Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2
Last revised: 9/11/2013
Table of Contents
I. Introduction
   A. ASP.NET Website
   B. SQL Server Database
   C. Administrative Access
II. Prerequisites
   A. System Requirements Overview
   B. Additional Recommendations
   C. Beginning the Installation Process
   D. Installing IIS
      1. Windows 8 / 8.1
      2. Windows Server 2012
   E. Installing the .NET Framework 3.5
      1. For Windows 8
      2. Enabling the Feature using Server Manager (Windows Server 2012)
   F. Additional step if .NET was installed before IIS
   G. Installing and Configuring Microsoft SQL Server
      1. Installing Microsoft SQL Server
      2. Creating the SQL Server Database
      3. Creating the SQL Server User
III. Secret Server MSI
   A. Download the latest version of Secret Server
   B. Running the MSI
      1. Standard Option
      2. Advanced Option
      3. File Destination
      4. Application Name
      5. Completing Installation from Secret Server
IV. Completing Secret Server installation from website
V. Manual Installation - Creating Secret Server Website (No MSI)
   A. Installing as a Virtual Directory
   B. Installing as part of a Website
   C. Configuring the Pipeline
      1. Changing the Pipeline Mode
      2. Creating a New Application Pool
VI. Appendix
   A. Virtual Accounts
I. Introduction
A. ASP.NET Website
Secret Server is installed as an ASP.NET website. The MSI will set up the website with the correct
permissions and create the settings in IIS. Once the website is set up, the installation will be completed
by a 5 step process within the application itself.
B. SQL Server Database
Secret Server requires an instance of SQL Server for the database backend. The SQL Server database will
require a SQL account with dbOwner permission to complete the installation.
C. Administrative Access
You will need to be an administrator to perform most of the actions in this installation. Please ensure
that you are logged on to your system with an account that has Administrative permissions.
II. Prerequisites
NOTE: This is the installation guide for Windows Server 2012 and Windows 8 as well as Windows Server
2012 R2 and Windows 8.1. For other operating system installation guides, click here.
A. System Requirements Overview
1. One of the following operating systems:
   • Windows Server 2012
   • Windows Server 2012 R2
   • Windows 8 Pro
   • Windows 8.1 Pro
2. Microsoft SQL Server 2005 or 2008 or 2012 including R2 (any Edition).
3. Microsoft Internet Information Services (IIS) (Internal Part of Operating System)
4. Microsoft .NET Framework 3.5. Both 32-bit and 64-bit editions are supported.
WARNING: An important security update has been released for the Microsoft .NET Framework.
Please ensure that this update is installed on your server to ensure maximum security. For
further detail and how to obtain the patch, please click here.
B. Additional Recommendations
1. SSL enable your Secret Server.
2. Run Microsoft Update on your server to make sure all components are up to date.
C. Beginning the Installation Process
Components should be installed in this order.
1. Internet Information Services (IIS)
2. .NET Framework 3.5 SP1
3. SQL Server
4. Secret Server
D. Installing IIS
IIS is an internal part of the Microsoft Windows Operating System. Installing it will vary depending
on which version of the Operating System you are using.
1. Windows 8 / 8.1
1. Start by clicking the Start Screen, then “Computer”.
2. Click the “Computer” tab in the ribbon, then “Uninstall or change a program”.
3. On the left pane, click “Turn Windows Features on or off”.
A dialog should appear. It may take a moment or two for the system to load.
4. Expanding “Internet Information Services” > “World Wide Web Services” > “Application
Development Features” and checking “ASP.NET 3.5” will also check other needed
dependencies.
5. Expand “Common Http Features” and check the following:
a. Static Content (If this is not checked, images will not appear)
b. Default Document
6. Click “OK”. Windows will now install IIS.
7. IIS is now installed. Depending on your operating system, Windows may ask
you to restart your computer.
You can verify the installation of IIS by opening the Control Panel and clicking “Administrative Tools”.
An icon called “Internet Information Services” should now appear there.
We recommend you run Windows Update to get the latest security patches for IIS once you have IIS
installed.
2. Windows Server 2012 / R2
To install Internet Information Services on Windows Server 2012 / R2, you will give your server the
“Web Server (IIS)” role.
1. Begin by opening the Server Manager for your server, and under “Manage” click “Add Roles and
Features”.
2. Select “Role-based or feature-based installation”.
3. Select your target server from the Server Pool.
4. Select “Web Server (IIS)”.
A dialog may appear asking to confirm the required features. Click “Add Features” when
prompted.
5. Click “Next >”.
6. On the “Features” screen, you have the opportunity to install the .NET Framework 3.5. Check
“.NET Framework 3.5 Features”. .NET 3.5 is required for Secret Server to run.
7. When asked for the services of the Role you want to enable, select “ASP.NET 3.5” under
Application Development.
8. Checking “ASP.NET 3.5” will prompt you to automatically check other features needed to run
ASP.NET. Select “Add Features” to continue.
9. Also ensure that “Static Content”, “Default Document”, and “HTTP Errors” are selected under
“Common HTTP Features”.
10. Click “Next >”.
11. After confirming your installation, click “Install”. The installation will begin.
12. Once the installation is complete, a summary dialog will appear.
13. Click “Close”.
Your server is now configured to run Secret Server.
E. Installing the .NET Framework 3.5
For Windows 8 / 8.1, follow the steps in section 1. For Server 2012 / R2, you will need to enable the
Feature as detailed in section 2.
TIP: If you installed IIS in the instructions above, then the .NET Framework 3.5 should already be
installed.
TIP: If you haven’t installed IIS yet, we recommend completing that step first.
1. For Windows 8
1. Start by clicking the Start Screen, then “Computer”.
2. Click the “Computer” tab in the ribbon, then “Uninstall or change a program”.
3. On the left pane, click “Turn Windows Features on or off”.
4. Check “.NET Framework 3.5 (Includes .NET 2.0 and 3.0)”.
The Windows Communication Foundation Activation features are not required.
WARNING: Microsoft has released an update for the .NET Framework 3.5 which contains compatibility
fixes for applications running on previous versions of the .NET Framework. It is recommended that this
update is installed after the .NET Framework 3.5 has been installed.
It can be downloaded here: http://support.microsoft.com/kb/959209
2. Enabling the Feature using Server Manager (Windows Server 2012 / R2)
If you have not yet installed Internet Information Services, install Internet Information Services first. The
steps to install IIS also include the steps to install .NET Framework 3.5. If IIS is already installed, .NET
Framework 3.5 can be installed as follows.
1. Begin by opening the Server Manager.
2. Click “Manage”, and “Add Roles and Features”.
3. Select “Role-based or feature-based installation”.
4. Select your server.
5. Click “Next” on Roles to skip past it.
6. On the features screen, select “.NET Framework 3.5 Features”.
7. The HTTP Activation and Non-HTTP Activation features are not required.
8. Click “Next”.
9. Click “Install”.
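The feature selections made through the GUI in sections D and E can also be applied and checked from an elevated PowerShell session. This is an added example, not part of the original guide: the function name and the optional -Source parameter are assumptions, and the feature names are the standard Windows identifiers for the checkboxes named above.

```powershell
# Added example, not from the original guide. Enables the Windows features that
# sections D and E select in the GUI, then reports anything still missing.
function Install-SecretServerPrerequisite {   # hypothetical name
    param(
        # Assumption: optional side-by-side source, such as the sources\sxs folder
        # of the installation media, for machines without the .NET 3.5 payload.
        [string]$Source
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this function from an elevated PowerShell session.'
    }

    # ProductType 1 = workstation (Windows 8 / 8.1); 2 or 3 = Windows Server.
    $isClient = (Get-WmiObject -Class Win32_OperatingSystem).ProductType -eq 1

    if ($isClient) {
        # D.1 and E.1: .NET 3.5, ASP.NET 3.5 and its dependencies,
        # Static Content, Default Document, plus the IIS Manager console.
        $features = 'NetFx3', 'IIS-NetFxExtensibility', 'IIS-ISAPIExtensions',
                    'IIS-ISAPIFilter', 'IIS-ASPNET', 'IIS-StaticContent',
                    'IIS-DefaultDocument', 'IIS-ManagementConsole'
        $params = @{ Online = $true; FeatureName = $features; All = $true; NoRestart = $true }
        if ($Source) { $params['Source'] = $Source }
        $result  = Enable-WindowsOptionalFeature @params
        $restart = @($result | Where-Object { $_.RestartNeeded }).Count -gt 0
        $missing = @($features | Where-Object {
            $state = (Get-WindowsOptionalFeature -Online -FeatureName $_).State
            @('Enabled', 'EnablePending') -notcontains "$state"
        })
    }
    else {
        # D.2 and E.2: Web Server (IIS) role, .NET Framework 3.5, ASP.NET 3.5,
        # Static Content, Default Document, HTTP Errors.
        $features = 'Web-Server', 'NET-Framework-Core', 'Web-Asp-Net',
                    'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors'
        $params = @{ Name = $features; IncludeManagementTools = $true }
        if ($Source) { $params['Source'] = $Source }
        $result  = Install-WindowsFeature @params
        $restart = "$($result.RestartNeeded)" -ne 'No'
        # A feature waiting on a restart is still listed here until the reboot.
        $missing = @(Get-WindowsFeature -Name $features |
            Where-Object { -not $_.Installed } |
            ForEach-Object { $_.Name })
    }

    New-Object psobject -Property @{
        Requested     = $features
        Missing       = $missing
        RestartNeeded = $restart
    }
}

# Usage: Install-SecretServerPrerequisite
#        Install-SecretServerPrerequisite -Source 'D:\sources\sxs'   # constructed path
```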
F. Additional step if .NET was installed before IIS
We recommend installing IIS before you install ASP.NET. However, if the .NET Framework 3.5 was
already installed before IIS was, there are some additional steps required to configure ASP.NET in IIS.
You must register ASP.NET in IIS. This step is only necessary if you installed the .NET Framework 3.5
before IIS.
1. Begin by clicking Start > PowerShell.
2. At the prompt, type “cd $env:WINDIR\Microsoft.NET\Framework64\v2.0.50727” and press Enter
(in a cmd.exe window the equivalent variable is %WINDIR%).
TIP: If you are using the 32-bit Edition of Windows and the .NET Framework, you should use:
“cd $env:WINDIR\Microsoft.NET\Framework\v2.0.50727”
3. Then at the prompt, type “.\aspnet_regiis.exe /i” and press Enter. The ASP.NET
registration into IIS will then begin. After a few moments, ASP.NET will be registered in IIS.
Warning: This command requires elevated privileges in Vista if UAC (User Account Control) is
enabled. You can do this by opening the Start menu, finding PowerShell, right-clicking it, and selecting
“Run as Administrator”. Running it without Administrative Privileges will result in the error
“An error has occurred: 0x80004005 Unspecified error”.
4. ASP.NET is now correctly registered.
G. Installing and Configuring Microsoft SQL Server
1. Installing Microsoft SQL Server
We recommend using Microsoft SQL Server 2012. A free edition called Microsoft SQL Server 2012
Express is available to download.
The instructions given below are for Microsoft SQL Server 2012 Express Edition with Tools. The
installation processes for other editions such as Enterprise or Standard may be similar, but not the same.
TIP: There are several editions of Microsoft SQL Server 2012 Express. We recommend downloading
“Microsoft SQL Server 2012 Express with Tools”. This KB article has the link on Microsoft’s site.
1. Download the installation package, right-click it and select “Run as Administrator” if you have
UAC enabled.
2. From the welcome screen, select “Installation” from the left menu.
[Screenshot: screen shown for Microsoft SQL Server 2012]
3. Select “New SQL Server installation stand-alone installation or add features to an existing
installation”.
4. SQL Server will then initialize your installation.
5. Select “Database Engine Services” and “Management Tools – Basic” and select “Next”.
6. Under “Instance Configuration” click “Next”.
7. Ensure your environment meets all of your Disk Space requirements.
8. For “Server Configuration” click “Next”.
9. For Database Engine Configuration, the installer will then ask you if you want to enable Mixed
Mode or Windows only mode.
a. Mixed Mode (Recommended)
Mixed Mode is required if you intend to use a SQL Server account to authenticate Secret Server to
your SQL Server. If you are doing an evaluation and using the Secret Server MSI, we recommend Mixed
Mode with a SQL Authentication account. See Creating the SQL Server User (below) for instructions.
b. Windows Mode
This will prevent SQL Server account authentication and requires a Windows Service account to run the
Secret Server website. This will also require additional configuration in IIS once Secret Server is
installed. There is a KB article that walks through the advanced setup at support.thycotic.com.
10. Click “Add Current User” for the “SQL Server Administrators”.
11. Continue through the wizard by clicking next until the installation is complete.
12. SQL Server 2012 Express is now installed.
TIP: We recommend running Microsoft Update to get all of the latest service packs and fixes for SQL
2008.
2. Creating the SQL Server Database
NOTE: The Secret Server installer will create the database for you if it does not exist and the
user account has permission to create a new database.
1. Open Management Studio Express.
2. Connect to your SQL Server database.
3. Right click the “Databases” folder and select “New Database…”
4. Enter a database name and click “OK”.
3. Creating the SQL Server User
1. Open Management Studio Express.
2. Connect to your SQL Server Database.
3. Expand the “Security” folder.
4. Right click “Logins” and select “New Login…”
5. Select SQL Server authentication (Requires Mixed Mode enabled).
6. Enter a new username and password.
7. Uncheck Enforce password policy to prevent the account from expiring.
8. Select the “User Mappings” from the left menu.
9. Check the checkbox next to your Secret Server database.
10. Give the user “db_owner” permission.
11. Click OK.
III. Secret Server MSI
TIP: Make sure you have the prerequisites installed before attempting to set up Secret Server.
A. Download the latest version of Secret Server
The latest version of Secret Server is available for Download. After you click the Download button, the
setup.exe file will be downloaded to your machine.
B. Running the MSI
When running the setup.exe file, your first option will be to choose Standard or Advanced.
1. Standard Option
Installs Secret Server as a Virtual Directory under the Default Website. This is recommended if you have
existing sites using the Default Website and it is also the fastest way to get up and running.
2. Advanced Option
Installs Secret Server as a new Website without using the Default Website. This option allows you to
specify a port number that the website will run under. Using this option assumes some knowledge of IIS
and is often followed up by adding a DNS entry on the domain controller. This option must be used if
there is no Default Website.
3. File Destination
This is the location where the application files will exist. The folder is typically
C:\inetpub\wwwroot\SecretServer but can be customized to follow your convention.
4. Application Name
The application name will be used when creating the Application Pool and either the website or the virtual
directory, depending on the option selected above.
5. Completing Installation from Secret Server
Once the MSI completes, the website will be set up with the correct permissions. The browser will open
to allow you to complete the Secret Server installation from the webpage. The following section will
guide you through this process.
IV. Completing Secret Server installation from website
Secret Server is now ready to begin installation through its installer. Open a browser and browse to
where your Secret Server is located, for example: http://localhost/secretserver.
Secret Server has a 5 step installation process:
1. Step one ensures that Secret Server has write access to its location. If required, you must give
the correct account write and modify permissions to the application folder to continue. Once
the permissions are set, click “Next”.
TIP: (Advanced) If you don’t want to change the permissions of a folder, you can give Secret
Server a Windows Username and Password for an account that has them, and Secret Server will
“impersonate” that user during the installation process.
TIP: Secret Server only needs write permission during installation and upgrade. You can
remove the write and modify permissions once the installation process is complete.
2. Step two creates your unique encryption key. This key is generated securely and used to encrypt
and decrypt values stored in the database. Click “Next”.
Alternatively, Secret Server can be configured to use a SafeNet HSM (or paired HSMs for
failover). Use of HSM encryption requires an HSM card to be installed on the same server as
Secret Server. To configure Secret Server to use an HSM, click the advanced tab, then click the
encryption option that says, “Use Safenet HSM for Encryption”. Use of HSM encryption requires
Secret Server Enterprise Plus Edition.
3. Step 3 is where you specify the database.
If Secret Server is installed on the same machine as SQL Server, you can specify (local). If you are
using a named instance of SQL, specify a slash then the instance name, for instance:
(local)\InstanceName.
NOTE: Secret Server will create the database for you if it does not exist.
Enter the SQL Username and Password if using SQL Server Authentication, or select Windows
Authentication. To create a SQL Server user, see Creating the SQL Server User.
4. Secret Server will now attempt to download and install the latest version from the internet. You
must have an active internet connection. If you do not, Secret Server will continue to install the
current version.
5. Secret Server will ask you to agree to the End User License Agreement. If you do, click
continue. Secret Server will then configure your database.
6. Secret Server will now ask you to create your first user. This user will have administrative access
within the application.
7. Once logged into Secret Server you may apply your licenses by going to Administration, Licenses
and entering your License name and key.
Secret Server has now successfully been installed. See the User Guide for information on using Secret
Server.
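The TIP in step 1 says write and modify permissions are only needed during installation and upgrade. One way to grant them for that window, remove them afterwards and confirm the result is sketched below as an added example that is not part of the original guide; the function names are hypothetical, and the default folder and identity are the typical path and the NETWORK SERVICE account this guide names.

```powershell
# Added example, not from the original guide. Function names are hypothetical.
# Run from an elevated PowerShell session.

# Returns every Allow ACE on the folder that gives the identity more than
# read-and-execute access, including ACEs inherited from a parent folder.
function Get-SecretServerWriteAce {
    param(
        [string]$Folder   = 'C:\inetpub\wwwroot\SecretServer',  # typical path per section III
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'      # identity the guide recommends
    )
    $rights   = [System.Security.AccessControl.FileSystemRights]
    $readOnly = [int]$rights::ReadAndExecute -bor [int]$rights::Synchronize
    # Everything in FullControl beyond read/execute, plus GENERIC_WRITE and GENERIC_ALL.
    $mask = ([int]$rights::FullControl -band (-bnot $readOnly)) -bor 0x40000000 -bor 0x10000000
    @((Get-Acl -Path $Folder).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -ne 0
    })
}

# 'Install' grants Modify for installation or upgrade; 'Run' drops back to
# read and execute once the installer has finished.
function Set-SecretServerFolderAccess {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Install', 'Run')]
        [string]$Phase,
        [string]$Folder   = 'C:\inetpub\wwwroot\SecretServer',
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
    )
    if (-not (Test-Path -Path $Folder -PathType Container)) {
        throw "Folder not found: $Folder"
    }
    # (OI)(CI) applies the ACE to files and subfolders.
    # M = modify (includes read and write), RX = read and execute.
    $right = if ($Phase -eq 'Install') { 'M' } else { 'RX' }

    # /grant:r replaces the explicit ACE the identity already has on this folder,
    # so the 'Run' phase removes the rights granted for installation.
    & icacls.exe $Folder /grant:r "${Identity}:(OI)(CI)$right" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE"
    }

    # Report what write access is still in effect after the change.
    Get-SecretServerWriteAce -Folder $Folder -Identity $Identity
}

# Usage:
#   Set-SecretServerFolderAccess -Phase Install   # before opening the web installer
#   Set-SecretServerFolderAccess -Phase Run       # after installation or upgrade completes
```

Any entry returned after the Run phase is a write-capable ACE that is still in effect, typically one inherited from a parent folder, which icacls /grant:r on this folder does not change.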
V. Manual Installation - Creating Secret Server Website (No MSI)
If you are knowledgeable about IIS and would prefer to manually install the website without using the MSI,
you can follow these instructions.
TIP: Make sure you have the required software installed before attempting to set up Secret Server.
Download the latest version of Secret Server. After clicking the download button you will be taken to a
page where you can choose to download a ZIP file that contains the Secret Server files. Use this ZIP file
for the instructions below.
Secret Server can be installed in a few different ways:
• As a Virtual Directory
• As a Website
• Part of a Website
A. Installing as a Virtual Directory
1. Extract the contents of the ZIP file where you would like Secret Server to be located on your
system.
2. Ensure that the folder has the proper permissions.
a. Ensure that the folder has the proper permissions on it for IIS. Ensure that the NETWORK
SERVICE virtual account has Read, Write, and Modify permissions on the folder where Secret
Server is installed.
Note: Windows will default the application pool to a virtual identity, ApplicationPoolIdentity,
that will be problematic when setting the permissions on the folder, so it is recommended that the
application pool identity is NETWORK SERVICE.
3. Open the IIS Control Panel by going into the Control Panel, then “Administrative Tools” >
“Internet Information Services (IIS) Manager”.
4. Select “Default Web Site”, right-click it, select “Add Virtual Directory…”.
5. Select an alias for your Secret Server. The alias is what will be appended to the website. For
instance, http://myserver/SecretServer.
6. Select the physical directory for where you unzipped Secret Server.
7. In the tree, right click the new virtual directory and select “Convert to Application”.
8. In the new dialog, select the “.NET v2.0 Classic” App Pool, and click OK.
9. Change the Application Pool Identity to NETWORK SERVICE. In IIS, click the Application Pools
node, select the one running Secret Server, click Advanced Settings.., and then under Process
Model set Identity to NETWORK SERVICE.
Warning: Verify that the .NET Framework Version is set to “v2.0” for the Application Pool that is running
Secret Server.
Note: Windows will default the application pool to a virtual identity, ApplicationPoolIdentity, that is
problematic when setting the permissions on the folder, so it is recommended to change the application
pool identity to NETWORK SERVICE.
You can use a Domain Service account, but since it is significantly more complicated to set up,
we recommend using NETWORK SERVICE for the initial install. The detailed instructions
for setting the Application Pool to run as a Domain account can be found here.
For more information on Virtual Accounts, please see the section VIRTUAL ACCOUNTS in the
Appendix.
10. See our section on CONFIGURING THE PIPELINE.
11. Secret Server is now ready to be installed. Go to INSTALLING SECRET SERVER.
B. Installing as part of a Website
1. Extract Secret Server to the path where your website is (Commonly C:\Inetpub\wwwroot). For
example, C:\Inetpub\wwwroot\SecretServer
2. Ensure that the folder has the proper permissions on it for IIS. Ensure that the
NETWORK SERVICE virtual account has Read, Write, and Modify permissions on the
folder where Secret Server is installed.
WARNING: Windows will default the application pool to a virtual identity,
ApplicationPoolIdentity, that will be problematic when setting the permissions on the folder, so it
is recommended that the application pool identity is NETWORK SERVICE.
3. Open the IIS Control Panel by going into the Control Panel, then “Administrative Tools” >
“Internet Information Services (IIS) Manager”.
4. Expand the Default Website and locate the Secret Server folder. Right-click it, and select
“Convert to Application”.
5. Select “OK” in the new dialog.
6. Change the Application Pool Identity to NETWORK SERVICE. In IIS, click the Application Pools
node, select the one running Secret Server, click Advanced Settings.., and then under Process
Model set Identity to NETWORK SERVICE.
WARNING: Windows will default the application pool to a virtual identity, ApplicationPoolIdentity, that
will be problematic when setting the permissions on the folder, so it is recommended to change the
application pool identity to NETWORK SERVICE.
You can use a Domain Service account, but since it is significantly more complicated to set up,
we recommend using NETWORK SERVICE for the initial install. The detailed instructions
for setting the Application Pool to run as a Domain account can be found here.
For more information on Virtual Accounts, please see the section VIRTUAL ACCOUNTS in the
Appendix.
7. See our section on CONFIGURING THE PIPELINE.
8. Secret Server is now ready to be installed. Go to INSTALLING SECRET SERVER.
C. Configuring the Pipeline
Secret Server requires that the application pool’s managed pipeline mode be set to “Classic”. This can be
done by changing the Application Pool’s mode or creating a new one.
Tip: It is recommended that you create a new Application Pool if you have other web applications
running on the server. This will help avoid changing the configuration for another application.
1. Changing the Pipeline Mode
Secret Server is by default placed in the “DefaultAppPool” application pool. You can modify the pipeline
mode.
1. In the Internet Information Services (IIS) Manager, select the “Application Pools” node.
2. Double-click the DefaultAppPool.
3. For the “Managed Pipeline Mode” select “Classic”.
4. Click OK.
2. Creating a New Application Pool
1. In the Internet Information Services (IIS) Manager, right-click the “Application Pools” node and
select “Add Application Pool…”
2. Select a name for your application pool. It does not have to be anything specific.
3. Ensure that the .NET Framework Version is set to “.NET Framework v2.0.50727”.
4. For the “Managed Pipeline Mode” select “Classic”.
Note: the Windows Server 2012 R2 and Windows 8.1 Application Pool window will appear slightly
different than in Windows Server 2012 and Windows 8.
[Screenshots: Windows Server 2012 and Windows 8; Windows Server 2012 R2 and Windows 8.1]
5. Click “OK”.
6. Right click the Virtual Directory in Internet Information Services (IIS) Manager, select “Manage
Application” -> “Advanced Settings…”
7. In the new Window, change the Application Pool to the one we just created.
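The application pool settings from sections V.A to V.C (runtime v2.0, Classic pipeline, NETWORK SERVICE identity, a dedicated pool) can be applied and read back with the WebAdministration module that ships with the IIS management tools. This is an added example, not part of the original guide; the function name, pool name and application alias are assumptions.

```powershell
# Added example, not from the original guide. Run from an elevated PowerShell session.
Import-Module WebAdministration

function New-SecretServerAppPool {   # hypothetical name
    param(
        [string]$PoolName = 'SecretServer',       # assumption: any name works (step 2)
        [string]$Site     = 'Default Web Site',
        [string]$AppName  = 'SecretServer'        # assumption: alias or folder name used earlier
    )

    # A dedicated pool leaves DefaultAppPool, and any other site using it, unchanged.
    $poolPath = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $poolPath)) {
        New-WebAppPool -Name $PoolName | Out-Null
    }

    # The three settings the guide requires for the pool running Secret Server.
    Set-ItemProperty $poolPath -Name managedRuntimeVersion     -Value 'v2.0'
    Set-ItemProperty $poolPath -Name managedPipelineMode       -Value 'Classic'
    Set-ItemProperty $poolPath -Name processModel.identityType -Value 'NetworkService'

    $appPath = "IIS:\Sites\$Site\$AppName"
    if (-not (Test-Path $appPath)) {
        throw "Nothing found at $appPath. Create the virtual directory or folder first."
    }
    if (Get-WebApplication -Site $Site -Name $AppName) {
        # Already an application: only move it to the new pool.
        Set-ItemProperty $appPath -Name applicationPool -Value $PoolName
    }
    else {
        # Equivalent of "Convert to Application" in IIS Manager.
        ConvertTo-WebApplication -PSPath $appPath -ApplicationPool $PoolName | Out-Null
    }

    # Read the configuration back instead of trusting the writes.
    $pool   = Get-Item $poolPath
    $actual = @{
        RuntimeVersion  = "$($pool.managedRuntimeVersion)"
        PipelineMode    = "$($pool.managedPipelineMode)"
        Identity        = "$($pool.processModel.identityType)"
        ApplicationPool = "$((Get-Item $appPath).applicationPool)"
    }
    $expected = @{
        RuntimeVersion  = 'v2.0'
        PipelineMode    = 'Classic'
        Identity        = 'NetworkService'
        ApplicationPool = $PoolName
    }
    $mismatch = @($expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] })

    New-Object psobject -Property @{
        Pool       = $PoolName
        Actual     = $actual
        Mismatch   = $mismatch
        Compliant  = ($mismatch.Count -eq 0)
    }
}

# Usage: New-SecretServerAppPool -PoolName 'SecretServer' -AppName 'SecretServer'
```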
VI. Appendix
A. Virtual Accounts
Virtual Accounts, or Managed Service Accounts, are a new feature in Windows 7 and Windows Server
2008 R2. Windows will create a virtual account for the name of the Application Pool. Thus, if your
Application Pool’s name is “DefaultAppPool” and its identity is set to “ApplicationPoolIdentity”, then you
would assign folder permissions to the account “IIS AppPool\DefaultAppPool”.
Recommended: Assign the identity to NETWORK SERVICE to avoid the issues with virtual accounts.