Installation prerequisites

Before you can run the installation program, make sure you have completed all of the pre-installation preparations described below.

Server requirements

Make sure that the server requirements for Net iD Portal are met:

Firewall and port settings

Make sure firewalls are configured and that the necessary ports that Net iD Portal needs are open. See below for more information.

System service name   Application protocol       Protocol   Ports
CertSvc               RPC                        TCP        135
CertSvc               Randomly high TCP Ports*   TCP        49152–65535
HTTPFilter            HTTPS                      TCP        443
MSSQLSERVER           SQL over TCP               TCP        1433
LSASS                 LDAPS Server               TCP        636
LSASS                 LDAPS Server               UDP        636

Create a service account

Create a service account that Net iD Portal will use.

This could either be a group Managed Service Account (gMSA) or a regular domain user account, depending on your organization’s security policy.

Set up the database service

Do this only if you use an SQL server other than the one included in the installation.

The installation pack includes an SQL Server Express instance that is installed on the Net iD Portal server. The instructions below apply when a separate, external SQL server is used instead.

Create three databases on your SQL server:

  • NiPDB

  • NiPDB_log

  • NiPDB_logClient

Give the service account the following permissions on all three databases:

  • db_owner
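As an added example (not taken from the Net iD Portal documentation), the following T-SQL creates the three databases on an external SQL Server and grants the service account db_owner on each. The account name CONTOSO\svc-nip$ is a placeholder for your own service account; a gMSA is referenced as DOMAIN\name$, a regular domain user as DOMAIN\name.

```sql
-- Added example: prepare an external SQL Server for Net iD Portal.
-- CONTOSO\svc-nip$ is a placeholder; replace it with your service account
-- (a gMSA is referenced as DOMAIN\name$, a regular domain user as DOMAIN\name).
-- Run as a sysadmin, e.g. in SSMS or with sqlcmd (GO is the batch separator).
USE master;
GO

CREATE DATABASE NiPDB;
CREATE DATABASE NiPDB_log;
CREATE DATABASE NiPDB_logClient;
GO

-- One Windows-authenticated login at the server level
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-nip$')
    CREATE LOGIN [CONTOSO\svc-nip$] FROM WINDOWS;
GO

-- Map the login into each database and add it to db_owner, as the
-- documentation requires for all three databases
USE NiPDB;
CREATE USER [CONTOSO\svc-nip$] FOR LOGIN [CONTOSO\svc-nip$];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\svc-nip$];
GO

USE NiPDB_log;
CREATE USER [CONTOSO\svc-nip$] FOR LOGIN [CONTOSO\svc-nip$];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\svc-nip$];
GO

USE NiPDB_logClient;
CREATE USER [CONTOSO\svc-nip$] FOR LOGIN [CONTOSO\svc-nip$];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\svc-nip$];
GO

-- Verify: list the db_owner members of the current database (here
-- NiPDB_logClient); run the same query after each USE above and confirm
-- the service account is listed in all three databases
SELECT DB_NAME() AS database_name, mp.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS rp ON rm.role_principal_id = rp.principal_id
JOIN sys.database_principals AS mp ON rm.member_principal_id = mp.principal_id
WHERE rp.name = N'db_owner';
GO
```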


Set up the certificate service

A certificate service to manage the certificates (enrollment, revocation) needed by Net iD Portal is required.

Certificate templates are the sets of rules and settings that are configured on a CA to be applied against incoming certificate requests. Certificate templates also give instructions to the client on how to create and submit a valid certificate request.

Create and configure the Net iD Portal Certificate Template

  1. The service account needs the following permissions on the certificate service:

    • Read

    • Issue and Manage Certificates

    • Request Certificates

  2. Right-click on Certificate Templates, and then click Manage.

  3. Right-click certificate template Smartcard User, and then click Duplicate Template.

  4. Click the General tab. In the Template display name box, type the name of your certificate template, and in the Validity period box, type the validity period.
    In this example, we will name it Net iD Portal SmartCard User.

  5. Click the Subject Name tab, and in the Subject name format list, select the format you want the certificate subject to have.

  6. Click the Issuance Requirements tab, and under Require the following for enrollment, click This number of authorized signatures.

  7. In the Application policy list, click Certificate Request Agent.

  8. Click the Security tab. Under Group or user names, click Authenticated Users, and under Permissions for Authenticated Users, click Read and Enroll in the Allow column.

  9. Click OK to close the Properties of New Template dialog.

  10. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  11. Click the certificate template you just created, and then click OK. In this example, we named it Net iD Portal SmartCard User.

Configure the Enrollment Agent (Computer) Template

  1. Right-click Certificate Templates and then click Manage.

  2. Right-click the Enrollment Agent (Computer) certificate template, and then click Properties.

  3. Click the Security tab. Under Group or user names, click the server you will install Net iD Portal on, and under Permissions for <server name>, click Read and Enroll in the Allow column.

  4. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  5. Click the certificate template Enrollment Agent (Computer), and then click OK.

Create the Encryption certificate Template

Generate a certificate from the web server template and name it Net iD Portal Encryption on your web server.

  1. Click All Tasks, and then click Request New Certificate.

  2. Give the certificate the common name (CN) Net iD Portal Encryption.


Web service certificate permissions

  1. Make sure you have a web server certificate with your DNS name installed on the web server. You can either generate an internal one or use a third-party certificate provider.

  2. Open Microsoft Management Console (MMC) and go to Certificates – Local Computer (certlm.msc).

  3. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  4. Click Enrollment Agent (Computer) certificate, and then click Enroll.

  5. When the enrollment is done, right-click each of the following certificates in turn: your Enrollment Agent (Computer) certificate, your web server certificate, and your encryption certificate. For each one, click All Tasks, and then click Manage Private Keys.

  6. Give the service account the following permissions:

    • Read
