Here is the situation:
We are using a domain service account (domainX\A) that runs our service on a Windows 2003 machine and has a lot of permissions. For that reason, we cannot get hold of the password.
We are given the password of a domain application account (domainX\B) that we should use to connect to the database with. No problem, until we let the service account (domainX\A) do an impersonation to set up the connection using Windows Integrated Security with account domainX\B. We discovered that we manage to get it working when we make domainX\B a member of the local admin group, which is something we are not allowed to do. We are not allowed to log on to the machine using that account.
So the question is: what permissions should we set/use/give to the domain application account domainX\B to get this impersonation working, without risking that people who know the password for that domainX\B account can do anything on the machine (that is, logging on to it, both at the console and using RDP)? Or is this not possible at all, as a result of the strict security policies within our company?
I would really like to know if you guys have a solution for me ...
Hope to hear from you soon ...
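Added example, not part of the original post: one way to have the service (running as domainX\A) use domainX\B's credentials only for the outbound Integrated Security connection, via LogonUser with LOGON32_LOGON_NEW_CREDENTIALS. With this logon type no local logon session is created for B, so B needs no local logon right or admin membership on the machine, and "Deny log on locally" / "Deny log on through Terminal Services" can stay applied to B. The server name, database name and password placeholder are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

class NetOnlyImpersonation
{
    // Clone the caller's token (domainX\A stays the local identity) and
    // use the supplied credentials only for outbound network authentication.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static void Main()
    {
        IntPtr token;
        // Placeholder password: read it from protected configuration in practice.
        if (!LogonUser("B", "domainX", "<password-of-B>",
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // Inside this scope, SSPI authenticates to the database as domainX\B,
            // while local file and registry access still happens as domainX\A.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            // Assumed server/database names.
            using (SqlConnection conn = new SqlConnection(
                "Data Source=dbserver;Initial Catalog=appdb;Integrated Security=SSPI"))
            {
                conn.Open();
                using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                    Console.WriteLine("Connected to SQL Server as: " + cmd.ExecuteScalar());
            }
        }
        finally
        {
            CloseHandle(token); // always release the logon token
        }
    }
}
```

The SUSER_SNAME() query is only there to confirm which account the database sees; the credentials are not validated until the first network authentication, so a wrong password surfaces at conn.Open(), not at LogonUser.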