Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

EmpowerID uses multiple Windows services to host job functions as well as a variety of IIS Web REST Services to perform its processing. Each of the Windows Services and the IIS Application Pool Identities require a user identity (service account) with the necessary privileges to access the EmpowerID database. Before you install EmpowerID, you should first create these accounts, giving them the necessary access rights to interact with the EmpowerID database and the local machine on which EmpowerID is installed. To delegate the necessary access rights, EmpowerID recommends you follow the security practice of least privilege by granting service accounts the minimum access needed to perform the tasks associated with each. To implement least privilege, you will need to do the following:

  • Create one or more service accounts for running the EmpowerID Windows services and EmpowerID IIS app pools
  • Create a user account on the server hosting the EmpowerID Identity Warehouse and give that account read and write access to the database backup folder, as well as the ability to restore a SQL database
  • Restore the EmpowerID Identity Warehouse using the above specified user account
  • Create SQL logins for each service account and grant those logins the required rights to the EmpowerID Identity Warehouse
  • Install EmpowerID using the specified local admin account
  • On each server hosting an EmpowerID installation, grant the service accounts the required permissions needed to GAC EmpowerID assemblies and perform everyday operations.


This article takes you through each of these steps, demonstrating how to install EmpowerID using the recommended least privilege configuration. 

Warning

Prior to running EmpowerID, you must install the Microsoft IIS CORS and URL Rewrite modules on each EmpowerID server. To do so, please run the PowerShell script below in administrative mode.

Code Block
languagepowershell
themeConfluence
[System.IO.Directory]::CreateDirectory("C:\TempEID")
(New-Object System.Net.WebClient).DownloadFile('https://download.microsoft.com/download/C/9/E/C9E8180D-4E51-40A6-A9BF-776990D8BCA9/rewrite_amd64.msi', 'C:\TempEID\rewrite_amd64.msi'); `
(New-Object System.Net.WebClient).DownloadFile('http://download.microsoft.com/download/2/F/2/2F259559-FC43-4B2C-B53F-DED3E9950912/IISCORS_amd64.msi', 'C:\TempEID\IISCORS_amd64.msi'); `
Start-Process msiexec.exe -ArgumentList '/i', 'C:\TempEID\IISCORS_amd64.msi', '/quiet', '/norestart' -NoNewWindow -Wait
Start-Process msiexec.exe -ArgumentList '/i', 'C:\TempEID\rewrite_amd64.msi', '/quiet', '/norestart' -NoNewWindow -Wait
rm -r 'C:\TempEID'



Tip
  • To ensure a smooth install, make sure EmpowerID files, including websites and programs, are excluded from anti-virus scanning software settings.
  • The User Account Control (UAC) in Windows must be turned off for the installation of EmpowerID. All settings should be disabled in secpol.msc before proceeding. Additionally, ensure the DWORD value is set to 0 on the following registry key: 
  • Please note that installing EmpowerID on a domain controller or on the same server that houses the EmpowerID SQL database is not supported in a production environment.

To install EmpowerID using least privilege

  1. Create an EmpowerID service account for your domain. This account will be used to set the least privileges needed to support GAC'ing EmpowerID assemblies and performing everyday operations. After you create the account, retrieve its SID. The SID will be used to grant the account the necessary privileges to run each EmpowerID Windows service.

  2. Create an application pool account for your domain. This account will be used to run the EmpowerID application pools. After you create the account, retrieve its SID. The SID will be used to grant the account the necessary permissions to run each EmpowerID Windows service. 

    Div
    classshort-code-block


    Code Block
    languagetext
    themeConfluence
    WMIC useraccount WHERE Name="EmpowerIDServiceAccount" GET SID



  3. Create a local user account on the SQL server that is to host the EmpowerID SQL Identity Warehouse and give the account read and write access to the database backup folder.
  4. Create a SQL login for the above user account and grant the login the ability to restore a SQL database. 
  5. Log in to the SQL server as the above user and restore the EmpowerID database by doing the following:
    1. Right-click the Databases node and select Restore Database.
    2. Under Source, select Device and enter the path to the EmpowerID.bak folder.
    3. Under Destination, enter EmpowerID (to avoid the longer database name).
    4. Click OK to restore the database. This process takes several minutes.

