Install the Web Application

In BeyondTrust Privileged Identity, the web application is the primary method for accessing stored credentials, whether managed or static, as well as auditing access to those credentials. The web app also manages features such as the file store, the personal password store, and privilege escalation. In this section, we'll cover installation of the web app from the management console.

For information on the web app host requirements, please see Web Application Host Requirements.

Management Console - Manage Web App

  1. In the management console, click Manage Web App in the left action pane.

Manage Web App Instances

  1. On the Manage Web Application Instances dialog, click Install in the lower left corner.

Install Web Application

  1. On the Install Web Application dialog, select the target installation system.
    1. Local system is the computer you're currently working on.
    2. If you choose Remote System, enter the remote system's fully qualified domain name.
    3. Click Check System Compatibility. This checks that IIS and the file system are accessible on the target system, and that remote registry and Remote COM access are possible. Resolve any access errors before continuing.
  2. If the system compatibility check completes successfully, the Web Interface Files section is filled in automatically. If you need to change any of this information, here are the details:
    1. Install to target website - All root web sites on the target server are listed here. Choose the root web site to host the web application.
    2. Install to root of website - This replaces the existing web site configuration at the target web site. The URL of the web application will point to the name of the server, making it easier for end users to remember and type.

      If the web server is a shared server, you could unintentionally overwrite another web site.

    3. Install to a virtual directory - This is the safest option, as you won't unintentionally overwrite any other sites if the target is a shared server.

      The default virtual directory name is PWCWeb. You can change this to any name permitted by IIS. This name will be appended to the server name. If left at the default, the URL would be https://servername/pwcweb.

      If Update target path if directory already exists is unchecked and a directory with that name is already present, the existing directory is replaced with the new one. If the option is checked, the new directory is renamed so that the old one is not overwritten.

    4. Web files destination path - This is where the web application files will be copied on the target server. The path is resolved from IIS on the target server, which defaults to %inetpub%\wwwroot. When installing to a virtual directory, the path is appended with the name of the virtual directory.
  3. The Web Application COM Components section defines information for the COM application that is responsible for data access from the web application to the Privileged Identity data store.
    1. COM files destination file path - Defaults to C:\Windows\System32 and installs to \\serverName\admin$\syswow64 (C:\Windows\SysWOW64). Typically, you won't need to change this setting.
    2. COM+ application name - Defaults to PWCWebComApp. You can change this to any name you want. This name is never visible to end users and is only for identification when using the Windows Components snap-in.
    3. Use existing COM+ application/config if possible - If upgrading from an existing installation, this attempts to leave the existing COM application configuration intact and replace only the required COM component files.
    4. COM+ application account - This is the identity that actually runs the COM application. When using Integrated Windows Authentication, this is the account responsible for data access from the database server on the web application's behalf. Enter the username as DomainName\UserName.

      For more information about this account, please see Service Account Requirements.

    5. COM+ application password - Enter the password for the COM application account.
    6. Test COM+ Credentials - You can attempt to validate the COM+ application credentials you provided.
  4. If an SSL certificate is set up for the web server, check Web server uses SSL.
  5. Choose which port the application should use. The default is 80 or 443.
  6. If the URL to access the web application is different from the server name or virtual directory name, check Explicit Site Address and enter the appropriate URL. This URL might be different when using a load balancer or if the server name will be aliased in DNS.

Web App Settings - App Options

  1. Click Web App Settings to configure additional web application options. These options affect security, sessions, and other integrations.
    1. On the App Options tab, find Web service URI for REST web service endpoint at the lower right of the dialog.

      At this point, you have not yet installed the web service. However, if you install the web service on the same machine using the default settings, the URI will be virtually the same as the URL you just set.

      For example, let's say your server uses SSL on port 443 and your SSL certificate uses the fully qualified domain name of the server (server.example.int). The web service adds onto that (/erpmwebservice/authservice.svc/REST), making the URI https://server.example.int/erpmwebservice/authservice.svc/REST.

      If you were behind a load balancer and the name of the load balanced cluster was securestore.example.com, the web service URI would be https://securestore.example.com/erpmwebservice/authservice.svc/REST.

      Because the web service is not yet installed, clicking Test Connection at this time will result in an error.

      If you need to update this information later, in the management console, click Manage Web App in the left action pane. Select the web application instance, and then click Edit.

    2. Click OK.
  2. Click Install.
  3. You may receive a COM Account Confirmation warning. This appears if the COM account specified on the installation dialog is different from the currently logged-in user. The warning asks you to be sure that the account specified has data store access. If it does not, the web app will fail to function until the access issue is resolved.

    If you are sure about the account information, click Yes to continue. Alternatively, click No to change to a different account.

Web Application Installed

  1. When the web application install is complete, a success prompt appears. Click OK.

Launch Browser to Web Application Instance

  1. You will be prompted to launch the web application. Click Yes to open your default browser to the URL specified above.
  2. You will be logged into the web app as [WebApplicationManager]. This is a built-in account with a randomly generated password.

A red error message may appear, saying, Error while attempting to get data from /Config/WebSessionSettings. Once you have installed the web service, this error should be resolved.

  1. In the management console, the Manage Web Application Instances dialog will now be populated with a list of all known web applications.
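As an added example (not BeyondTrust's own code), the following PowerShell script checks the state the installer should leave behind on the IIS host: the virtual directory, the HTTPS binding, the COM+ application identity, and the web app and REST web service URLs. It assumes the installer defaults (PWCWeb, PWCWebComApp, Default Web Site) and a hypothetical host name server.example.int.

```powershell
# Added example, not BeyondTrust's own code: post-install checks for the
# Privileged Identity web application, run in an elevated PowerShell session
# on the IIS host. Assumed values: the installer defaults (PWCWeb, PWCWebComApp,
# Default Web Site) and the hypothetical host name server.example.int.
param(
    [string]$SiteName   = 'Default Web Site',
    [string]$VirtualDir = 'PWCWeb',
    [string]$ComAppName = 'PWCWebComApp',
    [string]$HostName   = 'server.example.int'
)

Import-Module WebAdministration

# 1. The virtual directory exists under the chosen root web site.
$app = Get-WebApplication -Site $SiteName -Name $VirtualDir -ErrorAction SilentlyContinue
if ($app) { "IIS application /$VirtualDir -> $($app.PhysicalPath)" }
else      { Write-Warning "IIS application /$VirtualDir not found under '$SiteName'" }

# 2. An HTTPS binding is present (needed when 'Web server uses SSL' was checked).
$https = Get-WebBinding -Name $SiteName -Protocol https
if ($https) { "HTTPS binding(s): $(@($https.bindingInformation) -join ', ')" }
else        { Write-Warning "No HTTPS binding on '$SiteName'" }

# 3. The COM+ application exists and its identity is the intended service account
#    (not 'Interactive User' or a built-in account), read from the COM+ catalog.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()
$comApp = @($apps) | Where-Object { $_.Name -eq $ComAppName }
if ($comApp) { "COM+ application $ComAppName identity: $($comApp.Value('Identity'))" }
else         { Write-Warning "COM+ application $ComAppName not found" }

# 4. The web app answers over HTTPS, and the REST web service URI entered on the
#    App Options tab resolves (it fails until the web service is installed).
$targets = @("https://$HostName/$VirtualDir/",
             "https://$HostName/erpmwebservice/authservice.svc/REST")
foreach ($uri in $targets) {
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -UseDefaultCredentials -TimeoutSec 10
        "$uri -> HTTP $($r.StatusCode)"
    } catch {
        Write-Warning "$uri -> $($_.Exception.Message)"
    }
}
```

If the install went to the root of the web site rather than a virtual directory, pass an empty -VirtualDir and read the root site's physical path from Get-Website instead.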

Supported Browsers

The web app has been tested with:

  • Internet Explorer 9-11
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox
  • Apple Safari
  • Konqueror
  • Opera

Following are known caveats when working with these browsers.

Internet Explorer

  • On Windows Servers with Internet Explorer Enhanced Security Mode enabled, the web app will not work unless its URL is added as a trusted site.
    1. In Internet Explorer, select Tools > Internet Options > Security.
    2. Select the Trusted sites icon.
    3. Click Sites.
    4. Add your web app URL to the list (e.g., https://server.example.int).
    5. After closing the options, refresh your browser. The web app should now appear.
  • CORS support is available only on Internet Explorer 10 or later. To enable CORS, you may need to set this option:
    1. In Internet Explorer, select Tools > Internet Options > Security.
    2. Select the appropriate internet zone.
    3. Click Custom Level.
    4. Under Miscellaneous, enable Access data sources across domains.

Microsoft Edge

  • This browser does not support the ActiveX control needed to launch RDP sessions.
  • This browser does not support the ClickOnce extension needed to support application launching.

Google Chrome

  • The IE Tab extension is required to support the ActiveX control needed to launch RDP sessions. This is currently supported only by Chrome for Windows.
  • Only Chrome for Windows supports the ClickOnce extension needed to support application launching.
  • SSL certificates that do not include a properly formatted subject alternative name are shown as insecure sites. This causes extra prompts for the user and will likely break access to the web service, which the web app requires.
  • For Chrome to support Integrated Windows Authentication in scenarios where cross-origin requests (CORS) must be used, you must launch Chrome with the following flags:

    --disable-web-security --user-data-dir=SOMEDIRECTORY

    Chrome will display a security warning. You can ignore this warning.

Mozilla Firefox

  • This browser does not support the ActiveX control needed to launch RDP sessions.
  • Only Firefox for Windows supports the ClickOnce extension needed to support application launching.
  • For Firefox to allow Integrated Windows Authentication, the operating system must be joined to a trusted domain, and the following configuration must be made to the browser's profile:
    • For Kerberos authentication: network.negotiate-auth.trusted-uris
    • If Kerberos ticket passing is required: network.negotiate-auth.delegation-uris
    • If NTLM authentication is allowed: network.automatic-ntlm-auth.trusted-uris

    For the Kerberos exchange, define the domain name. If your domain name were example.int, you would enter .example.int (notice the leading dot).

  • When the web app and web service are on separate machines and work with cross-origin requests (CORS), Firefox may not function properly when using Integrated Windows Authentication.

Apple Safari

  • This browser does not support the ActiveX control needed to launch RDP sessions.
  • This browser does not support the ClickOnce extension needed to support application launching.
  • CORS support is available only on Safari 9 or later.