Lithnet Access Manager
PricingRequest a trial or quoteDownloads
v2.0
v2.0
  • Home
  • What's new in Access Manager v2
  • How does Lithnet Access Manager help prevent lateral movement?
  • Access Manager Editions
  • Licensing
  • Change log
  • Installation
    • Getting started
    • System Requirements
    • Downloads
    • Upgrading from Access Manager v1
    • Installing the Access Manager Server
      • Creating a service account for the Access Manager Service
      • SQL installation options
      • Installing the Access Manager Service
      • High availability options
        • Load balancing Access Manager
        • Installing Access Manager in a Failover Cluster
    • Installing the Access Manager Agent
      • Choosing between the Microsoft and Lithnet agents for LAPS support
      • Installing the Access Manager Agent on Windows
      • Installing the Access Manager Agent on Linux
      • Installing the Access Manager Agent on macOS
  • Configuration
    • Setting up Authentication
      • Setting up authentication with ADFS
      • Setting up authentication with Azure AD
      • Setting up authentication with Okta
      • Setting up smart card authentication
      • Setting up integrated windows authentication
    • Deploying Features
      • Setting up Microsoft LAPS for Active Directory
      • Setting up Microsoft LAPS for Azure Active Directory
      • Setting up Lithnet LAPS
        • Preparing the AMS directory
        • Setting the AMS directory for Lithnet LAPS clients
        • Setting up Lithnet LAPS for Azure AD joined and registered devices
        • Setting up Lithnet LAPS for domain-joined devices
        • Setting up Lithnet LAPS for macOS and Linux
        • Setting up Lithnet LAPS for standalone Windows devices
      • Setting up BitLocker access
      • Setting up JIT for computers
      • Setting up JIT for roles
    • Importing authorization rules
      • Import Microsoft LAPS permissions from Active Directory
      • Importing BitLocker permissions from Active Directory
      • Importing local administrator group membership from domain-joined Windows devices
      • Import mappings from a CSV file
      • Importing rules from the Lithnet LAPS web app
      • Performing an offline discovery of local admins
  • Help and support
    • Frequently asked Questions
    • Troubleshooting
    • Quick start guides
      • Getting started with Windows LAPS and Lithnet Access Manager
      • Getting started with Windows LAPS for Active Directory
      • Getting started with Windows LAPS for Azure Active Directory
    • Support Articles
      • KB000001: The Access Manager Agent cannot connect and logs a token-validation-failed error
      • KB000002: Users retain their admin rights after their JIT period expires
      • KB000003: Configuring the Access Manager Agent to manage an account other than 'root' on Linux
      • KB000004: Creating a log file to troubleshoot installation issues with the Access Manager Service
      • KB000005: Access Manager stops working after applying the November 2022 Windows update
      • KB000006: Migrating the Access Manager Database
      • KB000007: Adding JIT groups via Group Policy doesn't work with NTLM Disabled
      • KB000008: AMS is unable to JIT into privileged groups such as Domain Admins
    • Advanced help topics
      • Ports and traffic flows
      • Internet access requirements
      • Access evaluation in Access Manager Service (AMS)
      • Recovering from a lost encryption certificate
      • Script-based authorization
      • Customized auditing with PowerShell notification channels
      • Variables available in audit notification channels
      • Setting up audit templates
      • Backup and Restore
      • Event ID reference
    • PowerShell reference
      • Add-AmsDeviceRegistrationKeyGroup
      • Add-AmsGroupMember
      • Export-AmsServerDiagnostics
      • Get-AmsActiveDirectoryJitOptions
      • Get-AmsComputerAuthorizationRule
      • Get-AmsDevice
      • Get-AmsDeviceRegistrationKey
      • Get-AmsGroup
      • Get-AmsGroupMembers
      • Get-AmsHostConfig
      • Get-AmsJitSchedulerJob
      • Get-AmsLocalAdminPassword
      • Get-AmsLocalAdminPasswordHistory
      • Get-AmsRoleAuthorizationRule
      • New-AmsComputerAuthorizationRule
      • New-AmsDeviceRegistrationKey
      • New-AmsGroup
      • New-AmsRoleAuthorizationRule
      • Remove-AmsComputerAuthorizationRule
      • Remove-AmsDevice
      • Remove-AmsDeviceRegistrationKey
      • Remove-AmsDeviceRegistrationKeyGroup
      • Remove-AmsGroup
      • Remove-AmsGroupMember
      • Remove-AmsJitSchedulerJob
      • Remove-AmsRoleAuthorizationRule
      • Set-AmsActiveDirectoryJitOptions
      • Set-AmsComputerAuthorizationRule
      • Set-AmsDevice
      • Set-AmsDeviceRegistrationKey
      • Set-AmsGroup
      • Set-AmsHostConfig
      • Set-AmsRoleAuthorizationRule
    • Application help pages
      • Access Manager Directory configuration page
      • Access Manager Directory Devices page
      • Access Manager Directory Groups page
      • Lithnet LAPS configuration page (Access Manager Directory)
      • Access Manager Directory Registration Keys page
      • Lithnet LAPS configuration page (Active Directory)
      • Microsoft LAPS configuration page
      • Active Directory configuration page
      • Auditing page
      • Authentication configuration page
      • Computer authorization rules page
      • Role authorization rules page
      • Azure Active Directory configuration page
      • BitLocker configuration page
      • Database configuration page
      • Effective access page
      • Email configuration page
      • IP Address detection configuration page
      • Just-in-time access configuration page
      • Licensing configuration page
      • Rate limit configuration page
      • Host configuration page
      • User interface configuration page
      • Security page
    • Getting Support
Powered by GitBook
On this page
  • Using the pre-configured SQL Express instance
  • Using SQL Standard or Enterprise Edition
  • Installation steps
  • Using Azure SQL
  • Installation steps
  • Using Amazon RDS
  • Installation steps
  • Security considerations

