Thycotic Products installed in Windows Small Business Server

16 07 2012

Thycotic Software has received several inquiries about installing Secret Server, Password Reset Server or Group Management Server in Windows Small Business Server.  For those of you who aren’t familiar with Windows Small Business Server (SBS), this is Microsoft’s description:

“Windows Small Business Server is an affordable, all-in-one solution to reduce complexity and increase manageability of server technology in a small business environment.”

SBS is not an edition of Windows Server OS, but an OS bundled with pre-configured server technologies aimed at the small business sector.  SBS has a large number of strict requirements and here is a list of the important ones:

  • Only one SBS installation per domain (other Windows server OSes are allowed.)
  • Must be the Active Directory root server and cannot trust other domains or have child domains.
  • Maximum user/workstation count is 75.
  • There are licensing restrictions and RAM restrictions (these differ between versions.)
  • The SQL Server 2008 Standard is the version included with SBS 2008.

Secret Server, Password Reset Server and Group Management Server share many of the same technical requirements.  Installing any of these products in SBS would likely present the exact same challenges.  Here are the steps taken to make Secret Server function in its most basic form:

  1. Start with a typical installation of SBS 2008, followed by installing Windows updates (120 of them.)
  2. Check that .NET 3.5 is updated and installed.
  3. Run SQL Server Surface Area Configuration Tool to take ownership of the preinstalled and preconfigured SBS SQL database.
  4. Run the SQL Server Configuration Manager, editing Client Protocols, services and other settings.
  5. Install Secret Server in a folder isolated from the INETPUB folder due to stock SBS pieces interfering with Secret Server pages.
  6. Edit the permissions on the isolated application folder to allow users the ability to use the application.
  7. Set the App Pool pipeline to Classic mode as it is preconfigured for Integrated mode.
  8. Specify a non-standard port for Secret Server traffic (not 80 or 443.)  These ports were already configured for SBS functionality of SharePoint, Reporting and other sites.

After the changes outlined above, the Secret Server login functioned and information could be stored in the password database.  However, these changes to standard functionality in SBS will break functionality in other areas.  Additionally, some of the advanced security settings for Windows found in Secret Server were not applied, nor were other typical Secret Server advanced features.

Altering SBS to allow Secret Server-like applications to function requires changes that cause SBS to function as a typical Windows Server.  There is a potential to minimize some of these changes by using a database external to the SBS server.  This would likely defeat the purpose of SBS in the first place.  In summary, the recommendation is to not use SBS as the host for installing Thycotic products.  However, this could be true of many .NET web applications with a SQL database.





Secret Server on Windows Server 2008 x64

7 02 2008

With the new release of Windows Server 2008, we wanted to make sure that Secret Server is always able to use the latest technology. So, we set out to prove that Secret Server would work on Windows Server 2008. To take it even further, we wanted to see it work on the 64-bit platform. So how did Secret Server do?

We’re excited to say that yes, Secret Server does work on Windows Server 2008 x64 Edition. Here was our setup:

- Windows Server 2008 Enterprise x64 Edition (IIS 7.0)
- SQL Server 2005 Developer x64 Edition
- Secret Server 4.0.000003.

There are a few things to note before Secret Server will function properly. IIS 7.0 made some groundbreaking changes to the way it integrates with ASP.NET 2.0, in the form of "Integrated Managed Pipeline Mode". Unfortunately, Secret Server currently cannot support this mode and will only work properly with IIS’s pipeline mode configured to "Classic". Fortunately, this isn’t a problem at all: it is as simple as changing the Application Pool that Secret Server is in to use the Classic pipeline.

While Secret Server is functional in this environment, we can’t officially support it yet; there are a few features of Secret Server that are problematic due to the new environment. The immediate one is a lack of support for IPv6 in the IP Address Restrictions, which we will be addressing in a release in the near future. The issue surfaces here because the IPv6 protocol is installed by default on Windows Server 2008. The same problem arises when the IPv6 protocol is installed on a previous version of Windows.
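As an added illustration (not Secret Server's code and not part of the original post), the Python example below shows how an IP restriction check written only for IPv4 rejects addresses that a dual-stack server can report for otherwise allowed hosts, next to a check that handles both address families. The allowlist and client addresses are constructed from documentation ranges, and all function names are hypothetical.

```python
import ipaddress

# Constructed allowlist using documentation ranges (not from the original post).
ALLOWED = ["192.0.2.0/24", "2001:db8:10::/48", "::1/128"]

# Constructed client addresses as a dual-stack server might report them.
SAMPLE_CLIENTS = [
    "192.0.2.7",          # plain IPv4
    "::ffff:192.0.2.7",   # same host, IPv4-mapped IPv6 form
    "::1",                # IPv6 loopback
    "2001:db8:10::5",     # native IPv6 inside the allowed prefix
    "2001:db8:ffff::5",   # native IPv6 outside it
    "198.51.100.9",       # IPv4 outside the allowed range
]

def ipv4_only_allowed(client, allowed=ALLOWED):
    """IPv4-only check: anything that is not dotted-quad is rejected."""
    try:
        addr = ipaddress.IPv4Address(client)
    except ValueError:
        return False  # IPv6-form addresses never match, even allowed hosts
    nets = (ipaddress.ip_network(n) for n in allowed)
    return any(addr in n for n in nets if n.version == 4)

def normalize(client):
    """Parse either family, drop a zone id, unwrap IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(client.split("%", 1)[0])
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def dual_stack_allowed(client, allowed=ALLOWED):
    """Family-aware check that fails closed on unparseable input."""
    try:
        addr = normalize(client)
    except ValueError:
        return False
    nets = (ipaddress.ip_network(n) for n in allowed)
    return any(addr in n for n in nets if n.version == addr.version)

def compare(clients=SAMPLE_CLIENTS):
    """Map each client to (ipv4_only_result, dual_stack_result)."""
    return {c: (ipv4_only_allowed(c), dual_stack_allowed(c)) for c in clients}

if __name__ == "__main__":
    for client, (old, new) in compare().items():
        print(f"{client:20} ipv4-only={old!s:5} dual-stack={new}")
```

Treating an IPv4-mapped address as the IPv4 address it embeds is a policy choice made in this example; a deployment that wants the two forms handled separately would drop that step in `normalize`.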

We still have a lot of testing to do on Windows Server 2008. We want to make sure that Secret Server works just as well as it always has on previous versions of Windows Server. Once we have finished our testing process and resolved any issues that arise, we will be able to officially support the Windows Server 2008 x64 and x86 platforms.

In the near future, we will be testing Secret Server against the up-and-coming SQL Server 2008.







