STK Terrain Server Installation Guide
This guide walks you through the process of installing and configuring STK Terrain Server on your system.
System Requirements
• 64-bit Windows, including Windows Server 2008 or later, and Windows Vista or later. • Microsoft .NET Framework v4.5 or later.
• Internet Information Services (IIS) v7.0 or later. • 4 GB RAM or more.
• Faster CPUs, Solid State Drive, and more RAM will significantly improve terrain processing time. • Plenty of disk space for storing raw and processed terrain data. At a minimum, 500 GB of disk
space is required for hosting the processed STK World Terrain Dataset (licensed separated).
Installation
1. Install Internet Information Services (IIS) v7.0+ and Microsoft .NET Framework v4.5+ if they’re not already installed.
2. Run “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -i” (without the quotes) from a command prompt with administrator rights to ensure ASP.NET is registered in IIS. If you get a message saying “This option is not supported on this version of the operating system” use “Turn Windows Features On/Off” or “Server Manager” to install ASP.NET 4.5. The message from aspnet_regiis has more information on how to do this.
3. Double-click install.exe to run the STK Terrain Server installer and follow the on-screen instructions.
4. Launch License Manager and use it to install your STK Terrain Server license. 5. Launch STK Terrain Server by selecting it from the Start menu/screen, or by visiting
http://[servername]/stk-terrain.
Default Authentication
The STK Terrain Server installer provides a means for easy configuration of Windows Authentication. By default, Windows Authentication will be enabled, and All Users will have Read access to the STK Terrain Server, while only users that are members of the Windows Group StkTerrainServerAdmins can modify the STK Terrain Server contents. If there is no possibility of accidental or intentional misuse in your environment, you may disable the Windows Authentication in the Setup dialog.
The Windows Group may be set to a different Windows Group if preferred by specifying a new group name in the Setup Dialog. Windows groups can be added and managed from the Computer
Configuring Authentication in IIS
Then, enable “Windows authentication” or “Basic authentication”. We recommend that you use Windows authentication whenever possible. Basic authentication will send login credentials in clear text in the HTTP request, which is a security problem unless your server is also configured to require an HTTPS connection.
button or select “Add Roles and Features” from the Tasks drop-down. The features are found under Web Server (IIS), Web Server, Security.
Next, we configure which users and groups are allowed access to the application. In the Features View for the stk-terrain virtual directory again, select .NET Authorization Rules.
perform that action. If the first matching rule has a mode of “Deny” the user will not be allowed to perform that action.
Users and groups refer to Windows users or groups on the web server. They can be qualified with a Windows domain name if necessary.
The next rule in the list grants all users full access (read and write) to the STK Terrain Server application. We recommend that you double-click this rule and select a user or group in order to limit write access. You can designate multiple users or groups by inserting additional, similar rules at the same position in the rule list.
The third rule in the list denies access to all users that weren’t granted access by previous rules. The fourth and subsequent rules in the list, which could be different on your server, are inherited from the parent web site.
With this configuration complete, web browsers will automatically prompt for login credentials when attempting to perform an action within the STK Terrain Server application that does not allow
anonymous access. In some cases, the login may be automatic (no explicit prompt) when you’re logged into the server as a user that is allowed access, or if your network has a Windows domain and your domain user is allowed access.
Troubleshooting Authentication
If authentication doesn’t work – in particular, if you’re using Windows authentication and the server will not accept your credentials – here are some things to try.
Configure the StkTerrainServerAppPool to use the NetworkService identity instead of the
Configure Windows authentication to prefer NTLM over Negotiate. This may help when authenticating Windows domain users, because Negotiate will often choose to use Kerberos authentication in this scenario, which can be tricky to get working. Navigate back to the Authentication feature for the stk-terrain virtual directory in IIS Manager. Select Windows Authentication from the list and then click “Providers…” on the right. Move NTLM above Negotiate.
Configuring Web Service Authorization
In the above sections, we showed how the STK Terrain Server can restrict anonymous users to read only access. For some, this level of security may not be adequate enough, as any user can still retrieve information on tilesets and datasources defined on the STK Terrain Server. Authorization of users to only have permissions to request tiles and tileset metadata can be achieved by using the Url
Authorization Feature for IIS.
With URL Authorization enabled for IIS, authorization can now be configured for each REST webservice. Open the Web.Config file located at the root of the stk-terrain install directory. Inside the
<configuration> element, a REST webservice virtual location can be identified and assigned
authorization control. The following example, highlighted in red, would restrict the use of localhost/stk-terrain/admin REST API to only users in the StkTerrainServerAdmins user group.
<?xml version="1.0" encoding="UTF-8"?> <configuration> <location path="admin"> <system.webServer> <security> <authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="StkTerrainServerAdmins" /> </authorization> </security> </system.webServer> </location> ... </configuration>
Users and groups refer to Windows users or groups on the web server. They can be qualified with a Windows domain name if necessary.
Following the pattern illustrated in the example above, the “path” attribute can be configured for authorization of the following admin REST API end points:
• admin/datasources – Returns json that defines the collection of datasources defined on the STK Terrain Server.
• admin/datasources/{name} – Returns the json that defines the configuration of a named datasource. Named datasources will inherit the authorization defined at the datasources level; defining authorization rules for a named datasource will override the authorization above. • admin/settings – Returns json that defines the configuration settings for viewing a tileset • admin/license – Returns json that describes the STK Terrain Server license state
• admin/datasources/files – Defines an interface for uploading files to a STK Terrain Server datasource.
• admin/tilesets – Returns json that defines the collection of tilesets defined on the STK Terrain Server. This web service allows for the discovery of tilesets on the server, but provides admin information about the tileset, including the directory location of the tileset and status on the incorporation of data sources into this tileset, including percent complete and the time elapsed to incorporate the data source.
The public REST API end points can also be configured for authorization control:
• v1/tilesets/{name}/tiles – Root path of all Terrain Server tiles. For legacy Cesium applications, the v1 can be optional for tile and layer.json retrieval endpoints, however this unversioned REST API may be deprecated in the future. These legacy endpoints are
o tilesets/{name}/tiles/layer.json o tilesets/{name}/tiles/{z}/{y}/{x}.terrain
Licensing
If a license for STK Terrain Server is not yet installed, browsing to the Data Sources or Tilesets page in the web interface will redirect to a license information page:
