Security Administration: configuring Transforms.xml and creating/installing the application

This section explains how to create the Security Administration and Document Generation Services databases and install Security Administration.

Prerequisites

You will need to install the following before utilizing Security Administration:

  • Powershell 4.0
  • .NET Core Windows Server Hosting 3.1.
    Note: You can download the package here. The link is available at the bottom of the page under Windows Server Hosting. Be sure you download version 1.0.4; downloading different versions may result in a 500.19 error.
    Note: SQL DAC Framework is required to install and seed the STSAuth database. Most systems will already have this installed. The default script expects to work with SQL 2012, and uses a VisualStudio 2013 tools path by default. If this path does not exist, the installer attempts to find another version of the DAC Framework installed on your system. If you are getting a DbInstaller error similar to: 
    Initializing deployment (Failed)
*** Could not deploy package.
Unable to connect to target server.

    It may be that you are running a newer version of SQL Server and/or you have multiple older versions of the DAC Framework in play. In this case you can explicitly specify the path to the DAC Framework you want to use with the parameter "SqlPackagePath". Older versions of DAC will throw the error above when attempting to connect to a newer SQL version.

  • Microsoft® SQL Server® Data-Tier Application Framework: https://www.microsoft.com/en-us/download/details.aspx?id=42293.
  • Verify that you have SQL Server installed for step 5 or will run installdatabase.ps1 on the database server.
  1. From the STS\DBInstallerScripts folder, edit installdatabase.ps1.
  2. Edit the following server names for each application:
    • $dbHost
    • $dgshost
    • $ezConfigHost
    • $adminHost
    • $webHelpHost
  3. Update the list of $appUsers accounts on line 43. This can be a machine or user account, whichever your applications are using.
  4. Edit LocalDevClientParameters.json. Change the thumbprint for the following:
    • wsFederation (thumbprint for OspreyApplicationIdentify cert)
    • stsTestClient (thumbprint for WKFS.STSv3.Tests cert)
     {
  "wsFederation": {
    "ClientSecrets": [ "F790C2E42186EAE1C464B243DF1CB55D8FF72439" ]
  },
  "stsTestClient": {
    "ClientSecrets": [ "ee288e3782a5e99127555d785b881319f13eab3c" ]
  },
    • STSAdministration.ClientSecrets (thumbprint for WKFS.STSv3.Administration)
    "STSAdministration": {
    "ClientSecrets": [ "988b03f2e9c92ee60a36304ea68c69c50e3e686c" ],
    "ClientSharedSecrets": [ "rfKETSw8WFlmrV4Ip5UuIzTc40HFK85mb305JCr608ZEuIv9Y8my6BQEgbuWY6zWka1lvhx5W2KsUuUDx2EQ8Q==" ],
    "ClientSharedSecretsPlainText": [ "55058308-58E8-4F11-8D02-437A028EDC4C" ]
},
    • EZ Config (Packages and Packets)
    • EZ Config Default Data Client 
     {
"ezConfig": {     
  "ClientSecrets": [ "DF94877C0AF5986F6C636A8D7952D7EDB548CE9C" ]     
},  
"ezDefaultDataClient": {         
  "ClientSecrets": [ "702ED47578E02402477140FC205D3D9D615AE8C8" ]     
},
  5. Run InstallDatabase.ps1 with Powershell in Admin mode. This creates the Security Administration and Document Generation Services databases.
    Note: Run this on the database server or verify that you have SQL Server installed.
  6. In ReleaseFiles\STS\InstallTransformKit folder, edit the Transforms.xml file, change all host and database server names to the desired server name or URL. Note that these servers can be load-balanced. The following properties require configuration:
    • STS.WsFedSigningCertificateThumbprint = WKFS.STSv3.OIDC.SigningCertificate thumbprint
    • Global.KeyRepositoryCertificateThumbprint = WKFS-STSv3.Key.Protection thumbprint
    • STS.SigningCertificateThumbprint = WKFS.STSv3.OIDC.SigningCertificate thumbprint
    • STS.RootCertificateThumbprint = WKFS.STSv3.RootCA thumbprint
    • STSAdmin.ClientCertThumbprint = WKFS.STSv3.Administration thumbprint
    Note: Consult appendix for comprehensive list of properties.
  7. In the Transforms.xml file, locate STS.TokenSigningCertThumbprint. Insert the thumbprint value available from the Details tab for the STS OIDC Signing certificate (WKFS.STSv3.OIDC.SigningCertificate). Remove the spaces from the value and verify no hidden characters appear.
  8. Change the database name in the connection string if not using the default.
  9. Run "run.bat" to create the Security Administration installation file (for example: STSv3Installer.msi; this name matches the FileName property in the Transforms.xml file) in the Installs folder.
  10. Run the .msi file.
  11. Open your internet browser, enter https://{server}/STSAdministration. Enter Username and Password.
    Note:
    • Username: Admin1
    • Password: Today123!
  12. Change password for Admin1 by accessing the Users tab (admin1) and click Reset Password.