Secret Server Installation – Windows Server 2012
Table of Contents
Introduction
ASP.NET Website
SQL Server Database
Administrative Access
Prerequisites
System Requirements Overview
Additional Recommendations
Beginning the Installation Process
Installing IIS
.NET Framework 4.5.1
Microsoft SQL Server
Secret Server Installer
Download the latest version of Secret Server
Running the Installer
Completing Secret Server installation from website
Manual Installation (no setup.exe)
Installing as a Virtual Directory
Installing as a Website
Configuring the Application Pool
Appendix
Virtual Accounts
SSL Certificate
WCF Services
Installing the .NET Framework 4.5.1 Manually
Installing IIS Manually
Introduction
This is the installation guide for Windows Server 2012 and Windows 8, as well as Windows Server 2012 R2 and Windows 8.1. For other operating system installation guides, click here.
ASP.NET WEBSITE
Secret Server is installed as an ASP.NET website. The Secret Server installer will set up the website with the correct permissions and create the settings in IIS. Once the website is set up, the installation will be completed by a 5-step process within the application itself.
SQL SERVER DATABASE
Secret Server requires an instance of SQL Server for the database backend. The SQL Server database will require a SQL account with db_owner permission to complete the installation.
ADMINISTRATIVE ACCESS
Throughout the installation, you will be required to be an administrator to perform most of these actions. Please ensure that you are logged on to your system with a Windows account that has administrative rights.
Prerequisites
Important:
If this is the first time you are installing Secret Server, please take the time to review the full list of system requirements and recommendations, located HERE.
SYSTEM REQUIREMENTS OVERVIEW
1. One of the following operating systems:
   Windows 8 or 8.1
   Windows Server 2012 or 2012 R2
2. Microsoft SQL Server 2005 or greater (any edition)
3. Microsoft Internet Information Services (IIS)
4. Microsoft .NET Framework 4.5.1, 4.5.2, or 4.6 (32-bit or 64-bit)
Note Windows 8.1 and Server 2012 R2 come with .NET Framework 4.5.1 already installed. If you are using Windows 8 or Server 2012, you should already have .NET Framework 4.5 but will need to upgrade to .NET Framework 4.5.1. Find the installer provided by Microsoft HERE.
ADDITIONAL RECOMMENDATIONS
1. Use an SSL certificate for Secret Server.
2. Run Microsoft Update on your server to make sure all components are up to date.
BEGINNING THE INSTALLATION PROCESS
Components should be installed in the following order:
1. Internet Information Services (IIS)
2. .NET Framework 4.5.1
3. SQL Server
4. Secret Server
INSTALLING IIS
IIS is an internal part of the Windows operating system. If IIS is not found, the Secret Server installer will install it automatically. If you would prefer to install IIS manually, please refer to the instructions in the Appendix.
.NET FRAMEWORK 4.5.1
If .NET Framework 4.5.1 is not found, the Secret Server installer will install it automatically. If you would prefer to install .NET manually, please refer to the instructions in the Appendix.
MICROSOFT SQL SERVER
Installing Microsoft SQL Server
We recommend using Microsoft SQL Server 2012, 2014, or 2016. An edition called Microsoft SQL Server Express is available to download for free. When downloading the file, select the filename ending in WT, which means “with tools” and will include SQL Server Management Studio.
The instructions given below use Microsoft SQL Server 2012 Express Edition with Tools as an example. The installation processes for other editions such as Enterprise or Standard may be similar:
1. Download the SQL Server installation package, right-click it, and select Run as Administrator.
2. From the welcome screen, select Installation from the left menu.
4. After you accept the license terms, you can click Next to install product updates.
5. In the Feature Selection window, ensure that the Database Engine Services and Management Tools – Basic check boxes are selected. Click Next.
6. In the Instance Configuration window, the default setting is to use a named instance called
7. In the Server Configuration window, you have the option to specify a different service account to run SQL Server Database Engine. Otherwise, click Next to use the default settings.
8. In the Database Engine Configuration window, you have the choice to select either Windows authentication mode or Mixed Mode. Select the option that will work best for your environment. See descriptions below:
a. Mixed Mode (for easiest configuration) Mixed Mode is required if you intend on using a SQL Server account to authenticate Secret Server to your SQL Server instance. If you are doing an evaluation and using the Secret Server setup.exe installer, we recommend using Mixed Mode with a SQL authentication account. Selecting this option will also require you to set a password for the SQL Server system administrator (sa) account. See Adding a SQL Server User (below) for instructions.
b. Windows Mode (recommended for best security) This will prevent SQL Server
9. Your user account should already be shown in the Specify SQL Server administrators box. If not, click Add Current User, and then click Next.
10. Allow the installation to complete, and then click Close. SQL Server 2012 Express is now installed.
Creating the SQL Server Database
The Secret Server installer will create the database for you if it does not exist and if the user account has permission to create a new database (this requires the dbcreator server role).
To create a database manually through SQL Server Management Studio, use the following steps:
1. Open SQL Server Management Studio by searching for it from the Windows Start screen.
2. Connect to your SQL Server instance.
3. Right click the Databases folder and select New Database…
Adding a SQL Server User
Use the following instructions to add a SQL Server account for Secret Server to use to access the SQL database:
1. Open SQL Server Management Studio by searching for it from the Windows Start screen.
2. Connect to your SQL Server Database.
3. Expand the Security folder.
4. Right-click the Logins folder and select New Login…
5. Select a method of authentication:
a. SQL Server authentication Use this option to create a new SQL Server account (this requires Mixed Mode to be enabled). To create the account, enter a new username and password and then deselect the Enforce password policy check box to prevent the account from expiring.
6. Click User Mapping in the left menu.
7. Select the check box next to your Secret Server database.
8. In the Database role membership window below, select the db_owner check box.
9. Click OK.
Secret Server Installer
Note Ensure you have SQL Server installed before attempting to set up Secret Server.
DOWNLOAD THE LATEST VERSION OF SECRET SERVER
The latest version of Secret Server is available for download. A setup.exe file will be downloaded to your machine.
RUNNING THE INSTALLER
It is recommended to run the setup.exe file as an administrator.
Prerequisites
The installer will first check the system to determine whether there are any missing prerequisites and will install the needed features if necessary. These prerequisites include .NET 3.5, .NET 4.5.1, and IIS. Alternatively, you can choose to enable these features manually before running the installer.
Installation Type
Standard Installation
This option installs Secret Server as a virtual directory under the Default Web Site in IIS. This is recommended if you have existing sites using the Default Web Site and it is also the fastest way to get Secret Server up and running.
Advanced Installation
This option installs Secret Server as a new website in IIS without using the Default Web Site. This option also allows you to specify a port number that the website will run under. Using this option assumes some knowledge of IIS and is often followed up by adding a DNS entry for the new website on the domain controller. This option must be used if there is no Default Web Site in IIS.
File Destination
This is the location where the application files will exist. The folder is typically C:\SecretServer or C:\inetpub\wwwroot\SecretServer (legacy), but can be customized to follow your convention.
Application Name
The application name will be used when creating the application pool and either the website or virtual directory in IIS, depending on the option selected above.
Completing Installation from Secret Server
Once the setup.exe installer completes, the website will be set up with the correct permissions. Click Continue, and the browser will open to allow you to complete the Secret Server installation from the webpage. The following section will guide you through this process.
Completing Secret Server installation from website
Secret Server is now ready to complete installation. If the setup.exe did not open the browser automatically, open a browser and navigate to where your Secret Server is located, for example: http://localhost/secretserver.
From here, Secret Server has a 5-step installation process:
1. Step one ensures that Secret Server has write access to its location. If required, you must give the correct account write and modify permissions to the application folder to continue. Once the permissions are set, click Next.
Note (Advanced) If you don’t want to change the permissions of a folder, you can give Secret Server
Note Secret Server only needs write permission to the directory containing the application files during installation and upgrade. You can remove the write and modify permissions once the installation process is complete.
2. Step two creates your unique encryption key. This key is generated securely and used to encrypt and decrypt values stored in the database.
Alternatively, Secret Server can be configured to use a SafeNet HSM (or paired HSMs for failover). Use of HSM encryption requires an HSM card to be installed on the same server as Secret Server. To configure Secret Server to use an HSM, click the Advanced link, and then click the encryption option Use Safenet HSM for Encryption. Use of HSM encryption requires Secret Server Enterprise Plus Edition.
3. Step 3 is where you specify the database. If Secret Server is installed on the same machine as SQL Server, you can specify (local). If you are using a named instance of SQL, specify a slash then the instance name, for instance: (local)\InstanceName. Enter the SQL username and password if using SQL Server Authentication, or select Windows Authentication. For information about adding a SQL Server user, see Adding a SQL Server User.
Note If the database name you provide does not yet exist in the specified instance of SQL Server, Secret Server will attempt to create the database using the SQL or Windows account you have specified. For that account to create a database, it will need to have the dbcreator server role in SQL Server.
4. Secret Server will now attempt to download and install the latest version from the internet. You must have an active internet connection. If you do not, Secret Server will continue to install the current version.
5. Secret Server will ask you to agree to your End User License Agreement. If you do, select the check box and click continue. Secret Server will then configure your database.
6. Secret Server will now ask you to create your first user. This user will have administrative access within the application.
7. Once logged into Secret Server, you will be prompted with the Getting Started Wizard. If you skipped the wizard and would like to return, you can go to HELP > Getting Started from the top menu. The wizard will guide you through adding your licenses, setting up an email server, and creating your first group.
Manual Installation (no setup.exe)
If you are knowledgeable about IIS and would prefer to manually install the website without using the setup.exe installer, you can follow these instructions.
Note Make sure you have the required software installed before attempting to set up Secret Server.
Download the latest version of Secret Server. After clicking the download button you will be taken to a page where you can choose to download a .zip file that contains the Secret Server files. Use this .zip file for the instructions below.
Secret Server can be installed in a few different ways:
   As a virtual directory
   As a website
INSTALLING AS A VIRTUAL DIRECTORY
1. Extract the contents of the .zip file where you would like Secret Server to be located on your system (a common location is C:\inetpub\wwwroot).
2. Open Internet Information Services (IIS) Manager.
3. Right-click Default Web Site and select Add Virtual Directory…
4. Select an alias for your Secret Server. The alias is what will be appended to the website. For instance, http://myserver/SecretServer.
5. Select the physical directory for where you unzipped Secret Server.
7. Create a new application pool.
8. Right-click your Secret Server virtual directory in IIS and select Manage Application > Advanced Settings…
9. In the new window, change the Application Pool to the one you created in step 7. Click OK.
10. Ensure that the Secret Server folder has the proper permissions by checking that the account running the application pool in IIS has Modify permissions on the folder where Secret Server is installed.
Secret Server is now ready to be installed. Go to Completing Secret Server installation from website.
INSTALLING AS A WEBSITE
2. Open Internet Information Services (IIS) Manager.
3. Create a new application pool.
4. Ensure that the account running your newly created application pool in IIS has Modify permissions on the folder where Secret Server is installed.
5. In IIS, right-click Sites and select Add Website…
6. Enter a Site name.
7. Click Select… and choose the application pool you created in step 3 from the drop-down menu. Click OK.
8. Click the … button beside the Physical path field and select the directory containing the unzipped Secret Server files (for example, C:\inetpub\wwwroot\secretserver). Click OK.
9. Click OK at the bottom of the Add Website window to save your settings.
Secret Server is now ready to be installed. Go to Completing Secret Server installation from website.
CONFIGURING THE APPLICATION POOL
During a manual installation, Secret Server may be placed in the DefaultAppPool application pool, which may not be set to use the correct pipeline for Secret Server. Secret Server requires that the application pool’s managed pipeline mode be set to Classic. To resolve this, you can modify the existing application pool settings or create a new one.
Note It is recommended that you create a new application pool for Secret Server if you have other web applications running on the same server. This will help avoid changing the configuration for another application.
Changing the Pipeline Mode
You can modify the pipeline mode for Secret Server’s application pool using the following instructions:
1. Open Internet Information Services (IIS) Manager and select the Application Pools node.
2. Double-click the DefaultAppPool (or the application pool you wish to change).
Creating a New Application Pool
Follow the steps below to create an entirely new application pool to use for Secret Server:
1. Open Internet Information Services (IIS) Manager and right-click the Application Pools node.
2. Select Add Application Pool…
3. Enter a new name for your application pool in the Name field.
4. Ensure that the .NET CLR Version (in Windows 8 and Windows Server 2012 this will be called the .NET Framework Version) is set to .NET Framework v4.0.30319.
5. For the Managed Pipeline Mode select Classic. Click OK.
6. (Optional) configure the application pool identity.
Note The Windows Server 2012 R2 and Windows 8.1 Add Application Pool window will appear slightly different than in Windows Server 2012 and Windows 8:
[Figures: IIS Application Pool - Windows 8 / Server 2012; IIS Application Pool - Windows 8.1 / Server 2012 R2]
Configuring an Application Pool Identity
Windows 8 / Server 2012 will default new application pool identities to a virtual identity, ApplicationPoolIdentity. For easiest configuration, use either this or NETWORK SERVICE as the identity. For better security, you can specify your own Windows service account. See the Appendix for further information on using a virtual identity for Secret Server in IIS.
To configure an application pool identity, follow the steps below:
3. Right-click the application pool you would like to modify and select Advanced Settings…
4. Under the Process Model section, click the Identity field to select a Built-in account or specify a Custom account. For more information about using a custom account, see Running Secret Server IIS Application Pool with a Service Account. After you’ve selected an account, click OK.
Appendix
VIRTUAL ACCOUNTS
Virtual Accounts, or Managed Service Accounts, is a feature included in Windows 8 and Windows Server 2012. Windows will create a virtual account for the name of the application pool. Thus, if your application pool’s name is DefaultAppPool and its identity is set to ApplicationPoolIdentity, you would assign folder permissions to the account IIS AppPool\DefaultAppPool. This account can then optionally be used to connect Secret Server to the SQL database by adding db_owner access to the database as a Windows account. See Adding a SQL Server User. For more information on virtual accounts as application pool identities, see this article by Microsoft.
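The application pool settings and folder permissions described in this guide can also be scripted. The following is an added example, not part of the vendor's guide, using the WebAdministration module and icacls from an elevated PowerShell session; the pool name SecretServerPool, the function names and the Install/PostInstall phase names are assumptions.

```powershell
# Added example, not vendor code. Pool name and phase names are assumptions;
# the folder path is the legacy default location named in this guide.
Import-Module WebAdministration

$PoolName   = 'SecretServerPool'                  # hypothetical pool name
$InstallDir = 'C:\inetpub\wwwroot\SecretServer'

function New-ClassicAppPool {
    param([Parameter(Mandatory)][string]$Name)
    $poolPath = "IIS:\AppPools\$Name"
    if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $Name | Out-Null }
    # Settings the guide requires: .NET CLR v4.0 and the Classic pipeline mode.
    Set-ItemProperty $poolPath -Name 'managedRuntimeVersion' -Value 'v4.0'
    Set-ItemProperty $poolPath -Name 'managedPipelineMode'   -Value 'Classic'
    # Keep the default virtual identity, which resolves to IIS AppPool\<Name>.
    Set-ItemProperty $poolPath -Name 'processModel.identityType' -Value 'ApplicationPoolIdentity'
}

function Set-PoolFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Install', 'PostInstall')][string]$Phase = 'Install'
    )
    $account = "IIS AppPool\$Name"
    # Modify is needed only during installation and upgrade; afterwards the
    # pool identity is reduced to read and execute.
    $rights = if ($Phase -eq 'Install') { 'M' } else { 'RX' }
    # Remove any earlier explicit grant so rights do not accumulate.
    & icacls.exe $Path /remove:g $account | Out-Null
    & icacls.exe $Path /grant "${account}:(OI)(CI)$rights" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $account on $Path" }
}

function Get-PoolFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # Show what the pool identity holds on the folder, explicit or inherited.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq "IIS APPPOOL\$Name" } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

New-ClassicAppPool   -Name $PoolName
Set-PoolFolderAccess -Path $InstallDir -Name $PoolName -Phase Install
Get-PoolFolderAccess -Path $InstallDir -Name $PoolName

# After the web-based installation has finished:
# Set-PoolFolderAccess -Path $InstallDir -Name $PoolName -Phase PostInstall
```

Re-run the Install phase before an upgrade and the PostInstall phase afterwards, since write access is needed again while the upgrade runs.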
SSL CERTIFICATE
What is an SSL Certificate?
An SSL (Secure Sockets Layer) Certificate greatly enhances the security between the user’s browser and the server Secret Server is installed on. It encrypts all data between the server and the client’s browser so if an attacker were to look at the data being transmitted between the two, they would not be able to decipher it.
Where can I obtain an SSL Certificate?
A certificate can be obtained from various companies such as Thawte or VeriSign. It is also possible to create your own; see Creating and installing your own.
WCF SERVICES
Starting in Secret Server version 8.9.000000, the use of Secret Server's Distributed Engine requires that one of the following two server features be installed when the Secret Server website is running on Windows Server 2012:
.NET Framework 4.5 Features -> WCF Services -> HTTP Activation
The choice of which to install depends on which Protocol is selected in the Engine Callback Settings. If HTTPS is selected, then the HTTP Activation feature is required. If TCP is selected, then TCP Activation is required.
If the feature is not installed, there will be the following error message in the Engine logs: (405) Method Not Allowed. ---> System.Net.WebException: The remote server returned an error: (405) Method Not Allowed.
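A check for the server features this guide depends on, including the WCF activation feature that matches the Engine Callback protocol, plus a search for the 405 error quoted above. This is an added example, not part of the vendor's guide, for Windows Server 2012 / 2012 R2; the function names are assumptions, and the engine log path is a parameter because the guide does not state where the log is stored.

```powershell
# Added example, not vendor code. Get-WindowsFeature is available on
# Windows Server only, so this does not apply to Windows 8 / 8.1.
Import-Module ServerManager

function Get-MissingSecretServerFeature {
    param([ValidateSet('HTTPS', 'TCP')][string]$CallbackProtocol = 'HTTPS')
    # IIS role services named in the manual IIS installation steps.
    $required = @(
        'Web-Server',          # Web Server (IIS) role
        'Web-Default-Doc',     # Default Document
        'Web-Http-Errors',     # HTTP Errors
        'Web-Static-Content',  # Static Content
        'Web-Asp-Net45'        # ASP.NET 4.5
    )
    # HTTPS callbacks need HTTP Activation; TCP callbacks need TCP Activation.
    if ($CallbackProtocol -eq 'HTTPS') {
        $required += 'NET-WCF-HTTP-Activation45'
    } else {
        $required += 'NET-WCF-TCP-Activation45'
    }
    Get-WindowsFeature -Name $required |
        Where-Object { -not $_.Installed } |
        Select-Object Name, DisplayName
}

function Find-Engine405Error {
    # $LogPath is an assumption: point it at the engine log file to search.
    param([Parameter(Mandatory)][string]$LogPath)
    Select-String -Path $LogPath -SimpleMatch -Pattern '(405) Method Not Allowed' |
        Select-Object Path, LineNumber, Line
}

$missing = @(Get-MissingSecretServerFeature -CallbackProtocol HTTPS)
if ($missing.Count -gt 0) {
    $missing | Format-Table -AutoSize
    # To add them:
    # Install-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
} else {
    'All required IIS and WCF features are installed.'
}
```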
INSTALLING THE .NET FRAMEWORK 4.5.1 MANUALLY
For operating systems other than Windows 8.1 or Windows Server 2012 R2, .NET Framework 4.5.1 is not included by default. To install version 4.5.1, use the offline installer provided by Microsoft, found HERE.
INSTALLING IIS MANUALLY
IIS is an internal part of the Microsoft Windows operating system. Its installation process will vary depending on which operating system version you are using.
Windows 8 / 8.1
1. Open the Control Panel by typing “Control Panel” from the Windows Start screen and selecting the Control Panel result.
2. In the Control Panel window, select Programs and then click Turn Windows features on or off.
3. Expand Internet Information Services and expand Web Management Tools.
4. Select the IIS Management Console check box.
5. Expand World Wide Web Services.
6. Under Application Development Features, select the ASP.NET 4.5 check box. This will
7. Under Common Http Features, select the Default Document and Static Content check boxes.
8. Click OK and wait for Windows to install the features.
9. Internet Information Services (IIS) Manager is now installed. You can verify the installation of IIS by searching for “IIS” from the Windows Start screen. IIS Manager can also be accessed from the Control Panel under Administrative Tools.
We recommend you run Windows Update to install the latest security patches for IIS once you have IIS installed.
Windows Server 2012 / R2
1. Open the Server Manager for your server. From the Manage menu, select Add Roles and Features.
2. Select Role-based or feature-based installation, and then click Next.
3. On the next screen, ensure your local server is selected as the target server from the Server Pool window. Click Next.
4. In the Roles window, select the Web Server (IIS) check box. Click Next.
6. On the Features page, click Next.
7. In the Role services window, expand Common HTTP Features and ensure that Default Document, HTTP Errors, and Static Content are selected.
8. Scroll down and expand Application Development, and then select the ASP.NET 4.5 check