Installation

The content below is intended for IT administrators and can be used to install and evaluate Specops Authentication. For more information about the components and concepts used below, see the Specops Authentication Overview.

The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script based installation procedure.

Requirements


Your organization’s environment must meet the following requirements:

Requirements
Component Requirement
Gatekeeper server computer
  • Fully patched operating system is required
  • Joined to your Active Directory domain
  • Windows Server 2016/2019/2022 (core or desktop experience)
    NOTE
    If the Primary Domain Controller is running a version of Windows Server prior to version 2008 R2, the Allow admins to enroll feature can take up to one hour to take effect.
  • For Windows Server 2012 R2, vcredist2015 is required prior to installing
  • .Net Framework 4.7.2 or later
Gatekeeper Admin Tool
  • Joined to your Active Directory domain
  • Windows 10/11 or Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
Specops Authentication Client
  • Windows 10 x64, Windows 11 x64 or Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
  • For password resets with uReset 8 and Specops Password Reset, the Specops Cefsharp runtime MSI should be installed.
Administrative privileges To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
Account options There are three options for the account the Gatekeeper Windows service will run as. Prepare to use any of the following:
  • Managed Service Account (recommended): Using a managed service account for the Gatekeeper is easy, without extra actions required for you as an installation administrator. The script will create a managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
  • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Group Managed Service Account: A valid service account that the Gatekeeper computer is permitted to use, must first be created.
Security groups The installation script will create security groups used by Specops Authentication. There is no action required by you.
  • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
  • User Admin Group: Users that are members of this group will be able to access the user management features on the Authentication Web. The current user will be automatically added to this group.
  • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.

For provisioning to O365:

  • An O365 account with global administrator rights on Microsoft Entra ID:
    You can purchase an O365 account or register for an Enterprise Free trial account from: https://www.office.com/?cosmicflight=cosmicredirect
  • A valid domain name with access and edit rights on your domain host.
    Note: You cannot use the default *.onmicrosoft.com domain.

Before you begin


  1. Enable modern authentication in O365. This should be done for Exchange Online and Skype for Business Online (if used).
    • Exchange Online, click here.
    • Skype for Business Online, click here.
  2. If your O365 implementation is using ADFS or another identity provider, you will need to de-federate the domain you want to federate with Specops Authentication.

Installation


Create a customer account

  1. To create a customer account, click here.
  2. On the Select data center page, identify the data center you want to use and click Go.
    NOTE
    Specops Authentication is hosted in multiple data centers. There are currently two data centers available: EU (Europe) and NA (North America).
    WARNING
    Ensure that you select the data center you would like your account to be created in. You cannot change data centers after your account has been created.
  3. In the Your organization’s name field, enter the name of your organization.
  4. In the Your organization’s domain name field, enter a domain name.
  5. In the Primary Contact Name field, enter a name. Ideally, this should be the name of the person setting up the account.
  6. In the Primary Contact Email field, enter the email address associated with the primary contact
  7. Click Continue.
  8. On the Cloud account user page, you must create your first Cloud account. This Cloud account is required in order to perform the rest of the installation.
    • In the Account email address field, enter the email address that you want to associate with this Cloud account. A suffix will be added to the email address, to differentiate this Cloud account from an on-premises account with the same email address/UPN.
    • The Full Cloud account name field is read-only. The full Cloud account name is automatically generated from the email address/UPN that you have specified in the Account email address field.
  9. To register your mobile phone with your Cloud account, enter your mobile phone number. When you receive the code on your mobile phone, enter it on the screen to authenticate.
  10. On the Cloud account password page, enter and confirm the password you would like to use for this Cloud account and click OK. This is the password you will sign in with for your Cloud account going forward.
    NOTE
    The policy for this password cannot be altered.
  11. You will be signed in to the Admin section of Specops Specops Authentication Web. Here you will be able to create a new Gatekeeper. A Gatekeeper is required to sign in with Active Directory accounts.
  12. Click the Create new Gatekeeper button. On the download page, you will see the self-extracting installation package and activation code. The package contains the installation files for the Gatekeeper and your configuration information.
  13. Click Download next to Default self-extracting installation package.
    • Ensure that you have a server ready for installing the package.
    • Take note of the activation code displayed on the page, as you will be prompted for it during installation.
  14. Copy and run the installation file on your server.

Install the Administration Tools

The Administration Tools are used to install and configure the server component, also known as the Gatekeeper. The installation process should be performed on the same server that will be used to run the Gatekeeper.

  1. In the Specops Authentication Setup launcher, click Install the Admin Tools.
  2. Once the Admin Tools have been installed, click Start Admin Tools.

Install the Gatekeeper

  1. Click Install Gatekeeper.
  2. You will be asked to only proceed if you have the activation code from the Gatekeeper download page on the Specops Authentication web. Click Next.
  3. If you do not have permissions to install Specops Authentication at the domain level, you will be presented with the option to configure the Gatekeeper for an organizational unit where you are an administrator. Limit the delegation root, and settings objects location, and click Next.
  4. Select the Active Directory Scope where permissions should be created, and click Add. Multiple locations can be selected for multiple scopes of management. The Active Directory scope determines which users can use the Specops Authentication Service. If you don’t want administrators, and managers to be within the scope of management but want them to still manage the system or authenticate users, click Allow admins and managers to be outside of the selected scope.
  5. Click Next.
  6. The Gatekeeper will run as a windows service. Select the account context the Gatekeeper service should run as.
    • If Custom Domain Account is selected, enter the account name and password of the user account the Gatekeeper service will run as.
  7. Click Next.
  8. If your organization is using a forward proxy server to route internet traffic externally, you will be prompted to configure the proxy server to allow the Gatekeeper to reach the internet. Otherwise, the installation wizard will skip this step.
  9. The following security groups will be created. You can either keep the default group names, or enter a new name:
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Specops Authentication Web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
  10. Click Next.
  11. Enter the activation code from the Gatekeeper download page on the Specops Authentication web, and click Activate.
  12. You will receive a message that the Gatekeeper has been configured and activated successfully.
  13. Click Finish.
  14. Verify that the Cloud connection status states Connected.

Domain Verification

In order to enable email notifications, you have to verify all the domains associated with this account. Read more about Domain Verification.

Post-installation


Complete the following configurations once you have installed Specops Authentication.

  1. Create a Specops Authentication GPO:
    1. In the Selected GPOs section of the Gatekeeper, tag the GPOs you want to use with Specops Authentication. Affected users can have their authentication, provisioning, and license settings configured from the Specops Authentication web.
    2. Click Tag GPOs, select the Group Policy, and click OK.Alternatively, if you want Specops Authentication to be applied to the scope selected during the Gatekeeper installation, skip this step, and select Cloud in the last step when configuring Specops Authentication with O365.
  2. Enable Windows Integrated Authentication.