Making openPDC and openHistorian services work with an AD account

Hello,

I’m trying to make the openPDC and openHistorian Windows services work with an AD account that would have the minimum permissions required (IT security rules). I’ve been able to create an AD account and then include it in the ‘openPDC Admins’ server local group. I then added the RWXD rights for this group to the openPDC folders and subfolders / files. When I launch the service, the openPDC Console shows the following error message:
Failed to initialize web hosting: Access is denied
I’ve tried to put the service account in the IIS_IUSRS local group without success.

Could you please tell me how to grant the permission of initializing this web hosting to this account?
My IT security department doesn’t want the AD account to be a member of the Administrators local group.

Thank you very much for your reply,
Have a nice day,
Regards.

Stephane.

EDIT:
I think I’ve found a solution by listing the local URL ACLs using the netsh http show urlacl command in PowerShell.
For each port listed, I ran the following two commands:

  • netsh http delete urlacl url=http://+:PORT_NUMBER/
  • netsh http add urlacl url="http://+:PORT_NUMBER/" user="HOSTNAME\openPDC Admins" listen=yes

The port numbers that I’ve identified this way are the following:

  • +:8280
  • +:5018
  • +:6452
  • +:6352
  • +:6152
  • +:6151
  • +:6051
  • +:6052

That enables all the accounts of the local group openPDC Admins to manage the openPDC service and makes it work without errors in the openPDC Manager Console.
Could you confirm that it’s the best way to do so and that the list of port numbers is complete?
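
An added example, not part of the original posts and not openPDC project code: a PowerShell script that audits the URL ACL reservations for the ports listed above and reports whether each one grants Listen to the expected group or to a broader principal. It assumes English-language netsh output and the group name from the post; the list of "broad" principals and the embedded sample output are constructed for illustration.

```powershell
# Added example: audit URL ACL reservations for the ports listed in the post.
# Assumes English-locale netsh output (the labels are localized on other systems).
param(
    [string[]]$Ports = @('8280','5018','6452','6352','6152','6151','6051','6052'),
    [string]$ExpectedGroup = 'openPDC Admins',   # local group named in the post
    [string[]]$NetshOutput                       # optional: saved output lines for offline review
)

# Constructed sample, used only when netsh is unavailable and no input is supplied.
$sample = @'
    Reserved URL            : http://+:8280/
        User: HOSTNAME\openPDC Admins
            Listen: Yes
            Delegate: No
    Reserved URL            : http://+:6152/
        User: \Everyone
            Listen: Yes
            Delegate: No
'@ -split "`r?`n"

function Get-UrlAclReservation {
    param([string[]]$Lines)
    $url = $null; $user = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') { $url = $Matches[1]; $user = $null }
        elseif ($line -match '^\s*User:\s*(.+?)\s*$') { $user = $Matches[1] }
        elseif ($line -match '^\s*Listen:\s*(\w+)' -and $url -and $user) {
            # One object per (URL, principal) pair; a URL can list several principals.
            [pscustomobject]@{ Url = $url; User = $user; Listen = ($Matches[1] -eq 'Yes') }
        }
    }
}

if (-not $NetshOutput) {
    $NetshOutput = if (Get-Command netsh.exe -ErrorAction SilentlyContinue) {
        netsh http show urlacl } else { $sample }
}
$acl = Get-UrlAclReservation -Lines $NetshOutput
$broad = 'Everyone', 'Users', 'Authenticated Users'   # assumption: wider than a dedicated group

foreach ($port in $Ports) {
    $entries = @($acl | Where-Object { $_.Url -match ":$port/" -and $_.Listen })
    $status = if (-not $entries) { 'NO RESERVATION' }
    elseif ($entries | Where-Object { ($_.User -split '\\')[-1] -in $broad }) { 'TOO BROAD' }
    elseif ($entries | Where-Object { $_.User -like "*\$ExpectedGroup" }) { 'OK' }
    else { 'OTHER PRINCIPAL' }
    [pscustomobject]@{ Port = $port; Status = $status; Users = ($entries.User -join '; ') }
}
```

Listing reservations with netsh http show urlacl only reads the ACLs, so the audit can be run without changing anything on the host.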

Hello,

I’m able to make the service work with a dedicated AD service account.
Topic closed.

Regards,

Stephane.