Thycotic Software has received several inquiries about installing Secret Server, Password Reset Server or Group Management Server in Windows Small Business Server. For those of you who aren’t familiar with Windows Small Business Server (SBS), this is Microsoft’s description:
“Windows Small Business Server is an affordable, all-in-one solution to reduce complexity and increase manageability of server technology in a small business environment.”
SBS is not an edition of Windows Server OS, but an OS bundled with pre-configured server technologies aimed at the small business sector. SBS has a large number of strict requirements and here is a list of the important ones:
- Only one SBS installation per domain (other Windows server OSes are allowed.)
- Must be the Active Directory root server and cannot trust other domains or have child domains.
- Maximum user/workstation count is 75.
- There are licensing restrictions and RAM restrictions (differs in versions.)
- The SQL Server 2008 Standard is the version included with SBS 2008.
Secret Server, Password Reset Server and Group Management Server share many of the same technical requirements. Installing any of these products in SBS would likely have the exact same challenges. Here are the steps taken make Secret Server function in the most basic form:
- Start with a typical installation of SBS 2008, followed by installing Windows updates (120 of them.)
- Check that .NET 3.5 is updated and installed.
- Run SQL Server Surface Area Configuration Tool to take ownership of the preinstalled and preconfigured SBS SQL database.
- Run the SQL Server Configuration Manager, editing Client Protocols, services and other settings.
- Install Secret Server in a folder isolated from the INETPUB folder due to stock SBS pieces interfering with Secret Server pages.
- Edit the permissions on the isolated application folder to allow users the ability to use the application.
- Set the App Pool pipeline to Classic mode as it is preconfigured for Integrated mode.
- Specify a non-standard port for Secret Server traffic (not 80 or 443.) These ports were already configured for SBS functionality of SharePoint, Reporting and other sites.
After the changes outlined above, the Secret Server login functioned and information was able to be stored in the password database. However, these changes to standard functionality in SBS will break functionality in other areas. Additionally, some of the advanced security settings for Windows found in Secret Server were not applied nor were other typical Secret Server advanced features.
Altering SBS to allow Secret Server-like applications to function requires changes that cause SBS to function as a typical Windows Server. There is a potential to minimize some of these changes by using a database external to the SBS server. This would likely defeat the purpose of SBS in the first place. In summary, the recommendation is to not use SBS as the host for installing Thycotic products. However, this could be true of many .NET web applications with a SQL database.