- Created by Phillip Hanegan, last modified on Sept 16, 2024
EmpowerID relies on multiple Windows services to host job functions and a range of IIS Web REST Services to handle its processing. Both the Windows Services and IIS Application Pool Identities require dedicated service accounts with the appropriate privileges to access the EmpowerID database. Before installing EmpowerID, it is essential to create these accounts and grant them the necessary permissions to interact with the EmpowerID database and the local machine where EmpowerID will be installed.
To follow security best practices, EmpowerID recommends implementing the principle of least privilege. This means granting service accounts only the minimum access rights needed to perform their specific tasks. To ensure this configuration, you will need to complete the following steps:
- Create Service Accounts: Set up one or more service accounts for running EmpowerID Windows services and EmpowerID IIS application pools.
- Create a Database User Account: On the server hosting the EmpowerID Identity Warehouse, create a user account. This account will need read and write access to the database backup folder, along with the ability to restore SQL databases.
- Restore the EmpowerID Identity Warehouse: Use the database user account created in the previous step to restore the EmpowerID Identity Warehouse.
- Create SQL Logins: Set up SQL logins for each service account and grant the necessary permissions for access to the EmpowerID Identity Warehouse.
- Install EmpowerID: Perform the EmpowerID installation using the designated local admin account.
- Grant Local Permissions: On each server where EmpowerID is installed, ensure that the service accounts have the required permissions to perform essential tasks, including installing EmpowerID assemblies into the Global Assembly Cache (GAC) and carrying out day-to-day operations.
This article takes you through each of these steps, demonstrating how to install EmpowerID using the recommended least privilege configuration.
Before beginning the installation process, ensure you have the necessary files and system settings configured for a smooth installation:
- Required Files: EmpowerID will provide two zip files (*-install.zip and *-EmpowerID.zip), as well as a database backup file that should be located on your SQL server.
- Anti-Virus Settings: Exclude EmpowerID files, including websites and programs, from any anti-virus scanning software to prevent installation issues.
- User Account Control (UAC): UAC in Windows must be disabled prior to the installation. This includes:
  - Disabling all UAC settings in secpol.msc.
  - Modifying the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by setting the DWORD value to 0.
- Environment Considerations: EmpowerID should not be installed on a domain controller or the same server hosting the EmpowerID SQL database in a production environment.
Procedure
Step 1 – Install EmpowerID using least privilege
Create EmpowerID Service Account
- Create a service account in your domain that will be used to support the installation and operation of EmpowerID services with least privilege.
After creating the account, retrieve its SID by running the following command:
WMIC useraccount WHERE Name="EmpowerIDServiceAccount" GET SID
The SID will be used to grant this account the necessary permissions to run EmpowerID Windows services.
Create Application Pool Account
- Create an application pool account for your domain, which will be used to run EmpowerID application pools.
- Retrieve the account’s SID, as it will also be used to grant the required permissions to run EmpowerID services.
Create a Local SQL User Account and SQL Login
- On the SQL server hosting the EmpowerID Identity Warehouse, create a local user account with read and write access to the database backup folder.
- Create a SQL login for this user and grant it permission to restore SQL databases.
Restore the EmpowerID Database
- Log in to the SQL server as the user created above.
- Restore the EmpowerID database by following these steps:
  - Right-click on the Databases node in SQL Server Management Studio (SSMS) and select Restore Database.
  - Under Source, select Device and specify the path to the EmpowerID.bak file.
  - Under Destination, enter EmpowerID as the database name.
  - Click OK to begin the restore process. This may take several minutes.
Create SQL Logins for Service Accounts
- On the SQL Server, create logins for each EmpowerID service account.
- Grant these accounts the necessary database privileges, including:
- Connect
- Authenticate
- Execute
- Delete
- Insert
- Select
- Update
- Alter (only for the following tables, to allow truncation):
PersonOrgRoleOrgZoneReEvalTempAccountData
PersonOrgRoleOrgZoneReEvalTempPersonData
PersonMandatoryAttributesTemp
PersonMandatoryAttributesTempPreview
PersonMandatoryAttributesOverwritePreview
AccountObjectAttributeOutboxPreview
- EmpowerID has a predefined server role named EmpowerIDService. You can map this role to each service account to simplify privilege management.
Prepare the EmpowerID Server
- On your EmpowerID server, create the following directory: C:\Program Files\TheDotNetFactory\
- Extract the *-install.zip file and then copy the contents (Install Setup folder) into the newly created TheDotNetFactory directory.
- Extract the *-EmpowerID.zip file and copy the extracted folder into the TheDotNetFactory directory.
Run the Installation Script
Open a PowerShell prompt in the Install Setup folder and execute the installation script. Before running it, make sure the PowerShell execution policy on the server does not block the script from running.
.\Install-EmpowerID
- Follow the prompts:
- Enter the EmpowerID version number when prompted and press ENTER.
- When asked for the EmpowerID installation directory, press ENTER to accept the default or specify a custom directory path.
Confirm Installation and Connectivity
- The script checks for internet connectivity and will prompt you to continue the installation process. Enter Y and press ENTER to proceed.
Finalize Installation
- The script will install EmpowerID, along with the necessary IIS modules (URLRewrite and CORS) and run the EmpowerID Configuration in Install Mode.
- Once the script completes, close PowerShell and follow the remaining configuration steps in this article to finalize the installation.
Step 2 – Configure your EmpowerID installation
Launch EmpowerID Configurator
- From the Start menu, search for EmpowerID Configurator.
- Right-click and select Run as administrator.
The EmpowerID Configurator window will open. This tool connects EmpowerID to your SQL server, licenses EmpowerID, and configures settings like email, certificates, IIS websites, and Windows services.
Note: If you close the Configurator before completing the configuration and encounter issues logging in as empoweridadmin, you can reopen it in install mode:
- Navigate to C:\Program Files\TheDotNetFactory\EmpowerID\Programs in File Explorer.
- Type cmd in the address bar to open a command prompt.
- Type empowerid.configurator.exe install to launch the Configurator in install mode.
General Settings
- From the General Settings tab, configure the following:
  - SMTP Server: Enter the FQDN of your Exchange server for sending system-generated emails.
  - Email Address: Enter the default email address EmpowerID should use for outgoing system emails.
  - License Key: Enter your EmpowerID license key, then click the Add License File (...) button.
  - In the dialog, locate and select your EmpowerID License File (.eidlic), then click Open.
SQL Connection
- From the SQL Connection tab:
- Enter the name or IP address of the SQL server in the Server Name field.
- Under Authentication, select Windows Authentication (or SQL Azure if using a cloud-based Microsoft Azure SQL Database).
- Select your EmpowerID database from the Database Name drop-down list.
- Click Test Connection to confirm the connection is valid.
- Click OK to close the connection message.
Web Server Configuration
- From the Web Server tab:
- Enter the FQDN of your EmpowerID Web server in the Web Server URL field, using the https scheme.
- Select an existing IIS website from the IIS Website drop-down, or enter a name to create a new site (default is the Default Web site).
- Under SSL Certificate, click Browse to select an SSL certificate from the local store or browse for a .pfx file.
- In the Password field, enter the password for the certificate and click OK.
Service Account Configuration
- Enter the Username and Password for the service account running the EmpowerID application pools.
System Certificates
- From the System Certificates tab:
- Under Federation Certificate, click Browse to select the STS certificate for signing SAML assertions (can be the same as the SSL certificate).
- In the Password field, enter the certificate password and click OK.
- For Server System Access Certificate, click Generate. Enter a password when prompted and click OK to generate and save the certificate.
Windows Services Setup
- From the Services tab:
- Under Windows Services, select each EmpowerID service you wish to install, and provide the Username and Password for the service account.
- Services include:
- EmpowerID Web Role Service: Required on all EmpowerID Web servers for managing workflows and global assembly cache synchronization.
- EmpowerID Worker Role Service: Required on a server with IIS to process the Web Service Garden, run scheduled jobs, and handle long-running tasks (e.g., RBAC security compilation, inventory processing).
Reporting Services (Optional)
- If using Reporting Services, configure the following:
- Report Server URL: Enter the web service URL for your report server.
- Report Server Folder: Specify the folder name for reports.
- SAML Connection: Enter the SAML service provider connection for SSRS.
Miscellaneous Settings
- From the Miscellaneous tab:
- To use a CDN for delivering static content (CSS, images, scripts), enter the CDN URL in the CDN Server URL field.
- Enable Minification: Minification of CSS and JavaScript is enabled by default. Deselect if not required (though minification is recommended).
Summary
- Review the configuration changes in the Summary tab.
- Click Save to apply the changes.
- When prompted, click Yes to confirm and apply all changes.
- Click OK to close the "Settings have been saved" dialog.
Export Options (Optional)
- From the Export Options tab:
- Select files you want to export, such as the EmpowerID MSI.
- Browse to the MSI file location and select it.
- Choose the output folder for the exported files, then click Export.
- Click OK when the export completes.
Configure IIS
- Open Internet Information Services (IIS) Manager from the Start menu.
- In the Connections pane, expand Sites and select your EmpowerID site.
- In the Actions pane, click Basic Settings.
In the dialog, change the Physical Path to C:\Program Files\TheDotNetFactory\EmpowerID\Web Sites\EmpowerID.Web.SiteRoot.
This updates the web configuration to use the latest and most secure settings.
Finalize EmpowerID Installation
- Open Services.msc and stop the EmpowerID Web Role Service.
- The next step is to grant your EmpowerID service account access to the necessary files and folders on your EmpowerID server, ensuring it has the permissions to run the EmpowerID Windows services and manage local machine rights.
Step 3 – Grant Local Machine Rights
The EmpowerID service account interacts with the local machine to perform various maintenance tasks, including distributing and maintaining workflows and other Workflow Studio items. To ensure proper operation, the service account requires the following access rights on the local machine:
Required Access Rights:
- Install files into the local Global Assembly Cache (GAC)
- Read the registry
- Read certificates from the local certificate store
- Execute child processes
- Run the C# compiler in the background when necessary
- Create files in the temp folder
- Run remote PowerShell for Microsoft Exchange (if the Exchange Server Role is enabled in EmpowerID)
- Create files and folders in:
C:\ProgramData
C:\Program Files\TheDotNetFactory\Programs
Granting Rights via PowerShell
Save the following PowerShell Desired State Configuration (DSC) script (the usage comment at its end assumes the file name SetLeastPrivsDSC.ps1) and run it from an administrative PowerShell prompt to grant the required permissions. It needs the cNtfsAccessControl and Carbon DSC resource modules to be installed. Pass your own service account as the EIDSrvcPrinciple parameter; the usage comment uses eiddoc\eidsvcaccount as an example:

param(
    [string]$EIDPath,          # EmpowerID installation folder
    [string]$EIDSrvcPrinciple  # EmpowerID service account (DOMAIN\name)
)

Configuration EmpowerID_SecureInstallConfig {
    Import-DscResource -ModuleName cNtfsAccessControl
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName Carbon

    $WinNet2AssemblyDir_Val     = "C:\Windows\assembly"
    $WinNet35AssemblyDir_Val    = "C:\Windows\Microsoft.NET\assembly"
    $nLogFilePath_Val           = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log"
    $fusionPubPolicyRegPath_Val = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default"

    # Make sure every target exists before an ACL is applied to it.
    File EidDir {
        Ensure          = "Present"
        DestinationPath = $EIDPath
        Type            = 'Directory'
    }
    File WinNet2AssemblyDir {
        Ensure          = "Present"
        DestinationPath = $WinNet2AssemblyDir_Val
        Type            = 'Directory'
    }
    File WinNet35AssemblyDir {
        Ensure          = "Present"
        DestinationPath = $WinNet35AssemblyDir_Val
        Type            = 'Directory'
    }
    File nLogFilePath {
        Ensure          = "Present"
        DestinationPath = $nLogFilePath_Val
        Type            = 'File'
    }
    Registry fusionPubPolicyRegPath {
        Ensure    = "Present"
        Key       = $fusionPubPolicyRegPath_Val
        ValueName = ""
    }

    # Modify on the installation folder and both GAC folders lets the service
    # account install EmpowerID assemblies into the Global Assembly Cache.
    cNtfsPermissionEntry PermissionSet1 {
        Ensure                   = 'Present'
        Path                     = $EIDPath
        Principal                = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation {
                AccessControlType  = 'Allow'
                FileSystemRights   = 'Modify'
                Inheritance        = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]EidDir'
    }
    cNtfsPermissionEntry PermissionSet2 {
        Ensure                   = 'Present'
        Path                     = $WinNet2AssemblyDir_Val
        Principal                = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation {
                AccessControlType  = 'Allow'
                FileSystemRights   = 'Modify'
                Inheritance        = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]WinNet2AssemblyDir'
    }
    cNtfsPermissionEntry PermissionSet3 {
        Ensure                   = 'Present'
        Path                     = $WinNet35AssemblyDir_Val
        Principal                = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation {
                AccessControlType  = 'Allow'
                FileSystemRights   = 'Modify'
                Inheritance        = 'ThisFolderSubfoldersAndFiles'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]WinNet35AssemblyDir'
    }
    cNtfsPermissionEntry PermissionSet4 {
        Ensure                   = 'Present'
        Path                     = $nLogFilePath_Val
        Principal                = $EIDSrvcPrinciple
        AccessControlInformation = @(
            cNtfsAccessControlInformation {
                AccessControlType  = 'Allow'
                FileSystemRights   = 'Modify'
                NoPropagateInherit = $false
            }
        )
        DependsOn = '[File]nLogFilePath'
    }
    Carbon_Permission PermissionSet5 {
        Ensure     = 'Present'
        Path       = "HKLM:\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default"
        Identity   = $EIDSrvcPrinciple
        ApplyTo    = 'ContainerAndChildContainersAndChildLeaves'
        Permission = 'FullControl'
        DependsOn  = '[Registry]fusionPubPolicyRegPath'
    }
}

<#
Usage: dot-source the script with your values, compile the configuration, then apply it.
. .\SetLeastPrivsDSC.ps1 -EIDPath 'C:\Program Files\TheDotNetFactory' -EIDSrvcPrinciple 'eiddoc\eidsvcaccount'
$outputDir = EmpowerID_SecureInstallConfig
Start-DscConfiguration -Path $outputDir.Directory -Force -Verbose -Wait
#>
Verify Permissions
After running the PowerShell script, verify that the service account has full permissions to the following directories and registry keys:
- %windir%\assembly
- %windir%\Microsoft.Net\assembly
- %windir%\Microsoft.Net\Framework64\v4.0.30319\ngen.log
- EmpowerID Installation folder
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default
Additionally, ensure the service account has read permissions to the following folder and full permissions to the registry key:
- %windir%\System32\inetsrv\config
- HKEY_LOCAL_MACHINE\SOFTWARE\TheDotNetFactory
If any permissions are missing, they must be manually set to ensure the EmpowerID service account can perform all required functions.
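The check above can be scripted. The following PowerShell script is an added example and not part of the EmpowerID documentation; it walks the paths and registry keys listed in this section and reports whether the service account is named directly in an Allow ACE that carries the required right (rights inherited through group membership are not resolved). The parameter names and the 'FullControl'/'Read' mapping are this example's assumptions, taken from the wording of this section.

```powershell
# Added verification script (not part of the EmpowerID documentation).
# Run from an administrative PowerShell prompt so protected ACLs can be read.
param(
    [Parameter(Mandatory)][string]$ServiceAccount,          # e.g. 'CONTOSO\eidsvcaccount'
    [string]$EIDPath = 'C:\Program Files\TheDotNetFactory'   # EmpowerID installation folder
)

# Targets from "Verify Permissions" and the right each needs. The DSC script above
# grants Modify on the folders; set Right to 'Modify' if that is what you applied.
$targets = @(
    @{ Path = "$env:windir\assembly";                                      Right = 'FullControl' }
    @{ Path = "$env:windir\Microsoft.NET\assembly";                        Right = 'FullControl' }
    @{ Path = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\ngen.log"; Right = 'FullControl' }
    @{ Path = $EIDPath;                                                    Right = 'FullControl' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default';   Right = 'FullControl' }
    @{ Path = "$env:windir\System32\inetsrv\config";                       Right = 'Read' }
    @{ Path = 'HKLM:\SOFTWARE\TheDotNetFactory';                           Right = 'FullControl' }
)

function Test-GrantedRight {
    param([string]$Path, [string]$Identity, [string]$Right)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING PATH' }
    $isRegistry = $Path -like 'HKLM:*'
    # Registry ACEs carry RegistryRights; file-system ACEs carry FileSystemRights.
    if ($isRegistry) { $needed = [System.Security.AccessControl.RegistryRights]$Right }
    else             { $needed = [System.Security.AccessControl.FileSystemRights]$Right }
    $granted = $false
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Only ACEs naming the account directly; group-derived rights are not resolved.
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($isRegistry) { $mask = $ace.RegistryRights } else { $mask = $ace.FileSystemRights }
        if (($mask -band $needed) -eq 0) { continue }
        # A Deny ACE overlapping the required bits wins over any Allow.
        if ($ace.AccessControlType -eq 'Deny') { return 'DENIED' }
        if (($mask -band $needed) -eq $needed) { $granted = $true }
    }
    if ($granted) { 'OK' } else { 'NOT GRANTED' }
}

$targets | ForEach-Object {
    [pscustomobject]@{
        Path   = $_.Path
        Needs  = $_.Right
        Result = Test-GrantedRight -Path $_.Path -Identity $ServiceAccount -Right $_.Right
    }
} | Format-Table -AutoSize
```

Any row reporting NOT GRANTED, DENIED or MISSING PATH is one you must fix by hand, as the section above says.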
Step 4 – Grant Rights to the Application Pool Identity
The application pool identity needs read access to the EmpowerID website folders and permission to restart the EmpowerID Windows services. Follow the steps below to grant the necessary permissions to the EmpowerID Web Role Service and EmpowerID Worker Role Service.
Retrieve the SID for the Application Pool Account
Use the following command to retrieve the Security Identifier (SID) for the EmpowerID Web Services application pool account. Replace AppPoolAccountName with the actual name of your application pool account:
WMIC useraccount WHERE Name="AppPoolAccountName" GET SID
Display the Security Descriptor for the EmpowerID Web Role Service
Open a command prompt in administrative mode and run the following command to view the security descriptor of the EmpowerID Web Role Service. This command will output the descriptor to a text file named EIDWebRole_SecurityDescriptor.txt:
sc sdshow "EmpowerID Web Role Service" > EIDWebRole_SecurityDescriptor.txt
View the Security Descriptor
Open the text file to view the security descriptor by running (pass the file name as an argument; do not use the > redirection here, which would overwrite the file with an empty one):
notepad.exe EIDWebRole_SecurityDescriptor.txt
You should see output similar to the following:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Modify the Security Descriptor
- Locate the Allow entry for Built-in administrators (BA) in the text file, (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA). Copy it and paste it again immediately after the original, so that the file now contains two BA entries:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- In the second copy, replace BA with the SID of the application pool account retrieved earlier. The result is the descriptor used in the next step (your SID will differ).
Set the Updated Security Descriptor
Return to the command prompt and apply the updated security permissions by running:
sc sdset D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1871625359-1900012290-2536039220-1591)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Repeat for the EmpowerID Worker Role Service
- Repeat the display, view, modify and set steps above (steps 2 through 5) for the EmpowerID Worker Role Service to grant the necessary permissions for that service as well.
Restart the EmpowerID Web Role Service
- Once permissions are configured, restart the EmpowerID Web Role Service to apply the changes.
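The sdshow/sdset edit described in this step, as an added PowerShell example that is not part of the EmpowerID documentation: it parses the service's SDDL string, clones the BA Allow entry for the given account (resolving a DOMAIN\name to its SID via .NET instead of WMIC) and writes the result back with sc sdset only when -Apply is given. The function names and the optional -Rights parameter are this example's own; by default it copies BA's rights exactly as the steps above do, but a narrower set such as the SY entry's CCLCSWRPWPDTLOCRRC (which still includes start, stop and pause/continue but not change-config, write-DAC or write-owner) can be passed when the pool identity only needs to restart the services.

```powershell
# Added example, not EmpowerID tooling. Clones the Built-in Administrators (BA)
# Allow ACE of a service DACL for another SID, as the sc sdshow/sdset steps do by hand.
# Service ACE right letters (Windows SDDL): CC query config, DC change config,
# LC query status, SW enumerate dependents, RP start, WP stop, DT pause/continue,
# LO interrogate, CR user-defined control, RC read control, SD delete,
# WD write DAC, WO write owner.
function Get-ServiceSddlWithAccount {
    param(
        [Parameter(Mandatory)][string]$Sddl,        # text produced by: sc sdshow "<service>"
        [Parameter(Mandatory)][string]$AccountSid,  # e.g. S-1-5-21-...-1591
        [string]$Rights                             # optional: narrower right set than BA's
    )
    # Everything between 'D:' and 'S:' is the DACL; the SACL (if present) is kept as is.
    if ($Sddl -notmatch '^D:(?<dacl>.*?)(?<sacl>S:.*)?$') { throw "Unrecognised SDDL: $Sddl" }
    $dacl = $Matches.dacl; $sacl = $Matches.sacl
    if ($dacl -notmatch '\(A;;(?<baRights>[A-Z]+);;;BA\)') { throw 'No Allow ACE for BA in the DACL.' }
    $baRights = $Matches.baRights
    $baAce    = "(A;;$baRights;;;BA)"
    if (-not $Rights) { $Rights = $baRights }             # default: exact copy of BA, as above
    if ($dacl -like "*;;;$AccountSid)*") { return $Sddl } # already present: nothing to add
    # Insert the new ACE directly after the BA entry, matching the layout shown above.
    $dacl = $dacl.Replace($baAce, $baAce + "(A;;$Rights;;;$AccountSid)")
    return "D:$dacl$sacl"
}

function Grant-ServiceAccessToAccount {
    param(
        [Parameter(Mandatory)][string]$ServiceName,  # e.g. 'EmpowerID Web Role Service'
        [Parameter(Mandatory)][string]$Account,      # 'DOMAIN\name' or an S-1-5-... SID
        [string]$Rights,
        [switch]$Apply                               # without -Apply only the new SDDL is returned
    )
    # Resolve DOMAIN\name to a SID via .NET rather than the deprecated WMIC.
    $sid = if ($Account -like 'S-1-*') { $Account } else {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    $line = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $line) { throw "sc sdshow returned no descriptor for '$ServiceName'" }
    $current = $line.Trim()
    $updated = Get-ServiceSddlWithAccount -Sddl $current -AccountSid $sid -Rights $Rights
    if ($Apply -and $updated -ne $current) {
        sc.exe sdset $ServiceName $updated | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    }
    return $updated
}

# Dry run on the descriptor shown in this article (constructed input; no service is touched).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-ServiceSddlWithAccount -Sddl $sample -AccountSid 'S-1-5-21-1871625359-1900012290-2536039220-1591'
```

Run Grant-ServiceAccessToAccount without -Apply first and compare its output with the sdshow result before applying it to each of the two services.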