Access Manager Service
Last updated
Was this helpful?
Last updated
Was this helpful?
In order to install the Access Manager Service, the following prerequisites must be met;
Windows Server 2012 R2 or later
3.1.4 or later installed
3.1.4 or later installed
An SSL certificate for the AMS web site
The Access Manger Service needs to run under the context of a domain user account. We strongly recommend using a group-managed service account for this purpose. which includes a script to get you up and running quickly.
Do not grant any specific permissions to this account and most certainly don't add it to super-privileged groups like Domain Administrators. As you go through the setup process, you'll be given scripts to delegate permissions specific to the functionality you want to enable.
Determine the host name you will use to access AMS and request an SSL certificate from your certificate provider. Install the certificate in the 'personal' store of the local computer.
Download the latest version from the page.
Download and install the , or if your server has internet access you can let the installer download and install these for you
Run the AMS installation package. Follow the prompts to install the application and provide the service account created in step 1 when prompted.
Run the Access Manager Service configuration tool. You'll be prompted to set up the web host.
Click the Select from store...
button and select the certificate you installed in step 2.
Validate that the ports are correct, and click File
, then Save
.
AMS supports several different authentication providers. Read the guide on configuring authentication and choose an authentication provider. We strongly recommend using a modern authentication provider that supports strong authentication and can enforce multi-factor authentication. While integrated windows authentication is provided, we recommend you only use this for testing purposes.
The following pages will guide you through the process of configuring the relevant authentication provider for use with Access Manager.
Configure the user interface as per your organization's requirements. You can customize the name of the application, provide your own logo and even provide some custom policy text for the access request page.
You'll need to configure an outbound mail server in order to receive audit alerts via email.
In order to ensure that your service is not used inappropriately, you can place limits of the number of requests a user can make in a given time. You should set these high enough that your users are not going to encounter rate limit issues under normal usage, but low enough to limit the impact of inappropriate or malicious usage of the service.
If you put AMS behind a reverse proxy or load balancer, you'll need to configure IP address detection. This is to ensure that AMS logs the correct IP address in audit logs, and applies rate limiting correctly.
From the Active Directory
tab, check that the AMS service account is a member of the Windows Authorization Access Group
and Access Control Assistance Operators
built-in groups within each domain. This is required for the AMS service account to be able to calculate access permissions for users and computers within these domains.
You will need to restart the service to pick up the new group membership in the local domain.
Don't worry about the schema section at this stage, if you need to deploy any schema changes the appropriate feature guide will direct you to do so.
AMS has a powerful auditing engine that allows you to receive notifications when access is granted or denied to a user. AMS logs audit events to the Windows event log all the time, but you can also send audit events via email, through a custom PowerShell script, or even to Slack or Microsoft Teams using a web hook.
Now that you have the core application set up, you can configure the Access Manager features you are interested in;