Manually install a PingAccess agent for Internet Information Services (IIS), or if the installation failed, manually complete a partial installation.
For information about preventing a known issue on systems running application pools in 32-bit compatibility mode, see Troubleshooting.
If you use this procedure due to an installation problem, open a support ticket so the underlying issue can be addressed.
-
Stop Microsoft IIS:
-
Run the command
net stop w3svc
. -
Run the command
net stop was
.
-
Run the command
- Extract the pingaccess-agent-iis.msi installer file from the PingAccess IIS Agent Distribution pingaccess-agent-iis-x.x.x.zip file.
-
Extract the MSI installer file's contents.
C:\Windows\System32\msiexec /a <full path to pingaccess-agent-iis.msi> /qb TARGETDIR=<destination path>
Note:From this step on, this procedure will refer to the target directory as <TARGETDIR>. The files of interest are in <TARGETDIR>\PFiles.
- Copy TARGETDIR\PFiles\Ping Identity\ and its contents to C:\Program Files\.
- Download the Microsoft Visual C++ Redistributable and install it.
-
Add the PingAccess agent module configuration schema to IIS:
- cd C:\<TARGETDIR>\PFiles\inetsrv\config\schema\
- copy paa_schema.xml C:\Windows\System32\inetsrv\config\schema\
-
Edit C:\Windows\System32\inetsrv\config\applicationHost.config and
make the following changes:
-
Add
sectionGroup
to the container withname=system.webServer
underconfigSections
.<section name="paa" overrideModeDefault="Deny" allowDefinition="AppHostOnly" allowLocation="false" />
-
Add the following XML block to the
<system.webServer>
element.<paa> <paaCertificateDir value="C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs\" /> <paaPropertyFiles> <file path="C:\Program Files\Ping Identity\PingAccess Agent for IIS\agent.properties" /> </paaPropertyFiles> </paa>
-
Add
- Open IIS Manager and go to Management > Configuration Editor.
-
Select the
system.webServer/paa
section and validate that the paths added toapplicationHost.config
have the following values:- paaCertificateDir
- C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs\
- paaPropertyFiles
- (Count=1)
Note:If the changes are not present, ensure that you are using a 64-bit text editor. When using a 32-bit text editor, changes to this file will be transparently saved to
%SYSTEMROOT%\SysWOW64\inetsrv\applicationHost.config
. - Verify that the C:\Program Files\Ping Identity\PingAccess Agent for IIS\certs folder has been created.
-
Change the permissions of C:\Program Files\Ping Identity\PingAccess Agent for
IIS\certs to include read and write permissions for
IIS_IUSRS
.You might need to manually search for this user when modifying the permissions.
-
Register the PingAccess agent logging publisher:
-
Run the following command.
C:\Windows\System32\wevtutil im paa-event-logging.xml /rf:"C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll" /mf:"C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll"
-
Run the following three commands to ensure the logging publisher installed
successfully.
C:\Windows\System32\wevtutil gl PingAccess-Agent/Admin C:\Windows\System32\wevtutil gl PingAccess-Agent/Analytic C:\Windows\System32\wevtutil gl PingAccess-Agent/Debug
-
Run the following command.
-
Register the agent module with IIS:
- Open IIS Manager, then select the web server the agent is being added to.
- Click Modules.
- Click Configure Native Modules.
-
Click Register and enter the following information.
Name PingAccessAgentModule
Path C:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll
- Click OK.
- Click OK.
-
Execute the command
iisreset /restart
.
-
After IIS has restarted, use IIS Manager to ensure that the Default Application Pool has
started.
Note:
If the Default Application Pool has not started, you will see 500 series server errors when navigating to a site protected by the agent.
- Continue the installation from Step 3 of the installation procedure.
The PingAccess agent writes log information to the PingAccess-Agent logs in the Event Viewer Application and Services logs. Check these logs for any errors if the agent module does not appear to have loaded.