  6. On the SQL Server, create logins for each service account and give those accounts the right to alter the database. Specifically, each service account must have the following database capabilities:
    • Connect
    • Authenticate
    • Execute
    • Delete
    • Insert
    • Select
    • Update
    • Alter — Needed on the following tables only to allow for truncation:
      • PersonOrgRoleOrgZoneReEvalTempAccountData
      • PersonOrgRoleOrgZoneReEvalTempPersonData
      • PersonManadatoryAttributesTemp
      • PersonMandatoryAttributesTempPreview
      • PersonMandatoryAttributesOverwritePreview
      • AccountObjectAttributeOutboxPreview

        Div
        stylemargin-left:-60px; margin-top:20px;


        Info

        To facilitate the granting of these privileges, EmpowerID has created a Server Role named EmpowerIDService. You can map this role to each service account on the EmpowerID database.



        Div
        stylemargin-left: -95px;;margin-top: 20px;


        Note

        If you are installing a build that is newer than 6.0.142.0, please skip the below steps and following the steps in the Installing EmpowerID in Post 6.0.142.0 Builds drop-down.



  7. Next, log in to the server that is to host the EmpowerID installation as a local administrator and open the EmpowerID.msi.
  8. In the EmpowerID Server Setup that appears, click Next to begin the installation.



  9. Accept the license agreement and click Next to continue.



  10. Review the path where EmpowerID will be installed and click Next. If you want to install EmpowerID in a different directory, click the Change button to choose a new path and then click Next.

    Image Modified

  11. Click Install to begin the installation.

    Image Modified

  12. Wait for the installer to complete the installation and then click Finish to close the installer.

    Image Modified

    Anchor
    newinstallmethod
    newinstallmethod

Info
iconfalse




To configure your EmpowerID installation

  1. From the Start menu, search for the EmpowerID Configurator, right-click it and select Run as administrator from the context menu.

    EmpowerID Configurator opens. You use the configurator to connect EmpowerID to your SQL server, license your copy of EmpowerID, as well as to configure default email settings, certificates, IIS Web Sites, and the EmpowerID Windows services.

    Note

    If you close the Configurator before you finish, to avoid becoming unable to log in as empoweridadmin, here is how to reopen it in install mode:

    1. In File Explorer, navigate to C:\Program Files\TheDotNetFactory\EmpowerID\Programs.
    2. In the address bar, type cmd.
    3. In the command prompt that appears, type empowerid.configurator.exe install.



    Image Modified

  2. From the General Settings tab of the EmpowerID Configurator, do the following:
    1. In the SMTP Server field, type the FQDN of the Exchange server EmpowerID should use for sending any automated emails generated by the system.
    2. In the Email Address field, type the default email address EmpowerID should use for sending any automated emails generated by the system.
    3. Type the licensing key you received from EmpowerID in the License Key field and then click the Add License File (...) button.



    4. In the Open File dialog that appears, locate and select the EmpowerID License File (.eidlic) you received from EmpowerID and then click Open.

  3. From the SQL Connection tab of the EmpowerID Configurator, do the following:
    1. Type the name or IP address of the SQL server you are using for EmpowerID in the Server Name field.
    2. Under Authentication, select Windows Authentication.

      Info

      Or select Sql Azure to use a cloud-based Microsoft Azure SQL Database.


    3. Select the EmpowerID database from the Database Name drop-down.
    4. Test the connection by clicking Test Connection.



