Installation
This documentation provides detailed information on setting up SafeNet Authentication Service on Windows, describing the process from start to completion using step-by-step instructions. This encompasses getting acquainted with procedures, including:
Important notes
Auto provisioning service
SAS PCE 3.5 (and later versions) does not support running multiple Auto Provisioning Services. Only one service can run for any given SAS installation.
The Auto Provisioning Service processes all provisioning rules, including:
- Token Provisioning Rules
- Operator Role Provisioning Rules
- Account Manager Role Provisioning Rules
The Auto Provisioning Service manages the creation of provisioning tasks and revocation of previously assigned tokens.
RADIUS authentication
Information about using SAS with RADIUS authentication is provided in the following sections:
SAS on FIPS mode enabled machines
SafeNet Authentication Service 3.10 (and above) supports FIPS mode enabled machines.
MS SQL collation
The required collation (SQL_Latin1_General_CP1_CI_AS) may not be applied to the MS SQL database because of default server settings. If any other collation is applied, it must be changed.
To check the applied collation, run the following query:
SELECT CONVERT (varchar, DATABASEPROPERTYEX('dbname','collation'));
Note that all the services must be stopped before executing the following query to alter the collation:
USE master;
GO
ALTER DATABASE <dbname>
COLLATE SQL_Latin1_General_CP1_CI_AS;
GO
Recommendation
SSL is disabled and TLS is enforced for HTTPS connections to all web servers. This change does not impact most customers.
Customers who use custom applications accessing the Management API, the GrIDSure API, or the Token Validator API directly (not using the Java or .NET Agents) experience difficulties if their custom applications use SSL only. In these cases, it is recommended to verify that these custom applications behave according to standard practices, and have no issues using TLS when this is enforced by the server.
For SAS Self-Service, Self-Enrollment portal and SAS console
By default, the "Console_SessionId" cookie which is used to maintain a user's sessions in the SAS Admin Console is set without the secure flag enabled. To change this, set the "secure" flag on the "Console_SessionId" cookie and disable HTTP on port 80 on the SAS server(s).
Update the web.config file as follows to allow HttpOnly cookies and enable SSL in IIS:
Add requireSSL="true" to the httpCookies section in web.config to enable the secure flag on cookies.
For example: <httpCookies httpOnlyCookies="true" requireSSL="true" />
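One way to confirm the change after editing web.config is to check every httpCookies element for both attributes. The script below is an added example, not part of the SAS product or its documentation; the function name audit_http_cookies and the two sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from a SAS installation).
WEAK_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""

# Attributes that must both be "true" per the recommendation above.
REQUIRED = ("httpOnlyCookies", "requireSSL")


def audit_http_cookies(web_config_xml):
    """Return a list of findings; an empty list means every httpCookies
    element sets both httpOnlyCookies and requireSSL to true."""
    root = ET.fromstring(web_config_xml)
    # system.web can sit directly under <configuration> or inside <location>.
    elements = [
        element
        for section in root.findall(".//system.web")
        for element in section.findall("httpCookies")
    ]
    if not elements:
        return ["no <httpCookies> element found under <system.web>"]
    findings = []
    for element in elements:
        for name in REQUIRED:
            value = element.get(name)
            if value is None:
                findings.append(f"{name} is not set (default is false)")
            elif value.strip().lower() != "true":
                findings.append(f"{name} is set to {value!r}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_http_cookies(xml_text) or "OK")
```

To audit a real file, pass its contents to audit_http_cookies; a non-empty result lists the attributes that still need to be set.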