

Domain Trusts in Multiforest Commerce Deployment

A secure commerce deployment requires the establishment of security boundaries between commerce tiers and environments. This topic provides information to help you plan domain trust relationships across forests for a secure Microsoft Commerce Server 2009 R2 distributed deployment. It also provides information about the AzMan privileges and database roles required for domain service accounts in two-tier and three-tier Commerce Server 2009 R2 deployment topologies.

The planning of identity infrastructure and the overall design of your domain services architecture is outside the scope of this topic. Refer to your domain services product documentation for this type of information.

This topic contains the following subsections:

  • Domain Trust for a Two-Tier Commerce Deployment in a Two Forests Topology

  • Domain Trusts for a Three-Tier Commerce Deployment in a Three Forests Topology

Domain Trust for a Two-Tier Commerce Deployment in a Two Forests Topology

In a secure two-tier Commerce Server 2009 R2 deployment topology, the presentation tier and the data tier must be separated by a security boundary, forming two distinct forests: a Web forest and a data forest. A one-way trust must be explicitly established between the Web domain (the trusting domain) and the data domain (the trusted domain), so that the required service identities defined in the data domain are trusted in the Web domain.

Important Note:

Single forest deployment is not a recommended scenario because it does not provide the security boundaries required for a secure commerce deployment. In the production environment of a two-tier Commerce Server 2009 R2 deployment, the data tier must be separated from the presentation tier by a forest boundary.

The following table shows an example of domain accounts required in a two forests topology for a two-tier secure commerce deployment. This example assumes that the Silverlight-based Business Management Applications are deployed on the default (Internal-facing) zone of a Microsoft SharePoint 2010 commerce Web site.

Note

The information in this table assumes that a SharePoint 2010 administrator account already exists in the presentation tier.

Domain Accounts in a Secure Two-Tier Commerce Deployment - Two Forests Topology

In a secure commerce deployment that uses claims-based security such as SharePoint 2010, we recommend that the STS identity be part of the application tier domain. The STS identity does not need to belong to the administrator group.

Domain account: <DataTierDomain>\<CommerceWebAppPoolUser>
AzMan permissions:

  • ProfileAuthorizationStore: ProfileAdministrator

  • OrdersAuthorizationStore: OrdersAdministrator

  • CatalogAuthorizationStore: InventoryViewer

Domain account: <ApplicationTierDomain>\<STSSvc>
AzMan permissions:

  • CommerceEntityAuthorizationStore: CommerceQueryOperations

  • ProfileAuthorizationStore: ProfileAdministrator

Domain account: <DataTierDomain>\<RoutingSvc>
AzMan permissions:

  • CatalogAuthorizationStore: Administrator

Note: The routing service identity impersonates Commerce Server Business Administration Ribbon users. The permissions listed above are used with the Solution Storefront; customized business management applications may require different AzMan permissions.

For a description of the accounts, see What Are the Required Accounts and Groups?

Domain Trusts for a Three-Tier Commerce Deployment in a Three Forests Topology

In a three-tier Commerce Server 2009 R2 deployment where each tier constitutes a distinct forest (a Web forest for the presentation tier, an application forest for the application tier, and a data forest for the data tier), the following trust relationships must be established to allow the required flow of identity across domains:

  • A one-way trust must be established between the presentation tier forest (the trusting domain) and the application tier forest (the trusted domain).

  • A one-way trust or a two-way trust can be established between the application tier forest and the data tier forest, depending on which domain account is used on the application tier:

      • A two-way trust between the application tier domain and the data tier domain allows the application to run using its own domain account, such as an application domain account.

      • A one-way trust, in which the application tier domain (the trusting domain) trusts the data tier domain (the trusted domain), is sufficient if the application runs with a domain account from the data domain.
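The trust requirements for both topologies above reduce to a small table of expected partner forests and trust directions as seen from each tier. The following PowerShell script is an added example, not code from the Commerce Server documentation; it verifies that table against the trusts Active Directory actually reports, using the ActiveDirectory module's Get-ADTrust cmdlet. The domain names, and the Test-CommerceTrust function name, are constructed placeholders.

```powershell
# Added example, not part of the Commerce Server documentation: check that the
# trusts a tier expects are present with the expected direction and that they
# are forest trusts. Run it on a domain controller or an RSAT host joined to
# the domain being checked. Requires the ActiveDirectory module.
# Direction is expressed from the local domain's point of view:
#   Outbound      = the local domain trusts the target (local = trusting domain)
#   Inbound       = the target trusts the local domain (local = trusted domain)
#   BiDirectional = two-way trust
Import-Module ActiveDirectory

function Test-CommerceTrust {
    param(
        # Hashtable: partner forest DNS name -> expected direction string.
        [Parameter(Mandatory)] [hashtable] $ExpectedTrusts
    )
    $actual = @(Get-ADTrust -Filter *)

    $results = @(foreach ($target in $ExpectedTrusts.Keys) {
        $expected = $ExpectedTrusts[$target]
        $trust = $actual | Where-Object { $_.Target -eq $target } | Select-Object -First 1
        if ($null -eq $trust) {
            [pscustomobject]@{
                Target = $target; Expected = $expected; Actual = '(missing)'
                ForestTrust = $false; SelectiveAuthentication = $null; Ok = $false
            }
            continue
        }
        [pscustomobject]@{
            Target                  = $target
            Expected                = $expected
            Actual                  = [string]$trust.Direction
            ForestTrust             = [bool]$trust.ForestTransitive
            SelectiveAuthentication = [bool]$trust.SelectiveAuthentication
            # The topology is only enforced if the direction matches AND the
            # trust is a forest trust (the tiers are separate forests).
            Ok = ([string]$trust.Direction -eq $expected) -and [bool]$trust.ForestTransitive
        }
    })

    # Any external trust that is not in the expected table widens the security
    # boundary the topology is meant to enforce, so report it as a failure.
    # Trusts between domains of the same forest are excluded.
    $unexpected = $actual | Where-Object {
        (-not $_.IntraForest) -and ($ExpectedTrusts.Keys -notcontains $_.Target)
    }
    foreach ($t in $unexpected) {
        $results += [pscustomobject]@{
            Target = $t.Target; Expected = '(none)'; Actual = [string]$t.Direction
            ForestTrust = [bool]$t.ForestTransitive
            SelectiveAuthentication = [bool]$t.SelectiveAuthentication; Ok = $false
        }
    }
    $results
}

# Two-tier topology, run inside the Web domain (constructed forest names): the
# Web domain is the trusting domain, so its trust to the data forest is Outbound.
Test-CommerceTrust -ExpectedTrusts @{ 'data.example.local' = 'Outbound' } |
    Format-Table -AutoSize

# Three-tier topology, run inside the application domain, for the variant in
# which the application tier runs under its own domain account (two-way trust
# to the data forest). The presentation tier trusts the application tier, so
# that trust appears here as Inbound.
Test-CommerceTrust -ExpectedTrusts @{
    'web.example.local'  = 'Inbound'
    'data.example.local' = 'BiDirectional'
} | Format-Table -AutoSize
```

Run the script once per tier with the expectation table for that tier; a row with Ok = False is either a missing or mis-directed trust, a trust that is not a forest trust, or an extra external trust that the topology does not call for. The SelectiveAuthentication column is reported for review only; the documentation above does not require it.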

Domain Accounts for a Secure Three-Tier Commerce Deployment in a Three Forests Topology

In a secure commerce deployment that uses claims-based security such as SharePoint 2010, we recommend that the STS identity be part of the application tier domain where the Commerce Foundation is hosted.

Domain account: <ApplicationTierDomain>\<STSSvc>
AzMan permissions:

  • CommerceEntityAuthorizationStore: CommerceQueryOperations

  • ProfileAuthorizationStore: ProfileAdministrator

Domain account: <ApplicationTierDomain>\<CommerceAppPoolUser>
Note: This identity must be a SharePoint 2010 managed account.
AzMan permissions:

  • OrdersAuthorizationStore: OrdersAdministrator

  • CatalogAuthorizationStore: InventoryViewer

Domain account: <DataTierDomain>\<FoundationSvc>
Note: Identity used by the operation service.
AzMan permissions:

  • ProfileAuthorizationStore: ProfileAdministrator

  • CatalogAuthorizationStore: Administrator

  • OrdersAuthorizationStore: OrdersAdministrator

Domain account: <ApplicationTierDomain>\<RoutingSvc>
Note: Only required on the internal zone.
AzMan permissions:

  • CatalogAuthorizationStore: Administrator

Note: The Routing Service identity impersonates Commerce Server Business Administration Ribbon users. The permissions listed above are used with the Solution Storefront; customized business management applications may require different AzMan permissions.
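The two tables above are, in effect, an account-to-role matrix per AzMan store. The following PowerShell script is an added example, not code from the Commerce Server documentation; it reads the role memberships of an AzMan XML store through the AzRoles COM object model and checks them against that matrix, both that each listed account holds only its listed role and that no account outside the list holds any role. The store path, the application-tier and data-tier domain names, the account names and the function names are constructed placeholders; the role names come from the three-tier table above.

```powershell
# Added example, not part of the Commerce Server documentation: enumerate role
# members of a Commerce Server AzMan XML store (AzRoles COM API) and compare
# them with the expected account -> role mapping. Paths and account names are
# constructed placeholders.
function Get-AzManRoleMember {
    param([Parameter(Mandatory)] [string] $StorePath)
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    # Flags 0 = open an existing store; msxml:// is the URL scheme for XML stores.
    $store.Initialize(0, "msxml://$StorePath", $null)
    foreach ($app in $store.Applications) {
        foreach ($role in $app.Roles) {
            # MembersName resolves the stored SIDs to DOMAIN\account strings.
            foreach ($member in @($role.MembersName)) {
                [pscustomobject]@{ Application = $app.Name; Role = $role.Name; Member = $member }
            }
        }
    }
}

function Test-AzManRoleAssignment {
    param(
        [Parameter(Mandatory)] [string] $StorePath,
        # Expected 'DOMAIN\account' -> role name for this store.
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $members = @(Get-AzManRoleMember -StorePath $StorePath)

    # 1. Every expected account holds exactly the one role the table requires.
    foreach ($account in $Expected.Keys) {
        $held = @($members | Where-Object { $_.Member -eq $account } |
                 Select-Object -ExpandProperty Role)
        [pscustomobject]@{
            Account  = $account
            Expected = $Expected[$account]
            Held     = ($held -join ', ')
            Ok       = ($held.Count -eq 1 -and $held[0] -eq $Expected[$account])
        }
    }

    # 2. Nobody outside the expected list holds any role in this store
    #    (least-privilege check); each such membership is reported for review.
    foreach ($m in $members | Where-Object { $Expected.Keys -notcontains $_.Member }) {
        [pscustomobject]@{ Account = $m.Member; Expected = '(none)'; Held = $m.Role; Ok = $false }
    }
}

# Three-tier example for the catalog store, using the roles from the table
# above and constructed domain and account names.
Test-AzManRoleAssignment -StorePath 'C:\CommerceStores\CatalogAuthorizationStore.xml' -Expected @{
    'DATATIER\FoundationSvc'      = 'Administrator'
    'APPTIER\RoutingSvc'          = 'Administrator'
    'APPTIER\CommerceAppPoolUser' = 'InventoryViewer'
} | Format-Table -AutoSize
```

Run the check once per store with the expected mapping for that store; the account must be resolvable from the machine where the script runs, which is itself a useful confirmation that the trusts described above are in place. A row with Expected = (none) is a membership the table does not account for and should be explained or removed.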

See Also

Other Resources

What Are the Required Accounts and Groups?