Was this helpful?

  1. Installation
  2. Installing the Access Manager Server

SQL installation options

PreviousCreating a service account for the Access Manager ServiceNextInstalling the Access Manager Service

Last updated 2 years ago

Was this helpful?

Access Manager requires a Microsoft SQL Server 2017 or higher database. The setup program can install a pre-configured instance of SQL express, or you can choose to use an existing SQL server, or even an Azure SQL database.

Using the pre-configured SQL Express instance

During installation, you can choose to have a pre-configured instance of SQL Express installed. The installer will create and configure a new SQL express instance (named AMS) on the local machine. Access to the database will be restricted to local administrators and the AMS service account.

This is suitable for small to medium-sized installations of Access Manager, and has a number of benefits such as being completely configured and managed by the AMS service itself. Do note that SQL express has several limitations that you will need to consider;

  • 1 GB maximum memory used by the database engine

  • 10 GB maximum database size

  • 1 MB maximum buffer cache

  • Limited to the lesser of one (1) CPU socket or four (4) cores

For larger installations of Access Manager, you should consider using SQL server Standard or Enterprise edition.

If you are using the high-availability feature of Access Manager, you cannot use SQL Express. The SQL instance will need to be installed on a separate computer. Alternatively, use an Azure SQL or Amazon RDS database configured for high availability.

If you plan to use SQL Express, but the server you are installing on does not have an internet connection, then and copy it to the server. You'll be prompted to provide this file during setup.

Using SQL Standard or Enterprise Edition

If you are running Access Manager in a large environment, or SQL express is otherwise not suitable, you can set up the AMS database on an SQL instance of your choosing. You must manually set up your instance, and create the database, before running the installer. During installation, you will be prompted for the server and instance name.

The database should be called AccessManager and the AMS service account must be added to the db_owner role of the database. Your database administrator can do this for you, or you can use the script below to create a new database with the default settings, and assign the correct permissions.

Installation steps

Use the following steps to manually create the database, allowing you to specify advanced properties like where the database files will be located, how big they should be initially and how much they should grow by, and what recovery mode to use.

  1. Create a new database on the SQL server with the name AccessManager.

  2. Create a login for the service account

  3. Map the service account login to the AccessManager database

  4. Add the service account to the db_owner role for the AccessManager database

  5. Once these steps are complete, you can run the AMS installer, and specify your SQL server name and instance when prompted

Alternatively, you can use the following script to create a basic database with default settings. Note, that the default settings may not result in a database that is suitable for production use. You should ensure that at least the following settings are appropriate for your environment

  1. Database file location

  2. Database initial size and auto growth settings

  3. Ensure the recovery mode matches your backup strategy and recovery point objectives

/*
---------------------------------------------------------------
Access Manager SQL database build script
	Step 1. Modify the @ServiceAccount variable to contain the account name of the service account that is used to run the AMS service
                If the service account is a group-manged service account, don't forget to add the '$' character to the end of the account name
	Step 2. Run this script to set the appropriate permissions on the database
---------------------------------------------------------------
*/
DECLARE @ServiceAccount nvarchar(256) = 'DOMAIN\svc-lithnetams$'

---- Do not modify
DECLARE @ServiceAccountQuoted nvarchar(256) = QUOTENAME(@ServiceAccount);

IF DB_ID('AccessManager') IS NULL 
BEGIN
    -- Get the SQL Server data path.
        DECLARE @data_path nvarchar(256);       
        SET @data_path = (SELECT SUBSTRING(physical_name, 1, CHARINDEX(N'master.mdf', LOWER(physical_name)) - 1)
                FROM master.sys.master_files
                WHERE database_id = 1 AND file_id = 1);

	  EXECUTE ('
CREATE DATABASE [AccessManager]
 CONTAINMENT = NONE
 ON  PRIMARY 
( NAME = N''AccessManager'', FILENAME = "' + @data_path + 'AccessManager.mdf", SIZE = 1048576KB , FILEGROWTH = 131072KB )
 LOG ON 
( NAME = N''AccessManager_log'', FILENAME = "' + @data_path + 'AccessManager.ldf", SIZE = 524288KB , FILEGROWTH = 65536KB )

')
    
