PingAccess

Manually Installing on IIS

Manually install a PingAccess agent for Internet Information Services (IIS), or if the installation failed, manually complete a partial installation.

About this task

For information about preventing a known issue on systems running application pools in 32-bit compatibility mode, see Troubleshooting.

If you use this procedure due to an installation problem, open a support ticket so the underlying issue can be addressed.

  1. Stop Microsoft IIS:

    1. Run the command net stop w3svc.

    2. Run the command net stop was.

  2. Extract the pingaccess-agent-iis.msi installer file from the PingAccess IIS Agent Distribution pingaccess-agent-iis-x.x.x.zip file.

  3. Extract the MSI installer file’s contents.

    C:\Windows\System32\msiexec /a  full path to pingaccess-agent-iis.msi  /qb TARGETDIR=destination path

    From this step on, this procedure will refer to the target directory as TARGETDIR. The files of interest are in TARGETDIR\PFiles.

  4. Copy TARGETDIR\PFiles\Ping Identity\ and its contents to C:\Program Files\.

  5. Download the {microsoft-visual-c}[Microsoft Visual C Redistributable] and install it.

  6. Add the PingAccess agent module configuration schema to IIS:

    1. cd C:[.var]_TARGETDIR_\PFiles\inetsrv\config\schema\

    2. copy paa_schema.xml C:\Windows\System32\inetsrv\config\schema\

  7. Edit C:\Windows\System32\inetsrv\config\applicationHost.config and make the following changes:

    1. Add sectionGroup to the container with name=system.webServer under configSections.

      Example:

      <section name="paa" overrideModeDefault="Deny" allowDefinition="AppHostOnly" allowLocation="false" />
    2. Add the following XML block to the <system.webServer> element.

      Example:

      <paa>
       <paaCertificateDir value="C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs\" />
       <paaPropertyFiles>
        <file path="C:\Program Files\Ping Identity\PingAccess Agent for IIS\agent.properties" />
       </paaPropertyFiles>
      </paa>
  8. Open IIS Manager and go to Management → Configuration Editor.

  9. Select the system.webServer/paa section and validate that the paths added to applicationHost.config have the following values:

    paaCertificateDir

    C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs\

    paaPropertyFiles

    (Count=1)

    If the changes are not present, ensure that you are using a 64-bit text editor. When using a 32-bit text editor, changes to this file will be transparently saved to %SYSTEMROOT%\SysWOW64\inetsrv\applicationHost.config.

  10. Verify that the C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs folder has been created.

  11. Change the permissions of C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs to include read and write permissions for IIS_IUSRS.

    You might need to manually search for this user when modifying the permissions.

  12. Register the PingAccess agent logging publisher:

    1. Run the following command.

      C:\Windows\System32\wevtutil im paa-event-logging.xml /rf:"C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll" /mf:"C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll"
    2. Run the following three commands to ensure the logging publisher installed successfully.

      C:\Windows\System32\wevtutil gl PingAccess-Agent/Admin
      C:\Windows\System32\wevtutil gl PingAccess-Agent/Analytic
      C:\Windows\System32\wevtutil gl PingAccess-Agent/Debug
  13. Register the agent module with IIS:

    1. Open IIS Manager, then select the web server the agent is being added to.

    2. Click Modules.

    3. Click Configure Native Modules.

    4. Click Register and enter the following information.

      • Name PingAccessAgentModule

      • Path C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll

    5. Click OK.

    6. Click OK.

    7. Execute the command iisreset /restart.

  14. After IIS has restarted, use IIS Manager to ensure that the Default Application Pool has started.

    If the Default Application Pool has not started, you will see 500 series server errors when navigating to a site protected by the agent.

  15. Continue the installation from Step 3 of the installation procedure.

Result

The PingAccess agent writes log information to the PingAccess-Agent logs in the Event Viewer Application and Services logs. Check these logs for any errors if the agent module does not appear to have loaded.