Secret Server Installation Windows Server 2012

Table of Contents
Introduction
    ASP.NET Website
    SQL Server Database
    Administrative Access
Prerequisites
    System Requirements Overview
    Additional Recommendations
    Beginning the Installation Process
    Installing IIS
    .NET Framework 4.5.1
    Microsoft SQL Server
Secret Server Installer
    Download the latest version of Secret Server
    Running the Installer
Completing Secret Server installation from website
Manual Installation (no setup.exe)
    Installing as a Virtual Directory
    Installing as a Website
    Configuring the Application Pool
Appendix
    Virtual Accounts
    SSL Certificate
    WCF Services
    Installing the .NET Framework 4.5.1 Manually
    Installing IIS Manually

Last updated: July 12, 2016


Introduction
This is the installation guide for Windows Server 2012 and Windows 8, as well as Windows Server 2012
R2 and Windows 8.1. For other operating system installation guides, click here.

ASP.NET WEBSITE
Secret Server is installed as an ASP.NET website. The Secret Server installer will set up the website with
the correct permissions and create the settings in IIS. Once the website is set up, the installation will be
completed by a 5-step process within the application itself.

SQL SERVER DATABASE


Secret Server requires an instance of SQL Server for the database backend. The SQL Server database will
require a SQL account with db_owner permission to complete the installation.

ADMINISTRATIVE ACCESS
Throughout the installation, you will be required to be an administrator to perform most of these
actions. Please ensure that you are logged on to your system with a Windows account that has
administrative rights.

Prerequisites
Important: If this is the first time you are installing Secret Server, please take the time to review the
full list of system requirements and recommendations, located HERE.

SYSTEM REQUIREMENTS OVERVIEW


1. One of the following operating systems (see footnote 1):
   Windows 8 or 8.1
   Windows Server 2012 or 2012 R2
2. Microsoft SQL Server 2005 or greater (any edition)
3. Microsoft Internet Information Services (IIS)
4. Microsoft .NET Framework 4.5.1, 4.5.2, or 4.6 (32-bit or 64-bit)
Note: Windows 8.1 and Server 2012 R2 come with .NET Framework 4.5.1 already installed. If you are using
Windows 8 or Server 2012, you should already have .NET Framework 4.5 but will need to upgrade to .NET
Framework 4.5.1. Find the installer provided by Microsoft HERE.

Footnote 1: Windows 8 and 8.1 are only supported for testing environments. Microsoft does not support either of
these operating systems being used as a production server environment. Both 32- and 64-bit editions of
Windows Server are supported.


ADDITIONAL RECOMMENDATIONS
1. Use an SSL certificate for Secret Server.
2. Run Microsoft Update on your server to make sure all components are up to date.

BEGINNING THE INSTALLATION PROCESS


Components should be installed in the following order:
1. Internet Information Services (IIS)
2. .NET Framework 4.5.1
3. SQL Server
4. Secret Server

INSTALLING IIS
IIS is an internal part of the Windows operating system. If IIS is not found, the Secret Server installer will
install it automatically. If you would prefer to install IIS manually, please refer to the instructions in the
Appendix.

.NET FRAMEWORK 4.5.1


If .NET Framework 4.5.1 is not found, the Secret Server installer will install it automatically. If you would
prefer to install .NET manually, please refer to the instructions in the Appendix.

MICROSOFT SQL SERVER


Installing Microsoft SQL Server
We recommend using Microsoft SQL Server 2012, 2014, or 2016. An edition called Microsoft SQL Server
Express is available to download for free. When downloading the file, select the filename ending in WT,
which means "with tools" and includes SQL Server Management Studio.
The instructions given below use Microsoft SQL Server 2012 Express Edition with Tools as an example.
The installation processes for other editions such as Enterprise or Standard may be similar:
1. Download the SQL Server installation package, right-click it, and select Run as
Administrator.
2. From the welcome screen, select Installation from the left menu.
3. Select New SQL Server stand-alone installation or add features to an existing installation.

4. After you accept the license terms, you can click Next to install product updates.
5. In the Feature Selection window, ensure that the Database Engine Services and
Management Tools Basic check boxes are selected. Click Next.

6. In the Instance Configuration window, the default setting is to use a named instance called
SQLEXPRESS. If you prefer to use the default instance or specify a custom name for the
named instance, make those changes here. Otherwise, click Next to continue with the
default settings.


7. In the Server Configuration window, you have the option to specify a different service
account to run SQL Server Database Engine. Otherwise, click Next to use the default
settings.
8. In the Database Engine Configuration window, you have the choice to select either
Windows authentication mode or Mixed Mode. Select the option that will work best for
your environment. See descriptions below:
a. Mixed Mode (for easiest configuration): Mixed Mode is required if you intend to
use a SQL Server account to authenticate Secret Server to your SQL Server
instance. If you are doing an evaluation and using the Secret Server setup.exe
installer, we recommend using Mixed Mode with a SQL authentication account.
Selecting this option will also require you to set a password for the SQL Server
system administrator (sa) account. See Adding a SQL Server User (below) for
instructions.
b. Windows Mode (recommended for best security): This will prevent SQL Server
account authentication and requires a Windows Service account to run the Secret
Server website. This will also require additional configuration in IIS once Secret
Server is installed. This KB article walks through the advanced setup.


9. Your user account should already be shown in the Specify SQL Server administrators box. If
not, click Add Current User, and then click Next.
10. Allow the installation to complete, and then click Close. SQL Server 2012 Express is now
installed.

Creating the SQL Server Database


The Secret Server installer will create the database for you if it does not exist and if the user account has
permission to create a new database (this requires the dbcreator server role).
To create a database manually through SQL Server Management Studio, use the following steps:
1. Open SQL Server Management Studio by searching for it from the Windows Start screen.
2. Connect to your SQL Server instance.
3. Right-click the Databases folder and select New Database.

4. Enter a name for your database in the Database name field, and then click OK.


Adding a SQL Server User
Use the following instructions to add a SQL Server account for Secret Server to use to access the SQL
database:
1. Open SQL Server Management Studio by searching for it from the Windows Start screen.
2. Connect to your SQL Server Database.
3. Expand the Security folder.
4. Right-click the Logins folder and select New Login.

5. Select a method of authentication:


a. SQL Server authentication: Use this option to create a new SQL Server account (this
requires Mixed Mode to be enabled). To create the account, enter a new username and
password and then deselect the Enforce password policy check box to prevent the
account from expiring.
b. Windows authentication: Use this option to add access to SQL Server for an existing
Windows account. To add the account, enter the login name or click Search to find the
account. It is recommended to use a domain account rather than a local Windows
account.

6. Click User Mapping in the left menu.
7. Select the check box next to your Secret Server database.
8. In the Database role membership window below, select the db_owner check box.
9. Click OK.
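
A scripted equivalent of the two Management Studio procedures above (creating the database, then adding a login and mapping it to db_owner), using Windows authentication. This is an added example, not vendor code: the database name and the account EXAMPLE\svc-secretserver are hypothetical placeholders, and the instance name is the guide's default SQLEXPRESS.

```powershell
# Added example (not vendor code). All three values are assumptions to edit.
$Instance = '(local)\SQLEXPRESS'        # named instance the guide installs by default
$Database = 'SecretServer'              # hypothetical database name
$Login    = 'EXAMPLE\svc-secretserver'  # hypothetical existing Windows (domain) account

function Invoke-Sql {
    param([string]$Catalog, [string]$Sql, [hashtable]$Params = @{}, [switch]$Scalar)
    # Integrated Security: connect as the current Windows user, who must be a SQL administrator.
    $cs   = "Server=$Instance;Database=$Catalog;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        # Names travel as parameters, never as text pasted into the statement.
        foreach ($k in $Params.Keys) {
            [void]$cmd.Parameters.AddWithValue($k, [string]$Params[$k])
        }
        if ($Scalar) { return $cmd.ExecuteScalar() }
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Dispose()
    }
}

# Server level: create the database and the Windows login only if they are missing.
# QUOTENAME brackets each identifier so a name cannot break out of the statement.
$serverSql = @'
IF DB_ID(@db) IS NULL
BEGIN
    DECLARE @c nvarchar(max); SET @c = N'CREATE DATABASE ' + QUOTENAME(@db);
    EXEC (@c);
END;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    DECLARE @l nvarchar(max); SET @l = N'CREATE LOGIN ' + QUOTENAME(@login) + N' FROM WINDOWS';
    EXEC (@l);
END;
'@
Invoke-Sql -Catalog 'master' -Sql $serverSql -Params @{ '@db' = $Database; '@login' = $Login }

# Database level: map the login into this one database and add it to db_owner there.
# No server role (sysadmin, dbcreator) is granted, because the database already exists.
$dbSql = @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login)
BEGIN
    DECLARE @u nvarchar(max);
    SET @u = N'CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login);
    EXEC (@u);
END;
EXEC sp_addrolemember N'db_owner', @login;
'@
Invoke-Sql -Catalog $Database -Sql $dbSql -Params @{ '@login' = $Login }

# Check the result: 1 means the account is a member of db_owner in this database.
$checkSql = "SELECT IS_ROLEMEMBER(N'db_owner', @login)"
$isOwner  = Invoke-Sql -Catalog $Database -Sql $checkSql -Params @{ '@login' = $Login } -Scalar
if ($isOwner -ne 1) { throw "$Login is not db_owner on $Database" }
"$Login is db_owner on $Database"
```

Creating the database up front this way means the account Secret Server connects with needs only db_owner on that database and not the dbcreator server role.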

Secret Server Installer


Note: Ensure you have SQL Server installed before attempting to set up Secret Server.

DOWNLOAD THE LATEST VERSION OF SECRET SERVER


The latest version of Secret Server is available for download. A setup.exe file will be downloaded to your
machine.

RUNNING THE INSTALLER


It is recommended to run the setup.exe file as an administrator.

Prerequisites
The installer will first check the system to determine whether there are any missing prerequisites and
will install the needed features if necessary. These prerequisites include .NET 3.5, .NET 4.5.1, and IIS.
Alternatively, you can choose to enable these features manually before running the installer.

Installation Type
Your first option during the setup will be to choose a Standard or Advanced installation:


Standard Installation
This option installs Secret Server as a virtual directory under the Default Web Site in IIS. This is
recommended if you have existing sites using the Default Web Site and it is also the fastest way to get
Secret Server up and running.
Advanced Installation
This option installs Secret Server as a new website in IIS without using the Default Web Site. This option
also allows you to specify a port number that the website will run under. Using this option assumes some
knowledge of IIS and is often followed up by adding a DNS entry for the new website on the domain
controller. This option must be used if there is no Default Web Site in IIS.

File Destination
This is the location where the application files will exist. The folder is typically C:\SecretServer or
C:\inetpub\wwwroot\SecretServer (legacy), but can be customized to follow your convention.

Application Name
The application name will be used when creating the application pool and either the website or virtual
directory in IIS, depending on the option selected above.

Completing Installation from Secret Server


Once the setup.exe installer completes, the website will be set up with the correct permissions. Click
Continue, and the browser will open to allow you to complete the Secret Server installation from the
webpage. The following section will guide you through this process.

Completing Secret Server installation from website


Secret Server is now ready to complete installation. If the setup.exe did not open the browser
automatically, open a browser and navigate to where your Secret Server is located, for example:
http://localhost/secretserver.
From here, Secret Server has a 5-step installation process:
1. Step one ensures that Secret Server has write access to its location. If required, you must
give the correct account write and modify permissions to the application folder to continue.
Once the permissions are set, click Next.
Note (Advanced): If you don't want to change the permissions of a folder, you can give Secret Server
Windows credentials for an account that has the appropriate folder permissions, and Secret Server will
impersonate that user during the installation process.
Note: Secret Server only needs write permission to the directory containing the application files during
installation and upgrade. You can remove the write and modify permissions once the installation process
is complete.
2. Step two creates your unique encryption key. This key is generated securely and used to
encrypt and decrypt values stored in the database.
Alternatively, Secret Server can be configured to use a SafeNet HSM (or paired HSMs for
failover). Use of HSM encryption requires an HSM card to be installed on the same server as
Secret Server. To configure Secret Server to use an HSM, click the Advanced link, and then
click the encryption option Use Safenet HSM for Encryption. Use of HSM encryption requires
Secret Server Enterprise Plus Edition.
3. Step three is where you specify the database. If Secret Server is installed on the same machine
as SQL Server, you can specify (local). If you are using a named instance of SQL Server, add a
backslash and then the instance name, for example: (local)\InstanceName. Enter the SQL username
and password if using SQL Server Authentication, or select Windows Authentication. For
information about adding a SQL Server user, see Adding a SQL Server User.
Note: If the database name you provide does not yet exist in the specified instance of SQL Server, Secret
Server will attempt to create the database using the SQL or Windows account you have specified. For
that account to create a database, it will need to have the dbcreator server role in SQL Server.
4. Secret Server will now attempt to download and install the latest version from the internet.
You must have an active internet connection. If you do not, Secret Server will continue to
install the current version.
5. Secret Server will ask you to agree to your End User License Agreement. If you do, select the
check box and click continue. Secret Server will then configure your database.
6. Secret Server will now ask you to create your first user. This user will have administrative
access within the application.
7. Once logged into Secret Server, you will be prompted with the Getting Started Wizard. If
you skipped the wizard and would like to return, you can go to HELP > Getting Started from
the top menu. The wizard will guide you through adding your licenses, setting up an email
server, and creating your first group.
Secret Server has now successfully been installed. See Getting Started and the User Guide for
information about using Secret Server.


Manual Installation (no setup.exe)
If you are familiar with IIS and would prefer to manually install the website without using the
setup.exe installer, you can follow these instructions.
Note: Make sure you have the required software installed before attempting to set up Secret Server.
Download the latest version of Secret Server. After clicking the download button you will be taken to a
page where you can choose to download a .zip file that contains the Secret Server files. Use this .zip file
for the instructions below.
Secret Server can be installed in one of two ways:
- As a virtual directory
- As a website

INSTALLING AS A VIRTUAL DIRECTORY


1. Extract the contents of the .zip file where you would like Secret Server to be located on your
system (a common location is C:\inetpub\wwwroot).
2. Open Internet Information Services (IIS) Manager.
3. Right-click Default Web Site and select Add Virtual Directory

4. Select an alias for your Secret Server. The alias is what will be appended to the website. For
instance, http://myserver/SecretServer.
5. Select the physical directory for where you unzipped Secret Server.
6. In the tree, right-click the new virtual directory and select Convert to Application.

7. Create a new application pool.


8. Right-click your Secret Server virtual directory in IIS and select Manage Application >
Advanced Settings
9. In the new window, change the Application Pool to the one you created in step 7. Click OK.

10. Ensure that the Secret Server folder has the proper permissions by checking that the
account running the application pool in IIS has Modify permissions on the folder where
Secret Server is installed.
Secret Server is now ready to be installed. Go to Completing Secret Server installation from website.

INSTALLING AS A WEBSITE
1. Extract the contents of the .zip file where you would like Secret Server to be located on your
system (a common location is C:\inetpub\wwwroot).


2. Open Internet Information Services (IIS) Manager.
3. Create a new application pool.
4. Ensure that the account running your newly created application pool in IIS has Modify
permissions on the folder where Secret Server is installed.
5. In IIS, right-click Sites and select Add Website
6. Enter a Site name.
7. Click Select and choose the application pool you created in step 3 from the drop-down
menu. Click OK.
8. Click the button beside the Physical path field and select the directory containing the
unzipped Secret Server files (for example, C:\inetpub\wwwroot\secretserver). Click OK.
9. Click OK at the bottom of the Add Website window to save your settings.
Secret Server is now ready to be installed. Go to Completing Secret Server installation from website.

CONFIGURING THE APPLICATION POOL


During a manual installation, Secret Server may be placed in the DefaultAppPool application pool, which
may not be set to use the correct pipeline for Secret Server. Secret Server requires that the application
pool's managed pipeline mode be set to Classic. To resolve this, you can modify the existing application
pool settings or create a new one.
Note: It is recommended that you create a new application pool for Secret Server if you have other web
applications running on the same server. This will help avoid changing the configuration for another
application.

Changing the Pipeline Mode


You can modify the pipeline mode for Secret Server's application pool using the following instructions:
1. Open Internet Information Services (IIS) Manager and select the Application Pools node.
2. Double-click the DefaultAppPool (or the application pool you wish to change).
3. For the Managed Pipeline Mode, select Classic. Click OK.


Creating a New Application Pool
Follow the steps below to create an entirely new application pool to use for Secret Server:
1. Open Internet Information Services (IIS) Manager and right-click the Application Pools
node.
2. Select Add Application Pool
3. Enter a new name for your application pool in the Name field.
4. Ensure that the .NET CLR Version (in Windows 8 and Windows Server 2012 this will be
called the .NET Framework Version) is set to .NET Framework v4.0.30319.
5. For the Managed Pipeline Mode select Classic. Click OK.
6. (Optional) configure the application pool identity.
Note: The Windows Server 2012 R2 and Windows 8.1 Add Application Pool window will appear slightly
different than in Windows Server 2012 and Windows 8.

[Figure: IIS Application Pool - Windows 8 / Server 2012]
[Figure: IIS Application Pool - Windows 8.1 / Server 2012 R2]

Configuring an Application Pool Identity


Windows 8 / Server 2012 will default new application pool identities to a virtual identity,
ApplicationPoolIdentity. For easiest configuration, use either this or NETWORK SERVICE as the identity.
For better security, you can specify your own Windows service account. See the Appendix for further
information on using a virtual identity for Secret Server in IIS.
To configure an application pool identity, follow the steps below:
1. Open Internet Information Services (IIS) Manager.
2. Click the Application Pools node.


3. Right-click the application pool you would like to modify and select Advanced Settings.
4. Under the Process Model section, click the Identity field to select a Built-in account or
specify a Custom account. For more information about using a custom account, see Running
Secret Server IIS Application Pool with a Service Account. After you've selected an account,
click OK.

Appendix
VIRTUAL ACCOUNTS
Virtual Accounts, or Managed Service Accounts, are a feature included in Windows 8 and Windows Server
2012. Windows will create a virtual account for the name of the application pool. Thus, if your application
pool's name is DefaultAppPool and its identity is set to ApplicationPoolIdentity, you would assign folder
permissions to the account IIS AppPool\DefaultAppPool. This account can then optionally be used to
connect Secret Server to the SQL database by adding db_owner access to the database as a Windows
account. See Adding a SQL Server User. For more information on virtual accounts as application pool
identities, see this article by Microsoft.
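
The application pool settings from the manual installation section, combined with the folder permission for the pool's virtual account described here. This is an added example, not vendor code: the pool name SecretServer and the folder path are assumptions, and Set-SecretServerFolderAccess is a hypothetical helper defined in the block.

```powershell
# Added example (not vendor code). Pool name and folder are assumptions to edit.
Import-Module WebAdministration                  # installed with the IIS management tools

$PoolName = 'SecretServer'                       # hypothetical application pool name
$AppPath  = 'C:\inetpub\wwwroot\SecretServer'    # folder the .zip was extracted to

# A dedicated pool leaves the settings of other sites on the server untouched.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-WebAppPool -Name $PoolName | Out-Null
}

# Settings the guide requires: .NET v4.0 runtime and the Classic pipeline.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedPipelineMode -Value 1      # 0 = Integrated, 1 = Classic
# Keep the per-pool virtual identity (4 = ApplicationPoolIdentity).
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value 4

function Set-SecretServerFolderAccess {
    param([ValidateSet('Install', 'Runtime')][string]$Phase)
    $account = "IIS AppPool\$PoolName"           # virtual account named after the pool
    # Drop any earlier explicit grant, then apply the level for this phase:
    # Modify while installing or upgrading, read and execute the rest of the time.
    icacls $AppPath /remove:g $account | Out-Null
    $rights = if ($Phase -eq 'Install') { 'M' } else { 'RX' }
    icacls $AppPath /grant "${account}:(OI)(CI)$rights" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $account on $AppPath" }
}

Set-SecretServerFolderAccess -Phase Install      # before opening the web installer
# Once the web installer (or a later upgrade) has finished:
# Set-SecretServerFolderAccess -Phase Runtime

# Read the pool back and stop if it does not match what Secret Server needs.
$pool = Get-Item "IIS:\AppPools\$PoolName"
if ($pool.managedPipelineMode -ne 'Classic' -or $pool.managedRuntimeVersion -ne 'v4.0') {
    throw "Application pool $PoolName is not set to Classic / v4.0"
}
"Pool $PoolName: $($pool.managedPipelineMode), $($pool.managedRuntimeVersion), $($pool.processModel.identityType)"
```

The website or virtual directory still has to be pointed at this pool, as in the manual installation steps.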

SSL CERTIFICATE
What is an SSL Certificate?
An SSL (Secure Sockets Layer) Certificate greatly enhances the security between the user's browser and
the server Secret Server is installed on. It encrypts all data between the server and the client's browser
so if an attacker were to look at the data being transmitted between the two, they would not be able to
decipher it.

Where can I obtain an SSL Certificate?


A certificate can be obtained from various companies such as Thawte or VeriSign. It is also possible to
create your own; see Creating and installing your own.

WCF SERVICES
Starting in Secret Server version 8.9.000000, the use of Secret Server's Distributed Engine requires that
one of the following two server features be installed when the Secret Server website is running on
Windows Server 2012:
- .NET Framework 4.5 Features -> WCF Services -> HTTP Activation
- .NET Framework 4.5 Features -> WCF Services -> TCP Activation
The choice of which to install depends on which Protocol is selected in the Engine Callback Settings. If
HTTPS is selected, then the HTTP Activation feature is required. If TCP is selected, then TCP Activation is
required.
If the feature is not installed, there will be the following error message in the Engine logs: (405) Method
Not Allowed. ---> System.Net.WebException: The remote server returned an error: (405) Method Not
Allowed.

INSTALLING THE .NET FRAMEWORK 4.5.1 MANUALLY


For operating systems other than Windows 8.1 or Windows Server 2012 R2, .NET Framework 4.5.1 is not
included by default. To install version 4.5.1, use the offline installer provided by Microsoft, found HERE.

INSTALLING IIS MANUALLY


IIS is an internal part of the Microsoft Windows operating system. Its installation process will vary
depending on which operating system version you are using.

Windows 8 / 8.1
In Windows 8 and 8.1, IIS is added as a Windows feature:


1. Open the Control Panel by typing Control Panel from the Windows Start screen and
selecting the Control Panel result.
2. In the Control Panel window, select Programs and then click Turn Windows features on or
off.

3. Expand Internet Information Services and expand Web Management Tools.


4. Select the IIS Management Console check box.

5. Expand World Wide Web Services.


6. Under Application Development Features, select the ASP.NET 4.5 check box. This will
automatically select other needed dependencies.

7. Under Common Http Features, select the Default Document and Static Content check
boxes.

8. Click OK and wait for Windows to install the features.


9. Internet Information Services (IIS) Manager is now installed. You can verify the installation
of IIS by searching for IIS from the Windows Start screen. IIS Manager can also be
accessed from the Control Panel under Administrative Tools.
We recommend you run Windows Update to install the latest security patches for IIS once you have IIS
installed.

Windows Server 2012 / R2


To install Internet Information Services (IIS) Manager on Windows Server 2012 / R2, you will need to give
your server the Web Server (IIS) role using the following procedure:


1. Open the Server Manager for your server. From the Manage menu, select Add Roles and
Features.

2. Select Role-based or feature-based installation, and then click Next.


3. On the next screen, ensure your local server is selected as the target server from the Server
Pool window. Click Next.
4. In the Roles window, select the Web Server (IIS) check box. Click Next.

5. A dialog may appear asking to confirm required features. Click Add Features, and then click
Next.

6. On the Features page, click Next.


7. In the Role services window, expand Common HTTP Features and ensure that Default
Document, HTTP Errors, and Static Content are selected.

8. Scroll down and expand Application Development, and then select the ASP.NET 4.5 check
box. A window will appear confirming the addition of required features. Click Add Features,
and then click Next.

9. Confirm your installation details, and then click Install. Wait for the installation to complete.
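
The same role services installed from an elevated PowerShell session on Windows Server 2012 / R2, together with the WCF activation feature from the WCF Services section, chosen by Engine Callback protocol. This is an added example, not vendor code; the two function names are hypothetical, and Install-WindowsFeature is not available on Windows 8 / 8.1.

```powershell
# Added example (not vendor code). Windows Server 2012 / R2 only, elevated session.
Import-Module ServerManager

function Get-SecretServerFeatureList {
    # 'None' = the Distributed Engine is not used, so no WCF activation feature is added.
    param([ValidateSet('None', 'HTTPS', 'TCP')][string]$EngineCallbackProtocol = 'None')
    $features = @(
        'Web-Server',          # Web Server (IIS) role
        'Web-Default-Doc',     # Common HTTP Features > Default Document
        'Web-Http-Errors',     # Common HTTP Features > HTTP Errors
        'Web-Static-Content',  # Common HTTP Features > Static Content
        'Web-Asp-Net45',       # Application Development > ASP.NET 4.5
        'Web-Mgmt-Console'     # IIS Management Console
    )
    # Only one activation feature is needed; a missing one shows up as
    # "(405) Method Not Allowed" in the Engine logs.
    switch ($EngineCallbackProtocol) {
        'HTTPS' { $features += 'NET-WCF-HTTP-Activation45' }
        'TCP'   { $features += 'NET-WCF-TCP-Activation45' }
    }
    return $features
}

function Install-MissingFeature {
    param([string[]]$Name)
    # Install only what is absent, so a second run changes nothing.
    $missing = @(Get-WindowsFeature -Name $Name | Where-Object { -not $_.Installed })
    if ($missing.Count -eq 0) { return @() }
    $names  = $missing | ForEach-Object { $_.Name }
    $result = Install-WindowsFeature -Name $names
    if (-not $result.Success) { throw 'Feature installation failed' }
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required to finish.' }
    return $names
}

$wanted = Get-SecretServerFeatureList -EngineCallbackProtocol HTTPS
$added  = @(Install-MissingFeature -Name $wanted)
"Features added in this run: $($added.Count)"

# Final check: list anything from the wanted set that is still not installed.
$stillMissing = @(Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed })
if ($stillMissing.Count -gt 0) {
    throw "Not installed: $(($stillMissing | ForEach-Object { $_.Name }) -join ', ')"
}
```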
