Scripted Install

To get started with Specops Authentication for uReset 8, you will need to install the Gatekeeper component in your Active Directory. The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script-based installation procedure. This guide walks through that procedure.

Requirements

Your organization’s environment must meet the following requirements:

  • Gatekeeper server computer:
    • Joined to your Active Directory domain
    • Windows Server 2012 R2 or newer (core or with desktop experience)
    • .NET Framework 4.7 or later
  • Administrative privileges: To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
  • Account options: There are two options for the account the Gatekeeper Windows service will “run as”. Prepare to use any of the following:
    • Managed Service Account (recommended): Using a managed service account for the Gatekeeper is easy, without extra actions required for you as an installation administrator. The script will create a managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
    • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Security groups: The installation script will create security groups used by Specops Authentication. There is no action required by you.
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Authentication web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.

Create your customer account

To get started with Specops Authentication for uReset 8, you will require a customer account. You can create your customer account at:

https://login.specopssoft.com/Authentication/Account/Signup
  1. Enter the following information:
    • Your organization’s name
    • Your organization’s domain name
    • Primary contact name, enter the name of the person setting up the account
    • Primary contact email, enter the email address associated with the primary contact
  2. Click Save.

Download the Gatekeeper setup

On the Gatekeeper download page, use the Download script based installation (.zip) option. Remember to write down or save the Activation code. The code is only valid for 24 hours after creating your customer account.

  1. Unblock the downloaded zip file after download. From Windows Explorer, right-click the file, Properties, General tab, and click Unblock.
  2. Copy/extract the zip to the Gatekeeper computer’s C:\TempGatekeeper folder, or another folder you select.
  3. The script-based installation can be started from a PowerShell remote session or from the Hyper-V console.
    NOTE
    When installing using a remote session initiated with the Enter-PsSession command, it is likely that you will run into an ‘Access Denied’ error. This can be resolved by using CredSSP instead: Enter-PsSession -Authentication CredSSP. If CredSSP has not been enabled on your client and server, it can be enabled by issuing the following commands:

    On the client

    Enable-WSManCredSSP -Role Client -DelegateComputer server

    where server designates the server’s fully qualified machine name

    On the server

    Enable-WSManCredSSP -Role Server

    To start the installation, start PowerShell (either remotely or from the console) and run Install.ps1 with the parameters that match your installation type. See the example usages below:

    • Managed Service Account: C:\TempGatekeeper\Install.ps1 -ManagedServiceAccount -ActivationCode:'12345678'

      Optional parameters

      Parameter: -ScopeDn
      Example: -ScopeDn:'DC=test,DC=acme,DC=org'
      Notes: To restrict Gatekeeper permission to a specific organizational unit and its children in Active Directory, use the “-ScopeDn” parameter. If “-ScopeDn” is not provided, users from the entire Active Directory domain can use Specops Authentication.

      Parameter: -DelegationRoot
      Example: -DelegationRoot:'DC=contoso,DC=com'
      Notes: The path in Active Directory under which you wish to manage Specops Authentication. The provided example is the default location. If not provided, the default will be used.

      Parameter: -SettingsRoot
      Example: -SettingsRoot:'CN=System,DC=contoso,DC=com'
      Notes: The path in Active Directory under which you wish to store the Specops Authentication settings. The provided example is the default location. If not provided, the default will be used.
    • Domain Account: The installation script will prompt for the provided account’s password, so have it available when running the script.
      C:\TempGatekeeper\Install.ps1 -DomainServiceAccount -DomainServiceAccountName:'Gatekeeper' -ActivationCode:'12345678'

      Optional parameters

      Parameter: -ScopeDn
      Example: -ScopeDn:'DC=test,DC=acme,DC=org'
      Notes: To restrict Gatekeeper permission to a specific organizational unit and its children in Active Directory, use the “-ScopeDn” parameter. If “-ScopeDn” is not provided, users from the entire Active Directory domain can use Specops Authentication.

      Parameter: -DelegationRoot
      Example: -DelegationRoot:'DC=contoso,DC=com'
      Notes: The path in Active Directory under which you wish to manage Specops Authentication. The provided example is the default location. If not provided, the default will be used.

      Parameter: -SettingsRoot
      Example: -SettingsRoot:'CN=System,DC=contoso,DC=com'
      Notes: The path in Active Directory under which you wish to store the Specops Authentication settings. The provided example is the default location. If not provided, the default will be used.
  4. Once the installation procedure has finished, start the Gatekeeper Admin Tool, and remotely connect to the Gatekeeper. The admin tool installation MSI is available in the downloaded zip file, under MSI\Specopssoft.Authentication.Gatekeeper.Admin-x64.msi.
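
Steps 1 to 3 above, collected into one client-side script as an added example (not Specops code). The server name, zip file name and OU are constructed placeholders, and it assumes Windows PowerShell 5.0 or later on both machines and an elevated prompt on the client. CredSSP hands the remote server reusable credentials, so the script delegates to the single Gatekeeper server only and disables CredSSP on both sides once Install.ps1 returns.

```powershell
# Added example, not Specops code. Server, zip name and OU are constructed placeholders.
# Run from an elevated PowerShell prompt on the administrator's workstation.
$Server  = 'gk01.example.test'                     # Gatekeeper server FQDN (placeholder)
$Zip     = 'C:\Downloads\GatekeeperScripted.zip'   # downloaded package (placeholder name)
$Target  = 'C:\TempGatekeeper'                     # folder used in the steps above
$ScopeDn = 'OU=Staff,DC=example,DC=test'           # placeholder OU to limit Gatekeeper rights
$Cred    = Get-Credential -Message 'Admin on Active Directory and the Gatekeeper server'
$Code    = Read-Host 'Activation code'             # typed in, not stored in the script

# Step 1 without Explorer: remove the Zone.Identifier mark from the download.
Unblock-File -Path $Zip

# Step 2: copy and extract over an ordinary (Kerberos) session.
# Copy-Item -ToSession and Expand-Archive need Windows PowerShell 5.0 or later.
$plain = New-PSSession -ComputerName $Server
Invoke-Command -Session $plain -ScriptBlock {
    New-Item -ItemType Directory -Path $using:Target -Force | Out-Null
    Enable-WSManCredSSP -Role Server -Force | Out-Null
}
Copy-Item -Path $Zip -Destination (Join-Path $Target 'package.zip') -ToSession $plain
Invoke-Command -Session $plain -ScriptBlock {
    Expand-Archive -Path (Join-Path $using:Target 'package.zip') -DestinationPath $using:Target -Force
}

try {
    # Delegate fresh credentials to this one server only, never to a wildcard.
    Enable-WSManCredSSP -Role Client -DelegateComputer $Server -Force | Out-Null
    $cs = New-PSSession -ComputerName $Server -Authentication Credssp -Credential $Cred

    # Step 3: managed service account install, restricted with -ScopeDn.
    Invoke-Command -Session $cs -ScriptBlock {
        & (Join-Path $using:Target 'Install.ps1') -ManagedServiceAccount `
            -ActivationCode $using:Code -ScopeDn $using:ScopeDn
    }
}
finally {
    # Turn delegation off again on both sides, whether or not the install succeeded.
    if ($cs) { Remove-PSSession $cs }
    Invoke-Command -Session $plain -ScriptBlock { Disable-WSManCredSSP -Role Server }
    Remove-PSSession $plain
    Disable-WSManCredSSP -Role Client
    Get-WSManCredSSP   # shows the client's current CredSSP delegation state
}
```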