Installation

The content below will guide you through the process of installing Specops Self Service Portal.

Key components

Specops Self Service Portal consists of the following components and does not require any additional servers or resources in your environment.

Web: Manages users and application deployments. The web is an interface to the database.

Administration Tools: Controls the client from the Group Policy Management Console.

Database: Stores information about applications, units, owners, and members.

Specops Deploy Client-Side Extension: Configures Group Policy Object with Software Installation Settings. This controls which computer(s) a user can request software for.

Requirements

Your organization’s environment must meet the following system requirements.

Item: Web
  • .NET Framework 3.5 SP1 or later
  • Windows Server 2008 or later
    Note: This can be an existing server or a dedicated server.
  • IIS installed
  • Mail server with SMTP support
  • SQL Server 2008 or later

Item: Administration Tools
  • PowerShell 2.0 or later
  • Group Policy Management Console

Item: Client computer
  • Microsoft Silverlight installed

Installing Specops Self Service Portal

During installation, Specops Self Service Portal will launch the Setup Assistant. The Setup Assistant contains installation and license information.

The Setup Assistant will help you install the following components for Specops Self Service Portal:

  • Web
  • Administration Tools

  1. Download the Setup Assistant.
  2. Save and run the Setup Assistant locally on a machine where you administer Group Policy.

Note: By default the file is extracted to C:\temp\SpecopsSelfServicePortal_Setup_[VersionNumber]

  3. Double-click SetupAssistant.exe to launch the Setup Assistant.

Update License

Before installing Specops Self Service Portal, you will need to import your license file in the Setup Assistant.

  1. Click Update License.
  2. Browse to the location of the TXT file, and click Open.

Installing the Specops Self Service Portal Web

Installing the Specops Self Service Portal Web will install the Self Service Portal Database on the local computer. The database stores information about applications, units, and members all of which are configured in the Specops Self Service Portal.

  1. Click Start Installation in the Specops Setup Assistant dialog box.
  2. In the main menu, select Web Installation.
  3. Verify that you have fulfilled the prerequisites. If you do not meet the prerequisites, you may need to do the following:
     • Verify that a valid .NET Framework is installed.
     • Verify that you are running a valid operating system.
     • Verify that IIS is installed and configured.
  4. Click Select… to select a website where the Self Service Portal will be installed.
  5. Click Select User….
  6. Enter the Username and Password of the user account the IIS application pool for Specops Self Service Portal will run as, and click OK.

Note: All operations performed by the Self Service Portal Server will be performed in the context of the user account selected here. The service account selected will be added as a Database Owner.

  7. Click Configure… to configure SMTP Settings.
  8. In the Email Sender Address text field, enter the email address that will be used by the Self Service Portal to communicate with users and admins.

Note: This should be a monitored e-mail address.

  9. Click Select instance… to select the SQL Server to install the database on.

Note: To find the SQL server, the SQL Server Browser service must be running.

  10. Identify the server(s) you want to install the database on, and click OK.
  11. Click Install.

Installing the Administration Tools

Installing the Administration Tools will install the GPMC snap-in, and the PowerShell Cmdlets. You can use the GPMC snap-in to create Specops Self Service Portal settings in Group Policy. You can use the PowerShell Cmdlets to administer applications, units, and categories.

The Administration Tools should be installed on the computer that you want to administer the product from.

  1. From the Setup Assistant, select Administration Tools Installation.
  2. Verify that you have fulfilled the prerequisites. If you do not meet the prerequisites, you may need to do the following:
     • Verify that a valid .NET Framework is installed.
     • Verify that PowerShell is installed.
  3. Click Install.


Post-installation configuration

You will need to complete the following post-installation task once you have installed Specops Self Service Portal.

Deploy the Specops Client-Side Extension using Group Policy Software Installation

You can use the Specops Self Service Portal to control which computer(s) a user can request software for. This requires that the Specops Deploy Client Side Extension and the Group Policy Object settings are properly configured. The Client Side Extension is a recommended component for Specops Self Service Portal. You can deploy the Client-Side Extension from the Specops Deploy Setup Assistant.

  1. Launch the Setup Assistant, and click Start Installation from the Specops Deploy / App menu.
  2. Click Deploy Specops Deploy Client Side Extension.
  3. To select the Group Policy Object that will be used to deploy the client, click Select GPO. You will be given the following options:

     Option: Create New GPO
       1. Click Create New GPO.
       2. Enter a new Group Policy Object name.
       3. Select the location you want to link the Group Policy Object to.
       4. Click OK.

     Option: Select an existing GPO
       1. Select an existing GPO from the list.
       2. Select a link for the chosen GPO, and click OK.

  4. To install the Client on all computers in your organization you can:

     Option: Create a network share on the local computer and copy the Client-Side Extension package to the new network share
       1. Click Create Share.
       2. Select a local path to create the share for, and click OK.
       3. Click Select share.
       4. Verify that the network path to the network share you created is correct, and click OK.

     Option: Select an existing network share and manually copy the Client-Side Extension package to the existing network share
       1. Click Select Share.
       2. Browse to the location of the MSI package, and click OK.

     Note: It is recommended that you use a Distributed File System (DFS) share. If DFS is used with load balancing, verify that the setup files are copied to all servers before proceeding.

  5. To create the packages for x86 and x64 deployments in the selected GPO, click Add Settings.

Delegate permissions

Delegate control to service account

To allow the Self Service Portal to manage group memberships, you must delegate control to the service account. A best practice is to create a separate root organizational unit with sub organizational units for various services that can be managed through Self Service Portal.

Note: Do not delegate control from the domain root; this could give the SSP service account more access than intended.

  1. Open Active Directory Users and Computers and navigate to the root organizational unit where the security groups are located.
  2. Right-click on the organizational unit, and click Delegate Control….
  3. Click Next.
  4. Click Add… to select the Specops Self Service Portal Service Account you want to delegate control to.
  5. In the text field, enter the object name, and click OK.
  6. Click Next.
  7. From the Delegate the following common tasks: list, select Modify the membership of group.
  8. Click Next.
  9. Click Finish.

Delegate permission to client

Computer accounts in Active Directory must be running the Specops Deploy Client Side Extension and be configured to update the ManagedBy attribute in Active Directory. A user can only request applications for a PC they are the owner of.

  1. Open Active Directory Users and Computers and navigate to the root organizational unit where the computers are located.
  2. Right-click on the organizational unit and click Delegate Control….
  3. Click Next.
  4. Click Add… to select the computer accounts in the organizational unit you want to delegate permissions to.
  5. In the text field, type self, and click Check Names.
  6. Click OK.
  7. Click Next.
  8. Enable Create a custom task to delegate, and click Next.
  9. Enable Only the following objects in the folder.
  10. From the list, select Computer objects, and click Next.
  11. Enable Property-specific.
  12. Enable the following permissions:
      • Read Managed By
      • Write Managed By
  13. Click Next.
  14. Click Finish.
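The two delegations above (the service account on the OU holding the security groups, and SELF on the OU holding the computer accounts) can be checked from PowerShell rather than by re-opening the wizard. The script below is an added example, not part of the Specops documentation or product; the account name, OU paths and domain are placeholders, and the four GUIDs are the standard Active Directory schema identifiers for the member and managedBy attributes and the group and computer classes. It also checks the point made in the note above: that the service account holds no explicit delegation at the domain root.

```powershell
# Added example (not Specops' own code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-ssp'                                 # placeholder: SSP service account
$GroupsOu       = 'OU=SSP-Groups,OU=SelfService,DC=contoso,DC=com'  # placeholder: OU with the security groups
$ComputersOu    = 'OU=Workstations,DC=contoso,DC=com'               # placeholder: OU with the computer accounts

# Standard AD schema GUIDs the Delegation of Control wizard uses for these two tasks
$MemberAttr    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute: member
$GroupClass    = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # class: group
$ManagedByAttr = [guid]'0296c120-40da-11d1-a9c0-0000f80367c1'  # attribute: managedBy
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # class: computer

function Get-DelegationAces {
    # Allow ACEs on one object, filtered to one trustee
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    }
}

# 1. "Modify the membership of group" as the wizard creates it:
#    WriteProperty on 'member', inherited to descendant group objects
$groupAces = Get-DelegationAces -DistinguishedName $GroupsOu -Identity $ServiceAccount |
    Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        $_.ObjectType -eq $MemberAttr -and $_.InheritedObjectType -eq $GroupClass
    }
if ($groupAces) { "OK: $ServiceAccount may modify group membership under $GroupsOu" }
else            { "MISSING: no 'Modify the membership of group' delegation for $ServiceAccount on $GroupsOu" }

# 2. SELF may read and write managedBy on descendant computer objects
$selfAces = Get-DelegationAces -DistinguishedName $ComputersOu -Identity 'NT AUTHORITY\SELF' |
    Where-Object { $_.ObjectType -eq $ManagedByAttr -and $_.InheritedObjectType -eq $ComputerClass }
$rights = ($selfAces | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join ', '
if ($selfAces) { "OK: SELF has [$rights] on managedBy for computer objects under $ComputersOu" }
else           { "MISSING: SELF cannot update managedBy for computer objects under $ComputersOu" }

# 3. Least privilege: no explicit (non-inherited) ACEs for the service account at the domain root
$domainDn = (Get-ADDomain).DistinguishedName
$rootAces = Get-DelegationAces -DistinguishedName $domainDn -Identity $ServiceAccount |
    Where-Object { -not $_.IsInherited }
if ($rootAces) { "WARNING: $ServiceAccount has explicit ACEs on $domainDn; delegation should be scoped to an OU" }
else           { "OK: no explicit delegation for $ServiceAccount at the domain root" }
```

The first check looks for the ACE exactly as the wizard task writes it (WriteProperty on member, applied to descendant group objects); if the delegation was created by hand with a different scope, the check reports it as missing and you should inspect the ACL directly. The third check is the one to run again whenever someone "fixes" a permission problem in a hurry: it reports any ACE granted to the service account at the domain root, which is the situation the note above says to avoid.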

Enable remote management

If you want to manage the client remotely, you will need to enable remote gpupdate and configure Windows Firewall to allow remote management.

Enable remote gpupdate

To allow the Self Service Portal to perform a remote gpupdate on a client and initiate a software installation, the Specops Self Service Portal Account requires permissions on the client. You can enable remote gpupdate on all clients in the environment by creating a new GPO or using an existing GPO that is applied to all clients that will use the Self Service Portal.

Add the Self Service Portal Service Account to the Local Administrators Group

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand Computer Configuration, Preferences, Control Panel Settings.
  4. Right-click on Local Users and Groups, and select New, Local Group.
  5. From the Action drop down box, select Update.
  6. From the Group name drop down box, select Administrators (built-in).
  7. Click Add….
  8. In the text field, enter the Self Service Portal Service account, and click OK.
  9. Close the Group Policy Management Console, and force a gpupdate on a client.

Configure Windows Firewall to allow remote management

If you have a firewall, Remote Administration must be allowed to pass from the Self Service Portal Server to the client. If this feature is not enabled, the client will install software at the next Group Policy update, which is either run manually or runs automatically every 90-120 minutes.

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Network, Network Connections, Windows Firewall, and select Domain Profile.
  4. In the details pane, double-click Windows Firewall: Allow remote administration exception.
  5. In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled.
  6. In the details pane, double-click Windows Firewall: Allow ICMP exception.
  7. In the Windows Firewall: Allow ICMP exception properties dialog box, on the Settings tab, click Enabled.
  8. Close the Group Policy Management Console, and force a gpupdate.
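After the gpupdate, the two settings from this section (the service account in local Administrators, and the domain-profile firewall exceptions) can be confirmed on a client. The script below is an added example, not part of the Specops documentation or product. The service account name is a placeholder; the registry paths under HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile are the locations these legacy firewall policy settings write on a client, stated here as an assumption to compare against gpresult /h if your results differ. Get-LocalGroupMember requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later).

```powershell
# Added example (not Specops' own code): run on a domain-joined client after gpupdate /force.
$ServiceAccount = 'CONTOSO\svc-ssp'   # placeholder: your Self Service Portal service account

function Test-SspLocalAdmin {
    # Did the Group Policy Preference add the service account to the local Administrators group?
    param([string]$Account)
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Check  = 'Service account in local Administrators'
        Result = ($members -contains $Account)
        Detail = ($members -join ', ')
    }
}

function Test-SspFirewallPolicy {
    # Registry locations the two legacy "Windows Firewall: Allow ... exception" policies
    # write under the domain profile (assumption; verify with gpresult /h).
    $base        = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $remoteAdmin = Get-ItemProperty -Path "$base\RemoteAdminSettings" -ErrorAction SilentlyContinue
    $icmp        = Get-ItemProperty -Path "$base\IcmpSettings"        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Check  = 'Remote administration exception enabled'
        Result = ($remoteAdmin.Enabled -eq 1)
        # The address scope the policy was given; '*' means any source address
        Detail = "Allowed from: $($remoteAdmin.RemoteAddresses)"
    }
    [pscustomobject]@{
        Check  = 'ICMP echo request allowed'
        Result = ($icmp.AllowInboundEchoRequest -eq 1)
        Detail = ''
    }
}

@(Test-SspLocalAdmin -Account $ServiceAccount) + @(Test-SspFirewallPolicy) | Format-Table -AutoSize
```

The Detail column of the remote administration check shows which source addresses the exception accepts; when the policy is configured, that scope can be limited to the Self Service Portal server's address rather than any address, which keeps the exception to the one server that needs it.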

Enabling authentication to the Self Service Portal

Authentication to the portal is done through Windows Integrated Authentication. For this to work, the browser must identify the portal as an intranet server. If Windows Integrated Authentication is not used, the user will be prompted for their username and password, which are then sent using Basic Authentication over HTTP.

Enable integrated authentication in Internet Explorer

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand Computer Configuration, Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Explorer Control Panel, and select Security Page.
  4. In the details pane, double-click Site to Zone Assignment List.
  5. Click Enable.
  6. Click Show….
  7. In the Value name text field, add your URL.
  8. In the Value text field, use the value “2” for entries into the trusted zone.
  9. In the Show Contents dialog box, click OK.
  10. Click OK to finish.
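The Site to Zone Assignment List policy above writes one registry value per site under the ZoneMapKey policy key, with the site as the value name and the zone number as string data. The script below is an added example, not part of the Specops documentation or product: it applies the same mapping as local machine policy on a single computer and reads it back, which is useful for a test machine before the GPO is rolled out. The portal URL is a placeholder.

```powershell
# Added example (not Specops' own code). Run elevated; writes machine-level IE zone policy.
$PortalUrl  = 'https://ssp.contoso.com'   # placeholder: your Self Service Portal URL
$ZoneMapKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Zone ids used by the policy: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites

function Set-SspZoneAssignment {
    param([string]$Url, [string]$Zone = '2')
    if (-not (Test-Path $ZoneMapKey)) { New-Item -Path $ZoneMapKey -Force | Out-Null }
    # Value name is the site, data is the zone id as a string, exactly as the GPO writes it
    New-ItemProperty -Path $ZoneMapKey -Name $Url -Value $Zone -PropertyType String -Force | Out-Null
}

function Get-SspZoneAssignment {
    # Returns the zone id string for the site, or $null when no policy mapping exists
    param([string]$Url)
    $entry = Get-ItemProperty -Path $ZoneMapKey -Name $Url -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return $null }
    $entry.$Url
}

Set-SspZoneAssignment -Url $PortalUrl -Zone '2'
$zone = Get-SspZoneAssignment -Url $PortalUrl
if ($zone -eq '2') { "OK: $PortalUrl is assigned to zone $zone (Trusted sites)" }
else               { "MISSING: $PortalUrl has no policy zone assignment" }
```

Use the same URL form users type (scheme and host name) so the mapping matches what the browser sees; a mismatched entry leaves the portal in the Internet zone, where the credential prompt described above appears instead of integrated authentication.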

Enable integrated authentication in Firefox

You can configure Firefox to use Windows Integrated Authentication.

  1. Open Firefox.
  2. In the address bar, type about:config.
  3. You will receive a security warning. To continue, click I'll be careful, I promise.
  4. You will need to change the following settings:

     Setting: network.negotiate-auth.delegation-uris
     Value: MySprServer.domain.com

     Setting: network.automatic-ntlm-auth.trusted-uris
     Value: MySprServer.domain.com

     Setting: network.automatic-ntlm-auth.allow-proxies
     Value: True

     Setting: network.negotiate-auth.allow-proxies
     Value: True

Enable integrated authentication in Chrome

To enable Chrome to use Windows Integrated Authentication, you must configure Chrome.exe. It is recommended that most organizations use the command line alternative or modify the registry on one or a few computers. In other organizations, such as schools, where a teacher should be able to reset student passwords, it might be best to use a GPO for the teacher’s OU.

Use the command line

You can add a chrome.exe shortcut on the user's desktop. Start Chrome with a command line containing the following:

--auth-server-whitelist="MYSPRSERVER.DOMAIN.COM" --auth-negotiate-delegate-whitelist="MYSPRSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"

Modify the registry

Configure the following registry settings with the corresponding values:

Registry value: AuthSchemes
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
  Mac/Linux preference name: AuthSchemes
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Specifies which HTTP authentication schemes are supported by Google Chrome. Possible values are 'basic', 'digest', 'ntlm' and 'negotiate'. Separate multiple values with commas. If this policy is left not set, all four schemes will be used.
  Value: "basic,digest,ntlm,negotiate"

Registry value: AuthServerWhitelist
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
  Mac/Linux preference name: AuthServerWhitelist
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Specifies which servers should be whitelisted for integrated authentication. Integrated authentication is only enabled when Google Chrome receives an authentication challenge from a proxy or from a server which is in this permitted list. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will try to detect if a server is on the intranet and only then will it respond to IWA requests. If a server is detected as Internet, then IWA requests from it will be ignored by Chrome.
  Value: "MYSPRSERVER.DOMAIN.COM"

Registry value: AuthNegotiateDelegateWhitelist
  Data type: String (REG_SZ)
  Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
  Mac/Linux preference name: AuthNegotiateDelegateWhitelist
  Supported on: Google Chrome (Linux, Mac, Windows) since version 9
  Supported features: Dynamic Policy Refresh: No, Per Profile: No
  Description: Servers that Google Chrome may delegate to. Separate multiple server names with commas. Wildcards (*) are allowed. If you leave this policy not set, Chrome will not delegate user credentials even if a server is detected as intranet.
  Example value: "MYSPRSERVER.DOMAIN.COM"
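The three registry policies above can be written on a single machine with PowerShell and read back, which is a quick way to confirm the value names and data before building the GPO. The script below is an added example, not part of the Specops documentation or product; the server name is the placeholder the tables use and must be replaced with your portal's host name.

```powershell
# Added example (not Specops' own code). Run elevated; writes Chrome machine policy under HKLM.
$SspServer    = 'MYSPRSERVER.DOMAIN.COM'   # placeholder from the tables above: your portal host name
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Value names and data exactly as listed in the three policy tables
$policies = [ordered]@{
    AuthSchemes                    = 'basic,digest,ntlm,negotiate'
    AuthServerWhitelist            = $SspServer
    AuthNegotiateDelegateWhitelist = $SspServer
}

function Set-SspChromeAuthPolicy {
    param([System.Collections.IDictionary]$Values)
    if (-not (Test-Path $ChromePolicy)) { New-Item -Path $ChromePolicy -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $ChromePolicy -Name $name -Value $Values[$name] -PropertyType String -Force | Out-Null
    }
}

function Get-SspChromeAuthPolicy {
    # Returns the three values as currently stored (missing values come back as $null)
    $p = Get-ItemProperty -Path $ChromePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AuthSchemes                    = $p.AuthSchemes
        AuthServerWhitelist            = $p.AuthServerWhitelist
        AuthNegotiateDelegateWhitelist = $p.AuthNegotiateDelegateWhitelist
    }
}

Set-SspChromeAuthPolicy -Values $policies
$current = Get-SspChromeAuthPolicy
$current | Format-List

# The delegation whitelist decides which servers receive the user's Kerberos credentials,
# so flag it if it is broader than the one portal host.
if ($current.AuthNegotiateDelegateWhitelist -ne $SspServer) {
    "WARNING: AuthNegotiateDelegateWhitelist is '$($current.AuthNegotiateDelegateWhitelist)', expected '$SspServer'"
}
```

Chrome shows the effective values at chrome://policy after a restart. Per the descriptions above, AuthNegotiateDelegateWhitelist is the setting that allows Chrome to delegate the user's credentials, so keep it to the exact portal host name rather than a wildcard; and because AuthSchemes is an allow-list, listing only the schemes you intend to use (for example 'negotiate,ntlm') means Chrome will not fall back to Basic against that server.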

Configure GPO

  1. Download the zip file of ADM/ADMX templates and documentation from chromium.org/administrators/policy-templates.
  2. Add the ADMX template to your central store. For more information, see the Specops Password Reset Administration Guide.

Configure a GPO with the Specops Password Reset server DNS host name, with Kerberos delegation server whitelist and Authentication server whitelist enabled.

Configure client ownership criteria

To enable a user to request and deploy software to a computer, you must designate a user as manager of that client. The Specops Self Service Portal reads the ManagedBy attribute to determine the owner of a client. A client can only have one owner. This prevents users from ordering software for other clients.

Note: You will only need to perform the below tasks if you are also using Specops Deploy / OS.

Configure how the owner is decided

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand Computer Configuration, Policies, Software Settings, and select Specops Self Service Portal.
  4. Click Edit Policy….
  5. Configure the number of days to record logon history.
  6. Enable Save logon history.
  7. You can enable the below items to configure how the computer owner is decided:
     • Set computer as primary device for the last logged on user
     • Set computer as primary device for the most frequent user
  8. Click Save.

Configure which users are allowed to be owner of a client

  1. Open the Group Policy Management Console.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor, expand User Configuration, Policies, Software Settings, and select Specops Self Service Portal.
  4. Click Edit Policy….
  5. Enable Allow user to own computers.
  6. Click Save.