Introduction

TickStream.KeyID Server consists of the communication, computation and storage components needed to authenticate users by their typing behavior using TickStream.

System Requirements

Installing TickStream software on-premises requires at least one physical or virtual server running:

  • Microsoft Windows Server 2008 R2 (or greater)
  • Internet Information Services (IIS)
  • Microsoft SQL Server 2008 R2 (or greater) with SQL Authentication enabled
  • SYSADMIN SQL Server credentials

It is recommended that your SQL Server installation have sufficient memory, CPU performance and disk throughput. It is also recommended that your SQL Server installation meet the availability requirements of your application (using technologies such as database mirroring, clustering or availability groups).

It is recommended that your web service server(s) have sufficient memory and CPU performance. It is also recommended that your web service server(s) meet the availability requirements of your application (using hardware or software load balancing).

It is recommended that you be able to create an internal DNS record to point to the KeyID web service, e.g. keyidservices.yourdomain.local.

Setup Wizard

  1. Download the TickStream.KeyID Server setup package using the link provided to you.
  2. Run the setup package from the intended web service server. Press the ‘Next’ button when the welcome screen appears.
  3. Accept the licensing agreement. Press the ‘Next’ button to continue.
  4. Choose the path to install the TickStream.KeyID files. Press the ‘Next’ button to continue.
  5. Select the components you want to install and configure. Press the ‘Next’ button to continue.
  6. Enter the TCP/IP address of the SQL server where you intend to store the TickStream.KeyID database. By default a SQL login will be created with the username ‘keyid’ and a randomly generated password. This account will be used for communication between the web service and the database. Make a note of the password in a safe place for future installations. Press the ‘Next’ button to continue.
  7. Enter the hostname (FQDN) that will point to the KeyID web service, e.g. keyidservices.yourdomain.local. This address should be added to DNS or be resolvable through system hosts file entries. Enter the TCP port that the web services will run on (default 80). This step will configure the site bindings in IIS. Press the ‘Next’ button to continue.
  8. Provide SQL Server credentials that have SYSADMIN rights to the SQL server. If you are logged in as a Windows user that has permissions, you may select ‘Windows authentication’. Otherwise, select ‘SQL Server authentication’ and provide a username and password. Press the ‘Next’ button to continue and test connectivity to the server.
  9. You should be presented with the following dialog if the SQL server connection is successful. Press the ‘OK’ button.
  10. Press the ‘Install’ button to start installation and wait while installation is completed.
  11. Press the ‘Finish’ button to complete setup.
  12. Test the installation by opening an internet browser and accessing the page http://keyidservices.yourdomain.local/operations.asmx. Replace ‘keyidservices.yourdomain.local’ with the hostname (FQDN) entered in step 7. Click the ‘TestConnection’ link near the bottom of the page.
  13. Enter your license key (redacted) into the textbox and press ‘Invoke’.
  14. If installation is successful, you should see the following page returned.

Configuring SSL

The KeyID Server and its clients can communicate with each other using HTTP or HTTPS (SSL encryption). By default, the TickStream KeyID Server installation package configures HTTP bindings for each of the webservices in Internet Information Services (IIS).

To configure SSL encryption:

  • Obtain a valid SSL certificate from a trusted 3rd party or enterprise certificate authority.
  • Install the certificate on the system hosting TickStream KeyID Server webservices.
  • Create HTTPS bindings using TCP port 443 for each TickStream KeyID Server webservice.
  • Ensure HTTPS traffic is allowed through any local or intervening firewall services (e.g. Windows Firewall).
  • Specify https:// webservice URLs when installing the Winlogon, ADFS or F5 clients.
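
The binding, certificate and firewall steps above, scripted in PowerShell for one IIS site. This is an added example, not part of the TickStream documentation; the site name and the certificate thumbprint are placeholders (assumptions), and the certificate is assumed to be installed already in the LocalMachine\My store.

```powershell
# Added example: HTTPS binding for one KeyID web service site.
# Assumptions: $SiteName and $Thumbprint are placeholders to replace with your
# own values; the certificate is already installed in LocalMachine\My.
Import-Module WebAdministration

$SiteName   = 'KeyID Services'                   # hypothetical IIS site name
$HostName   = 'keyidservices.yourdomain.local'   # FQDN entered in the setup wizard
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'         # placeholder

# Refuse to bind a certificate that is missing, has no private key,
# or is outside its validity period.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $Thumbprint is outside its validity period."
}

# Create the HTTPS binding on TCP 443 if the site does not have it yet.
$bindingInfo = "*:443:$HostName"
$binding = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq $bindingInfo }
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $HostName
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq $bindingInfo }
}

# Attach the certificate unless the binding already has one ('My' = Personal store).
if (-not $binding.certificateHash) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Allow inbound HTTPS through Windows Firewall.
netsh advfirewall firewall add rule name="KeyID HTTPS (TCP 443)" dir=in action=allow protocol=TCP localport=443

# Request the test page over HTTPS; this throws if the certificate is not
# trusted by this machine or does not match $HostName.
(New-Object System.Net.WebClient).DownloadString("https://$HostName/operations.asmx") | Out-Null
```

Repeat for each KeyID web service site. The installer's HTTP binding is left in place by this script, so clients still need to be given https:// URLs as described in the last step.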

High Availability

The KeyID web services and database must be available for authentications to complete. Please evaluate your organization's needs carefully to ensure uninterrupted operation.

All KeyID web service operations are atomic, allowing the web services to be deployed across multiple IIS servers to increase availability and throughput. A load balancer is recommended to distribute incoming connections and handle servers that become unavailable. Round robin DNS can be used to distribute incoming connections, but may not provide availability if a balanced server is offline.

The KeyID database may be deployed using any of Microsoft SQL Server's supported availability methods which are detailed here: https://msdn.microsoft.com/en-us/ms190202.aspx.

For simple deployments, we recommend database mirroring with a witness server to provide cost-effective high availability. Please note that database mirroring may be unavailable in upcoming releases of SQL Server. To implement database mirroring, the database connection string located in the KeyID web.config file must contain a failover partner address. For example:
<configuration><appSettings><add key="ConnectionString" value="DATA SOURCE=sql1;FAILOVER PARTNER=sql2;....
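
A PowerShell check that a KeyID web.config actually carries the failover partner, useful when the web services run on several IIS servers that must all agree. This is an added example, not TickStream code; the function name and the sample file are constructed (sql1/sql2 follow the example above, the database name and password are made up).

```powershell
# Added example. Test-KeyIdMirroringConfig is a hypothetical helper name.
Add-Type -AssemblyName System.Data

function Test-KeyIdMirroringConfig {
    param([string]$WebConfigPath)

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load((Resolve-Path -LiteralPath $WebConfigPath).ProviderPath)
    $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='ConnectionString']")
    if (-not $node) { return ,@('no ConnectionString appSetting found') }

    # The builder parses keywords case-insensitively and handles quoted values.
    $csb = New-Object System.Data.Common.DbConnectionStringBuilder
    $csb.set_ConnectionString($node.GetAttribute('value'))

    # Return the value of the first keyword synonym present, or nothing.
    function Get-First([string[]]$Keys) {
        foreach ($k in $Keys) { if ($csb.ContainsKey($k)) { return [string]$csb[$k] } }
    }
    $primary = Get-First 'Data Source','Server','Address','Addr','Network Address'
    $partner = Get-First 'Failover Partner'
    $catalog = Get-First 'Initial Catalog','Database'

    $findings = @()
    if (-not $partner) {
        $findings += 'no FAILOVER PARTNER keyword in the connection string'
    } elseif ($partner -eq $primary) {
        $findings += 'FAILOVER PARTNER is the same server as DATA SOURCE'
    }
    # SqlClient rejects a failover partner when no database name is given.
    if ($partner -and -not $catalog) {
        $findings += 'FAILOVER PARTNER set without INITIAL CATALOG / DATABASE'
    }
    return ,$findings
}

# Constructed sample file; only sql1, sql2 and the keyid login come from the page.
$sample = @'
<configuration><appSettings>
  <add key="ConnectionString" value="DATA SOURCE=sql1;FAILOVER PARTNER=sql2;INITIAL CATALOG=KeyID_Sample;USER ID=keyid;PASSWORD=example-only" />
</appSettings></configuration>
'@
$path = Join-Path $env:TEMP 'keyid-sample-web.config'
Set-Content -LiteralPath $path -Value $sample
Test-KeyIdMirroringConfig -WebConfigPath $path
```

The function returns an array of findings, empty when the connection string names a distinct failover partner and a database.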

Backups

The KeyID database should be backed up appropriately. You may use any backup methodology supported by Microsoft SQL Server. We recommend making frequent transaction log backups so that in the event of a recovery scenario, KeyID profiles can be restored with the freshest data possible.