    5. Click OK to close the connection message.

  4. From the Web Server tab of the EmpowerID Configurator, do the following:
    1. Type the FQDN of your EmpowerID Web server in the Web Server URL field. Be sure to use the https scheme.
    2. Select an existing Web site to host the EmpowerID Web application from the IIS Website drop-down or enter a name to create a new site. By default, EmpowerID selects the Default Web site.
    3. Under SSL Certificate, click Browse, choose whether to select the SSL certificate from the local certificate store or browse for the certificate PFX file and then click OK.
    4. Locate and select the SSL certificate you want to use for encrypting EmpowerID communications and click Open.
    5. In the Password field of the Enter Certificate Details dialog that appears, enter a password and then click OK to close the dialog. 

      Info
      iconfalse

      A password is required for exporting the private key of the certificate from the local certificate store to the EmpowerID certificate store.





    6. Enter the Username and Password for the service account running the EmpowerID application pools.




  5. From the System Certificates tab of the EmpowerID Configurator, do the following:
    1. Under Federation Certificate, click the Browse button and select the STS certificate EmpowerID should use for signing SAML assertions. The format for the certificate is PFX.

      Tip

      This certificate can be the same certificate as the one you selected for SSL.


    2. In the Password field of the Enter Certificate Details dialog that appears, enter a password and then click OK to close the dialog. 
    3. Under Server System Access Certificate, click the Generate button.
    4. In the Password field of the Enter Certificate Details dialog that appears, enter a password and then click OK to close the dialog. 
    5. Review the information in the Certificate information window that appears and then click OK to close the window.

      Image Modified

  6. From the Services tab of the EmpowerID Configurator, do the following:
    1. Underneath Windows Services, select each EmpowerID Windows service you want to install on the server, providing the user name and password for the service account identity that is to run each. These services include the following:
      • EmpowerID Web Role Service — This service is required on all EmpowerID Web servers and is responsible for managing workflow-related services and global assembly cache content synchronization.
      • EmpowerID Worker Role Service — This service must be on a server with IIS installed and is responsible for processing the EmpowerID Web Service Garden as well as running scheduled EmpowerID jobs and long running tasks, such as RBAC security compilation and inventory processing.
      • EmpowerID Radius Service — This service provides RADIUS authentication for routers, switches and other RADIUS-compliant devices



    2. If you are using Reporting Services for EmpowerID reports, underneath Reporting Services do the following:
      • Type your report server web service URL in the Report Server URL field.
      • Type the report server folder name in the Report Server Folder field.
      • Type the SAML service provider connection for SSRS in the SAML Connection field.

  7. From the Miscellaneous tab of the EmpowerID Configurator do the following:
    1. To use a separate CDN (Content Delivery Network) in place of your default EmpowerID Web server to deliver the CSS, image and script files used by the EmpowerID Web application, type the URL to the CDN in the CDN Server URL field. 

      Info

      You can deploy EmpowerID's static content to a separate, resolvable server (with a different DNS), or you can deliver the content to a true CDN with replication and geographical load-balancing, such as those offered by AWS or Azure. Using a separate CDN in this way can improve response times because the browser caches the content and EmpowerID refrains from sending cookies on each call (as it does in the default configuration).


    2. Deselect Enable Minification if you do not want to minify the CSS and JavaScript files. Please note that minification is recommended.

  8. Click the Summary tab and review the changes you are about to make to the system and click Save when ready.



  9. Click Yes when asked if you want to apply all the changes.
  10. Click OK to close the Settings have been saved dialog.
  11. Optionally, from the Export Options tab, do the following:
    1. Select each file you want to export.
    2. Click the EmpowerID MSI ellipses button (...) and browse to the EmpowerID MSI file location on your server.
    3. Select the MSI and click Open.
    4. Select the folder for the exported files by clicking the Output Folder ellipses (...) button and browsing to the desired folder.
    5. Click Export and then click OK to close the Export Success message.

