Deployment Guide for Windows Authentication

Updated 5 months ago by Niall Clifford

With the latest release of Maximizer on-premise, Windows Authentication is no longer supported! Authentication is now provided using Single Sign-On (SSO) with SAML2. Please contact your Business Partner or Maximizer Customer Experience for more information.

If you are planning on using Windows Authentication for security, this guide will help you with the new configuration required with Maximizer CRM.

This deployment guide applies only to Maximizer CRM Enterprise version 2020.
The SQL Server and Application Server must be on the domain. The IIS Server must either be on your domain or be in at least a one-way trust with your domain.

 

There are 4 users required for this to work: 

  1. A user with full administrative rights and sysadmin rights on the SQL Server, Application Server and IIS Server

You need a domain user that is a member of the local Administrators group on all servers involved in the application. This is for installation purposes and running the Windows Administrator module. We suggest you use Windows Authentication Mapping in your databases as the MASTER user.

  2. A user that will be used for the two IIS application pools and will be a login on the SQL Server

A domain user that will be used for the two IIS application pools and that has the same rights on the IIS Server as those two pools have. The user needs to be a member of the local IIS_IUSRS group and have full rights to the “..\Maximizer\Portals” folder and sub-directories and the “..\Maximizer\Campaign Manager” folder and sub-directories. This user should also be added as a login to the SQL Server. We suggest this user be called MaxIIS. You will be mapping this user as dbo on all the Maximizer databases, including the MaConfig database. This domain user needs to be mapped to the WEBUSER in your databases in the Windows Authentication tab.

  3. A user to run the Maximizer Service Bus, with full rights on the IIS Server and a login on the SQL Server

This domain user must be added with full rights to the IIS machine and as a login on the SQL Server. The user needs to be a member of IIS_IUSRS and have full rights to all Maximizer folders. We suggest this user be called MaxSvcBus. You will be mapping this user as dbo on all the Maximizer databases, including the MaConfig database. You will also be setting the Windows Authentication Mapping in your Maximizer databases as the user you have set up for Notifications in your databases (typically called NOTIFYSRV).

  4. A user that will be used for the Email Service that is part of the IIS_IUSRS Group on the IIS Server and is a login on the SQL Server

This domain user must have full rights on the Maximizer Application Server, be part of the IIS_IUSRS group on the IIS Server and be a login on the SQL Server. Additionally, this user should be the same user that the Email Service uses to log in to SMTP, so that email relaying works properly, and it needs to be mapped to the EMAILUSER in your databases in the Windows Authentication tab. We suggest you call this user MaxEmail. Of course, this may need to be something else if you already have an account you use for Maximizer email. This user will need to be mapped as dbo to all Maximizer databases, including MaConfig.

 

All the users should be created and have their rights set before installation can begin.

 

SQL Server 

All four of the users above need to be added as logins to the SQL Server. The Administrator user mentioned above needs sysadmin rights on the SQL Server so that the installation runs correctly and can set up everything required on SQL Server.

 

As for the other 3 logins, after the Application Server installation you will need to add them as users, as dbo, to the MaConfig database and all your Maximizer databases so they can work with them. Remember to do this after creating new Maximizer databases as well.
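To confirm the mappings described above, and to re-check them after each new database is created, the following added example (not part of the original guide or of Maximizer) reports, per database, whether each service login exists and holds owner rights. The server name, domain and second database name are placeholders, and reading "mapped as dbo" as "is the database owner or a member of db_owner" is an assumption.

```powershell
# Added example (not vendor code). Run as the administrative (sysadmin) domain user.
$server    = 'SQL01'                            # ASSUMPTION: placeholder SQL Server name
$databases = 'MaConfig', 'ExampleAddressBook'   # second name is a placeholder for your databases
$logins    = 'EXAMPLE\MaxIIS', 'EXAMPLE\MaxSvcBus', 'EXAMPLE\MaxEmail'   # placeholder domain

# ASSUMPTION: "mapped as dbo" is read as "is the database owner or a db_owner member"
$query = @'
SELECT dp.name AS DbUser,
       CASE WHEN dp.principal_id IS NULL THEN 0
            WHEN dp.name = 'dbo' OR IS_ROLEMEMBER('db_owner', dp.name) = 1 THEN 1
            ELSE 0 END AS OwnerRights
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.name = @login
'@

$report = foreach ($db in $databases) {
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$server;Database=$db;Integrated Security=SSPI"
    $conn.Open()
    try {
        foreach ($login in $logins) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $query
            [void]$cmd.Parameters.AddWithValue('@login', $login)   # parameterized, never concatenated
            $reader = $cmd.ExecuteReader()
            $found  = $reader.Read()                               # no row = login missing on the server
            [pscustomobject]@{
                Database    = $db
                Login       = $login
                LoginExists = $found
                DbUser      = if ($found) { "$($reader['DbUser'])" } else { '' }
                OwnerRights = $found -and [bool]($reader['OwnerRights'])
            }
            $reader.Close()
        }
    } finally { $conn.Dispose() }
}
$report | Format-Table -AutoSize
```

Any row with LoginExists or OwnerRights set to False points at a login or mapping that still has to be created.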

 

Application Server Installation

 

  1. Connect to the SQL Server with Windows Authentication as the Administrative User mentioned above in [1].
  2. When asked, use the Email Service user that was created/chosen above.
  3. Use the same user from the Email Service for the SMTP Server login credentials if you want email relaying to work properly.

 

IIS Server Installation

Connect to SQL Server with Windows Authentication as the Administrative User mentioned above.

Use the correct user for the Maximizer Service Bus Controller when prompted. This user must be created according to the instructions listed above.

We recommend setting up Maximizer to use SSL when configuring Windows Authentication. Doing so will provide an added layer of security to your Maximizer installation. Both SSL and non-SSL options are listed below.

  1. Connect to the SQL Server with Windows Authentication as the Administrative User mentioned above.
  2. When asked, use the Maximizer Service Bus user created above.
  3. Take note if you choose to use an SSL or non-SSL setup during the install as you will have to configure some files differently depending on which is chosen.
  4. When the installation is complete, open the IIS Manager and go to Application Pools.
  5. Click on the Maximizer 64bit Application Pool and on the right, under Edit Application Pool, click Advanced Settings.
  6. Under Process Model find Identity and click on the ellipses beside the Application Pool Identity.
  7. Select Custom Account and set the username prefixed with domain name and password to the one created above for the IIS User.
  8. Click OK to save this change and OK to the Advanced Settings dialog to close it.
  9. Repeat steps 4 to 7 for the Maximizer 32bit Application Pool.
  10. Still in the IIS Manager go to the Campaign website.
  11. Under IIS on the right open Authentication.
  12. Right-click on Anonymous and choose Enabled.
  13. Right-click on Anonymous again and choose Edit.
  14. Change Anonymous User Identity to Application Pool Identity and click OK.
  15. Right-click on ASP.NET Impersonation and choose Enabled. If you get an error when doing this, do the following:
    1. In File Explorer, browse to the ..\Maximizer\Campaign Manager\Statistics folder.
    2. Right-click the web.config file and choose Properties.
    3. Check the Attributes and uncheck Read-only then click OK. You should be able to enable ASP.NET Impersonation now.
  16. Right-click on ASP.NET Impersonation and choose Edit…
  17. Make sure Specific User is selected and click Set…
  18. Set the username prefixed with domain name and password to the one created above for the Email Service User then press OK.
  19. Press OK to save these changes.
  20. Right-click on Windows Authentication and choose Disable.
  21. Continuing in the IIS Manager go to the MaximizerWebAuthentication website.
  22. Under IIS on the right, open Authentication.
  23. Right-click on Anonymous and choose Edit…
  24. Set Anonymous User Identity to Application Pool Identity and click OK.
  25. Right-click on ASP.NET Impersonation and choose Enable.
  26. Leave Windows Authentication enabled.

 

You will need to add all domain users that will be logging in to Maximizer to the IIS Server's local IIS_IUSRS group. This can be done individually, or by adding an existing domain group containing the domain users you want to be able to log in to Maximizer.
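The IIS steps above leave several identity and authentication settings that are easy to get wrong by hand. The following added example (not part of the original guide or of Maximizer) reads them back on the IIS Server and compares them with what steps 4 to 26 specify. The parent site name, the exact pool names, the EXAMPLE domain and the assumption that Campaign and MaximizerWebAuthentication are applications under that site are placeholders; the group check covers direct membership only.

```powershell
# Added example (not vendor code). Values marked ASSUMPTION are placeholders to adjust.
Import-Module WebAdministration

$site      = 'Default Web Site'                  # ASSUMPTION: site hosting both applications
$pools     = 'Maximizer 64bit Application Pool',
             'Maximizer 32bit Application Pool'  # ASSUMPTION: exact pool names in your IIS
$iisUser   = 'EXAMPLE\MaxIIS'                    # ASSUMPTION: placeholder domain
$svcUser   = 'EXAMPLE\MaxSvcBus'                 # ASSUMPTION: placeholder domain
$emailUser = 'EXAMPLE\MaxEmail'                  # ASSUMPTION: placeholder domain
$auth      = '/system.webServer/security/authentication'
$results   = New-Object System.Collections.Generic.List[object]

function Get-Setting($App, $Filter, $Name) {
    # Effective value at the application's path (applicationHost.config merged with web.config)
    $p = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$App" -Filter $Filter -Name $Name
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}
function Add-Check($Check, $Expected, $Actual) {
    $results.Add([pscustomobject]@{
        Check = $Check; Expected = "$Expected"; Actual = "$Actual"; Pass = ("$Actual" -eq "$Expected")
    })
}

foreach ($pool in $pools) {                      # steps 4-9: custom account on both pools
    $pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
    Add-Check "$pool identity type" 'SpecificUser' $pm.identityType
    Add-Check "$pool user"          $iisUser       $pm.userName
}
$c = 'Campaign'                                  # steps 10-20
Add-Check "$c anonymous enabled"     $true      (Get-Setting $c "$auth/anonymousAuthentication" enabled)
Add-Check "$c anonymous user (empty = pool identity)" '' (Get-Setting $c "$auth/anonymousAuthentication" userName)
Add-Check "$c impersonation enabled" $true      (Get-Setting $c '/system.web/identity' impersonate)
Add-Check "$c impersonation user"    $emailUser (Get-Setting $c '/system.web/identity' userName)
Add-Check "$c Windows auth enabled"  $false     (Get-Setting $c "$auth/windowsAuthentication" enabled)
$w = 'MaximizerWebAuthentication'                # steps 21-26
Add-Check "$w anonymous user (empty = pool identity)" '' (Get-Setting $w "$auth/anonymousAuthentication" userName)
Add-Check "$w impersonation enabled" $true      (Get-Setting $w '/system.web/identity' impersonate)
Add-Check "$w Windows auth enabled"  $true      (Get-Setting $w "$auth/windowsAuthentication" enabled)

# Direct members of the local IIS_IUSRS group (accounts added through a domain group will not match)
$members = @(Get-LocalGroupMember -Group 'IIS_IUSRS').Name
foreach ($u in $iisUser, $svcUser, $emailUser) { Add-Check "$u in IIS_IUSRS" $true ($members -contains $u) }

$results | Format-Table -AutoSize -Wrap
```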

 

If you are NOT using SSL for IIS, do the following on the IIS Server (not recommended):

  1. Go to the ..\Maximizer\Portals\Employee\Feeds\Services folder.
    1. Delete the existing web.config file.
    2. Rename the Web_win.config.bak to web.config.
  2. Go to the ..\Maximizer\Portals\Employee\Services\OutlookSync folder.
    1. Delete the existing web.config file.
    2. Rename the Web_win.config.bak to web.config.
  3. Go to the ..\Maximizer\Portals\MaximizerWebData folder.
    1. Delete the existing web.config file.
    2. Rename the Web_win.config.bak to web.config.
  4. Recycle the Maximizer 64-bit Application Pool and the Maximizer 32-bit Application Pool.
  5. Go to the ..\Maximizer\Notification Service folder.
    1. Delete the Maximizer.ServiceBus.Controller.exe.config file.
    2. Rename the Maximizer.ServiceBus.Controller.exe_win.config.bak file to Maximizer.ServiceBus.Controller.exe.config.
  6. Re-start the Maximizer Service Bus.

 

If you ARE using SSL for IIS, do the following on the IIS Server (recommended):

  1. Go to the ..\Maximizer\Portals\Employee\Feeds\Services folder.
    1. Delete the existing web.config file.
    2. Rename the web_win_ssl.config.bak to web.config.
  2. Go to the ..\Maximizer\Portals\Employee\Services\OutlookSync folder.
    1. Delete the web.config file.
    2. Rename the web_win_ssl.config.bak file to web.config.
  3. Go to the ..\Maximizer\Portals\Employee folder.
    1. Delete the existing web.config file.
    2. Rename the web_ssl.config.bak file to web.config.
  4. Go to the ..\Maximizer\Portals\MaximizerAdmin folder.
    1. Delete the existing web.config file.
    2. Rename the web_ssl.config.bak file to Web.config.
  5. Go to the “..\Maximizer\Portals\MaximizerWebData” folder.
    1. Delete the existing web.config file.
    2. Rename the web_win_ssl.config.bak to Web.config.
  6. Go to the “..\Maximizer\Portals\Wireless” folder.
    1. Delete the existing web.config file.
    2. Rename the web_ssl.config.bak file to Web.config.
  7. Recycle the Maximizer 64-bit Application Pool and the Maximizer 32-bit Application Pool.
  8. Go to the “..\Maximizer\Notification Service” folder.
    1. Delete the Maximizer.ServiceBus.Controller.exe.config file.
    2. Rename the Maximizer.ServiceBus.Controller.exe_win_ssl.config.bak file to Maximizer.ServiceBus.Controller.exe.config.
  9. Re-start the Maximizer Service Bus Controller.
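Both file-swap procedures above (non-SSL and SSL) can be scripted so that a missing template is caught before anything is changed. The following added example (not part of the original guide or of Maximizer) uses the folder and file names from the two lists; the function name, the -Root and -BackupDir parameters are hypothetical, and instead of deleting each live config file as the guide does, it moves the file to a backup folder so the change can be rolled back.

```powershell
# Added example (not vendor code). -Root is the Maximizer folder the guide writes as "..\Maximizer".
function Switch-MaximizerConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$BackupDir,   # keep this outside any web-served folder
        [switch]$Ssl
    )
    $web = 'web.config'
    $bus = 'Maximizer.ServiceBus.Controller.exe.config'
    # Folder, template to rename, live file name: transcribed from the two lists in the guide
    $plan = if ($Ssl) { @(
        @('Portals\Employee\Feeds\Services',       'web_win_ssl.config.bak', $web),
        @('Portals\Employee\Services\OutlookSync', 'web_win_ssl.config.bak', $web),
        @('Portals\Employee',                      'web_ssl.config.bak',     $web),
        @('Portals\MaximizerAdmin',                'web_ssl.config.bak',     $web),
        @('Portals\MaximizerWebData',              'web_win_ssl.config.bak', $web),
        @('Portals\Wireless',                      'web_ssl.config.bak',     $web),
        @('Notification Service', 'Maximizer.ServiceBus.Controller.exe_win_ssl.config.bak', $bus)
    ) } else { @(
        @('Portals\Employee\Feeds\Services',       'Web_win.config.bak', $web),
        @('Portals\Employee\Services\OutlookSync', 'Web_win.config.bak', $web),
        @('Portals\MaximizerWebData',              'Web_win.config.bak', $web),
        @('Notification Service', 'Maximizer.ServiceBus.Controller.exe_win.config.bak', $bus)
    ) }

    # Check every template first so a missing file cannot leave a half-switched install
    $missing = $plan | ForEach-Object { Join-Path $Root (Join-Path $_[0] $_[1]) } |
               Where-Object { -not (Test-Path -LiteralPath $_) }
    if ($missing) { throw "Template file(s) not found: $($missing -join ', ')" }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($step in $plan) {
        $dir  = Join-Path $Root $step[0]
        $live = Join-Path $dir $step[2]
        if (-not $PSCmdlet.ShouldProcess($live, "replace with $($step[1])")) { continue }
        if (Test-Path -LiteralPath $live) {
            # The guide deletes this file; moving it aside instead keeps a rollback copy
            $tag = $step[0] -replace '[\\ ]', '_'
            Move-Item -LiteralPath $live -Destination (Join-Path $BackupDir "$stamp-$tag-$($step[2])")
        }
        Rename-Item -LiteralPath (Join-Path $dir $step[1]) -NewName $step[2]
    }
}
```

Run it with -WhatIf first to preview the changes. Recycling the two application pools and restarting the Maximizer Service Bus remain manual steps, as listed in the guide.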

 

If you are new to Maximizer and have installed with Windows Authentication Settings and are ready to create a Maximizer database, you should do the following:

  1. Making sure to be logged into the Application Server as the domain user you installed with, launch the Maximizer CRM Administrator for Windows module. (Found under the Maximizer CRM program group)
  2. When presented with the Open Address Book dialog click the Cancel button.
  3. Click File > New Address Book…
  4. If necessary, change the Database Server field to your SQL server's name and click Next.
  5. Change Connect Using to Windows Authentication and click Next.
  6. Type in a name for your database in the Address Book Name field and click Next.
  7. Click the Start button to start the process of the database getting created.
  8. When the process completes, click Close.
  9. When you get control back, click File > Open Address Book…
  10. Select your new Address Book and click Open. The Address Book will now be open in the Administrator module.

 

If you are new to Maximizer, or if this was an upgrade from a previous version of Maximizer CRM, be sure of the following before proceeding:

  1. You have mapped the 4 system accounts to both the MaConfig and other Maximizer databases
  2. You have configured your IIS Server as mentioned above

 

If you are upgrading from a previous version of Maximizer CRM where SQL Authentication was enabled, and you have now installed Maximizer CRM with Windows Authentication, there are some additional steps you need to do:

 

  1. Run the following query against the MaConfig database:

UPDATE MaConfig SET eValue = 'yes' WHERE eKey = 'USE_NT_AUTHENTICATION'

  2. For every database you intend to now use with Windows Authentication you need to do the following. This is required so you can log in as MASTER with Windows Authentication:
    1. Open the Maximizer CRM Administrator module for Windows. (Found under the Maximizer CRM program group)
    2. Cancel any attempt to login to an Address Book if it comes up.
    3. Click File > Open Address Book…
    4. Select the Address Book you want to login to with Windows Authentication and click Remove.
    5. Click Yes to remove the Address Book from the list. This will not delete your database.
    6. Click Close to close the Open Address Book dialog.
    7. Click File > New Address Book…
    8. If necessary, change the Database Server field to your SQL server's name and click Next.
    9. Change Connect Using to Windows Authentication and click Next.
    10. Change Target action to Employ an existing Maximizer database.
    11. In the Database name drop-down, pick the database you just removed and click Next.
    12. Click the Start button to start the process of re-deploying the database with Windows Authentication.
    13. When the process completes, click Close.
    14. When you get control back, click File > Open Address Book…
    15. Select your re-deployed Address Book and click Open. The Address Book will now be open in the Administrator module.
    16. Repeat these steps for any additional Maximizer Address Books you want to open with Windows Authentication.

You should be able to log in to Web Access at this time with the domain user you mapped to the MASTER Maximizer user.

 

At this time, you should ensure you have mapped your domain Service users to the correct Maximizer Users. Do the following:

  1. Login to the database you are working on in the Maximizer CRM Web Administrator.
  2. Click on the Users link in the navigation panel.
  3. Click on the EMAILUSER user.
  4. Click on the Windows Authentication tab.
  5. If the domain user you are using for the Maximizer Email Service is not here already, do the following:
    1. Click Add.
    2. In the Corresponding Windows user name field, type in the domain user's name for the Email Service in the following format: <Domain Name>\Username
    3. Turn on the checkbox Enabled and click Save.
    4. Click Save to save this change.
    5. Repeat sub-steps 1 through 4 above for the WEBUSER user to map the IIS domain user account and for the NOTIFYSRV user to map the Maximizer Service Bus domain user account.

 

If you are new to Maximizer or upgraded from a version on SQL Authentication, you should also use sub-steps 1 through 4 above to map domain users to their corresponding Maximizer users. This is required before those users can successfully log in to the database.

