This article applies to Identity Panel version 5.x. For instructions regarding older versions see articles prefixed LEGACY.
Prerequisite Configuration
The following prerequisite configuration tasks should be completed before starting the installation process:
- Windows Server 2016 or Higher
You must install or upgrade to at least Windows Server 2016.
- Install MongoDB v6 or Higher
Ensure the service is running, and note the MongoDB connection string. In a simple single-server standalone installation with default network settings the connection string will be mongodb://localhost:27017
- Install Elasticsearch 7.17 or Higher
Ensure the service is running and note the URL. In a simple single-server standalone installation this will be http://localhost:9200/
- Enable IIS
Enable IIS including authentication, redirection and proxy features. This may be done via Server Manager, or from an administrative PowerShell prompt:
Install-WindowsFeature -Name @('Web-Common-Http', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Http-Logging', 'Web-Http-Redirect', 'Web-Request-Monitor', 'Web-Windows-Auth', 'Web-Filtering', 'Web-Performance', 'Web-Mgmt-Console', 'Web-Server', 'Web-Static-Content', 'WAS')
- Install .NET Core
Identity Panel v6.x requires the LTS release of .NET Core 6, which may be downloaded from Microsoft at https://dotnet.microsoft.com/en-us/download/dotnet/6.0
The required installer is the Windows Hosting Bundle.
Identity Panel v7.x requires the LTS release of .NET Core 8.
- Panel Service Account
Create a domain account that will be used as a service account for your Panel Service installation(s).
- The Panel Service account will need the Log on as a service right to run as a service. If you use local security policy to manage this right (as opposed to GPO), you can allow the setup utility to add it.
- The Log on as a batch job right is required to configure Panel Check. If you use local security policy to manage this right (as opposed to GPO), you can allow the setup utility to add it.
- OPTIONAL: You may grant, or temporarily grant, the Log on locally right to the Panel Service account so that you can run Panel Tools interactively as the service account, which allows validation of configuration and permissions.
- If configuring Health Check monitoring for server performance, add the Panel Service account to the Performance Monitor Users group.
- Grant this account the permissions appropriate to the tasks it will perform. For example, if you are using Identity Panel to manage your MIM 2016 Synchronization Service, add this account to your MIMSyncAdmins group and grant it db_datareader permissions on the MIMSynchronizationService database.
- Security Groups
Create three domain security groups that will be used for the Identity Panel Admin, Writer, and User roles.
- Ensure that your installation account and the accounts used to access Identity Panel are added to the Admin group.
- Ensure that the Panel Service account is added to the Writer group.
- Email Connectivity (Recommended)
In most configurations Identity Panel will send useful alerts and health notifications. For this to happen you will need to enable sending of email in your environment. This may be accomplished with an internal SMTP server, or by configuring an application in your Microsoft Azure tenant with the Microsoft Graph email send permission. You will need to identify either the SMTP server host, port, and authentication settings (if needed), or the Microsoft Azure application Tenant ID, application ID, and client secret.
- SSL and DNS Entries (Recommended)
Identity Panel should be installed with dedicated named URLs (e.g. identitypanel.mycompany.com, servicepanel.mycompany.com). These URLs will need DNS entries directing to the web server, and trusted SSL certificates installed on the server for IIS.
- Custom URL SPNs (Recommended)
If you are using custom URLs to access Identity Panel, you will need to create HTTP/* SPNs to allow Kerberos authentication to function. SPNs can be configured automatically by the Identity Panel setup utility if it is executed by a user with domain privileges. If using the default application pool account, the SPN should be registered for the server. If using an H/A custom domain account (see below), you should register the SPN for that account. For example:
setspn -A HTTP/identitypanel.mycompany.com MYDOMAIN\server$
- Add BackConnectionHostNames registry entries (Recommended)
If local connections are desired, a registry entry will need to be created to allow Kerberos authentication.
Open regedit, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
Create or edit the BackConnectionHostNames multi-string value, and add the full DNS hostname(s) that will be used to connect to Identity Panel / Service Panel / Access Panel.
- Install MongoDB Compass (Optional)
Download and install the latest version of MongoDB Compass at https://www.mongodb.com/try/download/compass for GUI interaction with MongoDB.
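As an added example (not part of this article or of the PanelSetup utility), the following PowerShell performs the SPN and BackConnectionHostNames steps above for several hostnames in one pass; the hostnames and the account are assumed values. It uses setspn -S instead of -A so that an SPN already registered on another account in the forest is reported rather than duplicated, since a duplicate HTTP SPN breaks Kerberos for both hosts.

```powershell
# Added example. Run from an elevated PowerShell prompt as a user permitted to write
# SPNs on the target account. Assumed values: replace with your own hostnames and
# with the application pool identity (computer account, or the H/A domain account).
$hostNames = @('identitypanel.mycompany.com', 'servicepanel.mycompany.com')
$account   = 'MYDOMAIN\server$'

foreach ($h in $hostNames) {
    $spn = "HTTP/$h"
    # setspn -Q searches the forest; its output contains "Existing SPN found!" on a hit.
    $query = setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        Write-Host "$spn is already registered on:"
        $query | Where-Object { $_ -match '^\s*CN=' }
        continue
    }
    # -S adds the SPN only after verifying there is no duplicate (-A skips that check).
    setspn -S $spn $account
}

# BackConnectionHostNames is REG_MULTI_SZ: merge with existing entries instead of overwriting.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$existing = (Get-ItemProperty -Path $regPath -Name BackConnectionHostNames `
                -ErrorAction SilentlyContinue).BackConnectionHostNames
$merged   = @($existing) + $hostNames | Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $regPath -Name BackConnectionHostNames -PropertyType MultiString `
                 -Value $merged -Force | Out-Null

# Verify what was written: SPNs now on the account, and the registry value as stored.
setspn -L $account
(Get-ItemProperty -Path $regPath -Name BackConnectionHostNames).BackConnectionHostNames
```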
High-Availability Prerequisites
For a high availability installation you will need to configure the following additional items:
- Configure MongoDB as a primary-secondary cluster with at least three servers
- At least two servers must be available to serve in the web-server role
- You must have a load-balanced URL configured with a load balancer or proxy server configured to pass requests to the back end servers. The load balancer should be configured for session affinity
- You must have a domain account to use as an application pool service account. This is necessary to allow shared encryption of protected values via DPAPI-NG
- You must create a file share for storing VersionControl assets. This share must be accessible from both web servers and the web app pool service account should have read/write permissions on the share.
Installation
- Download the Identity Panel installer from https://licensing.softwareidm.com/download/<your-license-key>. If you have multiple license keys any of them may be used to download the installer.
- Identity Panel downloads as a self-extracting executable. If your organization blocks .exe downloads you may need to modify the trust or security settings for your browser. Once the download is complete, copy it to the web server where you intend to install Identity Panel. The name of the executable may vary depending on which license was used to download it, but each license references the same binaries.
- Right click and view properties of the executable to verify if it needs to be Unblocked.
- Double-click the executable to extract a folder called IdentityPanel, containing files and a helper utility called PanelSetup.exe
- Double-click on PanelSetup.exe and choose menu option 2 (Install Identity Panel). This will re-validate all prerequisites have been installed and perform the actual Identity Panel installation.
- Answer the prompts to complete the installation. Once the installation is complete the web application will be installed, but you will need to manually complete the configuration of the IIS virtual directory to suit your environment:
- Open IIS and navigate to the Identity Panel virtual directory
- Ensure that Anonymous Authentication is disabled, that Windows Authentication is enabled, and (optionally) verify that the Negotiate provider is preferred
- Remove the default IIS bindings and create new HTTPS (443) bindings using your custom URLs and certificates
- Optional: Modify the Default site to contain HTTP (80) bindings for custom URLs, and perform an HTTP redirect to HTTPS
- Check that the Identity Panel website and app pool have started successfully.
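An added check (not from this article or the PanelSetup utility) that verifies the IIS settings listed above for the Identity Panel application: Anonymous Authentication off, Windows Authentication on with Negotiate as the first provider, an HTTPS binding for the custom host, and no leftover default binding. The site name, application path and hostname are assumed values.

```powershell
# Added example. Assumed values: adjust the site name, application path and hostname.
Import-Module WebAdministration
$site     = 'Default Web Site'
$location = "$site/IdentityPanel"          # the Identity Panel virtual directory
$hostName = 'identitypanel.mycompany.com'
$appHost  = 'MACHINE/WEBROOT/APPHOST'      # authentication sections are locked at server
                                           # level, so per-app settings live in applicationHost.config
$authBase = 'system.webServer/security/authentication'

function Get-AuthEnabled([string]$section) {
    (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$authBase/$section" -Name enabled).Value
}

$findings = @()
if (Get-AuthEnabled 'anonymousAuthentication') {
    $findings += 'Anonymous Authentication is enabled: unauthenticated requests would reach the application'
}
if (-not (Get-AuthEnabled 'windowsAuthentication')) { $findings += 'Windows Authentication is disabled' }

# Provider order matters: IIS offers providers in this order, so Negotiate should be first.
$providers = @((Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter "$authBase/windowsAuthentication/providers" -Name Collection).value)
if ($providers.Count -eq 0 -or $providers[0] -ne 'Negotiate') {
    $findings += "First Windows Authentication provider is '$($providers -join ',')', not Negotiate"
}

# Bindings: expect HTTPS on 443 for the custom host; the default '*:80:' binding should be gone.
$bindings = @(Get-WebBinding -Name $site)
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -like "*:443:$hostName" })) {
    $findings += "No HTTPS binding for $hostName on site '$site'"
}
foreach ($b in ($bindings | Where-Object { $_.protocol -eq 'http' -and $_.bindingInformation -eq '*:80:' })) {
    $findings += "Default HTTP binding '$($b.bindingInformation)' is still present"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "IIS configuration for '$location' matches the checklist." }
```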
If upgrading from a pre-5.x version, stop here and return to the main walk-through.
Setup Walkthrough
After completing the above steps you should be able to log in to the Identity Panel web application at your chosen URL. You will be redirected to /setup to start the configuration walkthrough, which consists of:
- License Key application – apply each of your license keys which have been issued for that environment
- Security configuration – associate your security groups to roles in Identity Panel
- Providers – Create or upload initial provider connection settings (this step may be skipped and performed later)
- Install Service – Configure Panel Service
- You must first press "Create API Key" to initialize the environment with an API key; you will then be able to download the PanelTools installer.
- The installer downloads as a self-extracting executable with a helper program called SetupService.exe
- Run SetupService.exe to install or upgrade Panel Service.
You should perform three steps (which correspond to the Setup Helper menu options 1-3):
- Install Panel Service
- Validate by running Panel Tool as the service account
- NOTE: If the application fails to launch with a file-not-found error, you may need to manually edit your System Environment Variables so that the PATH value contains the install location of Panel Tools.
- After editing PATH you will need to exit and relaunch SetupService.exe
- Configure Panel check health monitoring
- After installing services, use Panel Tool to perform initial data scans of configured providers
- Next, open Windows Services and start the SoftwareIDM Web Maintenance service
- Finally, you can complete the setup walkthrough and refer to other guides to setup Schedules, Dashboards, Health Monitoring, Workflows, etc.