Use a certificate for an external IDP in a cluster environment
When you install XProtect in a single-server environment, the Identity Provider configuration data is protected using the Data Protection API (DPAPI). DPAPI keys are bound to the local machine and user account, so data protected on one node cannot be decrypted on another. If you set up the management server in a cluster, you must therefore protect the Identity Provider configuration data with a certificate that is present on every node, and make the Identity Provider configuration identical on all nodes.
Before you start, you must complete the following configuration:
- Import your server certificate, including its private key, to the Personal store of the user running the Management Server service.
- Grant the user running the Management Server service Read permission on the private key of the server certificate.
- Ensure that the root certificate that issued the server certificate is imported to the Trusted Root Certification Authorities store of that user's certificate store.
- If you use a self-signed certificate, you must also add it to the Trusted Root Certification Authorities store on the local computer.
To set up data protection for the certificate that the VMS services on the nodes use, go to a node and complete the following steps:
1. Retrieve the thumbprint of the certificate that the IDP application pools and the Management Server service use. See How to: Retrieve the Thumbprint of a Certificate.
2. Locate the appsettings.json file in the installation path of the Identity Provider ([Install path]\Milestone\XProtect Management Server\IIS\IDP).
3. In the DataProtectionSettings section, set the thumbprint of the certificate that the IDP application pools and the Management Server service use:
   "DataProtectionSettings": {
     "ProtectKeysWithCertificate": {
       "Thumbprint": "[thumbprint]"
     }
   },
4. Repeat steps 2 and 3 on the remaining management server nodes, using the same certificate and thumbprint. The certificate must be installed on every node as described in the prerequisites; a thumbprint that refers to a certificate missing on a node leaves that node unable to decrypt the protected configuration.
5. Trigger a node failover to ensure that the certificate setup is correct on the other node.
6. Log in again to XProtect Management Client and apply the external provider configuration. If the configuration has already been applied, you must re-enter the client secret from the external IDP in XProtect Management Client, because the secret stored under the previous protection can no longer be read.
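The following PowerShell script is an added example, not a Milestone script, that performs steps 1 to 3 on one node and checks the prerequisites on the way: it normalises the thumbprint, confirms that the certificate with its private key is in the Personal store of the account running it, validates the chain against the Trusted Root Certification Authorities store, and writes the thumbprint into appsettings.json. Run it in an elevated session as the user that runs the Management Server service, once on each node (step 4). The script name, the parameter names and the default installation path are assumptions; adjust the path if XProtect is installed elsewhere.

```powershell
# Set-IdpThumbprint.ps1 (added example, not part of the XProtect product).
# Usage (on each node, as the Management Server service account):
#   .\Set-IdpThumbprint.ps1 -Thumbprint '<thumbprint from step 1>'
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    # Assumed default install path; change if your [Install path] differs.
    [string] $IdpPath = 'C:\Program Files\Milestone\XProtect Management Server\IIS\IDP'
)

# Thumbprints copied from the certificates MMC snap-in often carry spaces and a hidden
# left-to-right mark (U+200E); strip everything that is not hex and normalise case.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters after cleanup, got '$Thumbprint'"
}

# Prerequisite: certificate and private key in the Personal store of the service account.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My for user $env:USERNAME"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; key protection would fail on this node"
}

# Prerequisite: the chain must validate against the Trusted Root Certification Authorities
# store (the issuing root CA, or the self-signed certificate itself, must be trusted).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate chain does not validate ($status); import the issuing root CA into Trusted Root Certification Authorities"
}

# Step 2: locate appsettings.json and keep a backup before editing it.
$settingsFile = Join-Path $IdpPath 'appsettings.json'
if (-not (Test-Path $settingsFile)) {
    throw "appsettings.json not found at $settingsFile"
}
Copy-Item -Path $settingsFile -Destination "$settingsFile.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"

# Step 3: set DataProtectionSettings.ProtectKeysWithCertificate.Thumbprint, leaving all
# other settings in the file untouched.
$settings = Get-Content -Path $settingsFile -Raw | ConvertFrom-Json
if (-not $settings.DataProtectionSettings) {
    $settings | Add-Member -MemberType NoteProperty -Name DataProtectionSettings -Value ([pscustomobject]@{})
}
if (-not $settings.DataProtectionSettings.ProtectKeysWithCertificate) {
    $settings.DataProtectionSettings | Add-Member -MemberType NoteProperty -Name ProtectKeysWithCertificate -Value ([pscustomobject]@{})
}
$settings.DataProtectionSettings.ProtectKeysWithCertificate |
    Add-Member -MemberType NoteProperty -Name Thumbprint -Value $Thumbprint -Force

# ConvertTo-Json truncates nested objects beyond its default depth of 2; use a larger depth.
$settings | ConvertTo-Json -Depth 32 | Set-Content -Path $settingsFile -Encoding UTF8
Write-Host "Wrote thumbprint $Thumbprint to $settingsFile on $env:COMPUTERNAME"
```

After running the script on every node, compare the resulting files (for example with Get-FileHash on each node) so that the DataProtectionSettings section really is identical before you trigger the failover in step 5. The chain check runs with revocation checking disabled because the purpose here is only to confirm that the root is trusted on this node; it does not replace the normal revocation checks the services perform.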
If you encounter any issues, check the Identity Provider log file for more information. The system stores the file at C:\ProgramData\Milestone\Identity Provider\Logs\Idp.log.