Step 1: Trial Installation Prerequisites

This topic only applies to Secret Server On-Premises.

Below are our suggested guidelines for preparing to run a trial or proof-of-concept (POC) of Secret Server.

System Requirements

Please review the detailed System Requirements for Secret Server. The Minimum Requirements are for trial, sandbox, and POC environments. The Recommended Requirements are for production deployments.

Hardware Requirements

Secret Server can be installed on a physical server or virtual machine.

If you would like to set up front-end (application) clustering, you need to have two or more servers available.

For testing SQL Server high availability, you can use either existing Microsoft SQL Server Always On availability group infrastructure or database mirroring. If you want to test this, your database team needs to prepare it in advance.

Software Requirements

Checklist

  • Windows Server 2012 or newer (recommended), one server minimum
  • SQL Server (one instance, minimum)
  • Application server prerequisites
  • SSL certificate

SQL Server

Delinea does not support using SQL Express in a production environment due to size and performance limitations.

You can create the SQL database in an existing SQL instance or in a new installation of SQL Server. For high availability, this must be a licensed edition of SQL Server, because SQL Express cannot host an availability group or act as a mirroring principal. If you are using a new installation of SQL Server, have it installed beforehand.

Detailed instructions for installation and configuration of SQL Server are included in one of the installation guides below (choose the guide matching the OS that SQL server will be installed on).

Application Server

We recommend installing Secret Server on Windows Server 2012 or later, with the IIS, ASP.NET and .NET Framework roles and features installed. Refer to the System Requirements above for prerequisite details.

Application Configuration

Service Account

Set up a domain service account for the Secret Server application pool to run as, and grant it only the following (it does not need to be a local administrator on the application server or a sysadmin in SQL Server):

  1. The "Log on as a batch job" user right on the server that Secret Server runs on.

  2. Modify permission on the Secret Server application directory (typically under C:\inetpub\wwwroot) and on C:\Windows\Temp.

  3. Access to your SQL Server instance: a login for the account, and membership in the db_owner role of the Secret Server database.

For detailed instructions on how to configure the permissions for the service account, see Running the IIS Application Pool As a Service Account. The installation guides include instructions for assigning db_owner permission to the service account in SQL Server.
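The three grants above, carried out from an elevated PowerShell session on the Secret Server host. This is an added example, not a script from the Secret Server documentation; the account name CORP\svc-secretserver, the application directory C:\inetpub\wwwroot\SecretServer, the SQL instance SQL01, the database name SecretServer, the application pool name SecretServer, and the presence of the SqlServer PowerShell module (for Invoke-Sqlcmd) are all assumptions. The db_owner step runs as whoever launches the script, so that user needs rights to create logins on the instance.

```powershell
#Requires -RunAsAdministrator
# Added example (not Delinea's own script). All names below are assumptions for a lab.
$Account   = 'CORP\svc-secretserver'            # assumed service account
$AppDir    = 'C:\inetpub\wwwroot\SecretServer'  # assumed application directory
$TempDir   = 'C:\Windows\Temp'
$SqlServer = 'SQL01'                            # assumed SQL instance
$Database  = 'SecretServer'                     # assumed database name
$AppPool   = 'SecretServer'                     # assumed IIS application pool name
$cred      = Get-Credential -UserName $Account -Message 'Service account password'

# 1. "Log on as a batch job" (SeBatchLogonRight). There is no built-in cmdlet for
#    user rights assignment, so export local policy with secedit, add the SID, re-import.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
$entry = $lines | Where-Object { $_ -like 'SeBatchLogonRight*' }
if ($entry) {
    # Append our SID to the existing right, keeping everyone already listed.
    if ($entry -notlike "*$sid*") { $lines = $lines -replace '^(SeBatchLogonRight\s*=.*)$', "`$1,*$sid" }
} else {
    # Right not yet assigned to anyone: add it under the [Privilege Rights] section.
    $lines = $lines -replace '^(\[Privilege Rights\])$', "`$1`r`nSeBatchLogonRight = *$sid"
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $db -ErrorAction SilentlyContinue

# 2. NTFS Modify on the application directory and the Windows temp directory,
#    inherited by subfolders and files. Nothing broader (no Full Control).
foreach ($dir in $AppDir, $TempDir) {
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# 3. Windows login on the instance and db_owner on the Secret Server database only.
#    Requires the SqlServer module (Invoke-Sqlcmd); run as someone who can create logins.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_owner ADD MEMBER [$Account];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Query $tsql

# Finally, run the application pool as this account so the grants above are the
# ones the web application actually uses.
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = $cred.GetNetworkCredential().Password
}
```

After the script runs, Secret Server's database access is bounded to one database and its file system write access to two directories; if the trial later needs more (for example a distributed engine or a different application directory), extend these grants rather than adding the account to an administrators group.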

If you would like to test features that rely on Active Directory, such as AD group sync or discovery, you should also have accounts available with the appropriate permissions (described below). One option is to use the same account for both features.

Active Directory Group Sync

Active Directory group synchronization lets Secret Server automatically create users and enable or disable their ability to log into Secret Server based on their Active Directory group membership. You choose which groups to sync. When configuring AD group sync in Secret Server, you must specify an account that can read the properties of users and groups. See Active Directory Rights for Synchronization Account for a detailed list of required permissions.

Discovery

To test discovery, have some machines available for Secret Server to connect to when discovering accounts. Discovery needs an account that can both read from AD and scan the machines it finds for Windows local accounts and for service accounts (accounts that run services or scheduled tasks). Account Permissions for Discovery describes the permissions required for an AD account used for discovery.
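A pre-flight check that the account you intend to use for AD group sync and discovery can actually read the things Secret Server will ask for, so that permission problems surface before the trial rather than as a failed sync or an empty scan. This is an added example, not part of the Secret Server documentation, and it checks the account's rights rather than reproducing the product's own scan protocol (it uses PowerShell remoting over WinRM, which must be enabled on the test machines). Assumptions: the ActiveDirectory RSAT module is installed on the host you run this from, the account is CORP\svc-ssdiscovery, the group to sync is "SecretServer Users", and the discovery test machines are WEB01 and APP01.

```powershell
# Added example (not Delinea's code). Account, group and machine names are assumptions.
Import-Module ActiveDirectory
$cred     = Get-Credential -UserName 'CORP\svc-ssdiscovery' -Message 'AD sync / discovery account'
$group    = 'SecretServer Users'
$machines = 'WEB01', 'APP01'

# AD group sync: the account must be able to expand the group and read user properties.
$members = Get-ADGroupMember -Identity $group -Recursive -Credential $cred |
           Where-Object objectClass -eq 'user' |
           ForEach-Object { Get-ADUser -Identity $_ -Properties Enabled, mail, memberOf -Credential $cred }
$enabled = @($members | Where-Object Enabled).Count
"Group '$group': $(@($members).Count) users readable as $($cred.UserName), $enabled enabled"

# Discovery: the account must enumerate local accounts and see which account runs each
# service on every target. Run those queries on the target, as the discovery account.
foreach ($m in $machines) {
    try {
        $r = Invoke-Command -ComputerName $m -Credential $cred -ErrorAction Stop -ScriptBlock {
            [pscustomobject]@{
                # Win32_UserAccount works on Windows Server 2012 too, where Get-LocalUser does not exist.
                LocalAccounts   = (Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE').Name
                # Services running as a named account (not LocalSystem / built-in service identities).
                ServiceAccounts = Get-CimInstance Win32_Service |
                                  Where-Object { $_.StartName -and
                                                 $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY|NT SERVICE)' } |
                                  Select-Object Name, StartName
            }
        }
        "$m : $(@($r.LocalAccounts).Count) local accounts readable; services running as named accounts:"
        $r.ServiceAccounts | Format-Table -AutoSize | Out-String | Write-Host
    } catch {
        # Access denied here means the discovery account lacks rights on that host;
        # a connection error means a firewall or WinRM problem instead.
        Write-Warning "$m : cannot scan as $($cred.UserName) - $($_.Exception.Message)"
    }
}
```

The service list it prints is also the starting point for the "Test Accounts" item: any account that appears in StartName is a candidate for the trial's service account rotation tests.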

Test Accounts

We recommend having a few test accounts available to represent the types of accounts you want to manage using Secret Server. These could be local Windows accounts, service accounts running scheduled tasks or services, SQL server accounts, and others.

Email Notifications

To test email notifications, which are used for event subscription notifications and for requests to approve access to passwords, you need the connection settings for the company SMTP server: host name, port, whether it requires TLS, and the credentials to use if it requires authentication.

In summary, have the following ready before starting the trial:

  • Service account to run the application and connect to SQL
  • Domain (test or production)
  • Domain account to be used for AD sync and discovery
  • Test machines (if testing discovery)
  • Test accounts
  • SMTP server settings

SSL Certificate

We recommend requiring HTTPS for all access to Secret Server, so that logins and retrieved secrets never travel in the clear. To do so, you need an SSL/TLS certificate whose subject or subject alternative name matches the host name users will enter. You may use an existing wildcard certificate, issue a certificate from your own internal CA, or purchase one from a public CA for Secret Server.
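Binding the certificate to the Secret Server site in IIS and removing the plain HTTP binding, as an added example that is not part of the Secret Server documentation. Assumptions: the site is "Default Web Site", the host name is secretserver.corp.example, and you run this elevated on the Secret Server host. For a trial with no CA at hand the script creates a self-signed certificate; for anything beyond a sandbox, comment that line out and select an existing CA-issued certificate from the machine store instead, as shown.

```powershell
#Requires -RunAsAdministrator
# Added example (not Delinea's code). Site and host name are assumptions.
Import-Module WebAdministration
$Site     = 'Default Web Site'
$HostName = 'secretserver.corp.example'

# Trial only: self-signed certificate covering the host name. For a CA-issued
# certificate already in the store, use the Get-ChildItem line instead.
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<thumbprint>'

# The checks a browser will make: name matches, and it is not about to expire.
if ($cert.DnsNameList.Unicode -notcontains $HostName) { throw "Certificate does not cover $HostName" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30))        { Write-Warning "Certificate expires $($cert.NotAfter)" }

# HTTPS binding with SNI (SslFlags 1), then attach the certificate to it.
if (-not (Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}
$binding = Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Remove the plain HTTP binding so there is no unencrypted path to the login page.
Remove-WebBinding -Name $Site -Protocol http -Port 80 -ErrorAction SilentlyContinue

Get-WebBinding -Name $Site | Format-Table protocol, bindingInformation -AutoSize
```

A self-signed certificate will still produce a browser warning for every user because no client trusts the issuer; that is acceptable for a single-tester sandbox but not for a POC that other teams log into, where an internal-CA or public certificate avoids training users to click through warnings.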

Firewalls and Ports

Secret Server must connect directly to a target system to change its password. For target systems that are firewalled off from Secret Server, a remote agent placed on the far side of the firewall can provide the connection, but the agent itself then needs network connectivity to those target systems for password changing.

Please see Ports and IP Addresses Used by Secret Server for a list of ports needed by Secret Server for password changing, discovery, and other features.
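A connectivity check to run from the Secret Server host (and again from any remote agent host) before the trial, so that a silently dropping firewall is found now rather than as a failed password change or an empty discovery scan. This is an added example, not from the Secret Server documentation; the host names and ports in the table are assumptions for common services (SQL Server, LDAP, SMTP, Windows RPC/SMB), not the product's port list. Replace them with the entries from Ports and IP Addresses Used by Secret Server and your own host names. Test-NetConnection is available on Windows Server 2012 R2 and later.

```powershell
# Added example (not Delinea's code). Hosts and ports below are assumptions for a lab;
# take the authoritative list from "Ports and IP Addresses Used by Secret Server".
$checks = @(
    @{ Role = 'SQL Server';                Host = 'SQL01';             Port = 1433 },
    @{ Role = 'AD LDAP (group sync)';      Host = 'DC01';              Port = 389  },
    @{ Role = 'AD LDAPS (group sync)';     Host = 'DC01';              Port = 636  },
    @{ Role = 'SMTP (notifications)';      Host = 'smtp.corp.example'; Port = 25   },
    @{ Role = 'Discovery target - RPC';    Host = 'WEB01';             Port = 135  },
    @{ Role = 'Discovery target - SMB';    Host = 'WEB01';             Port = 445  }
)

$results = foreach ($c in $checks) {
    # TcpTestSucceeded is false both for a refused connection and for a firewall
    # that drops the SYN; the latter shows up as a long timeout before the result.
    $t = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role     = $c.Role
        Endpoint = "$($c.Host):$($c.Port)"
        Resolved = [bool]$t.RemoteAddress      # false means DNS, not the firewall, is the problem
        Open     = $t.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("Not reachable: " + ($blocked.Endpoint -join ', ') +
        ". Open these through the firewall, or place a remote agent on the far side, " +
        "before testing password changing, discovery or notifications.")
}
```

Run it once per network segment that holds target systems: a port that is open from the Secret Server host says nothing about whether a remote agent in another segment can reach the same targets.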