  12. From the Start menu, open Internet Information Services (IIS) Manager and do the following:



    1. In the Connections pane, expand Sites and select your EmpowerID site.
    2. In the Actions pane, click Basic Settings.
    3. In the Edit Site dialog that appears, change the Physical Path to a path like the following:
      C:\Program Files\TheDotNetFactory\EmpowerID\Web Sites\EmpowerID.Web.SiteRoot

      Info

      This connects EmpowerID to the latest web.config file that contains the most secure settings.


    4. Click OK to save the setting.

  13. Open Services.msc and stop the EmpowerID Web Role Service.

    Now that you have installed and configured EmpowerID, the next step is to grant your dedicated EmpowerID service account the access to a number of folders and files on your EmpowerID server,. permissions for EmpowerID Windows services and local machine rights that account needs to run EmpowerID.

To grant local machine rights

The EmpowerID service account interacts with the local machine to perform a variety of maintenance procedures, including the distribution and maintenance of new workflows and other Workflow Studio published items. The service account needs the following access rights on the local machine:

  • Install files in to the local global assembly cache (GAC)
  • Read the registry
  • Read certificates in the local certificate store
  • Spin child processes
  • Run C# compiler in the background if and when necessary
  • create files in the temp folder
  • Run remote PowerShell for Microsoft Exchange, if that Server Role is enabled in EmpowerID
  • Create files and folders in the following locations:
    • C:\ProgramData
    • C:\Program Files\TheDotNetFactory\Programs

To grant these rights, run the following PowerShell cmdlet in administrative mode on the local machine.

Info

Be sure to replace the value for EIDSrvcPrinciple with the domain/principle for your environment.


Div
classshort-code-block


Code Block
languagepowershell
themeConfluence
param(
        [string]$EIDPath
        ,[string]$EIDSrvcPrinciple
    )

Configuration EmpowerID_SecureInstallConfig
{
    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName Carbon

    $WinNet2AssemblyDir_Val = "C:\Windows\assembly"
    $WinNet35AssemblyDir_Val = "C:\Windows\Microsoft.NET\assembly"
    $nLogFilePath_Val = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log"
    $fusionPubPolicyRegPath_Val = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default"

    File EidDir
    {
        Ensure = "Present"
        DestinationPath = $EIDPath
        Type = 'Directory'
    }

    File WinNet2AssemblyDir
    {
        Ensure = "Present"
        DestinationPath = $WinNet2AssemblyDir_Val
        Type = 'Directory'
    }

    File WinNet35AssemblyDir
    {
        Ensure = "Present"
        DestinationPath = $WinNet35AssemblyDir_Val
        Type = 'Directory'
    }

    File nLogFilePath
    {
        Ensure = "Present"
        DestinationPath = $nLogFilePath_Val
        Type = 'File'
    }

    Registry fusionPubPolicyRegPath
    {
        Ensure = "Present"
        Key = $fusionPubPolicyRegPath_Val
        ValueName = ""
    }

    cNtfsPermissionEntry PermissionSet1
    {
        Ensure = 'Present'
        Path = $EIDPath
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]EidDir'
    }

    cNtfsPermissionEntry PermissionSet2
    {
        Ensure = 'Present'
        Path = $WinNet2AssemblyDir_Val
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]WinNet2AssemblyDir'
    }

    cNtfsPermissionEntry PermissionSet3
    {
        Ensure = 'Present'
        Path = $WinNet35AssemblyDir_Val
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                Inheritance = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]WinNet35AssemblyDir'
    }

    cNtfsPermissionEntry PermissionSet4
    {
        Ensure = 'Present'
        Path = $nLogFilePath_Val
        Principal = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = 'Allow'
                FileSystemRights = 'Modify'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]nLogFilePath'
    }

    Carbon_Permission PermissionSet5
    {
        Ensure = 'Present'
        Path = "HKLM:\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default"
        Identity = $EIDSrvcPrinciple
        ApplyTo = 'ContainerAndChildContainersAndChildLeaves'
        Permission = 'FullControl'
        DependsOn = '[Registry]fusionPubPolicyRegPath'
    }
}


