===== LISA must be running as a service user in order to generate API keys =====

==== Summary ====

From Lime CRM 12.22 it's possible to create API users and generate API keys. If you have LISA running as the Local System account you, need to either use limefu to generate API keys, or you need to change the service account for LISA.

==== Symptoms ====

When you attempt to generate an API key in LISA, you'll get an error. On the server, you'll get something similar to the following if you look in Windows Event Log:

<code>
Limefu output: 
stdout:
stderr:
<long, scary, error message>
  ...

sqlalchemy.exc.DBAPIError: (pyodbc.Error) ('28000', "[28000] [Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'WORKGROUP\\SOMEACCOUNT$'. (18456) (SQLDriverConnect)")
</code>

==== Resolution ====

There are two resolutions for this.

1. The simplest solution is to use LISA to create and configure API users, and then use limefu for the API key generation only.

2. Another solution, which involves a bit more restrictions but allows an admin to configure everything in LISA, is to configure LISA to run as the same service account as, for instance Lime CRM Web Server.

=== Generate API keys with limefu ===

Create your API user in LISA as normal and configure its group memberships as normal. To generate an API key for it:

  * On the server where Lime CRM is running, start the Lime command line console
  * Run the following command

<code>
(lime) C:\> limefu users generate-api-key -a "<lime application>" -u "<apiusername>"
</code>

=== Configure LISA to run as the same user as the other Lime CRM services ===

**This is only feasible if you don't use LISA for configuring the Lime CRM Web service or viewing event logs etc.**

In the service manager, configure the service "Lime CRM Server Administration" to run as the service user.

=== Allow LISA to listen to traffic on port 5472 ===

You have to bind the service user to LISA's port in order for LISA to be able to receive requests.

== Delete the previous binding (may not be necessary) ==

Open a command prompt and run the following command:

<code>
netsh http delete urlacl url=http://+:5472/
</code>

== Bind the service user ==

Open a command prompt and run the following command:

<code>
netsh http add urlacl url=http://+:5472/ user=<service-account>
</code>