Installation
The content below is intended for IT administrators and can be used to
install and evaluate Specops uReset 8.
For more information about the components and concepts used below, see the
Overview.
The recommended installation is to download the self-extracting installer
package, and complete the steps in the installation wizard.
Alternatively, if your organization uses Windows Server Core (without
GUI), you can use the PowerShell script based installation procedure.
Your organization’s environment must meet the following requirements:
Requirements
Component | Requirement

Gatekeeper server computer |
- Fully patched operating system is required
- Joined to your Active Directory domain
- Windows Server 2012 R2 or later (core or with desktop experience)
NOTE
If the Primary Domain Controller is running a version of Windows Server prior to version 2008 R2, the Allow admins to enroll feature can take up to one hour to take effect.
- For Windows Server 2012 R2, vcredist2015 is required prior to installing
- .NET Framework 4.7.2 or later

Gatekeeper Admin Tool |
- Joined to your Active Directory domain
- Windows 8.1 or later (with desktop experience)
- .NET Framework 4.7.2 or later

Specops Authentication Client |
- Supported on Windows 10/11 x64
NOTE
When running on a server, Windows Server 2016 is required.
- .NET Framework 4.7.1 SP1 or later
- For password resets with uReset 8 and Specops Password Reset, the Specops Cefsharp runtime MSI should be installed.

Administrative privileges |
To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.

Account options |
There are two options for the account the Gatekeeper Windows service will “run as”. Prepare to use any of the following:
- Managed Service Account (recommended): Using a managed service account for the Gatekeeper is easy, without extra actions required for you as an installation administrator. The script will create a managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
- Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.

Security groups |
The installation script will create security groups used by Specops Authentication. There is no action required by you.
- Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
- User Admin Group: Users that are members of this group will be able to access the user management features on the Authentication Web. The current user will be automatically added to this group.
- Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
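A read-only pre-flight check for the Gatekeeper server requirements listed above, as an added PowerShell example (not Specops code). The function name is hypothetical, the registry locations are Microsoft's detection keys for .NET Framework 4.x and the Visual C++ 2015 runtime, and the expected service account name assumes the server's sAMAccountName matches its computer name.

```powershell
# Added example, not vendor code. Read-only: run on the prospective Gatekeeper server.
function Test-GatekeeperPrerequisite {   # hypothetical helper name
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # .NET Framework 4.x records its build in the Release value; 461808 is 4.7.2.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release

    # VC++ 2015 runtime detection key, checked in both registry views.
    # The page requires vcredist2015 only on Windows Server 2012 R2.
    $vcKeys = 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\VisualStudio\14.0\VC\Runtimes\x64'
    $vcInstalled = $false
    foreach ($key in $vcKeys) {
        $vc = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($vc -and $vc.Installed -eq 1) { $vcInstalled = $true }
    }

    # "Fully patched" cannot be proven locally; report the newest hotfix date for review.
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        DomainJoined           = [bool]$cs.PartOfDomain
        # ProductType 1 is a workstation; Windows Server 2012 R2 is NT 6.3.
        ServerOs2012R2OrLater  = ($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'6.3')
        DotNet472OrLater       = ($null -ne $release) -and ($release -ge 461808)
        VcRedist2015Present    = $vcInstalled
        NewestHotfixInstalled  = $lastPatch.InstalledOn
        # Page's naming rule: "SGk" + server sAMAccountName + "$" (assumed equal to COMPUTERNAME).
        ExpectedServiceAccount = 'SGk{0}$' -f $env:COMPUTERNAME
    }
}

Test-GatekeeperPrerequisite | Format-List
```

Knowing the expected managed service account name in advance makes it easy to confirm, after installation, that the only new member of the Gatekeepers group is the account the wizard created.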
Installing the Gatekeeper, Administration Tools and Client
Creating a customer account
- To create a customer account, click here.
- On the Select data center page, identify the data center you want to use and click Go.
NOTE
Specops Authentication is hosted in multiple data centers. There are currently two data centers available: EU (Europe) and NA (North America).
WARNING
Ensure that you select the data center you would like your account to be created in. You cannot change data centers after your account has been created.
- In the Your organization’s name field, enter the name of your organization.
- In the Your organization’s domain name field, enter a domain name.
- In the Primary Contact Name field, enter a name. Ideally, this should be the name of the person setting up the account.
- In the Primary Contact Email field, enter the email address associated with the primary contact.
- Enter a checkmark for every product you have licensed.
- Enter a checkmark for any additional packages you have licensed.
- Agree to the Terms and Conditions by inserting a checkmark.
- Click Continue.
Cloud Account page
- On the Cloud account user page, you must create your first Cloud account. This Cloud account is required in order to perform the rest of the installation.
- In the Account email address field, enter the email address that you want to associate with this Cloud account. A suffix will be added to the email address, to differentiate this Cloud account from an on-premises account with the same email address/UPN.
- The Full Cloud account name field is read-only. The full Cloud account name is automatically generated from the email address/UPN that you have specified in the Account email address field.
- Click Continue.
Mobile Code page
- To register your mobile phone with your Cloud account, enter your mobile phone number with the correct country code and click Send. You will receive a code on your mobile phone; enter it on the screen to authenticate.
Cloud Account Password page
- On the Cloud account password page, enter and confirm the password you would like to use for this Cloud account and click OK. This is the password you will sign in with for your Cloud account going forward.
NOTE
The policy for this password cannot be altered.
Authentication Web
- You will be signed in to the Admin section of Specops Authentication Web. Here you will be able to create a new Gatekeeper. A Gatekeeper is required to sign in with Active Directory accounts.
- Click the Create new Gatekeeper button. On the download page, you will see the self-extracting installation package and activation code. Click Copy next to the activation code to store it in the clipboard. If you are not currently on the server the Gatekeeper will be installed on, make a note of the activation code.
- Click Download next to Default self-extracting installation package. The package contains the installation files for the Gatekeeper and your configuration information. By default, the package will be downloaded to your Downloads folder.
- Ensure that you have a server ready for installing the package.
- Take note of the activation code displayed on the page, as you will be prompted for it during installation.
- Copy the installation package to your server if it's not already there, and run the installation file on your server.
Installing the Administration Tools
The Administration Tools are used to install and configure the server
component, also known as the Gatekeeper. The installation process should
be performed on the same server that will be used to run the Gatekeeper.
- In the Specops Authentication Setup launcher (started by double-clicking the installer package), click Install the Admin Tools.
- Once the Admin Tools have been installed, click Start Admin Tools.
Installing the Gatekeeper
- Click Install Gatekeeper.
- You will be asked to only proceed if you have the activation code from the Gatekeeper download page on the Specops Authentication Web. Click Next.
- Select the Active Directory domain controller to connect.
- If you do not have permissions to install Specops Authentication at the domain level, you will be presented with the option to configure the Gatekeeper for an organizational unit where you are an administrator. Limit the delegation root and the settings objects location, and click Next.
- Select the Active Directory Scope where permissions should be created by highlighting the scope in the AD tree and clicking Add Selected. Multiple locations can be selected for multiple scopes of management. The Active Directory scope determines which users can use the Specops Authentication Service. If you don’t want administrators and managers to be within the scope of management, but still want them to manage the system or authenticate users, put a checkmark next to Allow admins and managers to be outside of the selected scope.
- Click Next.
- The Gatekeeper will run as a Windows service. Select the account context the Gatekeeper service should run as. You can choose between Managed Service Account and Custom Domain Account.
- If Custom Domain Account is selected, enter the account name and password of the user account the Gatekeeper service will run as.
- Click Next.
- Next you will be presented with an overview of the Security Groups associated with Specops Authentication. By default, the following security groups will be created. You can either keep the default group names, or enter a new name:
  - Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
  - User Admin Group: Users that are members of this group will be able to access the user management features on the Specops Authentication Web. The current user will be automatically added to this group.
  - Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
NOTE
In this step you can also add members to security groups by clicking the Edit members link for the security group, then clicking Add member. Note also that this is only available when performing a clean install of the Gatekeeper.
- Click Next.
- If domain administrators are included in the scope for this installation, Administrator Enrollment will have to be configured. If you wish to allow domain admins to enroll, enter a checkmark in the appropriate box. Click Next.
- If your organization is using a forward proxy server to route internet traffic externally, you will be prompted to configure the proxy server to allow the Gatekeeper to reach the internet. Otherwise, the installation wizard will skip this step.
- Enter the activation code from the Gatekeeper download page on the Specops Authentication Web, and click Activate.
- You will receive a message that the Gatekeeper has been configured and activated successfully.
- Click Finish.
- Verify that the Cloud connection status in the Communication Settings section states Connected.
Domain Verification
In order to enable email notifications, you have to verify all the domains associated with this account. Read more about Domain Verification.
Installing the Specops Authentication Client
The Specops Authentication Client is installed with an MSI-based installer. Note that upgrading the Specops Authentication Client will overwrite the installed Client.
If installed, the Specops Authentication Client can be found in “Add/Remove Programs” or “Programs and Features” from within the Windows Control Panel. Versions and releases may vary.
NOTE
Older versions of the Specops Authentication Client can be identified as “Specops uReset Client” or “Specops Password Client.”
The Specops Authentication Client can be used across the following Specops Software products:
- Specops Password Reset
- Specops Password Policy
- Specops uReset
NOTE
When using Specops Authentication Client in conjunction with a password reset tool:
As of Specops Authentication Client version 7.18.22314.1, the new CefSharp browser runtime version 105.3.390.0 is required if Specops uReset/Specops Password Reset is used (Specops Password Policy only customers don't need the CefSharp browser runtime). It is recommended to deploy the CefSharp browser runtime before the Specops Authentication Client itself.
Installation/upgrade behavior for CefSharp browser runtime has been changed. Installing a newer CefSharp runtime will no longer replace the older installed runtime. Instead, multiple CefSharp browser versions can co-exist. The intention is to be able to do a rollout in an organization, where the new CefSharp browser first is deployed. Once deployed, the Specops Authentication Client can be upgraded. This will make it easier to make sure that the Specops Authentication Client works on all computers during an upgrade, regardless of whether the latest CefSharp browser runtime has been deployed yet or not.
The Specops Authentication Client needs to be installed on the organization’s client computers, either by installing manually or by deploying using a deployment tool.
Downloading the Specops Authentication Client
Download the MSI from the download page directly. Users installing Specops Password Policy can also access the download page via the Password Policy installer's Download Client Installation Files section.
Deploying the Specops Authentication Client
To deploy the Specops Authentication Client to all users, use GPSI, Specops Deploy/App, or any other deployment tool. Specops Authentication Client supports silent install when deploying using a deployment tool. The client MSI can be deployed silently using standard MSI switches (e.g. /qn). There are no Specops command line parameters for the MSI installation.
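The rollout order recommended above (CefSharp browser runtime first, then the Client) as a silent install, shown as an added PowerShell example that is not Specops code. The package paths and the function name are placeholders, and the signature check assumes the vendor MSIs are Authenticode-signed; only standard Windows Installer switches are used.

```powershell
# Added example, not vendor code. Paths are placeholders for the MSIs you downloaded.
$packages = @(
    'C:\Deploy\<CefSharp-runtime>.msi',               # first; needed for uReset / Password Reset
    'C:\Deploy\<Specops-Authentication-Client>.msi'   # second
)

function Install-MsiSilently {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }

    # Refuse a package whose Authenticode signature does not validate
    # (assumes the vendor signs its MSIs).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed ($($sig.Status)): $Path"
    }

    # Standard MSI switches: /qn = no UI, /norestart = suppress reboot, /l*v = verbose log.
    $log     = Join-Path $env:TEMP ((Split-Path -Path $Path -Leaf) + '.log')
    $msiArgs = @('/i', "`"$Path`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success with reboot required; anything else is a failure.
    if ($proc.ExitCode -notin @(0, 3010)) {
        throw "msiexec returned $($proc.ExitCode) for $Path (log: $log)"
    }

    [pscustomobject]@{
        Package  = Split-Path -Path $Path -Leaf
        Signer   = $sig.SignerCertificate.Subject
        ExitCode = $proc.ExitCode
    }
}

# A throw stops the loop, so the Client is not installed if the runtime step fails.
foreach ($package in $packages) { Install-MsiSilently -Path $package }
```

Run it from an elevated session. Review the reported signer subject against the publisher you expect before pushing the same packages through GPSI or another deployment tool.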
Manually Installing or upgrading the Specops Authentication Client
- Open the Specops Authentication Client Setup wizard you just downloaded (.msi file).
- In the wizard, click Next.
- Accept the License Agreement by checking the checkbox, and click Next.
- Select the location where the Client should be installed (default path is C:\Program Files\Specopssoft\Specops Authentication Client\), then click Next.
- Click Install.
- Once the installation has completed, click Finish.
Configuring the Specops Authentication Client
The Specops Authentication Client can be configured using the administrative template in the Group Policy Management Console. For more information on its configuration, please refer to the Specops Authentication Client page.