    ALTER DATABASE [AccessManager] SET RECOVERY SIMPLE 
    PRINT 'Created database'
END

IF NOT EXISTS 
    (SELECT name  
     FROM [master].sys.server_principals
     WHERE name = @ServiceAccount )
BEGIN
      EXEC ('CREATE LOGIN ' + @ServiceAccountQuoted + ' FROM WINDOWS WITH DEFAULT_DATABASE=[AccessManager]');
	  PRINT 'Created server login'
END

IF NOT EXISTS
    (SELECT (1)
        FROM [master].sys.server_principals sp
        JOIN [AccessManager].sys.database_principals dp on dp.sid = sp.sid
        WHERE sp.name = @ServiceAccount )
BEGIN
    EXEC ('USE [AccessManager]; CREATE USER ' + @ServiceAccountQuoted + ' FOR LOGIN ' + @ServiceAccountQuoted);
	PRINT 'Mapped service account login to database user'
END

DECLARE @name nvarchar(250) = (SELECT dp.name FROM [master].sys.server_principals sp
        JOIN [AccessManager].sys.database_principals dp on dp.sid = sp.sid
        WHERE sp.name = @ServiceAccount)

IF (@name <> 'dbo')
BEGIN
    EXEC ('USE [AccessManager]; ALTER ROLE [db_owner] ADD MEMBER ' + @ServiceAccountQuoted)
	PRINT 'Granted db_owner role to service account'
END

Using Azure SQL

Using an Azure SQL database is fully supported by Access Manager. You'll need to create an empty database before running the installer, and create a login for the AMS service to use.

Installation steps

  1. From the Azure Portal, create a new SQL Database resource

  2. Follow the wizard prompts, specifying the database name, and instance type as appropriate. We recommend you use the name AccessManager

  3. Once the database has been provisioned, open the new resource

  4. Select the Query editor option from the left menu, and authenticate to the instance

  5. In the query editor window, paste the following code after modifying the password field to contain your own strong password

CREATE USER [svc-lithnetams] WITH password='your-password-here';
EXEC sp_addrolemember 'db_owner', 'svc-lithnetams';
  1. Run the code to create a user in the database for the service account to use

  2. From the menu on the left-hand side, select Connection Strings, and copy the ADO.NET connection string

  3. Modify the username and password in the connection string to contain the username and password you created earlier. Your connection string should look similar to below

Server=tcp:ams.database.windows.net,1433;Initial Catalog=AccessManager;Persist Security Info=False;User ID=svc-lithnetams;Password=your-password-here;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
  1. Once these steps are complete, you can run the AMS installer, and provide the connection string when prompted.

Using Amazon RDS

Using an AWS RDS Microsoft SQL database is fully supported by Access Manager. You'll need to create an empty database before running the installer, and create a login for the AMS service to use.

Installation steps

  1. From the AWS Console, create a new Microsoft SQL Server RDS resource

  2. Select the appropriate options and instance configuration for your environment

  3. Once the server has been provisioned, ensure you allow the AMS server access to the RDS instance via the appropriate security groups

  4. Using Microsoft SQL Management Studio, connect to the RDS instance using the admin credentials created during the setup process

  5. In the query editor window, paste the following code after modifying the password field to contain your own strong password

CREATE LOGIN [svc-lithnetams] WITH password='your-password-here';
GO

-- Get the SQL Server data path.
DECLARE @data_path nvarchar(256);       
SET @data_path = (SELECT SUBSTRING(physical_name, 1, CHARINDEX(N'master.mdf', LOWER(physical_name)) - 1)
        FROM master.sys.master_files
        WHERE database_id = 1 AND file_id = 1);

EXECUTE ('
CREATE DATABASE [AccessManager]
 CONTAINMENT = NONE
 ON  PRIMARY 
( NAME = N''AccessManager'', FILENAME = "' + @data_path + 'AccessManager.mdf", SIZE = 1048576KB , FILEGROWTH = 131072KB )
 LOG ON 
( NAME = N''AccessManager_log'', FILENAME = "' + @data_path + 'AccessManager.ldf", SIZE = 524288KB , FILEGROWTH = 65536KB )
')

GO
USE [AccessManager]

CREATE USER [svc-lithnetams] FOR LOGIN [svc-lithnetams]
EXEC sp_addrolemember 'db_owner', 'svc-lithnetams';
  1. Using the connecting string template below, modify the Server, User ID and Password variables to match the RDS endpoint and service credentials you created

Server=tcp:amsdb.xxxxx.us-east-1.rds.amazonaws.com,1433;Initial Catalog=AccessManager;Persist Security Info=False;User ID=svc-lithnetams;Password=your-password-here;MultipleActiveResultSets=False;Connection Timeout=30;
  1. Once these steps are complete, you can run the AMS installer, and provide the connection string when prompted.

Security considerations

It is important to secure access to your database. It contains information used by computers to authenticate to the AMS directory, as well as their group membership.

We recommend that if possible, the database server is kept dedicated for Access Manager, and not shared with other applications. Administrators of the database server should be restricted to AMS admins only.

download the SQL Express installer