<#
. .\SetLeastPrivsDSC.ps1 -EIDPath 'C:\Program Files\TheDotNetFactory' -EIDSrvcPrinciple 'eiddoc\eidsvcaccount' 

$outputDir = EmpowerID_SecureInstallConfig 
Start-DscConfiguration -Path $outputDir.Directory -Force -Verbose -Wait
#>



After running the above cmdlet, verify that the service account has full permissions to the below files, folders and registry key. These permissions are needed to support installing files to the local global assembly cache (GAC):

  • %windir%\assembly 
  • %windir%\Microsoft.Net\assembly
  • %windir%\Microsoft.Net\Framework64\v4.0.30319\ngen.log
  • EmpowerID Installation folder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default

After running the above cmdlet, verify that the service account has read permissions to the following folder, as well as full permissions to the registry key. These permissions are needed to support the day-to-day operations of EmpowerID:

  • %windir%\System32\inetsrv\config
  • HKEY_LOCAL_MACHINE\SOFTWARE\TheDotNetFactory


Info

If any of the permissions are missing, you will need to manually set them.

To grant rights to the application pool identity

The application pool identity requires read access to the EmpowerID web site folders. Additionally, the application pool identity needs to be able to restart the EmpowerID Windows services. To grant the necessary permissions to the Windows services do the following:

  1. Retrieve the SID for the EmpowerID Web Services application pool account.
  2. Open a command prompt in administrative mode and display the security descriptor for the EmpowerID Web Role Service by running the below command for the EmpowerID Web Role Service. In the command, we are writing the output to a text file named "EIDWebRole_SecurityDescriptor."

    Div
    classshort-code-block


    Code Block
    languagetext
    themeConfluence
    sc sdshow "EmpowerID Web Role Service" > EIDWebRole_SecurityDescriptor.txt



  3. Run the following command to open the text file: 

    Div
    classshort-code-block


    Code Block
    languagetext
    themeConfluence
    notepad.exe > EIDWebRole_SecurityDescriptor.txt


     You should see the following output in the text file:

    Div


    Code Block
    languagetext
    themeConfluence
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)



  4. Locate and copy the permissions for the Built-in administrators so that the file looks as follows: 

    Div


    Code Block
    languagetext
    themeConfluence
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)



  5. In the second set of permissions for the Built-in administrators, replace BA with the SID of the application pool account so that the file looks similar to that shown below. Please note that the SID for your account will differ accordingly.

    Div


    Code Block
    languagetext
    themeConfluence
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1871625359-1900012290-2536039220-1591)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)



  6. Return to the command prompt and set the new security permissions. 

    Div


    Code Block
    languagetext
    themeConfluence
    sc sdset D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1871625359-1900012290-2536039220-1591)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)



  7. Repeat steps 2 through 6 above for the EmpowerID Worker Role Service.

  8. When ready, start the EmpowerID Web Role Service to GAC EmpowerID DLLs.

    This completes installing EmpowerID for least privilege.

    Info

    Please note that full GAC'ing can take several minutes to complete. Ensure that all DLLs have been added to the GAC before running any EmpowerID Workflows or performing any further configuration of the system. You can view the results in the EmpowerIDServerGACReference table of the EmpowerID Identity Warehouse. When the process is completed, the number of records in the EmpowerIDServerGACReference table should be the same as those in the GACReferenceLibrary table.






Div
stylefloat: left; position: fixed; top: 85px; padding: 5px;
idtoc
classtopicTOC


Div
stylemargin-left: 40px; margin-bottom: 40px;

Live Search
spaceKeyE2D
placeholderSearch the documentation
typepage


Div
stylefont-size: 1rem; margin-bottom: -65px; margin-left: 40px;text-transform: uppercase;

In this article



Table of Contents
stylenone