Install the Web Application

In BeyondTrust Privileged Identity, the web application is the primary method for accessing stored credentials, whether managed or static, as well as auditing access to those credentials. The web app also manages features such as the file store, the personal password store, and privilege escalation. In this section, we'll cover installation of the web app from the management console.

For information on the web app host requirements, please see Web Application Host Requirements.

Management Console - Manage Web App

  1. In the management console, click Manage Web App in the left action pane.

 

Manage Web App Instances

  1. On the Manage Web Application Instances dialog, click Install in the lower left corner.

 

Install Web Application

  1. On the Install Web Application dialog, select the target installation system.
    1. Local system is the computer you're currently working on.
    2. If you choose Remote System, enter the remote system's fully qualified domain name.
    3. Click Check System Compatibility. This checks that IIS and the file system are accessible on the target system, and that remote registry and Remote COM access are possible. Resolve any access errors before continuing.
    4. You will receive prompt to specify connection credentials. To use the currently logged in user account, click No. To specify a different account, click Yes, then enter the access credentials and click OK.
  2. If the system compatibility check completes successfully, the Web Interface Files section is filled in automatically. If you need to change any of this information, here are the details:
    1. Install to target website - All root web sites on the target server are listed here. Choose the root web site to host the web application.
    2. Web files destination path - This is where the web application files will be copied. The path is resolved from IIS on the target server, which defaults to %inetpub%\wwwroot.
  3. If the URL to access the web application is different from the server name or virtual directory name, check Explicit Site Address and enter the appropriate URL. This URL might be different when using a load balancer or if the server name will be aliased in DNS.
  1. Click Install.
  2. You may receive a COM Account Confirmation warning. This appears if the COM account specified on the installation dialog is different from the currently logged in user. The warning asks you to be sure that the account specified has data store access. If it does not, the web app will fail to function until the access issue is resolved.

    If you are sure about the account information, click Yes to continue. Alternatively, click No to change to a different account.

Web Application Installed

  1. When the web application install is complete, a success prompt appears. Click OK.

 

Launch Browser to Web Application Instance

  1. You will be prompted to launch the web application. Click No at this time.
  2. Click Close. In the management console, the Manage Web Application Instances dialog will now be populated with a list of all known web applications.

Supported Browsers

The web app has been tested with:

  • Internet Explorer 11
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox
  • Apple Safari
  • Konqueror
  • Opera

Following are known caveats when working with these browsers.

  • On Windows Servers with Internet Explorer Enhanced Security Mode enabled, the web app will not work unless its URL is added as a trusted site.
    1. In Internet Explorer, select Tools > Internet Options > Security.
    2. Select the Trusted sites icon.
    3. Click Sites.
    4. Add your web app URL to the list (e.g., https://server.example.int).
    5. After closing the options, refresh your browser. The web app should now appear.
  • CORS support is available only on Internet Explorer 10 or later. To enable CORS, you may need to set this option:
    1. In Internet Explorer, select Tools > Internet Options > Security.
    2. Select the appropriate internet zone.
    3. Click Custom Level.
    4. Under Miscellaneous, enable Access data sources across domains.
  • This browser does not support the ActiveX control needed to launch RDP sessions.
  • This browser does not support the ClickOnce extenson needed to support application launching.
  • The IE Tab extension is required to support the ActiveX control needed to launch RDP sessions. This is currently supported only by Chrome for Windows.
  • Only Chrome for Windows supports the ClickOnce extension needed to support application launching.
  • SSL certificates that do not include a properly formatted subject alternative name are shown as insecure sites. This causes the user extra prompts and will likely break access to the web service, required for web app functionality.
  • For Chrome to support Integrated Windows Authentication in scenarios where cross-origin requests (CORS) must be used, you must launch Chrome with the following flags:

    --disable-web-security --user-data-dir=SOMEDIRECTORY

    Chrome will display a security warning. You can ignore this warning.

  • This browser does not support the ActiveX control needed to launch RDP sessions.
  • Only Firefox for Windows supports the ClickOnce extension needed to support application launching.
  • For Firefox to allow Integrated Windows Authentication, the operating system must be joined to a trusted domain, and the following configuration must be made to the browser's profile:
    • For Kerberos authentication: network.negotiate-auth.trusted-uris
    • If Kerberos ticket passing is required: network.negotiate-auth.delegation-uris
    • If NTLM authentication is allowed: network.automatic-ntlm-auth.trusted-uris

    For the Kerberos exchange, define the domain name. If your domain name were example.int, you would enter .example.int (notice the leading dot).

  • When the web app and web service are on separate machines and work with cross-origin requests (CORS), Firefox may not function properly when using Integrated Windows Authentication.
  • This browser does not support the ActiveX control needed to launch RDP sessions.
  • This browser does not support the ClickOnce extenson needed to support application launching.
  • CORS support is available only on Safari 9 or later.