Manual IIS Installation

This topic only applies to Secret Server On-Premises.

See Advanced (Manual) Installation for more information.

IIS is an internal part of the Windows operating system, and only needs to be enabled. If IIS is not found, the Delinea Installer will install it for you. If you would prefer to install IIS manually, please refer to the instructions listed below for example steps in the Windows Server 2016 Operating System. For the most up-to-date setup instructions, see Microsoft's Technical Documentation. Navigate to Docs > Internet Information Services > Install.

Roles and Features

Delinea products recommend the following roles and features to be installed on the Secret Server IIS Server for maximum security and functionality options:

Roles

  • Web Server (IIS)

  • Web Server (IIS)\Web Server

  • Web Server (IIS)\Web Server\Common HTTP Features

    • Default Document

    • Directory Browsing

    • HTTP Errors

    • Static Content

    • HTTP Redirection

  • Web Server (IIS)\Web Server\Health and Diagnostics

    • HTTP Logging

  • Web Server (IIS)\Web Server\Performance

    • Static Content Compression

    • Dynamic Content Compression

  • Web Server (IIS)\Web Server\Security

    • Request Filtering

    • Windows Authentication

  • Web Server (IIS)\Web Server\Application Development

    • .NET Extensibility 4.6

    • Application initialization

    • ASP.NET 4.6

    • ISAPI Extensions

    • ISAPI Filters

  • Web Server (IIS)\Web Server\Management Tools

    • IIS Management Console
    • IIS Management Scripts and Tools

Features

  • .NET Framework 4.x Features

    • .Net Framework 4.x

    • ASP.NET 4.x

    • WCF Services:

      • HTTP Activation

      • TCP Activation

      • TCP Port Sharing

  • Windows PowerShell

    • Windows PowerShell 5.1
  • Windows Process Activation Service
    • Process Model
    • Configuring APIs

Step One: Windows Server 2012–2019 IIS Installation

To install Internet Information Services (IIS) Manager on Windows Server 2016, you will need to give your server the Web Server (IIS) role using the following procedure:

If this is not the first time you have run the wizard (that is, when first installing IIS), the Web Server Role (IIS) and Role Services windows will not appear, and the wizard order changes a bit. Instead, role services are selectable in the Server Roles window.

  1. Click the Server Manager button on your server. The Server Manager Dashboard appears.

  2. Click the Add Roles and Features button. The Add Roles and Features Wizard on the Before You Begin window appears.

  3. Click the Next button. The Select Installation Type window appears.

  4. Click to select Role-based or feature-based installation selection button.

  5. Click the Next button. The Select Destination Server window appears.

  6. Ensure the Select a Server from the Server Pool selection button is selected.

  7. In the Server Pool section, click to select your server.

  8. Click the Next button. The Select Server Roles window appears.

  9. Click to select the Web Server (IIS) check box.

  10. Click the Next button. The Select Features window appears.

  11. In the Features list, Click to select the following checkboxes (If necessary, click the Add Features button when prompted):

    • .NET Framework 4.x Features > WCF Services > HTTP Activation

    • .NET Framework 4.x Features > WCF Services > TCP Activation

  12. Click the Next button. The Web Server Role (IIS) window appears.

  13. Click the Next button. The Select Role Services Window appears.

  14. In the Roles list, click to select the following check boxes:

    Leave all the auto-selected check boxes as is.

    • Web Server (IIS) > Web Server > Common HTTP Features > HTTP Redirection

    • Web Server (IIS) > Web Server > Performance > Dynamic Content Compression

    • Web Server (IIS) > Web Server > Security > Windows Authentication

  15. Click the Next button. The Confirmation window appears

  16. Confirm your installation details.

  17. Click the Install button. Wait for the installation to complete. The Results window appears.

  18. Click the Close button. An IIS tile should now appear on your server.

We recommend you run Windows Update to install the latest security patches for IIS once you have IIS installed.

Step Two: Configure the IIS Website

Follow these steps to configure a website in IIS for Secret Server:

  1. Extract the Secret Server files into C:\inetpub\wwwroot\SecretServeror your location of choice. If you renameSecretServer, do not use more than 20 characters.

