Install the Web Service

You will now install the web service, which is required by the web app, PowerShell, and session recording.

For web service host requirements, please see Web Service Host Requirements. For web service account requirements, please see Service Account Requirements.

You must install the web service locally to its host; it cannot be pushed to a target system from the management console.

To install the web service on the same machine as the management console, click Manage Web App from the left action pane, and then click Install Web Service at the bottom of the Manage Web Application Instances dialog.

To install the web service on a separate host, copy and use the manual installer. This is found in the installation directory, typically C:\Program Files (x86)\Lieberman\Roulette\SupplementalInstallers\ERPMWebService.exe.

  1. On the web service host system, launch the web service installer.

Welcome to the Installation Wizard for BeyondTrust PI Web Service

  1. On the welcome page, click Next.


Web Service Installer - COM+ Object Identity

  1. On COM+ object identity, choose an identity and then click Next:
    1. Network Service - Choose this when using native-authentication mode to connect to the database.
    2. Interactive User - (Not recommended) Choose this when you want the user calling the web service to pass their authentication token to the database. This works when using Integrated Windows Authentication but requires considerably more security configurations in the program data store.
    3. Specific User - (Recommended, default) Choose this when using Integrated Windows Authentication to the database or when you want to minimize rights granted to the COM application. This is the most compatible option. Supply the username as DomainName\Username.


Web Service Installer - Web Installation Type

  1. On Web Installation Type, select the location in IIS to install the web service, and then click Next:
    1. Virtual Directory - (Recommended, default) This installs the web service to a virtual directory named ERPMWebService, located under the parent web site you'll select next. This is the safest option to choose for both security and configuration reasons.
    2. Site - Use this option to install the web service to the root web site.

If you choose Site and if there are multiple root web sites configured on the host, you will be required to choose a root site.


Web Service Installer - Parent Site

  1. If you chose Virtual Directory on Web Installation Type, select a web site on Parent Site, and then click Next.


Web Service Installer - Web Site Configuration

  1. If you chose Site on Web Installation Type, configure site options on Web Site Configuration.




Web Service Installer - Authentication Type

  1. On Authentication Type, choose how to connect to the web service, and then click Next:
    1. Anonymous Auth with SSL - Use this when SSL is configured but Integrated Windows Authentication will not be used.
    2. Anonymous Auth without SSL - (Not recommended) Use this when neither SSL nor Integrated Windows Authentication will be used. Some features will not work with this configuration.
    3. Integrated Auth with SSL - Use this when SSL and Integrated Windows Authentication will be used.
    4. Integrated Auth without SSL - Use this when Integrated Windows Authentication will be used but SSL is NOT configured. Some features will not work with this configuration.
    5. SSL with User Certificates - Use this when users must supply a user-based certificate (smart card, biometrics, etc.) to authenticate to the web site and web service. This will cause more overhead in the overall configuration and may cause problems with some features.

    Only methods available to the target parent web site are displayed.

Web Service Installer - Destination Folder

  1. On Destination Folder, choose where to install the web service, and then click Next. The default location is C:\inetpub\wwwroot\ERPMWebService, which automatically grants all permissions required for proper hosting. If you change the location, a web administrator may have to make further configurations.


Web Service Installer - Ready to Install the Program

  1. Click Install.


Web Service Installer - Installation Wizard Completed

  1. Click Finish when the installer completes its process. The web service web page and tester will now open.


Web Service Tester

  1. On the Web Service Tester, make note of the Web Service REST URI; this is required for web app configuration.
  2. If the web service and web app are installed on the same host, the web service requires no further configuration.


Manage Web App Instances

  1. On the Manage Web Application Instances dialog, select the web app, then click Edit.
  2. When prompted to confirm settings overwrite, click Yes.

Web App Settings - App Options

  1. On the App Options tab, find Web service URI for REST web service endpoint at the lower right of the dialog. Paste in the web service REST URI.


If you have installed the web service on the same machine as the web app using the default settings, the web service REST URI is virtually the same as the web app URL.

For example, let's say your server uses SSL on port 443 and your SSL certificate uses the fully qualified domain name of the server ( The web service adds onto that (/erpmwebservice/authservice.svc/REST), making the URI

If you were behind a load balancer and the name of the load balanced cluster was, the web service URI would be

  1. Click Test Connection to verify the settings.
  2. Click OK. When prompted that the settings have updated, click OK again.



If you installed to a virtual directory, the install process creates a virtual directory called ERPMWebService. This directory inherits the authentication settings, SSL settings, and other settings from the parent web site. If the parent site is configured to use anonymous authentication and the web service installer is configured to use Integrated Windows Authentication, the virtual directory is created with faulty settings. To correct this, you must open IIS and reconfigure the authentication settings after install.
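The inherited-settings problem described above can be checked from an elevated PowerShell prompt on the web service host. This is an added example, not part of the product documentation: it compares the effective authentication and SSL settings of the ERPMWebService virtual directory with its parent site and with the intended "Integrated Auth with SSL" choice. The parent site name Default Web Site, the $Apply switch, and the helper names are assumptions; the cmdlets come from the IIS WebAdministration module.

```powershell
Import-Module WebAdministration

$Site  = 'Default Web Site'   # assumption: the parent site chosen on the Parent Site page
$VDir  = 'ERPMWebService'     # virtual directory name created by the installer
$Apply = $false               # assumption: set to $true to write the intended values
$Sec   = '/system.webServer/security'

# Intended state when "Integrated Auth with SSL" was selected in the installer.
$Intended = @(
    @{ Filter = "$Sec/authentication/anonymousAuthentication"; Name = 'enabled';  Want = $false },
    @{ Filter = "$Sec/authentication/windowsAuthentication";   Name = 'enabled';  Want = $true  },
    @{ Filter = "$Sec/access";                                 Name = 'sslFlags'; Want = 'Ssl'  }
)

function Get-IisAttr {
    param([string]$Path, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Path" -Filter $Filter -Name $Name
    # Boolean attributes come back wrapped in an object with .Value; flag attributes as a string.
    if ($null -ne $v.Value) { $v.Value } else { $v }
}

function Test-Drift($Effective, $Wanted) {
    if ($Wanted -is [bool]) { return [bool]$Effective -ne $Wanted }
    # sslFlags is a comma-separated flag list; the wanted flag must be one of them.
    return ($Effective -split '\s*,\s*') -notcontains $Wanted
}

$report = foreach ($s in $Intended) {
    $eff = Get-IisAttr -Path "$Site\$VDir" -Filter $s.Filter -Name $s.Name
    [pscustomobject]@{
        Section   = ($s.Filter -split '/')[-1]
        Attribute = $s.Name
        Parent    = Get-IisAttr -Path $Site -Filter $s.Filter -Name $s.Name
        Effective = $eff
        Intended  = $s.Want
        Drift     = Test-Drift $eff $s.Want
        Filter    = $s.Filter
    }
}
$report | Format-Table Section, Attribute, Parent, Effective, Intended, Drift -AutoSize

if ($Apply) {
    # Write to applicationHost.config under a <location> tag for the virtual directory only,
    # so the parent site keeps its own settings.
    foreach ($r in $report | Where-Object Drift) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$VDir" `
            -Filter $r.Filter -Name $r.Attribute -Value $r.Intended
    }
}
```

A row where Parent and Effective match but Intended differs is the inheritance case the paragraph describes. Adjust the $Intended table if a different Authentication Type was selected.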


If you install the web service on a machine that is NOT also hosting the web app, you must export the web app settings from the management console and import them onto the web service host. Otherwise, the web service will fail to load. To export the settings from the management console:

  1. Click Manage Web App from the left action pane.
  2. Select the desired web application instance from the list.
  3. From the top tools menu, select Advanced > Export web app registry config. This exports a regedit file, which you'll save locally.
  4. You will be prompted to generate the file for 64-bit Windows. Click Yes.
  5. Copy the registry export to the target web service host and double-click the file to import it.

These steps provide the web service with the necessary information to connect to the data store, the hardware security module, the encryption key, and other settings. Any time these settings change on the web app host, you must repeat these steps.


If the web service and web app have different host systems, and if the systems are accessed through different URLs (specifically the protocol, server name, or port), your web browser will block access to the web service, causing processes to malfunction.

To resolve this, enable cross-origin resource sharing (CORS). After you've installed the web service, open web.config and set EnableCORS to true.

Your specific browser may require additional configuration and may not work in all configurations. Please refer to your browser's documentation for more information on enabling CORS support.

Please see Final Setup Steps for additional steps and verifications.