Installation

The content below is intended for IT administrators and can be used to help install and evaluate Specops Key Recovery.

The recommended installation is to download the self-extracting installer package, and complete the steps in the installation wizard.

Alternatively, if your organization uses Windows Server Core (without GUI), you can use the PowerShell script based installation procedure. For more information, see Scripted Install.

Requirements


Your organization’s environment must meet the following system requirements.

  • Symantec Endpoint Encryption environment: You will need to provide certain details relating to your Symantec Endpoint Encryption environment during the Specops Key Recovery setup process, such as:
    • Your Symantec Endpoint Encryption Help Desk URL
    • The credentials for accessing the Help Desk
  • BitLocker: Group Policy configured to store recovery passwords and key packages in Active Directory Domain Services for all drives that should be recoverable.

For more information on setting up Symantec Endpoint Encryption, please consult Symantec’s documentation.

  • Gatekeeper server computer:
    • Joined to your Active Directory domain
    • Windows Server 2012 R2 or later (core or with desktop experience)
      If the Primary Domain Controller is running a version of Windows Server prior to 2008 R2, the Allow admins to enroll feature can take up to one hour to take effect.
    • .NET Framework 4.7.2 or later
  • Gatekeeper Admin Tool:
    • Joined to your Active Directory domain
    • Windows 8.1 or later (with desktop experience)
    • .NET Framework 4.7.2 or later
  • Administrative privileges: To both Active Directory and the Gatekeeper server computer. It is recommended to run the installation as a domain administrator.
  • Account options: There are two options for the account the Gatekeeper Windows service will “run as”. Prepare to use one of the following:
    • Managed Service Account (recommended): Using a managed service account for the Gatekeeper requires no extra action from you as the installing administrator; the installation script creates the managed service account in your Active Directory. If the Gatekeeper server’s sAMAccountName in Active Directory is “SRV17”, the managed service account name will be “SGkSRV17$”.
    • Domain Account: If you prefer to use a domain account, it must be created before running the installation. You will need the account’s sAMAccountName and password on hand.
  • Security groups: The installation script will create security groups used by Specops Key Recovery. There is no action required by you.
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Authentication web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
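The following pre-flight script is an added example, not part of the Specops installer: it checks the Gatekeeper server requirements listed above and reads a BitLocker GPO to confirm it stores recovery passwords and key packages in AD DS for every drive type. It assumes the ActiveDirectory and GroupPolicy RSAT modules are present, and the GPO name passed at the bottom is a placeholder.

```powershell
# Added pre-flight checks against the requirements above; not part of the Specops installer.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and the caller can
# read AD and the GPO. The GPO name used at the bottom is a placeholder.
Import-Module ActiveDirectory, GroupPolicy

function Test-GatekeeperServerPrerequisites {
    # Run on the intended Gatekeeper server: domain join, OS level, .NET 4.7.2+, MSA name.
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    # Naming rule from the requirements: "SGk" + the server's sAMAccountName + "$", e.g. SGkSRV17$
    $msaName = 'SGk' + $env:COMPUTERNAME + '$'
    [pscustomobject]@{
        DomainJoined     = [bool]$cs.PartOfDomain
        # Windows Server 2012 R2 reports version 6.3.9600; later releases report higher
        ServerVersionOk  = ([version]$os.Version -ge [version]'6.3.9600')
        # .NET Framework 4.7.2 sets the Release DWORD to 461808; later versions set a larger value
        DotNet472OrLater = ($null -ne $ndp -and $ndp.Release -ge 461808)
        ExpectedMsaName  = $msaName
        MsaAlreadyExists = [bool](Get-ADServiceAccount -Filter "sAMAccountName -eq '$msaName'")
    }
}

function Test-BitLockerAdBackupPolicy {
    # Reads the values a BitLocker GPO writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    # Per drive type (OS = operating system, FDV = fixed data, RDV = removable data) the
    # requirement is <Prefix>ActiveDirectoryBackup = 1 and <Prefix>ActiveDirectoryInfoToStore = 1
    # (1 = recovery passwords and key packages; 2 = recovery passwords only, which is not enough).
    param([Parameter(Mandatory)][string]$GpoName)
    $values = @{}
    Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue |
        ForEach-Object { $values[$_.ValueName] = $_.Value }
    foreach ($prefix in 'OS', 'FDV', 'RDV') {
        [pscustomobject]@{
            DriveType          = $prefix
            BackupToAd         = ($values["${prefix}ActiveDirectoryBackup"] -eq 1)
            IncludesKeyPackage = ($values["${prefix}ActiveDirectoryInfoToStore"] -eq 1)
            BackupRequired     = ($values["${prefix}RequireActiveDirectoryBackup"] -eq 1)
        }
    }
}

Test-GatekeeperServerPrerequisites | Format-List
Test-BitLockerAdBackupPolicy -GpoName 'BitLocker recovery backup' | Format-Table -AutoSize
```

A drive type reporting IncludesKeyPackage = False will produce recovery passwords that Specops Key Recovery cannot use for key-package recovery, so fix the GPO before running the setup wizard.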

Installation


Create a customer account

  1. To create a customer account, click here.
  2. On the Select data center page, identify the data center you want to use and click Go.
    Specops Authentication is hosted in multiple data centers. There are currently two data centers available: EU (Europe) and NA (North America).
    Ensure that you select the data center you would like your account to be created in. You cannot change data centers after your account has been created.
  3. In the Your organization’s name field, enter the name of your organization.
  4. In the Your organization’s domain name field, enter a domain name.
  5. In the Primary Contact Name field, enter a name. Ideally, this should be the name of the person setting up the account.
  6. In the Primary Contact Email field, enter the email address associated with the primary contact.
  7. Click Continue.
  8. On the Cloud account user page, you must create your first Cloud account. This Cloud account is required in order to perform the rest of the installation.
    • In the Account email address field, enter the email address that you want to associate with this Cloud account. A suffix will be added to the email address, to differentiate this Cloud account from an on-premises account with the same email address/UPN.
    • The Full Cloud account name field is read-only. The full Cloud account name is automatically generated from the email address/UPN that you have specified in the Account email address field.
  9. To register your mobile phone with your Cloud account, enter your mobile phone number. When you receive the code on your mobile phone, enter it on the screen to authenticate.
  10. On the Cloud account password page, enter and confirm the password you would like to use for this Cloud account and click OK. This is the password you will sign in with for your Cloud account going forward.
    • Note: The policy for this password cannot be altered.
  11. You will be signed in to the Admin section of Specops Authentication Web. Here you will be able to create a new Gatekeeper. A Gatekeeper is required to sign in with Active Directory accounts.
  12. Click the Create new Gatekeeper button. On the download page, you will see the self-extracting installation package and activation code. The package contains the installation files for the Gatekeeper and your configuration information.
  13. Click Download next to Default self-extracting installation package.
    • Ensure that you have a server ready for installing the package.
    • Take note of the activation code displayed on the page, as you will be prompted for it during installation.
  14. Copy and run the installation file on your server.

Install the Administration Tools

The Administration Tools are used to install and configure the server component, also known as the Gatekeeper. The installation process should be performed on the same server that will be used to run the Gatekeeper.

  1. In the Specops Authentication Setup launcher, click Install the Admin Tools.
  2. Once the Admin Tools have been installed, click Start Admin Tools.

Install the Gatekeeper

  1. Click Install Gatekeeper.
  2. You will be asked to only proceed if you have the activation code from the Gatekeeper download page on the Specops Authentication web. Click Next.
  3. If you do not have permissions to install Specops Authentication at the domain level, you will be presented with the option to configure the Gatekeeper for an organizational unit where you are an administrator. Limit the delegation root and the settings objects location, and click Next.
  4. Select the Active Directory Scope where permissions should be created, and click Add. Multiple locations can be selected for multiple scopes of management. The Active Directory scope determines which users can use the Specops Authentication Service. If you don’t want administrators and managers to be within the scope of management, but still want them to manage the system or authenticate users, click Allow admins and managers to be outside of the selected scope.
  5. Click Next.
  6. The Gatekeeper will run as a Windows service. Select the account context the Gatekeeper service should run as.
    • If Custom Domain Account is selected, enter the account name and password of the user account the Gatekeeper service will run as.
  7. Click Next.
  8. If your organization is using a forward proxy server to route internet traffic externally, you will be prompted to configure the proxy server to allow the Gatekeeper to reach the internet. Otherwise, the installation wizard will skip this step.
  9. The following security groups will be created. You can either keep the default group names, or enter a new name:
    • Admin Group: Users that are members of this group will be portal administrators. The current user will be automatically added to this group.
    • User Admin Group: Users that are members of this group will be able to access the user management features on the Specops Authentication web. The current user will be automatically added to this group.
    • Gatekeepers Group: Service accounts that are members of this group will have permission to read user information. The account running the Gatekeeper will be added to the Gatekeepers security group.
  10. Click Next.
  11. Enter the activation code from the Gatekeeper download page on the Specops Authentication web, and click Activate.
  12. You will receive a message that the Gatekeeper has been configured and activated successfully.
  13. Click Finish.
  14. Verify that the Cloud connection status states Connected.

Set up Specops Key Recovery for Symantec Endpoint Encryption


  1. On the Gatekeeper Admin Tool, select Key Recovery, and click Setup Specops Key Recovery.
  2. The Setup Wizard will open. On the Begin page of the setup wizard, you will see a brief explanation of the prerequisites that must be in place before Specops Key Recovery can work successfully, including the minimum permissions that must be set. This includes:
  3. Click Next.
  4. If you have multiple Gatekeepers installed, an additional page (Select Gatekeepers) will be displayed, and you will need to complete steps 4a-b. If you only have one Gatekeeper installed, this step will be automatically skipped.
    a. Configuration of Specops Key Recovery is stored on each Gatekeeper and cannot be replicated between Gatekeepers. Select the checkbox next to the Gatekeeper you want to configure.
    b. Click Next.
  5. On the Find Symantec Endpoint Encryption service page of the setup wizard, enter the required information to enable Specops Key Recovery to access your company’s Symantec Endpoint Encryption environment. For more information, see Setting up your Symantec Endpoint Encryption account with Specops Key Recovery.
    a. Enter your Symantec Endpoint Encryption URL: For example, https://mydomain.com:8080/WebConsole/
    b. Enter your Symantec Endpoint Encryption Username: For example, DOMAIN\User
    c. Enter your Symantec Endpoint Encryption Password: Enter the password for your Symantec Endpoint Encryption environment
    d. Click Test Connection to ensure that Specops Key Recovery has successfully connected to your Symantec Endpoint Encryption environment.
    e. Click Next.
  6. On the SQL preparations page of the setup wizard, you will need to: create an Active Directory security group, grant the group access to the Symantec Endpoint Encryption SQL database, and enable remote access to the SQL Server. To complete these steps using the PowerShell scripts in the setup wizard, complete steps 6a-c. To complete these steps manually, or for more information, see Symantec Endpoint Encryption SQL configurations.
    a. Select the PowerShell link on the right-hand side of the Active Directory section. Copy the script, run it in PowerShell, and click OK.
    b. Select the PowerShell link on the right-hand side of the SQL Server section. Copy the script, run it in PowerShell, and click OK.
    c. Click Next.
      The user running the above scripts must have:
      • Permission to create a security group, add the Specops Gatekeepers group to that security group, and restart the Gatekeeper.
      • Permission to enable remoting on the Symantec Endpoint Encryption SQL server, and to add logins and roles.
  7. On the Database page of the setup wizard, grant access to Symantec Endpoint Encryption by providing your SQL Server Instance and SQL Server Database Name.
    a. Click Test Connection to ensure the connection has been successful.
    b. Click Next.
  8. On the Summary page of the setup wizard, you will see an overview of all the configured settings. If you are satisfied with the configuration, click Finish.
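The script below is an added illustration of what the SQL preparations in step 6 amount to (an AD group containing the Gatekeepers group, remoting on the SQL server, and a Windows login with a database role); it is not the wizard's generated script, which remains the authoritative version. Every name in it is a placeholder, and granting db_datareader is an assumption about the access Specops Key Recovery needs.

```powershell
# Added illustration of the SQL preparation steps; not the wizard's own generated script.
# All names are placeholders; db_datareader is an assumption about the access required.
Import-Module ActiveDirectory
$GroupName        = 'Specops Key Recovery SQL Access'        # placeholder
$GroupOu          = 'OU=Service Groups,DC=corp,DC=example'   # placeholder
$GatekeepersGroup = 'Specops Gatekeepers'                    # assumption: default name kept at Gatekeeper install
$SqlInstance      = 'SEE-SQL01\SEE'                          # placeholder
$Database         = 'SEEMSDb'                                # placeholder
$NetBiosDomain    = (Get-ADDomain).NetBIOSName

# Part 1 (step 6a), run on the Gatekeeper server by an account that may create groups.
# Access is granted to a group that contains the Gatekeepers group, so no individual
# service account ever receives a direct SQL grant.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADGroup $GatekeepersGroup)
# Group membership is evaluated at logon, so the Gatekeeper service must restart to pick it up.
# The service is located by display name because its service name is not documented on this page.
Get-Service -DisplayName '*Gatekeeper*' | Restart-Service

# Part 2 (step 6b), run on the SQL server as a sysadmin: enable remoting, then map the group
# to a Windows login and give that login read access to the SEE database only.
Enable-PSRemoting -Force
$login = "$NetBiosDomain\$GroupName"
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE db_datareader ADD MEMBER [$login];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql

# Confirm the mapping before clicking Test Connection on the Database page (step 7).
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @"
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
WHERE dp.name = N'$login';
"@
```

The final query should return exactly one row for the group; if it returns nothing, the login or user mapping failed and the wizard's Test Connection will fail too.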

Set up Specops Key Recovery for BitLocker


  1. On the Gatekeeper Admin Tool, select Key Recovery, and click Setup Specops Key Recovery.
  2. The Setup Wizard will open. On the Begin page of the setup wizard, you will see a brief explanation of the steps that the wizard will perform. This includes:
    • Creating an Active Directory Security Group for Specops Key Recovery for BitLocker.
    • Defining the scope where the computers that can be recovered are located.
    • Giving your Gatekeepers permission to read recovery passwords for BitLocker.
    • Restarting the Gatekeeper(s).
  3. Click Next.
  4. Select where you want to create the Active Directory security group for Specops Key Recovery for BitLocker.
  5. Click Next.
  6. Select where your computers that are using Microsoft BitLocker are located. Permissions will be configured here for the security group, to allow Gatekeepers to read recovery passwords.
  7. Click Next.
  8. A summary is displayed. Verify that your configuration is correct, and press Finish to finalize the setup.
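As an added illustration of what the wizard configures in steps 2, 4 and 6 (not the wizard's own code), the script below creates the security group, delegates read access on BitLocker recovery objects under the chosen computers location, and then verifies that the delegation exists. Group name, OUs and the Gatekeepers group name are placeholders or assumptions; msFVE-RecoveryInformation is the AD schema class in which BitLocker stores recovery passwords.

```powershell
# Added illustration of what the BitLocker setup wizard configures; not the wizard's own code.
# Group name, OUs and the Gatekeepers group name are placeholders or assumptions.
Import-Module ActiveDirectory
$GroupName        = 'Specops Key Recovery BitLocker Readers'   # placeholder
$GroupOu          = 'OU=Service Groups,DC=corp,DC=example'     # placeholder (step 4)
$ComputersOu      = 'OU=Workstations,DC=corp,DC=example'       # placeholder (step 6): recoverable computers
$GatekeepersGroup = 'Specops Gatekeepers'                      # assumption: default name kept at install

if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADGroup $GatekeepersGroup)

# Recovery passwords are stored as msFVE-RecoveryInformation child objects of each computer.
# Resolving the class GUID limits the ACE to those objects, not the computer objects themselves.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$fveClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryInformation)' -Properties schemaIDGUID
$fveGuid  = [guid]$fveClass.schemaIDGUID

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    (Get-ADGroup $GroupName).SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $fveGuid)
$acl = Get-Acl -Path "AD:\$ComputersOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ComputersOu" -AclObject $acl

function Test-RecoveryReadDelegation {
    # $true when the OU carries an Allow read ACE for the group scoped to msFVE-RecoveryInformation objects.
    param([string]$Ou, [string]$Group, [guid]$ClassGuid)
    $domain = (Get-ADDomain).NetBIOSName
    $hit = (Get-Acl -Path "AD:\$Ou").Access | Where-Object {
        $_.IdentityReference.Value -eq "$domain\$Group" -and
        $_.InheritedObjectType -eq $ClassGuid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
    }
    [bool]$hit
}
Test-RecoveryReadDelegation -Ou $ComputersOu -Group $GroupName -ClassGuid $fveGuid
# Last wizard step: restart the Gatekeeper(s) so the service picks up the new group membership
# (run this on each Gatekeeper server; the service is located by display name).
Get-Service -DisplayName '*Gatekeeper*' | Restart-Service
```

Scope the computers OU as tightly as the recoverable machines allow: every member of the group, including each Gatekeeper service account, can read every recovery password beneath it.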

Domain Verification

In order to enable email notifications, you have to verify all the domains associated with this account. Read more about Domain Verification.