Setup with one-way trust
If you run your system in a multi-domain environment, you can configure this setup with one-way trust. The system is installed in the trusting domain, and users log in from both the trusting and the trusted domains.
- Create a service account in the trusted domain. You can name it whatever you want, for example, svcMilestone.
- Add the new service account to the following local Windows user groups on the server running the system, in the trusting domain:
  - Administrators
  - IIS_IUSRS (Windows Server 2008, necessary for Internet Information Services (IIS) Application Pools)
  - IIS_WPG (Windows Server 2003, necessary for IIS Application Pools)
- Make sure that the service account has system administrator rights on your SQL Database or SQL Server Express, either directly or through the BUILTIN\Administrators group.
- Set the identity of the ManagementServerAppPool Application Pool in IIS to the service account.
- Reboot the server to make sure that all group membership and permission changes take effect.
Important: To add trusted domain users to new or existing XProtect system roles, log in to Windows as a trusted domain user. Next, launch the Management Client and log in as a user of either the trusting domain or the trusted domain. If you log in to Windows as a trusting domain user, you are asked for credentials for the trusted domain in order to browse for users.
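
The following read-only check is an added example, not part of the original documentation or of the product. It reports whether the group, application pool and SQL settings from the steps above are in place after the reboot. The account name `OTHERDOMAIN\svcMilestone` and the SQL instance `localhost` are assumed placeholders, and the IIS check assumes the WebAdministration module is available on the server.

```powershell
# Added example: read-only verification; run elevated on the management server.
# ASSUMPTIONS (placeholders, adjust to your environment):
$Account     = 'OTHERDOMAIN\svcMilestone'   # service account in the trusted domain
$SqlInstance = 'localhost'                  # SQL Server instance used by the system
$AppPool     = 'ManagementServerAppPool'    # application pool named in the steps

function Test-LocalGroupMember([string]$Group, [string]$Member) {
    # Uses the WinNT ADSI provider. Only direct members are listed;
    # membership through a nested domain group is not resolved.
    $domain, $user = $Member -split '\\', 2
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $paths = @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    [bool]($paths -like "WinNT://$domain/$user")
}

$results = [ordered]@{}

# Local groups: IIS_IUSRS or IIS_WPG exists depending on the Windows Server version.
foreach ($grp in 'Administrators', 'IIS_IUSRS', 'IIS_WPG') {
    try   { $results["Member of $grp"] = Test-LocalGroupMember $grp $Account }
    catch { $results["Member of $grp"] = 'group not present on this server' }
}

# Application pool identity: must be a specific user equal to the service account.
Import-Module WebAdministration
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
$results["$AppPool identity"] =
    ($pm.identityType -eq 'SpecificUser') -and ($pm.userName -eq $Account)
$results["$AppPool configured user"] = $pm.userName

# SQL Server: IS_SRVROLEMEMBER returns 1 for a sysadmin member, 0 otherwise,
# and NULL when the role or login is not valid or cannot be checked.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$SqlInstance;Integrated Security=SSPI"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
    [void]$cmd.Parameters.AddWithValue('@login', $Account)
    $results['SQL sysadmin'] = ($cmd.ExecuteScalar() -eq 1)
} finally {
    $conn.Close()
}

$results.GetEnumerator() | Format-Table Name, Value -AutoSize
```

A `False` for the SQL check can also mean the account holds the role only through a group that SQL Server could not resolve across the trust, so confirm that case in SQL Server directly.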

Example illustration of multi-domain environments with one-way trust:
- One-way outgoing domain trust
- MyDomain.local
- OtherDomain.edu
- Trusting domain user
- Management server
- Milestone service account
- Trusted domain user
© 2018 Milestone Systems A/S