Install in a cluster

Before you install in a cluster, see Multiple management servers (clustering) (explained) and Requirements for clustering.

Descriptions and illustrations might differ from what you see on your screen.

Install the management server:

  1. Install the management server and all its subcomponents on the first server in the cluster.

    The management server must be installed with a specific user and not as a network service. This requires that you use the Custom install option. Also, the specific user must have access to the shared network drive and preferably a non-expiry password.

Configure the Management Server service as a generic service in the failover cluster:

This example applies to Microsoft Windows Server 2012. The process may vary on other Windows versions.

  1. On the last server on which you have installed the management server, go to Start > Administrative Tools, open Windows' Failover Cluster Management. In the Failover Cluster Management window, expand your cluster, right-click Services and Applications, and select Configure a Service or Application.

    Failover Cluster Management window in Microsoft Windows Server 2012.

  2. In the High Availability dialog box click Next.
  3. Select Generic Service and click Next.
  4. Do not specify anything on the third page of the dialog box and click Next.
  5. Select the Milestone XProtect Management Server service, click Next. Specify the name (host name of the cluster) that clients use when accessing the service, click Next.
  6. No storage is required for the service, click Next. No registry settings should be replicated, click Next. Verify that the cluster service is configured according to your needs, click Next. The management server is now configured as a generic service in the failover cluster. Click Finish.
  7. In the cluster setup, the event server and the Data Collector should be set as a dependent service of the management server, so the event server stops when the management server is stopped.
  8. To add the Milestone XProtect Event Server service as a resource to the Milestone XProtect Management Server Cluster service, right-click the cluster service and click Add a resource > 4 - Generic Service and select Milestone XProtect Event Server.

Update the cluster URL:

When doing configuration changes, on the Microsoft Failover Cluster Manager, pause the control and monitoring of the service so the Server Configurator can make the changes and start and/or stop the Management Server service. If you change the failover cluster service startup type to manual, it should not result in any conflicts with the Server Configurator.

On the Management Server computers:

  1. Start the Server Configurator on each of the computers that have a management server installed.
  2. Go to the Registration page.
  3. Click the pencil () symbol to make management server address editable.
  4. Change the management server address to the URL of the cluster, for example http://MyCluster.
  5. Click Register.

On computers that have components that use the Management Server (for example, Recording Server, Mobile Server, Event Server, API Gateway):

  1. Start the Server Configurator on each of the computers.
  2. Go to the Registration page.
  3. Change the management server address to the URL of the cluster, for example http://MyCluster.
  4. Click Register.

Use a certificate for an external IDP in a cluster environment

When you install XProtect in a single-server environment, the external IDP configuration data is protected using Data Protection API (DPAPI). If you set up the management server in a cluster, the external IDP configuration data must be protected with a certificate to ensure fluent node failover.

For more information about how to generate a certificate, see The Milestone guide about certificates.

You must import the certificate to the personal certificate store and make the certificate trusted on the computer.

To set up the data protection you must add the thumbprint of the certificate to the Identity Provider configuration.

  1. Import the certificate to the personal certificate store and ensure that:

    • the certificate is valid

    • the Identity Provider app pool (IDP) account has permissions to the certificate private key.

    For more information about how to verify if the account has permissions to the certificate private key, see The Milestone guide about certificates.

  2. Locate the appsettings.json file in the installation path of the Identity Provider (“[Install path]\Milestone\XProtectManagement Server\IIS\Identity Provider”).

  3. Set the certificate thumbprint in the section:

    4. "DataProtectionSettings": {
    "ProtectKeysWithCertificate": {
    "Thumbprint": ""
    }
    },

  1. Repeat step 3 on all management server nodes.

  2. Enforce a node failover to ensure that the certificate setup is correct.

  3. Log in again using the management client and apply the external provider configuration. If the configuration is already applied, you must re-enter the client secret from the external IDP in the management client.

Troubleshooting errors when an external IDP configuration is protected with a certificate

Invalid certificate/expired certificate

If the configured thumbprint certificate represents a certificate that is not trusted or has expired, the Identity Provider cannot start. The Identity Provider log (C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log) will clearly state if the certificate is invalid.

Solution:

Make sure that the certificate is valid and trusted on the computer.

Missing permissions to certificate private keys

The Identity Provider cannot protect data without permissions to the private keys. If the Identity Provider does not have the permission, the following error message is written to the log file of the Identity Provider (C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log):

ERROR- An exception occurred while processing the key element ‘<key id=”[installation specific]” version=”1” />’. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist

Solution:

Make sure the Identity Provider app pool (IDP) account has permissions to the certificate private keys.

Check permissions to a certificate private key:

  1. Select Start on the Windows task bar and open the Manage computer certificates tool (certlm.msc).

  2. Navigate to the personal certificate store and find the certificate that is used for the encryption.

  3. Right-click on the certificate, and select All Tasks > Manage Private Keys.

  4. Under Permissions for, ensure that the Identity Provider app pool (IDP) account has read permissions.