How to Configure the MBAM 2.5 Web Applications
Applies to: Microsoft BitLocker Administration and Monitoring 2.5
This topic explains how to configure the web applications for the recommended High-Level Architecture for MBAM 2.5 by using one of the following methods:
A Windows PowerShell cmdlet
The MBAM Server Configuration wizard
The web applications comprise the following websites and their corresponding web services:
Website | Description |
---|---|
Administration and Monitoring Website | Website where specified users can view reports and help end users recover their computers when they forget their PIN or password |
Self-Service Portal | Website that end users can access to independently regain access to their computers if they forget their PIN or password |
Before you start the configuration:
Step | Where to get instructions |
---|---|
Review the recommended architecture for MBAM. | |
Review the supported configurations for MBAM. | |
Complete the required prerequisites on each server. Note: Ensure that you configure SQL Server Reporting Services (SSRS) to use the Secure Sockets Layer (SSL) before you configure the Administration and Monitoring Website. Otherwise, the Reports feature will use HTTP instead of HTTPS. | |
Register service principal names (SPNs) for the application pool account for the websites. You need to do this step only if you do not have administrative domain rights in Active Directory Domain Services (AD DS). If you do have these rights in AD DS, MBAM will create the SPNs for you. | |
Install the MBAM Server software on each server where you will configure an MBAM Server feature. Note: If you plan to install the websites on one server and the web services on another, you will be able to configure them only by using the Enable-MbamWebApplication Windows PowerShell cmdlet. The MBAM Server Configuration wizard does not support configuring these items on separate servers. | |
Review the prerequisites for using Windows PowerShell if you plan to use cmdlets to configure MBAM Server features. | Configuring MBAM 2.5 Server Features by Using Windows PowerShell |
To configure the web applications by using Windows PowerShell
Before you start the configuration, see Configuring MBAM 2.5 Server Features by Using Windows PowerShell to review the prerequisites for using Windows PowerShell.
Use the Enable-MbamWebApplication cmdlet to configure the web applications by using Windows PowerShell. To get information about this cmdlet, type Get-Help Enable-MbamWebApplication.
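The following script is an added example of a scripted run of Enable-MbamWebApplication; it is not taken from this page or from the MBAM product documentation. The host name, SQL Server instance, group names, application pool account and certificate thumbprint are constructed placeholders, and the two database names are the product defaults. The parameter names used here (-AgentService, -AdministrationPortal, -SelfServicePortal, -WebServiceApplicationPoolCredential, -ComplianceAndAuditDBConnectionString, -RecoveryDBConnectionString, -HostName, -Port, -CertificateThumbprint, -HelpdeskAdminsGroupName, -HelpdeskUsersGroupName, -ReportsReadOnlyAccessGroupName, -ReportUrl and -VirtualDirectory) are assumed from the cmdlet as shipped with MBAM 2.5 and should be confirmed with Get-Help Enable-MbamWebApplication -Full before use. The calls are split per feature, which is what allows the web services and the websites to land on different servers, as the note above describes.

```powershell
# Added example (not from the page): enable the MBAM 2.5 web applications with
# Enable-MbamWebApplication. All names below are constructed placeholders;
# confirm parameter names with: Get-Help Enable-MbamWebApplication -Full

# Application pool identity. Prompting keeps the password out of the script
# and out of the PowerShell history.
$appPoolCred = Get-Credential -UserName 'CONTOSO\svc-mbam-apppool' `
    -Message 'MBAM web service application pool account'

# Connection strings for the two databases the web applications use.
# Integrated Security=SSPI keeps SQL credentials out of the configuration.
$sqlInstance  = 'SQL01.contoso.com\MBAM'                    # placeholder
$complianceDb = "Integrated Security=SSPI;Data Source=$sqlInstance;Initial Catalog=MBAM Compliance Status"
$recoveryDb   = "Integrated Security=SSPI;Data Source=$sqlInstance;Initial Catalog=MBAM Recovery and Hardware"

# Thumbprint of a server certificate already present in the local machine
# store. Leaving -CertificateThumbprint out publishes the sites over HTTP.
$thumbprint = '0000000000000000000000000000000000000000'     # placeholder

# Settings shared by every feature; splatted into each call below.
$common = @{
    ComplianceAndAuditDBConnectionString = $complianceDb
    RecoveryDBConnectionString           = $recoveryDb
    WebServiceApplicationPoolCredential  = $appPoolCred
    HostName                             = 'mbam.contoso.com'    # placeholder
    Port                                 = 443
    CertificateThumbprint                = $thumbprint
}

# 1. The web services (Agent Services) that the MBAM Client talks to.
Enable-MbamWebApplication -AgentService @common

# 2. Administration and Monitoring Website. The SSRS URL must be HTTPS, or the
#    Reports feature falls back to HTTP (see the prerequisites table above).
Enable-MbamWebApplication -AdministrationPortal @common `
    -HelpdeskAdminsGroupName        'CONTOSO\MBAM Advanced Helpdesk' `
    -HelpdeskUsersGroupName         'CONTOSO\MBAM Helpdesk' `
    -ReportsReadOnlyAccessGroupName 'CONTOSO\MBAM Report Readers' `
    -ReportUrl                      'https://ssrs01.contoso.com/ReportServer' `
    -VirtualDirectory               'HelpDesk'

# 3. Self-Service Portal under its default virtual directory.
Enable-MbamWebApplication -SelfServicePortal @common `
    -VirtualDirectory 'SelfService'
```

Run the script on the server that will host each feature; when the web services live on a separate server from the websites, run only the matching call there, with the same $common values so that all features share one application pool identity.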
To configure the settings for all web applications using the wizard
On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select MBAM Server Configuration from the Start menu to open the wizard.
Click Add New Features, select Administration and Monitoring Website and Self-Service Portal, and then click Next. The wizard checks that all prerequisites for the web applications have been met.
If the prerequisite check is successful, click Next to continue. Otherwise, resolve any missing prerequisites, and then click Check prerequisites again.
Use the following descriptions to enter the field values in the wizard.
Field | Description |
---|---|
Security certificate | Select a previously created certificate to optionally encrypt the communication between the web services and the server on which you are configuring the Administration and Monitoring Website. If you choose Do not use a certificate, your web communication may not be secure. |
Host name | Name of the host computer where you are configuring the Administration and Monitoring Website. |
Installation path | Path where you are installing the Administration and Monitoring Website. |
Port | Port number to use for website communication. Note: You must set a firewall exception to enable communication through the specified port. |
Web service application pool domain account and password | Domain user account and password for the web service application pool. If you enter a user name in the Read/write access domain user or group field on the Configure Databases page, you must enter that same value in this field. If you enter a group name in the Read/write access domain user or group field on the Configure Databases page, the value you enter in this field must be a member of that group. If you do not specify credentials, the credentials that were specified for any previously enabled web application will be used. All web applications must use the same application pool credentials. If you specify different credentials for different web applications, the most recently specified value will be used. |
Important
For improved security, set the account that is specified in the application pool credentials to have limited user rights. Also, set the password of the account to never expire.
Verify that the built-in IIS_IUSRS account or the application pool account has been added to the Impersonate a client after authentication and the Log on as a batch job local security settings.
To check whether it has been added to the local security settings, open the Local Security Policy editor, expand the Local Policies node, click the User Rights Assignment node, and double-click the Impersonate a client after authentication and Log on as a batch job policies in the right pane.
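The same check can be scripted, which is useful when several web servers have to be verified. The script below is an added example and not part of the page or of MBAM; it exports the local User Rights Assignment with secedit.exe (a built-in Windows tool) and looks for the built-in IIS_IUSRS group (well-known SID S-1-5-32-568) or the application pool account in the two rights the note requires. The account name is a constructed placeholder; run the script from an elevated prompt on the web server.

```powershell
# Added example (not from the page): verify the "Impersonate a client after
# authentication" and "Log on as a batch job" rights without the GUI editor.
# Run elevated. The account name is a constructed placeholder.

$appPoolAccount = 'CONTOSO\svc-mbam-apppool'   # placeholder identity
$iisIusrsSid    = 'S-1-5-32-568'               # well-known SID of BUILTIN\IIS_IUSRS

# Policy constant -> display name shown under User Rights Assignment.
$requiredRights = @{
    SeImpersonatePrivilege = 'Impersonate a client after authentication'
    SeBatchLogonRight      = 'Log on as a batch job'
}

function Get-LocalUserRights {
    # Export the [Privilege Rights] section with secedit and return a
    # hashtable: right name -> array of holders. secedit writes well-known
    # principals as *SID; the leading '*' is stripped so SIDs compare cleanly.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
                $rights[$Matches[1]] = @($Matches[2].Split(',') |
                    ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        return $rights
    }
    finally {
        # The export contains the whole rights assignment; do not leave it behind.
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Resolve-Sid([string]$Account) {
    # Translate DOMAIN\name to its SID; $null when the name cannot be resolved
    # (for example, when the server is not joined to that domain).
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch { return $null }
}

$appPoolSid = Resolve-Sid $appPoolAccount
$rights     = Get-LocalUserRights

# One result row per required right: granted if IIS_IUSRS or the application
# pool account (by SID or by name) holds it.
foreach ($right in $requiredRights.Keys) {
    $holders = @($rights[$right])
    $granted = (
        ($holders -contains $iisIusrsSid) -or
        ($holders -contains $appPoolSid) -or
        ($holders -contains $appPoolAccount)
    )
    [pscustomobject]@{
        Right   = $requiredRights[$right]
        Granted = $granted
        Holders = ($holders -join ', ')
    }
}
```

A row with Granted set to False means the right has to be added through the Local Security Policy editor (or the equivalent Group Policy setting) before the application pool can impersonate callers and run scheduled work.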
To configure connection information for the databases by using the wizard
Use the following field descriptions to configure the connection information in the wizard for the Compliance and Audit Database.
Field | Description |
---|---|
SQL Server name | Name of the server where the Compliance and Audit Database is configured. |
SQL Server database instance | SQL Server instance name (for example, <ServerName>) where the Compliance and Audit Database is configured. |
Database name | Name of the Compliance and Audit Database. |
Use the following field descriptions to configure the connection information in the wizard for the Recovery Database.
Field | Description |
---|---|
SQL Server name | Name of the server where the Recovery Database is configured. |
SQL Server database instance | SQL Server instance name (for example, <ServerName>) where the Recovery Database is configured. |
Database name | Name of the Recovery Database. |
To configure the web applications by using the wizard
Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website.
Field | Description |
---|---|
Advanced Helpdesk role domain group | Domain user group whose members have access to all areas of the Administration and Monitoring Website except the Reports area. |
Helpdesk role domain group | Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website. |
Use System Center Configuration Manager Integration | Select this check box if you are configuring MBAM with the Configuration Manager Integration topology. Selecting this check box makes all reports, except the Recovery Audit report, appear in Configuration Manager instead of in the Administration and Monitoring Website. |
Reporting role domain group | Domain user group whose members have read-only access to the Reports area of the Administration and Monitoring Website. |
SQL Server Reporting Services URL | URL for the SSRS server where the MBAM Reports are configured. Examples of host names are listed in the next table. |
Virtual directory | Virtual directory of the Administration and Monitoring Website. This name corresponds to the website's physical directory on the server and is appended to the website's host name, for example: http(s)://<hostname>:<port>/HelpDesk/ If you do not specify a virtual directory, the value HelpDesk will be used. |
Examples of host names for the SQL Server Reporting Services URL:
Type of host name | Example |
---|---|
Example of a fully qualified domain name | https://MyReportServer.Contoso.com/ReportServer |
Example of a custom host name | https://MyReportServer/ReportServer |
Use the following description to enter the field values in the wizard to configure the Self-Service Portal.
Field | Description |
---|---|
Virtual directory | Virtual directory of the web application. This name corresponds to the website's physical directory on the server and is appended to the website's host name, for example: http(s)://<hostname>:<port>/SelfService/ If you do not specify a virtual directory, the value SelfService will be used. |
When you finish your entries, click Next.
The wizard checks that all prerequisites for the web applications have been met.
Click Next to continue.
On the Summary page, review the features that will be added.
Note
To create a Windows PowerShell script for the entries you made, click Export PowerShell Script and save the script.
Click Add to add the web applications to the server, and then click Close.
To customize the Self-Service Portal by adding custom notice text, your company name, pointers to more information, and so on, see Customizing the Self-Service Portal for Your Organization.
To configure the Self-Service Portal if client computers cannot access the CDN
Determine if your client computers have access to the Microsoft Ajax Content Delivery Network (CDN).
The CDN gives the Self-Service Portal the access it requires to certain JavaScript files. If you don’t configure the Self-Service Portal when client computers cannot access the CDN, only the company name and the account under which the end user signed in will be displayed. No error message will be shown.
Do one of the following:
If your client computers have access to the CDN, do nothing. Your Self-Service Portal configuration is complete.
If your client computers do not have access to the CDN, complete the steps in How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network.
See also
Tasks
Server Event Logs
Validating the MBAM 2.5 Server Feature Configuration
Other resources
Configuring the MBAM 2.5 Server Features
Customizing the Self-Service Portal for Your Organization