Manually Installing on IIS
Manually install a PingAccess agent for Internet Information Services (IIS), or if the installation failed, manually complete a partial installation.
About this task
For information about preventing a known issue on systems running application pools in 32-bit compatibility mode, see Troubleshooting. |
If you use this procedure due to an installation problem, open a support ticket so the underlying issue can be addressed. |
Steps
-
Stop Microsoft IIS:
-
Run the command
net stop w3svc
. -
Run the command
net stop was
.
-
-
Extract the
pingaccess-agent-iis.msi
installer file from the PingAccess IIS Agent Distributionpingaccess-agent-iis-x.x.x.zip
file. -
Extract the MSI installer file’s contents.
C:\Windows\System32\msiexec /a <full path to pingaccess-agent-iis.msi> /qb TARGETDIR=<destination path>
From this step on, this procedure will refer to the target directory as <TARGETDIR>. The files of interest are in
<TARGETDIR>\PFiles
. -
Copy
TARGETDIR\PFiles\Ping Identity\
and its contents toC:\Program Files\
. -
Download the Microsoft Visual C++ Redistributable and install it.
-
Add the PingAccess agent module configuration schema to IIS:
-
cd C:\ <TARGETDIR>\PFiles\inetsrv\config\schema\
-
copy paa_schema.xml C:\Windows\System32\inetsrv\config\schema\
-
-
Edit
C:\Windows\System32\inetsrv\config\applicationHost.config
and make the following changes:-
Add
sectionGroup
to the container withname=system.webServer
underconfigSections
.Example:
<section name="paa" overrideModeDefault="Deny" allowDefinition="AppHostOnly" allowLocation="false" />
-
Add the following XML block to the
<system.webServer>
element.Example:
<paa> <paaCertificateDir value="C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs\" /> <paaPropertyFiles> <file path="C:\Program Files\Ping Identity\PingAccess Agent for IIS\agent.properties" /> </paaPropertyFiles> </paa>
-
-
Open IIS Manager and go to Management → Configuration Editor.
-
Select the
system.webServer/paa
section and validate that the paths added toapplicationHost.config
have the following values:- paaCertificateDir
-
C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs\
- paaPropertyFiles
-
(Count=1)
If the changes are not present, ensure that you are using a 64-bit text editor. When using a 32-bit text editor, changes to this file will be transparently saved to
%SYSTEMROOT%\SysWOW64\inetsrv\applicationHost.config
.
-
Verify that the
C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs
folder has been created. -
Change the permissions of
C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs
to include read and write permissions forIIS_IUSRS
.You might need to manually search for this user when modifying the permissions.
-
Register the PingAccess agent logging publisher:
-
Run the following command.
C:\Windows\System32\wevtutil im paa-event-logging.xml /rf:"C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll" /mf:"C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll"
-
Run the following three commands to ensure the logging publisher installed successfully.
C:\Windows\System32\wevtutil gl PingAccess-Agent/Admin C:\Windows\System32\wevtutil gl PingAccess-Agent/Analytic C:\Windows\System32\wevtutil gl PingAccess-Agent/Debug
-
-
Register the agent module with IIS:
-
Open IIS Manager, then select the web server the agent is being added to.
-
Click Modules.
-
Click Configure Native Modules.
-
Click Register and enter the following information.
Name
PingAccessAgentModule
Path
C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll
-
Click OK.
-
Click OK.
-
Execute the command
iisreset /restart
.
-
-
After IIS has restarted, use IIS Manager to ensure that the Default Application Pool has started.
If the Default Application Pool has not started, you will see 500 series server errors when navigating to a site protected by the agent.
-
Continue the installation from Step 3 of the installation procedure.
Result
The PingAccess agent writes log information to the PingAccess-Agent logs in the Event Viewer Application and Services logs. Check these logs for any errors if the agent module does not appear to have loaded.