Installation

The content below is intended for IT administrators and can be used to install and evaluate Specops uReset 8. For more information about the components and concepts used below, see the Overview.

The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script based installation procedure.

Requirements

Your organization’s environment must meet the following requirements:

Requirements
Component Requirement
Gatekeeper server computer
  • Fully patched operating system is required
  • Joined to your Active Directory domain
  • Windows Server 2016/2019/2022 (core or desktop experience)
  • .Net Framework 4.7.2 or later
Gatekeeper Admin Tool
  • Joined to your Active Directory domain
  • Windows 10/11 or Windows Server 2016/2019/2022
  • .Net Framework 4.7.2 or later
Specops Client
  • Windows 10 x64, Windows 11 x64 or Windows Server 2016/2019/2022
  • Secure Access not supported on domain controllers.
  • .Net Framework 4.7.2 or later
  • For password resets with uReset 8, Secure Access and Specops Password Reset, the Specops Cefsharp runtime MSI should be installed.
  • Specops Secure Access requires .Net 8 Desktop Runtime deployed on client computers.
Administrative privileges To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
Account options There are three options for the account the Gatekeeper Windows service will run as. Prepare to use any of the following:
  • Managed Service Account (recommended): Using a managed service account for the Gatekeeper is easy, without extra actions required for you as an installation administrator. The script will create a managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
  • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Group Managed Service Account: A valid service account that the Gatekeeper computer is permitted to use, must first be created.
Security groups The installation script will create security groups used by Specops Authentication. There is no action required by you.
  • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
  • User Admin Group: Users that are members of this group will be able to access the user management features on the Authentication Web. The current user will be automatically added to this group.
  • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.

Installing the Gatekeeper, Administration Tools and Client

Creating a customer account

  1. To create a customer account, click here.
  2. On the Select data center page, identify the data center you want to use and click Go.
    NOTE
    Specops Authentication is hosted in multiple data centers. There are currently two data centers available: EU (Europe) and NA (North America).
    WARNING
    Ensure that you select the data center you would like your account to be created in. You cannot change data centers after your account has been created.
  3. In the field, enter the name of your organization.
  4. In the field, enter a domain name.
  5. In the field, enter a name. Ideally, this should be the name of the person setting up the account.
  6. In the field, enter the email address associated with the primary contact
  7. Enter a checkmark for every product you have licensed.
  8. Enter a checkmark for any additional packages you have licensed.
  9. Agree to the Terms of Service by inserting a checkmark.
  10. Click Continue.

    11. page

  11. On the page, you must create your first . This is required in order to perform the rest of the installation.
    • In the field, enter the email address that you want to associate with this . A suffix will be added to the email address, to differentiate this from an on-premises account with the same email address/UPN.
    • The Full cloud account name field is read-only. The full name is automatically generated from the email address/UPN that you have specified in the field.
  12. Click Continue.
  13. A code will be sent to the email address you provided. Input the code into the Code field and click Confirm

    14. Mobile Code page

  14. To register your mobile phone with your , enter your mobile phone number with the correct country code and click Send. You will receive a code on your mobile phone, enter it on the screen to authenticate.

    15. Password page

  15. On the password page, enter and confirm the password you would like to use for this and click OK. This is the password you will sign in with for your going forward.
    NOTE
    The policy for this password cannot be altered.

    16. Authentication Web

  16. You will be signed in to the Admin section of Specops Authentication Web. Here you will be able to create a new Gatekeeper. A Gatekeeper is required to sign in with Active Directory accounts.
  17. Click the Create new Gatekeeper button. On the download page, you will see the self-extracting installation package and activation code. Click copy next to the Activation Code to store it in the clipboard. If you are not currently on the server the Gatekeeper will be installed on, make a note of the activation code.
  18. Click Download next to Default self-extracting installation package. The package contains the installation files for the Gatekeeper and your configuration information. By default, the package will be downloaded to your Downloads folder.
    • Ensure that you have a server ready for installing the package.
    • Take note of the activation code displayed on the page, as you will be prompted for it during installation.
  19. Copy the installation package to your server if it's not already there, and run the installation file on your server.

Installing the Administration Tools

The Administration Tools are used to install and configure the server component, also known as the Gatekeeper. The installation process should be performed on the same server that will be used to run the Gatekeeper.

  1. In the Specops Authentication Setup launcher (sterted by double-clicking the installer package), click Install the Admin Tools.
  2. Once the Admin Tools have been installed, click Start Admin Tools.

