Password Reset Server Installation Guide
Windows Vista
Windows 7
Windows Server 2008 / R2
Table of Contents
I. Requirements
   A. System Requirements
   B. Domain Account Requirements
   C. Recommendations
II. Before You Begin
   A. Administrative Access
   B. Installation Process
   C. Installing IIS
      1. Windows Vista / Windows 7
      2. Windows Server 2008 / Windows Server 2008 R2
   D. Installing ASP.NET before IIS
   E. Installing ASP.NET 2.0 and the .NET Framework 3.5 SP1
   F. Installing SQL Server 2008
   G. Creating a SQL Server Database
      1. Creating the Database
      2. Creating the SQL Server User
III. Password Reset Server MSI
   A. Download the latest version of Password Reset Server
   B. Running the MSI
      1. Standard Option
      2. Advanced Option
      3. File Destination
      4. Application Name
      5. Completing Installation from Password Reset Server
IV. Completing Password Reset Server installation from website
V. Manual Installation – Creating website (No MSI)
   A. Installing as a Virtual Directory
   B. Installing as a Website
   C. Configuring the Application Pool
      1. Changing the Pipeline Mode
      2. Creating a New Application Pool
      3. Configuring an Application Pool Identity
VI. Appendix
   A. Microsoft SQL Server 2008/2012 Express Prerequisites
   B. Installing PowerShell
      1. Windows Vista
      2. Windows 7
      3. Windows Server 2008 / Windows Server 2008 R2
   C. Virtual Accounts
   D. Creating a Domain Account to Reset Passwords
   E. SSL Certificate
      1. What is an SSL Certificate?
      2. Where can I obtain an SSL Certificate?
I. Requirements
This is the installation guide for Windows Vista, Windows 7, Windows Server 2008, and Windows Server
2008 R2. If you are looking for the installation guide for Windows 8 / 8.1 and Windows Server 2012 /
2012 R2, please click here.
IMPORTANT If this is the first time you are installing Password Reset Server, please take the time to
review the full list of system requirements and recommendations, located HERE.
A. System Requirements
1. Microsoft SQL Server 2005 or Microsoft SQL Server 2008.
2. One of the following operating systems:
• Windows Server 2008 [1]
• Windows Server 2008 R2
• Microsoft Windows Vista Ultimate, or Windows Vista Business [2].
• Microsoft Windows 7 Ultimate, or Windows 7 Professional [2].
3. Microsoft Internet Information Services (IIS) (Internal Part of Operating System)
4. Microsoft .NET Framework 3.5 with Service Pack 1. Both 32-bit and 64-bit editions are
supported.
Note Windows 7 and Windows Server 2008 R2 come with the .NET Framework 3.5 SP1 already
installed. You do not need to install the .NET Framework if you are using one of these operating systems.
Note An important security update has been released for the Microsoft .NET Framework. Please ensure
that this update is installed on your server to ensure maximum security. For further detail and how to
obtain the patch, please click here.
[1] Both 32-bit and 64-bit Editions of Windows are supported. You must install the proper version of the .NET
Framework to support 64-bit.
[2] Windows Vista/7 is only supported for testing environments. Microsoft does not support this operating system as
a production environment.
B. Domain Account Requirements
Each domain will need a domain account to synchronize the users and reset passwords. See Creating a
Domain Account to Reset Passwords for information about setting up this account.
C. Recommendations
1. Use an SSL Certificate for Password Reset Server.
2. Run Microsoft Update on your server to make sure all components are up to date.
II. Before You Begin
A. Administrative Access
Most of the steps in this installation require administrator rights. Please ensure that you are
logged on to your system with an account that has Administrative permissions.
B. Installation Process
Components should be installed in this order.
1. Internet Information Services (IIS)
2. ASP.NET 2.0 / .NET Framework 3.5 SP1 (Windows Vista / Server 2008 Only)
3. SQL Server 2008
4. Password Reset Server
C. Installing IIS
IIS is an internal part of the Microsoft Windows operating system. Installing it will vary depending on
which version of the operating system you are using.
1. Windows Vista / Windows 7
Please ensure you have your Windows installation disk available if the system asks for it. This disk should
have been provided by the system manufacturer or by the administrator who installed Windows on that
machine.
1. Start by clicking the Start Menu, then Control Panel.
2. Open the Programs and Features Control Panel item.
3. On the left pane, click Turn Windows Features on or off.
4. A dialog like this should appear. It may take a moment or two for the system to load:
5. Expand Internet Information Services > World Wide Web Services > Application
Development Features and check ASP.NET. Selecting this will automatically select other
needed dependencies.
6. Expand Common Http Features and ensure that both Static Content and Default Document
are selected.
7. Click OK. At this point, Windows will now install IIS. It may ask you for your operating system
disk.
8. At this point, IIS is now installed. Depending on your operating system, Windows may ask
you to restart your computer.
You can verify the installation of IIS by opening the Control Panel and clicking Administrative Tools; an
icon called Internet Information Services should now appear there.
We recommend you run Windows Update to get the latest security patches for IIS once you have IIS
installed.
2. Windows Server 2008 / Windows Server 2008 R2
To install Internet Information Services on Windows Server 2008 or Server 2008 R2, you will give your
server the Web Server (IIS) role.
1. Begin by opening Server Manager and selecting Roles.
2. Click Add Roles.
3. Select the Web Server (IIS) role.
4. Click Next.
5. Select the Web Server (IIS) role to automatically select all of the features needed to run this
role. When the dialog appears, select Add Required Features.
6. When asked for the services of the Role you want to enable, select ASP.NET under Application
Development.
7. Checking ASP.NET will prompt you to automatically check other role services needed to run
ASP.NET. Select Add Required Role Services to continue.
8. Also ensure that Static Content, Default Document, and HTTP Errors are selected under
Common HTTP Features.
9. Click Next.
10. After confirming your installation, the installation will begin.
11. Finally once the installation is complete, a summary dialog will appear. Click Close. Your server is
now configured to run Password Reset Server.
D. Installing ASP.NET before IIS
Note This is only applicable to Windows 7 and Windows Server 2008.
We recommend installing IIS before you install ASP.NET. However, if the .NET Framework 3.5 was
already installed before IIS was, there are some additional steps required to configure ASP.NET in IIS.
You must register ASP.NET in IIS. This step is only necessary if you installed the .NET Framework 3.5
before IIS.
1. Begin by selecting Run from the Start menu, then type in cmd.exe and click OK.
2. At the command prompt, type cd %WINDIR%\Microsoft.NET\Framework\v2.0.50727 and press
Enter.
Tip If you are using the x64 Edition of Windows and the .NET Framework, you should use:
cd %WINDIR%\Microsoft.NET\Framework64\v2.0.50727
3. At the command prompt, type aspnet_regiis.exe /i and press Enter. The ASP.NET registration
into IIS will then begin. After a few moments, ASP.NET will be registered in IIS.
Warning This command requires elevated privileges in Vista if UAC (User Account Control) is enabled.
You can do this by opening the Start menu, finding the Command Prompt, right-clicking it, and selecting “Run as
Administrator”. Running it without Administrative Privileges will result in the error “An error has
occurred: 0x80004005 Unspecified error”.
4. ASP.NET is now correctly registered.
E. Installing ASP.NET 2.0 and the .NET Framework 3.5 SP1
This is only applicable to Windows 7 and Windows Server 2008.
Note We recommend installing IIS before you complete this process.
1. Begin by downloading the .NET Framework 3.5 SP1.
2. Execute the download to begin the installation process.
3. Once setup is complete, ASP.NET and the .NET Framework are now properly installed on your
system.
Warning Microsoft has released an update for the .NET Framework 3.5 SP1 which contains
compatibility fixes for applications running on previous versions of the .NET Framework. It is
recommended that this update is installed after the .NET Framework 3.5 SP1 has been installed.
It can be downloaded here: http://support.microsoft.com/kb/959209
Warning An important security update has been released for the Microsoft .NET Framework. Please
ensure that this update is installed on your server to ensure maximum security. For further detail and
how to obtain the patch, please click here.
F. Installing SQL Server 2008
We recommend using SQL Server 2008. A free edition, SQL Server 2008 Express, is available for
download.
Warning SQL Server 2008 SP1 must be installed immediately after the installation is complete to
resolve compatibility issues with Windows 7 and Windows Server 2008 R2.
Warning SQL Server 2008 Express has some prerequisites that must be installed first. Please see our
appendix for required software for SQL Server 2008 Express.
The instructions given below are for the SQL 2008 Express Edition with Tools. The installation processes
for other editions such as Enterprise or Standard may be similar, but not the same.
Tip There are several editions of SQL Server 2008 Express. We recommend downloading SQL Server
2008 Express with Tools. This KB article has the link on Microsoft’s site.
1. Download the installation package, right-click it and select Run as Administrator if you have
UAC enabled.
2. From the welcome screen, select Installation from the left menu.
3. Select New SQL Server stand-alone installation or add features to an existing
installation.
4. SQL Server will then initialize your installation.
5. SQL Server may ask you to install some preparation files first. Select Install.
6. Continue to click Next until you reach the Feature Selection screen.
7. Select Database Engine Services and Management Tools – Basic and select Next.
8. Under Instance Configuration click Next.
9. Ensure your environment meets all of your disk space requirements.
10. For Server Configuration click Use the same account for all SQL Server services.
a. Under the Account Name drop-down menu, select NT AUTHORITY\NETWORK SERVICE.
b. Do not enter anything in the password field.
c. Click OK.
d. Click Next.
11. For Database Engine Configuration, the installer will then ask you if you want to enable Mixed
Mode or Windows only mode:
• Mixed Mode (recommended for easiest configuration) - Mixed Mode is required if you
intend on using a SQL Server account to authenticate Password Reset Server to your SQL
Server. If you are doing an evaluation and using the Password Reset Server MSI, we
recommend Mixed Mode with a SQL Authentication account. See Creating the SQL Server
User (below) for instructions.
• Windows Mode (recommended for best security) - This will prevent SQL Server account
authentication and requires a Windows Service account to run the Password Reset Server
website. This will also require additional configuration in IIS once Password Reset Server is
installed. This KB article walks through the advanced setup. This mode is recommended as a
best practice.
12. Click Add Current User for the SQL Server Administrators.
13. Continue to click Next until you reach the Ready to Install step. Ensure all of the configuration
options look correct.
14. Click Next again to complete the installation.
Tip We recommend running Microsoft Update to get all of the latest service packs and fixes for SQL
2008.
G. Creating a SQL Server Database
1. Creating the Database
1. Open Management Studio Express.
2. Connect to your SQL Server database.
3. Right click the Databases folder and select New Database…
4. Enter a database name and click OK.
2. Creating the SQL Server User
1. Open Management Studio Express.
2. Connect to your SQL Server Database.
3. Expand the Security folder.
4. Right click Logins and select New Login…
5. Enter a new username and password.
6. Select User Mappings from the left menu.
7. Check the checkbox next to your Password Reset Server database.
8. Give the user db_owner permission.
9. Click OK.
III. Password Reset Server MSI
Tip Make sure you have all prerequisites installed before attempting to set up Password Reset Server.
A. Download the latest version of Password Reset Server
The latest version of Password Reset Server is available for Download. After you click the download
button, the setup.exe file will be downloaded to your machine.
B. Running the MSI
When running the setup.exe file, your first option will be to choose Standard or Advanced.
1. Standard Option
This option installs Password Reset Server as a virtual directory under the Default Website. This is
recommended if you have existing sites using the Default Website, and is also the fastest way to get up
and running.
2. Advanced Option
This option installs Password Reset Server as a new website without using the Default Website. This
allows you to specify a port number that the website will run under. Using this option assumes some
knowledge of IIS and is often followed up by adding a DNS entry on the domain controller. This option
must be used if there is no Default Website already present.
3. File Destination
This is the location where the application files will exist. The folder is typically
C:\inetpub\wwwroot\PasswordResetServer but can be customized to follow your convention.
4. Application Name
Application name will be used when creating the Application Pool and either the website or the virtual
directory, depending on the selected option above.
5. Completing Installation from Password Reset Server
Once the MSI completes, the website will be set up with the correct permissions. The browser will open
to allow you to complete the Password Reset Server installation from the webpage. The following
section will guide you through this process.
IV. Completing Password Reset Server installation from website
Password Reset Server is now ready to begin installation through its installer. Open a browser and
browse to where your Password Reset Server is located, for example:
http://localhost/passwordresetserver
Password Reset Server has a 5-step installation process:
1. Step 1 ensures that the identity running the Password Reset Server application pool has write
access to the application directory. The account running the IIS application pool requires modify
permission (this includes the write permission) to the application folder to continue.
If you don’t want to change the permissions of a folder, you can give Password Reset Server a
Windows username and password that has modify permissions already, and Password Reset
Server will impersonate that user during the installation process.
Password Reset Server only needs write permission during installation and upgrade. You can
remove the write and modify permissions once the installation process is complete.
Once the permissions are set, click Next.
Note See the Manual Installation section for more information on account permissions.
2. In Step 2, specify the database. If Password Reset Server is installed on the same machine as SQL
Server, you can type (local). If you are using a named instance of SQL, use a backslash followed by the
instance name, for example: (local)\InstanceName. If you are not sure of the instance name, you
can open SQL Server Management Studio and select Connect. The full instance name used here
is the same one that will be used by Password Reset Server, for example THYCO1\SQLEXPRESS.
Note Password Reset Server will create the database for you if it does not exist.
Enter the SQL Username and Password if using SQL Server Authentication, or select Windows
Authentication. To create a SQL Server user, see Creating the SQL Server User.
3. Review the EULA and check the I Agree box, then click Continue to accept the agreement.
Otherwise, Password Reset Server will not be installed.
4. Password Reset Server will now ask you to create your first user. This user will be a local
administrator that will be used to configure your Password Reset Server. We recommend
choosing a strong password.
5. Step 5 will prompt you to enter a domain and credentials for a domain account that has the
required permissions to reset passwords on the domain. See Creating a Domain Account to
Reset Passwords.
Note The domain name needs to be the Fully Qualified Domain Name (FQDN), for example: use
domain.thycotic.com instead of domain.
Password Reset Server has now successfully been installed. For more information on configuring and
maintaining your Password Reset Server, please see our User Guide.
V. Manual Installation – Creating website (No MSI)
If you are familiar with IIS and would prefer to manually install the website without using the .msi,
you can follow these instructions.
Note Make sure you have the required software installed before attempting to set up Password Reset
Server.
Download the latest version of Password Reset Server. After clicking the download button you will be
taken to a page where you can choose to download a .zip file that contains the Password Reset Server
files. Use this .zip file for the instructions below.
Password Reset Server can be installed in a few different ways:
• As a virtual directory
• As a website
A. Installing as a Virtual Directory
1. Extract the contents of the .zip file where you would like Password Reset Server to be located on
your system (a common location is C:\inetpub\wwwroot).
2. Open Internet Information Services (IIS) Manager.
3. Right-click Default Web Site and select Add Virtual Directory…
4. Select an alias for your Password Reset Server. The alias is what will be appended to the
website. For instance, http://myserver/PasswordResetServer.
5. Select the physical directory for where you unzipped Password Reset Server.
6. In the tree, right-click the new virtual directory and select Convert to Application.
7. Create a new application pool.
8. Right-click your Password Reset Server virtual directory in IIS and select Manage Application >
Advanced Settings…
9. In the new window, change the Application Pool to the one you created in step 7. Click OK.
10. Ensure that the Password Reset Server folder has the proper permissions by checking that the
account running the application pool in IIS has Modify permissions on the folder where
Password Reset Server is installed.
Password Reset Server is now ready to be installed. See Completing Password Reset Server installation.
B. Installing as a Website
1. Extract the contents of the .zip file where you would like Password Reset Server to be located on
your system (a common location is C:\inetpub\wwwroot).
2. Open Internet Information Services (IIS) Manager.
3. Create a new application pool.
4. Ensure that the account running your newly created application pool in IIS has Modify
permissions on the folder where Password Reset Server is installed.
5. In IIS, right-click Sites and select Add Website…
6. Enter a Site name.
7. Click Select… and choose the application pool you created in step 3 from the drop-down menu.
Click OK.
8. Click the … button beside the Physical path field and select the directory containing the
unzipped Password Reset Server files (for example,
C:\inetpub\wwwroot\passwordresetserver). Click OK.
9. Click OK at the bottom of the Add Website window to save your settings.
Password Reset Server is now ready to be installed. Go to Completing Password Reset Server installation
from website.
C. Configuring the Application Pool
During a manual installation, Password Reset Server may be placed in the DefaultAppPool application
pool, which may not be set to use the correct pipeline for Password Reset Server. Password Reset Server
requires that the application pool’s managed pipeline mode be set to Classic. To resolve this, you can
modify the existing application pool settings or create a new one.
Note It is recommended that you create a new application pool for Password Reset Server if you have
other web applications running on the same server. This will help avoid changing the configuration for
another application.
1. Changing the Pipeline Mode
You can modify the pipeline mode for Password Reset Server’s application pool using the following
instructions:
1. Open Internet Information Services (IIS) Manager and select the Application Pools node.
2. Double-click the DefaultAppPool (or the application pool you wish to change).
3. For the Managed Pipeline Mode, select Classic. Click OK.
2. Creating a New Application Pool
Follow the steps below to create an entirely new application pool to use for Password Reset Server:
1. Open Internet Information Services (IIS) Manager and right-click the Application Pools node.
2. Select Add Application Pool…
3. Enter a new name for your application pool in the Name field.
4. Ensure that the .NET Framework Version is set to .NET Framework v2.0.50727.
5. For the Managed Pipeline Mode select Classic. Click OK.
6. (Optional) configure the application pool identity.
3. Configuring an Application Pool Identity
Windows 7 / Server 2008 will default new application pool identities to a virtual identity,
ApplicationPoolIdentity. For easiest configuration, use either this or NETWORK SERVICE as the identity.
For better security, you can specify your own Windows service account. See the Appendix for further
information on using a virtual identity for Password Reset Server in IIS.
To configure an application pool identity, follow the steps below:
1. Open Internet Information Services (IIS) Manager.
2. Click the Application Pools node.
3. Right-click the application pool you would like to modify and select Advanced Settings…
4. Under the Process Model section, click the Identity field to select a Built-in account or specify a
Custom account. For more information about using a custom account, see Running Password
Reset Server IIS Application Pool with a Service Account. After you’ve selected an account, click
OK.
VI. Appendix
A. Microsoft SQL Server 2008/2012 Express Prerequisites
SQL Server 2008 Express requires the following software to be installed first.
Note Only the Express Edition requires these components to be installed separately. If you are
installing another edition of SQL such as Standard or Enterprise, these components will be installed for
you.
• Windows PowerShell 1.0.
• Microsoft .NET Framework 3.5 SP1 is required for Microsoft SQL Server 2008 Express Edition.
Note that Microsoft SQL Server 2012 Express Edition requires Microsoft .NET Framework 4.0.
• Windows Installer 4.5.
Get Windows Installer 4.5.
B. Installing PowerShell
1. Windows Vista
Download and run the installer, available here: Get PowerShell 1.0
2. Windows 7
Windows 7 includes PowerShell 2.0. There is no need to install anything.
3. Windows Server 2008 / Windows Server 2008 R2
1. Open Server Manager.
2. Select Features on the left.
3. Select Add Features.
4. Check Windows PowerShell.
5. Click Next.
6. Click Install.
PowerShell is now installed for Windows Server 2008 / Server 2008 R2.
C. Virtual Accounts
Virtual Accounts, or Managed Service Accounts, is a feature included in Windows 7 and Windows Server
2008. Windows creates a virtual account named after the application pool. Thus, if your
application pool’s name is DefaultAppPool and its identity is set to ApplicationPoolIdentity, you would
assign folder permissions to the account IIS AppPool\DefaultAppPool. This account can then optionally
be used to connect Password Reset Server to the SQL database by adding db_owner access to the
database as a Windows account. See Adding a SQL Server User. For more information on virtual
accounts as application pool identities, see this article by Microsoft.
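The application pool settings from section V.C and the folder permission from installer Step 1, scripted for an elevated PowerShell prompt as an added example (not the vendor's code). The pool name and script name are hypothetical, and the Harden phase assumes read and execute access is sufficient once setup is finished, since the guide states that write and modify can be removed afterwards.

```powershell
# Added example, not vendor code. Save as Set-PrsAppPool.ps1 (hypothetical name) and run elevated:
#   .\Set-PrsAppPool.ps1 -Phase Install    before opening the web installer
#   .\Set-PrsAppPool.ps1 -Phase Harden     after the web installer has finished
param(
    [string]$Phase     = 'Install',
    [string]$PoolName  = 'PasswordResetServer',                    # hypothetical pool name
    [string]$AppFolder = 'C:\inetpub\wwwroot\PasswordResetServer'  # typical path from the guide
)

$AppCmd = Join-Path $env:WINDIR 'System32\inetsrv\appcmd.exe'

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Run a native tool and stop on a non-zero exit code.
    & $Exe $ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start PowerShell with "Run as Administrator" and try again.'
    }
}

function Set-PrsAppPool {
    # Create the pool if it is missing, then force the two settings section V.C requires.
    $names = & $AppCmd list apppool /text:name
    if ($names -notcontains $PoolName) {
        Invoke-Tool $AppCmd @('add', 'apppool', "/name:$PoolName")
    }
    Invoke-Tool $AppCmd @('set', 'apppool', "/apppool.name:$PoolName",
        '/managedRuntimeVersion:v2.0', '/managedPipelineMode:Classic')
}

function Get-PoolAccount {
    # Map the pool's identity type to the Windows account that needs folder access.
    $type = & $AppCmd list apppool $PoolName /text:processModel.identityType
    switch ($type) {
        'ApplicationPoolIdentity' { return "IIS AppPool\$PoolName" }
        'NetworkService'          { return 'NT AUTHORITY\NETWORK SERVICE' }
        default { throw "Pool identity '$type' is not handled here; grant that account the folder rights yourself." }
    }
}

function Set-FolderAccess([string]$Rights) {
    # /grant:r replaces any earlier explicit grant for the account instead of adding to it.
    # (OI)(CI) makes files and subfolders inherit the entry.
    $account = Get-PoolAccount
    Invoke-Tool 'icacls.exe' @($AppFolder, '/grant:r', "${account}:(OI)(CI)$Rights")
}

if (@('Install', 'Harden') -notcontains $Phase) { throw 'Phase must be Install or Harden.' }
Assert-Elevated

if ($Phase -eq 'Install') {
    Set-PrsAppPool
    Set-FolderAccess 'M'     # Modify: required by installer Step 1 and by upgrades
} else {
    Set-FolderAccess 'RX'    # read and execute only once setup is done (assumption)
}

# Print the resulting ACL so the change can be reviewed.
Invoke-Tool 'icacls.exe' @($AppFolder)
```

Run the Install phase again before an upgrade, then Harden once the upgrade is complete.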
D. Creating a Domain Account to Reset Passwords
In order for Password Reset Server to reset passwords, it must be given access to an account that is able
to reset passwords on the domain users. Setting up the exact permissions is detailed below. We
recommend creating a new account that will only be used by Password Reset Server.
Note You must be a member of the “Domain Admins” group to perform these steps.
1. Open the Active Directory Users and Computers MMC snap-in and connect to your domain.
2. Right click Users under your domain and select New > User.
3. In the Full name and User logon name fields, enter a descriptive name and unique username,
respectively. Click Next.
4. Enter a strong password.
Note We recommend selecting Password never expires, because if the password expires and it is
not changed, Password Reset Server will not be able to change passwords for domain users.
5. Click Next, and then Finish.
The domain account used to synchronize and reset passwords for the domain must have the following
permissions to reset a user's account: Read all properties, Change Password, Reset Password, Write
lockoutTime, Write pwdLastSet:
6. Configure Active Directory Users and Computers to display Advanced Features by clicking View
from the top menu, and then Advanced Features.
7. Select the top-level domain node, right-click, and select Properties.
Tip If desired, you may apply the permissions to specific Organizational Units instead of the entire
domain. These actions must be repeated for each Organizational Unit.
8. Select the Security tab and then click Advanced.
9. On the Advanced Properties screen, click Add.
10. Select the user created above.
11. On the Object tab, select Descendant User Objects for the Apply to drop-down menu, then in
the box below select the Allow check box for Read All Properties, Change password, and Reset
password.
12. On the Properties tab, select Descendant User Objects in the Apply to drop-down menu, then
in the box below select the Allow check box for Write lockoutTime and Write pwdLastSet.
13. Click OK in each dialog to apply the settings to the domain account. You can now use this
account to reset passwords using Password Reset Server.
Tip You may want to modify your domain’s Group Policy to deny local login for this account under User
Rights Assignment.
Note The “dssec.dat” file located in %WINDIR%\SYSTEM32 contains a list of “filtered” properties. A
property listed here may not be visible under the Properties tab as indicated in 9 above. In order to
make a filtered property visible, delete the line under the appropriate object (e.g. [User]) or change the
value to 0. For further information, see: http://support.microsoft.com/kb/296490
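Steps 6 to 13 expressed with dsacls.exe, as an added example that is not part of the vendor guide. The distinguished name and account are constructed placeholders (the DN may be an Organizational Unit, as the Tip above allows); the script only prints the commands unless -Apply is given, and must then be run by a Domain Admin on a machine with the AD DS tools installed.

```powershell
# Added example, not vendor code. Replace the placeholder DN and account with your own values.
param(
    [string]$TargetDn = 'DC=example,DC=test',   # constructed placeholder: domain or OU DN
    [string]$Account  = 'EXAMPLE\svc-prs',      # constructed placeholder: account from steps 1-5
    [switch]$Apply                              # without this switch nothing is changed
)

# One entry per permission the guide lists, and nothing else.
# Format: rights;object-or-property;inherited-object-type
#   RP = read property, WP = write property, CA = control access (extended right)
$Delegations = @(
    'RP;;user',                  # Read all properties
    'CA;Change Password;user',
    'CA;Reset Password;user',
    'WP;lockoutTime;user',
    'WP;pwdLastSet;user'
)

function Get-DsaclsArgs([string]$Permission) {
    # /I:S applies the entry to child objects only; the trailing ';user' restricts it to
    # user objects, which corresponds to "Descendant User Objects" in the Apply to drop-down.
    return @($TargetDn, '/I:S', '/G', "${Account}:$Permission")
}

foreach ($permission in $Delegations) {
    $toolArgs = Get-DsaclsArgs $permission
    if ($Apply) {
        & dsacls.exe $toolArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed for '$permission' (exit code $LASTEXITCODE)"
        }
    } else {
        # Dry run: show the command that would be executed.
        Write-Host ('dsacls.exe "{0}" {1} {2} "{3}"' -f $toolArgs)
    }
}

if ($Apply) {
    # Review step: list every ACL line on the target that names the service account.
    # Anything beyond the five entries above is more access than the guide calls for.
    & dsacls.exe $TargetDn | Select-String -SimpleMatch $Account
}
```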
E. SSL Certificate
1. What is an SSL Certificate?
An SSL (Secure Sockets Layer) Certificate greatly enhances the security between the user’s browser and
the server Password Reset Server is installed on. It encrypts all data between the server and the client’s
browser so if an attacker were to look at the data being transmitted between the two, they would not
be able to decipher it.
2. Where can I obtain an SSL Certificate?
A certificate can be obtained from various companies such as Thawte or VeriSign. It is also possible to
create your own; see Creating and installing your own.