  2. Open Internet Information Server (IIS) Manager: On the taskbar, click Server Manager > Tools > Internet Information Services (IIS) Manager.

  3. In the Connections pane, expand the server name.

  4. Click on the Application Pools node. The Application Pools window appears.

  5. Click the Add Application Pool link. The Add Application Pool dialog box appears.

  6. Type SecretServer in the Name text box.

  7. Click to select 4.x in the .NET Framework Version dropdown list.

  8. Click to select Integrated in the Managed Pipeline Mode dropdown list.

  9. Click the OK button to save the new application pool. The dialog box closes.

  10. (optional) Customize the Windows account Secret Server runs as:

    1. Right click the new application pool and select Advance Settings…

    2. Click the Identity setting in the Process Model section to select the desired account. Using this, you can, for example, set Secret Server to use IWA to connect to SQL.

  11. Expand the Sites node on the Connections tree.

  12. Click on the Default Web Site node.

  13. In the Actions pane, click Bindings to set your desired website. The Edit Bindings dialog box appears.

  14. Edit or add bindings as desired. We recommend using HTTPS with a real SSL certificate.

  15. Click the Close button.

  16. In the Connections tree, expand the Default Website node.

  17. Either, If you see the default folder, SecretServer, which you created earlier:

    1. Right click the SecretServer folder and select Convert to Application. The Add Application dialog box appears.

    2. Click the Select… button to choose the pool you created earlier for Secret Server.

    Or, If you used a custom location instead:

    1. right click the Default Website. The Add Application dialog box appears.

    2. Type SecretServer in the Alias text box.

    3. Click Select… and pick the app pool created for Secret Server.

    4. Type the path where you extracted the Secret Server files in the Physical Path text box.

  18. Click the OK button.

Step Three: Ensure IIS Does Not Stop the Worker Process

When using IIS version 7.0 and above, by default, the worker process terminates after an inactive period. If Secret Server is in its own application pool, that application pool will stop after a period of no requests. To ensure this does not happen, perform the following procedure. Additionally, by default, IIS launches a worker process when the first request for the Web application is received, so if the Secret Server application takes a long time to start, issues can result. Thus, we recommend launching the Secret Server application pool worker process as soon as IIS starts by setting the start mode to "AlwaysRunning."

Procedure:

  1. Open Internet Information Server (IIS) Manager:

    • If you are using Windows Server 2012 or Windows Server 2012 R2: On the taskbar, click Server Manager > Tools > Internet Information Services (IIS) Manager.

    • If you are using Windows Server 2008 or Windows Server 2008 R2: On the taskbar, click Start > Administrative Tools > Internet Information Services (IIS) Manager.

  2. In the Connections pane, expand the server name.

  3. Click Application Pools.

  4. Determine which application pool Secret Server is running as:

    1. Expand Sites at the left.

    2. Find the website Secret Server is running on.

    3. Click on the Secret Server website or virtual directory (if it is running on one).

    4. Click Basic Settings on the right panel. This indicates Secret Server's application pool.

  5. Right-click the application pool and select Advanced Settings… The Advance Settings dialog appears.

  6. In the General section, set Start Mode to AlwaysRunning.

  7. In the Process Model section, set Idle Time-out (minutes) to 0.

  8. In the Recycling section, set Regular Time Interval (minutes) to 0.

  9. In the Recycling section, click the > next to Specific Times to ensure there are no times set. If there are, click the to clear them.

  10. Leave IIS Manager open—we will return to it below.

Step Four: Ensure the User Profile Always Loads

As of version 10.2, Secret Server requires its application pool "Load User Profile" setting enabled. Otherwise, Secret Server reports a critical alert to system admins.

Even without the setting enabled, Secret Server loads to give access to secrets but many internal operations may malfunction, so we recommend resolving this issue as soon as possible.

Procedure:

  1. Right-click the Secret Server application pool in IIS Manager and select Advanced Settings… The Advance Settings dialog appears.

  2. Go to the Process Model section in the Advanced Settings dialog.

  3. Set Load User Profile to True.

  4. Preform an iisreset on the server (in an administrator command prompt).