Installing the Gatekeeper

  1. Click Install Gatekeeper.
  2. You will be asked to only proceed if you have the activation code from the Gatekeeper download page on the Specops Authentication Web. Click Next.
  3. Select the Active Directory domain controller to connect.
  4. If you do not have permissions to install Specops Authentication at the domain level, you will be presented with the option to configure the Gatekeeper for an organizational unit where you are an administrator. Limit the delegation root, and settings objects location, and click Next.
  5. Select the Active Directory Scope where permissions should be created, by highlighting the scope in the AD tree, and clicking Add Selected. Multiple locations can be selected for multiple scopes of management. The Active Directory scope determines which users can use the Specops Authentication Service. If you don’t want administrators, and managers to be within the scope of management but want them to still manage the system or authenticate users, put a checkmark next to Allow admins and managers to be outside of the selected scope.
  6. Click Next.
  7. The Gatekeeper will run as a windows service. Select the account context the Gatekeeper service should run as. You can choose between Managed Service Account, Group Managed Service Account and Custom Domain Account.
    • Default is Group Managed Service Account (GMSA) and is recommended for most organizations
    • If Custom Domain Account is selected, enter the account name and password of the user account the Gatekeeper service will run as.
    • Using Group Managed Service Account has additional requirements, see Group Managed Service Account here.
  8. Click Next.
  9. Next you will be presented with and overview of the Security Groups associated with Specops Authentication. As a default, the following security groups will be created. You can either keep the default group names, or enter a new name:
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Specops Authentication Web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
    NOTE
    In this step you can also add members to security groups by clicking the Edit members link for the security group, then clicking Add member. Note also that this is only available when performing a clean install of the Gatekeeper.
  10. Click Next.
  11. If domain administrators are included in the scope for this installation, Administrator Enrollment will have to be configured. If you wish to allow domain admins to enroll, enter a checkmar in the appropriate box. Click Next.
  12. If your organization is using a forward proxy server to route internet traffic externally, you will be prompted to configure the proxy server to allow the Gatekeeper to reach the internet. Otherwise, the installation wizard will skip this step.
  13. Enter the activation code from the Gatekeeper download page on the Specops Authentication Web, and click Activate.
  14. You will receive a message that the Gatekeeper has been configured and activated successfully.
  15. Click Finish.
  16. Verify that the Cloud connection status in the Communication Settings section states Connected.

Domain Verification

In order to enable email notifications, you have to verify all the domains associated with this account. Read more about Domain Verification.

Installing the Specops Client

The Specops Client is installed with an MSI-based installer. Note that upgrading the Specops Client will overwrite the installed Client.

If installed, the Specops Client can be found in “Add/Remove Programs” or “Programs and Features” from within the Windows Control Panel. Versions and releases may vary.

NOTE
Older versions of the Specops Client can be identified as “Specops uReset Client” or “Specops Password Client.”

The Specops Client can be used across the following Specops Software products:

  • Specops Password Reset
  • Specops Password Policy
  • Specops uReset

Upgrading the Specops Client

Organizations using Specops Password Policy only, need to deploy the Specops Client MSI. The CefSharp Runtime MSI is not required for this scenario.

Organizations using Specops uReset or Specops Password Reset, need to deploy the CefSharp Runtime MSI in addition to the Specops Client MSI. The CefSharp Runtime MSI is required by the Secured Browser used for resetting passwords.

Since the Specops Client uses a specific version of the CefSharp Runtime MSI, it is important to deploy the latest CefSharp Runtime MSI at the same time or before deploying the Specops Client MSI.

While the Specops Client MSI only can be installed with exactly 1 version, multiple versions of the CefSharp Runtime MSI can be installed at the same time. The purpose with this is to simplify deployment in a larger organization.

The recommended flow for upgrading the Specops Client is:

  1. Deploy the latest CefSharp Runtime MSI, if it's not already deployed
  2. Deploy the latest Specops Client MSI
  3. Undeploy any previous versions of the CefSharp Runtime MSI, if necessary
  4. Download and update the administrative (ADMX) templates to have the latest version in place. In most cases no configuration changes are needed, unless explicitly stated in release notes. See the section below about configuration of the Specops Client.
NOTE

When using Specops Client in conjunction with a password reset tool:

The latest CefSharp browser runtime version is required if Specops uReset/Specops Password Reset is used (Specops Password Policy only customers don't need the CefSharp browser runtime). It is recommended to deploy the CefSharp browser runtime before the Specops Client itself.

Installation/upgrade behavior for CefSharp browser runtime has been changed. Installing a newer CefSharp runtime will no longer replace the older installed runtime. Instead, multiple CefSharp browser versions can co-exist. The intention is to be able to do a rollout in an organization, where the new CefSharp browser first is deployed. Once deployed, the Specops Client can be upgraded. This will make it easier to make sure that the Specops Client works on all computers during an upgrade, regardless of whether the latest CefSharp browser runtime has been deployed yet or not.

The Specops Client needs to be installed on the organization’s client computers, either by installing manually or by deploying using a deployment tool.

Downloading the Specops Client

Download the MSI from the download page directly. Users installing Specops Password Policy can also access the download page via the Password Policy installer's Download Client Installation Files section.

Deploying the Specops Client

To deploy the Specops Client to all users, use GPSI, Specops Deploy/App, or any other deployment tool. Specops Client supports silent install when deploying using a deployment tool. The client MSI can be deployed silently using standard MSI switches (e.g. /qn). There are no Specops command line parameters for the MSI installation.

Manually Installing or upgrading the Specops Client

  1. Open the Specops Client Setup wizard you just downloaded (.msi file)
  2. In the wizard, click Next.
  3. Accept the License Agreement by checking the checkbox, and click Next.
  4. Select the location where the Client should be installed (default path is C:\Program Files\Specopssoft\Specops Client\), then click Next.
  5. Click Install.
  6. Once the installation has completed, click Finish.

Configuring the Specops Client

The Specops Client can be configured using the administrative template in the Group Policy Management Console. For more information on its configuration, please refer to the Specops Client page.

Installing NPS for Secure Access

Organizations with users accessing their network remotely using a VPN, or accessing computers via a Remote Desktop Gateway (RDGW) can protect their users by adding a second factor for those logins. The VPN server or Remote Desktop Gateway can, using RADIUS, be configured to call Microsoft Network Policy Server (NPS) with Specops NPS companion installed and configured, which enables the use of Secure Access.

In order for this to work, Microsoft NPS needs to be installed. For more information on the installation of NPS, please refer to this page.

Installing Specops NPS Companion

NPS works in conjunction with Specops NPS Companion. NPS Companion needs to be installed separately.

You can download the installer here.