EmpowerID relies on multiple Windows services to host job functions and a range of IIS Web REST Services to handle its processing. Both the Windows Services and IIS Application Pool Identities require dedicated service accounts with the appropriate privileges to access the EmpowerID database. Before installing EmpowerID, it is essential to create these accounts and grant them the necessary permissions to interact with the EmpowerID database and the local machine where EmpowerID will be installed.

To follow security best practices, EmpowerID recommends implementing the principle of least privilege. This means granting service accounts only the minimum access rights needed to perform their specific tasks. To ensure this configuration, you will need to complete the following steps:

  1. Create Service Accounts: Set up one or more service accounts to run EmpowerID Windows services and EmpowerID IIS application pools.

  2. Create a Database User Account: Create a user account on the server hosting the EmpowerID Identity Warehouse. This account will need read-and-write access to the database backup folder and the ability to restore SQL databases.

  3. Restore the EmpowerID Identity Warehouse: Use the database user account created in the previous step to restore the EmpowerID Identity Warehouse.

  4. Create SQL Logins: Set up SQL logins for each service account and grant permission to access the EmpowerID Identity Warehouse.

  5. Install EmpowerID: Perform the EmpowerID installation using the designated local admin account.

  6. Grant Local Permissions: On each server where EmpowerID is installed, ensure that the service accounts have the required permissions to perform essential tasks, including installing EmpowerID assemblies into the GAC and day-to-day operations.

This article walks you through each of these steps and demonstrates how to install EmpowerID using the recommended least privilege configuration.

Pre-Installation Information

Before beginning the installation process, ensure you have the necessary files and system settings configured for a smooth installation:

  • Required Files: EmpowerID will provide two zip files (*-install.zip and *-EmpowerID.zip) and a database backup file that should be located on your SQL server.

  • Anti-Virus Settings: To prevent installation issues, exclude EmpowerID files, including websites and programs, from any anti-virus scanning software.

  • User Account Control (UAC): UAC in Windows must be disabled before the installation. This includes:

    • Disabling all UAC settings in secpol.msc.

    • Modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by setting the DWORD value to 0.

  • Environment Considerations: In a production environment, EmpowerID should not be installed on a domain controller or on the server hosting the EmpowerID SQL database.

Procedure

Step 1 – Install EmpowerID using least privilege

  1. Create EmpowerID Service Account

    • Create a service account in your domain that will be used to support the installation and operation of EmpowerID services with the fewest privileges.

    • After creating the account, retrieve its SID by running the following command:

          WMIC useraccount WHERE Name="EmpowerIDServiceAccount" GET SID

    • The SID will be used to grant this account the necessary permissions to run EmpowerID Windows services.

  2. Create Application Pool Account

    • Create an application pool account in your domain, which will be used to run EmpowerID application pools.

    • Retrieve the account’s SID, as it will also be used to grant the required permissions to run EmpowerID services.

  3. Create a Local SQL User Account and SQL Login

    • On the SQL server hosting the EmpowerID Identity Warehouse, create a local user account with read and write access to the database backup folder.

    • Create a SQL login for this user and grant it permission to restore SQL databases.

  4. Restore the EmpowerID Database

    • Log in to the SQL server as the user created above.

    • Restore the EmpowerID database by following these steps:

      • Right-click the Databases node in SQL Server Management Studio (SSMS) and select Restore Database.

      • Under Source, select Device and specify the path to the EmpowerID.bak file.

      • Under Destination, enter EmpowerID as the database name.

      • Click OK to begin the restore process. This may take several minutes.

  5. Create SQL Logins for Service Accounts

    • On the SQL Server, create logins for each EmpowerID service account.

    • Grant these accounts the necessary database privileges, including:

      • Connect

      • Authenticate

      • Execute

      • Delete

      • Insert

      • Select

      • Update

      • Alter (only for the following tables, to allow truncation):

        • PersonOrgRoleOrgZoneReEvalTempAccountData

        • PersonOrgRoleOrgZoneReEvalTempPersonData

        • PersonMandatoryAttributesTemp

        • PersonMandatoryAttributesTempPreview

        • PersonMandatoryAttributesOverwritePreview

        • AccountObjectAttributeOutboxPreview

      • EmpowerID has a predefined server role named EmpowerIDService. You can map this role to each service account to simplify privilege management.

  6. Prepare the EmpowerID Server

    • On your EmpowerID server, create the following directory: C:\Program Files\TheDotNetFactory\

    • Extract the *-install.zip file and copy its contents (the Install Setup folder) into the newly created TheDotNetFactory directory.

    • Extract the *-EmpowerID.zip file and copy the extracted folder into the TheDotNetFactory directory.

  7. Run the Installation Script

    • Open a PowerShell prompt in the Install Setup folder and execute the installation script. Make sure your execution policy does not block the script from running.

          .\Install-EmpowerID

    • Follow the prompts:

      • Enter the EmpowerID version number when prompted and press ENTER.

      • When asked for the EmpowerID installation directory, press ENTER to accept the default or specify a custom directory path.

  8. Confirm Installation and Connectivity

    • The script checks for internet connectivity and prompts you to continue the installation. Enter Y and press ENTER to proceed.

  9. Finalize Installation

    • The script installs EmpowerID along with the necessary IIS modules (URLRewrite and CORS) and runs the EmpowerID Configurator in install mode.

    • Once the script completes, close PowerShell and follow the remaining configuration steps in this article to finalize the installation.

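The following PowerShell script is an added example, not EmpowerID's own tooling, that performs the "Create SQL Logins for Service Accounts" step above for one Windows service account: it creates the login and database user and issues exactly the grants listed, with ALTER limited to the six tables. It assumes the SqlServer module's Invoke-Sqlcmd is available, that the restored database is named EmpowerID, and that the six tables live in the dbo schema (an assumption); the instance and account names are placeholders.

```powershell
# Added example; not EmpowerID's own script. Creates the SQL login and database user for one
# Windows service account and grants exactly the rights listed in the step above, with ALTER
# limited to the six tables that EmpowerID truncates. Requires the SqlServer PowerShell
# module (Invoke-Sqlcmd). Instance and account names are placeholders; the dbo schema for
# the six tables is an assumption.
param(
    [Parameter(Mandatory)][string]$SqlInstance,      # e.g. 'SQL01\EID' (placeholder)
    [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. 'CORP\svc-eid-worker' (placeholder)
    [string]$Database = 'EmpowerID'                  # name given when restoring the Identity Warehouse
)

$truncateTables = @(
    'PersonOrgRoleOrgZoneReEvalTempAccountData',
    'PersonOrgRoleOrgZoneReEvalTempPersonData',
    'PersonMandatoryAttributesTemp',
    'PersonMandatoryAttributesTempPreview',
    'PersonMandatoryAttributesOverwritePreview',
    'AccountObjectAttributeOutboxPreview'
)

# Bracket-quote identifiers (doubling any ']') so names are never spliced into T-SQL raw.
function ConvertTo-QuotedIdentifier([string]$Name) { '[' + $Name.Replace(']', ']]') + ']' }

$principal   = ConvertTo-QuotedIdentifier $ServiceAccount
$dbName      = ConvertTo-QuotedIdentifier $Database
$nameLiteral = "N'" + $ServiceAccount.Replace("'", "''") + "'"   # string literal for catalog lookups

$alterGrants = ($truncateTables | ForEach-Object {
    "GRANT ALTER ON OBJECT::dbo.$(ConvertTo-QuotedIdentifier $_) TO $principal;"
}) -join "`n"

$grantSql = @"
-- Server-level login for the Windows account; skipped on re-runs
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $nameLiteral)
    CREATE LOGIN $principal FROM WINDOWS;
GO
USE $dbName;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $nameLiteral)
    CREATE USER $principal FOR LOGIN $principal;
GO
-- Database-wide rights from the list above; no db_owner and no server roles
GRANT CONNECT, AUTHENTICATE, EXECUTE, DELETE, INSERT, SELECT, UPDATE TO $principal;
-- ALTER on a table is the minimum right for TRUNCATE TABLE, so it is scoped per table
$alterGrants
GO
"@

Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grantSql -ErrorAction Stop

# Review what the account actually holds in the database after the grants.
$reviewSql = @"
USE $dbName;
SELECT dp.class_desc, dp.permission_name, dp.state_desc,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = $nameLiteral
ORDER BY dp.class_desc, dp.permission_name, object_name;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $reviewSql | Format-Table -AutoSize
```

Run it once per service account (Windows service account and application pool account). If you prefer the predefined EmpowerIDService role that the article mentions, map the login to that role instead of issuing the GRANT statements; the explicit grants are shown here so that the exact rights are visible for review, and the closing query lets you confirm that nothing broader (such as db_owner) was granted along the way.
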
Step 2 – Configure your EmpowerID installation

  1. Launch EmpowerID Configurator

    • From the Start menu, search for EmpowerID Configurator.

    • Right-click and select Run as administrator.

    The EmpowerID Configurator window will open. This tool connects EmpowerID to your SQL server, licenses EmpowerID, and configures settings like email, certificates, IIS websites, and Windows services.
    Note:

    If you close the Configurator before completing the configuration and encounter issues logging in as empoweridadmin, you can reopen it in install mode:

    • Navigate to C:\Program Files\TheDotNetFactory\EmpowerID\Programs in File Explorer.

    • Type cmd in the address bar to open a command prompt.

    • Type empowerid.configurator.exe install to launch the Configurator in install mode.


  2. General Settings

    • From the General Settings tab, configure the following:

      • SMTP Server: Enter the FQDN of your Exchange server for sending system-generated emails.

      • Email Address: Enter the default email address EmpowerID should use for outgoing system emails.

      • License Key: Enter your EmpowerID license key, then click the Add License File (...) button.

      • In the dialog, locate and select your EmpowerID License File (.eidlic), then click Open.

  3. SQL Connection

    • From the SQL Connection tab:

      • Enter the name or IP address of the SQL server in the Server Name field.

      • Under Authentication, select Windows Authentication (or SQL Azure if using a cloud-based Microsoft Azure SQL Database).

      • Select your EmpowerID database from the Database Name drop-down list.

      • Click Test Connection to confirm the connection is valid.

      • Click OK to close the connection message.

  4. Web Server Configuration

    • From the Web Server tab:

      • Enter the FQDN of your EmpowerID Web server in the Web Server URL field, using the https scheme.

      • Select an existing IIS website from the IIS Website drop-down, or enter a name to create a new site (default is the Default Web site).

      • Under SSL Certificate, click Browse to select an SSL certificate from the local store or browse for a .pfx file.

      • In the Password field, enter the password for the certificate and click OK.

  5. Service Account Configuration

    • Enter the Username and Password for the service account running the EmpowerID application pools.

  6. System Certificates

    • From the System Certificates tab:

      • Under Federation Certificate, click Browse to select the STS certificate for signing SAML assertions (can be the same as the SSL certificate).

      • In the Password field, enter the certificate password and click OK.

      • For Server System Access Certificate, click Generate. Enter a password when prompted and click OK to generate and save the certificate.

  7. Windows Services Setup

    • From the Services tab:

      • Under Windows Services, select each EmpowerID service you wish to install, and provide the Username and Password for the service account.

      • Services include:

        • EmpowerID Web Role Service: Required on all EmpowerID Web servers for managing workflows and global assembly cache synchronization.

        • EmpowerID Worker Role Service: Required on a server with IIS to process the Web Service Garden, run scheduled jobs, and handle long-running tasks (e.g., RBAC security compilation, inventory processing).

  8. Reporting Services (Optional)

    • If using Reporting Services, configure the following:

      • Report Server URL: Enter the web service URL for your report server.

      • Report Server Folder: Specify the folder name for reports.

      • SAML Connection: Enter the SAML service provider connection for SSRS.

  9. Miscellaneous Settings

    • From the Miscellaneous tab:

      • To use a CDN for delivering static content (CSS, images, scripts), enter the CDN URL in the CDN Server URL field.

      • Enable Minification: Minification of CSS and JavaScript is enabled by default. Deselect if not required (though minification is recommended).

  10. Summary

    • Review the configuration changes in the Summary tab.

    • Click Save to apply the changes.

    • When prompted, click Yes to confirm and apply all changes.

    • Click OK to close the "Settings have been saved" dialog.

  11. Export Options (Optional)

    • From the Export Options tab:

      • Select files you want to export, such as the EmpowerID MSI.

      • Browse to the MSI file location and select it.

      • Choose the output folder for the exported files, then click Export.

      • Click OK when the export completes.

  12. Configure IIS

    • Open Internet Information Services (IIS) Manager from the Start menu.

    • In the Connections pane, expand Sites and select your EmpowerID site.

    • In the Actions pane, click Basic Settings.

    • In the dialog, change the Physical Path to C:\Program Files\TheDotNetFactory\EmpowerID\Web Sites\EmpowerID.Web.SiteRoot.

    • This updates the web configuration to use the latest and most secure settings.

  13. Finalize EmpowerID Installation

    • Open Services.msc and stop the EmpowerID Web Role Service.

    • The next step is to grant your EmpowerID service account access to the necessary files and folders on your EmpowerID server, ensuring it has the permissions to run the EmpowerID Windows services and manage local machine rights.

Step 3 – Grant Local Machine Rights

The EmpowerID service account interacts with the local machine to perform various maintenance tasks, including distributing and maintaining workflows and other Workflow Studio items. To ensure proper operation, the service account requires the following access rights on the local machine:

Required Access Rights:

  • Install files into the local Global Assembly Cache (GAC)

  • Read the registry

  • Read certificates from the local certificate store

  • Execute child processes

  • Run the C# compiler in the background when necessary

  • Create files in the temp folder

  • Run remote PowerShell for Microsoft Exchange (if the Exchange Server Role is enabled in EmpowerID)

  • Create files and folders in:

    • C:\ProgramData

    • C:\Program Files\TheDotNetFactory\Programs

Granting Rights via PowerShell

Run the following PowerShell script (a DSC configuration) from an elevated PowerShell session to grant the required permissions. Pass the EmpowerID installation folder as -EIDPath and the service account for your environment as -EIDSrvcPrinciple; the commented example at the end of the script shows both. The configuration imports the cNtfsAccessControl and Carbon DSC modules, which must be installed on the server first:

param(
    [string]$EIDPath,
    [string]$EIDSrvcPrinciple
)

Configuration EmpowerID_SecureInstallConfig
{
    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName Carbon

    $WinNet2AssemblyDir_Val = "C:\Windows\assembly"
    $WinNet35AssemblyDir_Val = "C:\Windows\Microsoft.NET\assembly"
    $nLogFilePath_Val = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log"
    $fusionPubPolicyRegPath_Val = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default"

    File EidDir
    {
        Ensure = "Present"
        DestinationPath = $EIDPath
        Type = 'Directory'
    }

    File WinNet2AssemblyDir
    {
        Ensure = "Present"
        DestinationPath = $WinNet2AssemblyDir_Val
        Type = 'Directory'
    }

    File WinNet35AssemblyDir
    {
        Ensure = "Present"
        DestinationPath = $WinNet35AssemblyDir_Val
        Type = 'Directory'
    }

    File nLogFilePath
    {
        Ensure = "Present"
        DestinationPath = $nLogFilePath_Val
        Type = 'File'
    }

    Registry fusionPubPolicyRegPath
    {
        Ensure = "Present"
        Key = $fusionPubPolicyRegPath_Val
        ValueName = ""
    }

    cNtfsPermissionEntry PermissionSet1
    {
        Ensure = 'Present'
        Path = $EIDPath
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]EidDir'
    }

    cNtfsPermissionEntry PermissionSet2
    {
        Ensure = 'Present'
        Path = $WinNet2AssemblyDir_Val
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]WinNet2AssemblyDir'
    }

    cNtfsPermissionEntry PermissionSet3
    {
        Ensure = 'Present'
        Path = $WinNet35AssemblyDir_Val
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]WinNet35AssemblyDir'
    }

    cNtfsPermissionEntry PermissionSet4
    {
        Ensure = 'Present'
        Path = $nLogFilePath_Val
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]nLogFilePath'
    }

    Carbon_Permission PermissionSet5
    {
        Ensure = 'Present'
        Path = "HKLM:\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default"
        Identity = $EIDSrvcPrinciple
        ApplyTo = 'ContainerAndChildContainersAndChildLeaves'
        Permission = 'FullControl'
        DependsOn = '[Registry]fusionPubPolicyRegPath'
    }
}


<#
. .\SetLeastPrivsDSC.ps1 -EIDPath 'C:\Program Files\TheDotNetFactory' -EIDSrvcPrinciple 'eiddoc\eidsvcaccount' 

$outputDir = EmpowerID_SecureInstallConfig 
Start-DscConfiguration -Path $outputDir.Directory -Force -Verbose -Wait
#>

Verify Permissions

After running the PowerShell script, verify that the service account has full permissions to the following directories and registry keys:

  • %windir%\assembly

  • %windir%\Microsoft.Net\assembly

  • %windir%\Microsoft.Net\Framework64\v4.0.30319\ngen.log

  • EmpowerID Installation folder

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default

Additionally, ensure the service account has read permissions to the following folder and full permissions to the registry key:

  • %windir%\System32\inetsrv\config

  • HKEY_LOCAL_MACHINE\SOFTWARE\TheDotNetFactory

If any permissions are missing, they must be manually set to ensure the EmpowerID service account can perform all required functions.
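An added check script (not part of the article or of the DSC configuration above) that audits the rights listed in this section for the service account and reports what is missing. The paths come from the list above; the default installation folder and the account name are assumptions to adjust.

```powershell
# Added example; not part of the EmpowerID article or its DSC configuration.
# Audits the rights the "Verify Permissions" list asks for and reports anything missing.
# Run from an elevated PowerShell session on the EmpowerID server.
param(
    [Parameter(Mandatory)][string]$ServiceAccount,                 # e.g. 'CORP\eidsvcaccount' (placeholder)
    [string]$EidPath = 'C:\Program Files\TheDotNetFactory'         # installation folder; adjust if you changed it
)

# Compare on SIDs so the check works whether an ACE displays a name or an unresolved SID.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$fsFull  = [long][System.Security.AccessControl.FileSystemRights]::FullControl   # 0x1F01FF
$fsRead  = [long][System.Security.AccessControl.FileSystemRights]::Read          # 0x20089
$regFull = [long][System.Security.AccessControl.RegistryRights]::FullControl     # 0xF003F

# The rights the article says to verify: full control on the GAC, ngen.log and installation
# locations and on the Fusion and TheDotNetFactory keys, read on the IIS config folder.
$checks = @(
    @{ Path = "$env:windir\assembly";                                      Need = $fsFull;  Label = 'FullControl' },
    @{ Path = "$env:windir\Microsoft.Net\assembly";                        Need = $fsFull;  Label = 'FullControl' },
    @{ Path = "$env:windir\Microsoft.Net\Framework64\v4.0.30319\ngen.log"; Need = $fsFull;  Label = 'FullControl' },
    @{ Path = $EidPath;                                                    Need = $fsFull;  Label = 'FullControl' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default';   Need = $regFull; Label = 'FullControl' },
    @{ Path = "$env:windir\System32\inetsrv\config";                       Need = $fsRead;  Label = 'Read' },
    @{ Path = 'HKLM:\SOFTWARE\TheDotNetFactory';                           Need = $regFull; Label = 'FullControl' }
)

function Test-MaskGrants([long]$Mask, [long]$Need) {
    if ($Mask -band 0x10000000L) { return $true }                                # GENERIC_ALL covers everything
    if ($Need -eq $fsRead -and ($Mask -band 0x80000000L)) { return $true }       # GENERIC_READ satisfies Read
    return (($Mask -band $Need) -eq $Need)
}

function Get-EidRightsReport {
    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Path)) {
            [pscustomobject]@{ Path = $c.Path; Required = $c.Label; Granted = 'PATH MISSING'; Ok = $false }
            continue
        }
        # Union of every Allow ACE naming the account directly. Rights inherited through
        # group membership are not followed, and a Deny ACE would override what is reported.
        $mask = 0L
        foreach ($ace in (Get-Acl -LiteralPath $c.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
            catch { continue }
            if ($aceSid -ne $sid) { continue }
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
            $mask = $mask -bor [long]$rights
        }
        [pscustomobject]@{
            Path     = $c.Path
            Required = $c.Label
            Granted  = ('0x{0:X}' -f $mask)
            Ok       = (Test-MaskGrants $mask $c.Need)
        }
    }
}

$report = Get-EidRightsReport
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Ok })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) required right(s) missing; set them manually before starting the EmpowerID services."
}
```

The check tests for the rights exactly as this section states them. Note that the DSC configuration above grants Modify rather than FullControl on the directories and on ngen.log, so directly after running it those rows will show as not OK until you either raise the grant to full control or decide that Modify is sufficient for your deployment; the Granted column shows the raw mask so you can make that call.
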

Step 4 – Grant Rights to the Application Pool Identity

The application pool identity needs read access to the EmpowerID website folders and permission to restart the EmpowerID Windows services. Follow the steps below to grant the necessary permissions to the EmpowerID Web Role Service and EmpowerID Worker Role Service.

  1. Retrieve the SID for the Application Pool Account

    • Use the following command to retrieve the Security Identifier (SID) for the EmpowerID Web Services application pool account. Replace AppPoolAccountName with the actual name of your application pool account:

          WMIC useraccount WHERE Name="AppPoolAccountName" GET SID

  2. Display the Security Descriptor for the EmpowerID Web Role Service

    • Open a command prompt in administrative mode and run the following command to view the security descriptor of the EmpowerID Web Role Service. This command writes the descriptor to a text file named EIDWebRole_SecurityDescriptor.txt (if you use a PowerShell window instead, type sc.exe, because sc alone resolves to the Set-Content alias):

          sc sdshow "EmpowerID Web Role Service" > EIDWebRole_SecurityDescriptor.txt

  3. View the Security Descriptor

    • Open the text file to view the security descriptor by running:

          notepad.exe EIDWebRole_SecurityDescriptor.txt

    • You should see output similar to the following:

          D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  4. Modify the Security Descriptor

    • Locate the permissions for Built-in administrators (BA) in the text file. Copy the access control entry for BA and paste it again immediately after the original within the same file.

    • In the pasted copy, replace BA with the SID of the application pool account (retrieved earlier). The file should now look like the following (your SID will differ):

          D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1871625359-1900012290-2536039220-1591)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  5. Set the Updated Security Descriptor

    • Return to the command prompt and apply the updated security descriptor by running the following (the service name must be given before the descriptor):

          sc sdset "EmpowerID Web Role Service" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1871625359-1900012290-2536039220-1591)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  6. Repeat for the EmpowerID Worker Role Service

    • Follow steps 2 through 5 for the EmpowerID Worker Role Service to grant the same permissions for that service.

  7. Restart the EmpowerID Web Role Service

    • Once permissions are configured, restart the EmpowerID Web Role Service to apply the changes.

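The hand edit of the SDDL string above is easy to get wrong (a missing parenthesis or a stray BA copy leaves the descriptor unchanged or rejected). The following PowerShell script is an added example, not EmpowerID's own tooling, that performs the same grant by parsing the descriptor with System.Security.AccessControl and appending a copy of the Built-in Administrators entry for the given account, so the result is always well-formed. It goes one step beyond the article with a -RestartOnly switch that copies the SYSTEM entry (start, stop, pause, query) instead of the full-control BA entry. The service and account names are placeholders.

```powershell
# Added example; not part of the EmpowerID documentation. Grants one account the same
# rights on a Windows service that the article has you add by hand-editing the SDDL string.
param(
    [Parameter(Mandatory)][string]$ServiceName,   # e.g. 'EmpowerID Web Role Service'
    [Parameter(Mandatory)][string]$Account,       # e.g. 'CORP\svc-eid-apppool' (placeholder)
    [switch]$RestartOnly,                         # copy the SYSTEM (start/stop/query) mask instead of the BA mask
    [switch]$Apply                                # without -Apply the new SDDL is only printed (dry run)
)

# 'sc' alone is an alias for Set-Content in PowerShell; the service control tool is sc.exe.
$current = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()
if (-not $current) { throw "sc.exe sdshow returned no descriptor for '$ServiceName'." }

# Resolve the account to a SID so the ACE is stored by SID, as in the article's step 4.
$targetSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                 [System.Security.Principal.SecurityIdentifier])

# Template ACE: BA (full service control) as in the article, or SY for start/stop/query only.
$templateSid = if ($RestartOnly) { New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18') }
               else              { New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544') }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
$template = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.AceQualifier -eq 'AccessAllowed' -and $_.SecurityIdentifier -eq $templateSid
} | Select-Object -First 1
if (-not $template) { throw "No Allow ACE for $templateSid found in the DACL; inspect the sdshow output." }

$alreadyPresent = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and $_.SecurityIdentifier -eq $targetSid
}
if ($alreadyPresent) {
    Write-Host "An ACE for $Account already exists on '$ServiceName'; nothing changed."
    $newSddl = $current
} else {
    $ace = New-Object System.Security.AccessControl.CommonAce(
        $template.AceFlags, [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $template.AccessMask, $targetSid, $false, $null)
    # Appending keeps canonical order here because the service DACL contains only Allow entries.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

Write-Host "Current: $current"
Write-Host "New:     $newSddl"
if ($Apply -and $newSddl -ne $current) {
    & sc.exe sdset $ServiceName $newSddl
}
```

Run it once without -Apply to review the new descriptor next to the current one, then again with -Apply; repeat for the EmpowerID Worker Role Service. The BA entry the article copies carries DC, SD, WD and WO (change configuration, delete, change permissions, take ownership) in addition to start and stop, so if the application pool identity only needs to restart the services, -RestartOnly gives the smaller SYSTEM-style mask CCLCSWRPWPDTLOCRRC instead.
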