompted for a username and password.
  • The account must be able to connect to the web service without any SSL/TLS trust errors: the web service certificate chain must be trusted on the jump server, because no user is present to accept a certificate warning.
  • Depending on the application being launched, the account may require additional permissions on the jump server. For example, if the launched application requires administrative privileges to run on the jump server, this service account must be a member of an administrative group on the jump server.
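The three checks above can be scripted. The following is an added example, not part of the product documentation: it ensures the launcher account is in Remote Desktop Users on the jump server, verifies that the web service certificate chain validates with default trust settings, and confirms that Integrated Windows Authentication succeeds without a credential prompt. The host name, account name and URL are assumptions for illustration.

```powershell
# Added example (not from the product documentation). Host, account and URL are assumed.
$JumpServer      = 'JUMP01'                       # assumed jump server host
$LauncherAccount = 'CONTOSO\svc-applauncher'      # assumed domain service account
$WebServiceUrl   = 'https://pi.contoso.example/'  # assumed web service URL

# 1. Remote Desktop Users membership on the jump server (the one hard requirement),
#    plus a reachability check of the RDP listener from this workstation.
Invoke-Command -ComputerName $JumpServer -ScriptBlock {
    $group   = 'Remote Desktop Users'
    $members = Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name
    if ($members -notcontains $using:LauncherAccount) {
        Add-LocalGroupMember -Group $group -Member $using:LauncherAccount
    }
}
Test-NetConnection -ComputerName $JumpServer -Port 3389 | Select-Object ComputerName, TcpTestSucceeded

# 2. TLS trust: open a raw TLS session with the default certificate validation callback.
#    AuthenticateAsClient throws AuthenticationException when the chain or name does not
#    validate, which is exactly the condition that would hang the unattended launcher.
function Test-TlsTrust {
    param([string]$Url)
    $uri = [uri]$Url
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        [pscustomobject]@{
            Trusted = $true
            Subject = $ssl.RemoteCertificate.Subject
            Expires = $ssl.RemoteCertificate.GetExpirationDateString()
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        [pscustomobject]@{ Trusted = $false; Subject = $null; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

# 3. Integrated Windows Authentication: run this from a session logged on as the
#    launcher account (for example: runas /user:CONTOSO\svc-applauncher powershell.exe)
#    so that -UseDefaultCredentials presents that account's Kerberos/NTLM identity.
#    A 401 here means the web service would prompt the launcher for credentials.
function Test-IwaLogon {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        [pscustomobject]@{ Ok = $true; Status = $r.StatusCode; User = "$env:USERDOMAIN\$env:USERNAME" }
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        [pscustomobject]@{ Ok = $false; Status = $status; Error = $_.Exception.Message }
    }
}

Test-TlsTrust -Url $WebServiceUrl
Test-IwaLogon -Url $WebServiceUrl
```

Run the membership step with an account that is an administrator on the jump server; run Test-IwaLogon under the launcher account itself, otherwise it only proves that the administrator's identity is accepted.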

Session Recording Service Accounts

Session recording service account requirements vary based on deployment.

All roles on same server

  • If the session recording, transcoding, and media service roles are all installed on the jump server, it is sufficient to run the services as Local System, since no network access is required.

Recorder role on jump server; media server and transcoder services on a separate host

  • The jump server login account must be permitted network access and must be granted Modify permission on the Source share on the transcoder host.
  • On the jump server, the session recording service account should be configured as Network Service.
  • Session recording services that are not used on the jump server in this layout may be disabled post-install through the Windows Services snap-in.
  • The transcoding host service account may be configured as Local System or as a named account. If running as a named account, that account must be granted Log on as a service. No network access is required from the transcoder host for the video files, because the media server is on the same host.
  • The transcoding host service account must be granted Modify access to the Source, Working, and SessionRecording directories on the transcoder host. The actual paths are defined during installation.

Recorder role on jump server, transcoder on a separate host, and media server on a separate host with local storage

  • The jump server login account must be permitted network access and must be granted Modify permission on the Source share on the transcoder host.
  • On the jump server, the session recording service account should be configured as Network Service.
  • Session recording services that are not used on the jump server in this layout may be disabled post-install through the Windows Services snap-in.
  • The transcoding host service account must be configured as a named account.
  • The transcoding host service account must be granted Log on as a service.
  • The transcoding host service account must be granted Modify access to the Source and Working directories on the transcoder host. The actual paths are defined during installation.
  • The transcoding host service account must be granted Write access to the SessionRecording share on the media server host.

Recorder role on jump server, transcoder on separate host, and media server on separate host with remote storage

  • The jump server login account must be permitted network access and must be granted Modify permission on the Source share on the transcoder host.
  • On the jump server, the session recording service account should be configured as Network Service.
  • Session recording services that are not used on the jump server in this layout may be disabled post-install through the Windows Services snap-in.
  • The transcoding host service account must be configured as a named account.
  • The transcoding host service account must be granted Log on as a service.
  • The transcoding host service account must be granted Modify access to the Source and Working directories on the transcoder host. The actual paths are defined during installation.
  • The transcoding host service account must be granted Write access to the SessionRecording share on the storage system connected to the media server host.
  • If the storage system for the media server is a remote server, configure the SessionRecording virtual directory in IIS with network credentials valid on the remote storage system, and grant that credential account Read permission on the directory.
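The distributed layouts above share the same three grants for the named transcoding account: Log on as a service on the transcoder host, Modify on the Source and Working directories, and Write on the SessionRecording share, plus Modify on the Source share for the jump server login account. The following is an added example, not part of the product documentation, that applies those grants and then reads them back. Host names, paths, share names and account names are assumptions; the real directory paths are the ones chosen during installation.

```powershell
# Added example (not from the product documentation). Run on the transcoder host as a local
# administrator who also has admin rights on the media server. All names below are assumed.
#Requires -RunAsAdministrator
$TranscoderAccount = 'CONTOSO\svc-transcoder'                    # assumed named service account
$JumpLoginAccount  = 'CONTOSO\svc-applauncher'                   # assumed jump server login account
$TranscoderPaths   = 'D:\Recording\Source', 'D:\Recording\Working'  # assumed install paths
$SourceShare       = 'Source'                                    # share name from the documentation
$MediaServer       = 'MEDIA01'                                   # assumed media server host
$MediaShare        = 'SessionRecording'                          # share name from the documentation

# NTFS grant with inheritance to files and subfolders. Share permissions (below) are a
# separate layer; the effective right is the intersection of the two.
function Grant-NtfsRight {
    param([string]$Path, [string]$Account,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# SeServiceLogonRight has no built-in cmdlet; round-trip it through secedit and append
# the account SID to whatever is already granted (never replace the existing list).
function Grant-LogonAsService {
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $export = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match '^SeServiceLogonRight' }
    if ($line -match "\*$([regex]::Escape($sid))") { return "$Account already has SeServiceLogonRight" }
    $value = if ($line) { "$($line.Split('=')[1].Trim()),*$sid" } else { "*$sid" }
    $inf = Join-Path $env:TEMP 'rights-grant.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'rights-grant.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
    "Granted SeServiceLogonRight to $Account ($sid)"
}

# Transcoder host: Log on as a service, Modify on Source and Working, and Modify for the
# jump server login account on the Source share (share-level Change plus NTFS Modify).
Grant-LogonAsService -Account $TranscoderAccount
foreach ($p in $TranscoderPaths) { Grant-NtfsRight -Path $p -Account $TranscoderAccount -Rights Modify }
Grant-SmbShareAccess -Name $SourceShare -AccountName $JumpLoginAccount -AccessRight Change -Force
Grant-NtfsRight -Path $TranscoderPaths[0] -Account $JumpLoginAccount -Rights Modify

# Media server: Write on the SessionRecording share for the transcoder account.
# Share-level "Change" is the SMB counterpart of write; the folder ACL still needs Write.
Grant-SmbShareAccess -CimSession $MediaServer -Name $MediaShare -AccountName $TranscoderAccount -AccessRight Change -Force
Grant-NtfsRight -Path "\\$MediaServer\$MediaShare" -Account $TranscoderAccount -Rights Write

# Read back what was granted so the result can be reviewed before the services start.
foreach ($p in $TranscoderPaths + "\\$MediaServer\$MediaShare") {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference -in $TranscoderAccount, $JumpLoginAccount } |
        Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights
}
```

Grant only what each layout lists: in the layout where media server and transcoder share a host, the transcoder account needs Modify on the local SessionRecording directory instead of Write on a remote share, so drop the two media server lines and add that path to the local Modify loop.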

It is possible to configure every component to use the same service account, and this is fully supported. However, because the components have different access requirements, a single account must carry the union of all of them, which gives every component more privilege than it needs and can make configuration and maintenance unnecessarily complex. Where practical, use a separate account per component with only the permissions listed above.