Configure Devolutions Server to use domain single sign-on (SSO)

For domain single sign-on (SSO) to be used to connect to the database, you must set the application pool to run under a domain account. The Devolutions Server must also be a member of the domain.

To make the process easy to follow, we will name the domain account "VaultDBRunner". Adapt this to your requirements.

  1. Create the VaultDBRunner account in the domain.

  2. Grant access to the SQL Server instance to VaultDBRunner.

  3. Grant access to the database to VaultDBRunner.

  4. In IIS Manager, expand the Application Pools section and locate the application pool used by your Devolutions Server site. By default, it has the same name as the web application.

  5. In the Advanced Settings of the application pool, edit the Identity setting to use the VaultDBRunner account.

    Application pools – Advanced Settings – Identity

    In some cases, the UPN format must be used for the username (username@domain.xyz) instead of the NETBIOS format (domain\username).

  6. Once the account is set as the application pool identity, you can grant least permissions with the Apply Least Permissions option for the Scheduler Service and Web Application sections. It is also possible to generate the least permissions SQL queries and run them manually on the SQL Server. See Generate script for database permissions.

    Edit – Database – Advanced Credentials – Apply Least Permissions

  7. In the Devolutions Server web interface, go to Administration – Server settings – Authentication and Enable domain single sign-on (SSO). Save your changes.

    Enable domain single sign-on (SSO) in Devolutions Server

  8. In Remote Desktop Manager, go to File – Data Sources and edit your Devolutions Server data source to enable the Use domain single sign-on (SSO) option.

    Use domain single sign-on (SSO) in Remote Desktop Manager
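
Steps 1 to 5 can also be scripted. The PowerShell below is an added example, not part of the Devolutions documentation. The domain, SQL Server instance, database and application pool names are placeholders. It assumes the ActiveDirectory, SqlServer and WebAdministration modules are installed on the machine hosting Devolutions Server and that it is run by an operator with rights in the domain, on the SQL Server instance and in IIS.

```powershell
#Requires -Modules ActiveDirectory, SqlServer, WebAdministration
# Added example. All names below except VaultDBRunner are placeholders.
$Domain      = 'CONTOSO'            # placeholder NetBIOS domain name
$Account     = 'VaultDBRunner'      # account name used on this page
$SqlInstance = 'SQL01'              # placeholder SQL Server instance
$Database    = 'DevolutionsServer'  # placeholder database name
$AppPool     = 'dvls'               # placeholder application pool name
$Principal   = "$Domain\$Account"

# Prompt for the password so it is never stored in the script or shell history.
$Password = Read-Host -AsSecureString -Prompt "Password for $Principal"

# Step 1: create the domain account.
New-ADUser -Name $Account -SamAccountName $Account `
    -AccountPassword $Password -Enabled $true

# Steps 2 and 3: create the Windows login and map it to a database user.
# No role or permission is granted here; step 6 (Apply Least Permissions)
# assigns the rights the account needs.
$Sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $Sql

# Steps 4 and 5: set the application pool identity to the domain account.
# IIS needs the clear-text password once; drop it from memory right after.
# If the NetBIOS form is rejected, use the UPN form (username@domain.xyz).
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 3                # 3 = SpecificUser
    userName     = $Principal
    password     = $Plain
}
Remove-Variable Plain
Restart-WebAppPool -Name $AppPool

# Check: the pool should now report the domain account as its identity.
$Current = (Get-ItemProperty "IIS:\AppPools\$AppPool").processModel.userName
if ($Current -ne $Principal) {
    Write-Warning "Application pool identity is '$Current', expected '$Principal'."
}
```

Steps 6 to 8 are still done in the Devolutions Server Console, the web interface and Remote Desktop Manager as described above.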