WorkPlace Enterprise Installation/Upgrade Guide Designed for WorkPlace 2016 and Greater (v16.00+) Paramount Technologies Inc. 1374 East West Maple Road Walled Lake, MI 48390-3765 Phone 248.960.0909 • Fax 248.960.1919 www.ParamountWorkPlace.com


W O R K P L A C E I N S T A L L A T I O N G U I D E

Copyright

Copyright © 2016 Paramount Technologies. All rights reserved.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Paramount Technologies. Notwithstanding the foregoing, the licensee of the software with which this document was provided may make a reasonable number of copies of this document solely for internal use.

Trademarks

WorkPlace is a registered trademark of Paramount Technologies and is registered in the United States and other countries. Microsoft, Windows, Windows Server and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation or its affiliates in the United States and/or other countries.

The names of actual companies and products mentioned herein may be trademarks or registered marks - in the United States and/or other countries - of their respective owners. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Intellectual property

Paramount may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Paramount, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Warranty disclaimer

Paramount Technologies disclaims any warranty regarding the sample code contained in this documentation, including the warranties of merchantability and fitness for a particular purpose.

Limitation of liability

The content of this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Paramount Technologies. Paramount Technologies assumes no responsibility or liability for any errors or inaccuracies that may appear in this manual. Neither Paramount Technologies nor anyone else who has been involved in the creation, production or delivery of this documentation shall be liable for any indirect, incidental, special, exemplary or consequential damages, including but not limited to any loss of anticipated profit or benefits, resulting from the use of this documentation or sample code.

License agreement

Use of this product is covered by a license agreement provided with the software product. If you have any questions, please call the Paramount Technologies Support at 800.725.4408 (in the U.S. or Canada) or +1.800.725.4408.

Publication date

July 2016


Contents

PART 1: INTRODUCTION
  Product Overview
  What’s in this manual
  Symbols
  Before you contact support
PART 2: PREPARATION
  Chapter 1: Three-Tiered Operating Environment
    Web Client System Requirements
  Chapter 2: Web Server Recommendations
  Chapter 3: Database Server Recommendations
  Chapter 4: User Logins and Passwords
    User Authentication Options
    Authentication Planning
  Chapter 5: Requesting a WorkPlace License
    Step 1: Generate the Info File
    Step 2: License Request Form
    Step 3: Submit Request
    Step 4: Loading the License Certificate
  Chapter 6: Pre-Installation Checklist
PART 3: WORKPLACE ENTERPRISE INSTALLATION
  Chapter 7: Create Enterprise SQL Databases
  Chapter 8: The WorkPlace Installation Wizard
  Chapter 9: SQL Objects Installation
  Chapter 10: Scripting the Database Objects
  Chapter 11: Web Objects Installation
  Chapter 12: Optional Windows Components
  Chapter 13: Configuring your WorkPlace Website
    Creating the Application Folder / Virtual Directory – Windows 2008
    Creating the Virtual Directory – Windows 2003
PART 4: ADDITIONAL SYSTEM CONFIGURATION
  Chapter 14: Session User Setup
    Configuring using SQL Account
    Configuring using NT Pass-through
  Chapter 15: Specifying SQL Server Housing Company Databases
  Chapter 16: Configuring User Authentication
    SSO – Single Sign On Authentication
    SQL Authentication
    SQLSHARED Authentication
    Active Directory / NT Authentication
    Active Directory / NTSHARED Authentication
    Forms Authentication
    Application Authentication
  Chapter 17: Administrative User
    SSO Setup
  Chapter 18: Crystal Report SQL User Account
  Chapter 19: RFQ Vendor User
  Chapter 20: Date Format
  Chapter 21: Session Timeout
  Chapter 22: Language Engine
  Chapter 23: Web Server Folder Security
PART 5: LOGGING INTO WORKPLACE
  Chapter 24: Your WorkPlace URL
APPENDIX A: WP AGENT UTILITY
  Uses
  Configuration
APPENDIX B: NOTES ON UPGRADING
  Upgrading from Previous WorkPlace Versions
  General Notes
APPENDIX C: UN-INSTALLING WORKPLACE
  Remove the installed Web Objects
  Removing the installed SQL Databases
  Removing the installed Optional Windows Components
APPENDIX D: ENCRYPTING THE WEB.CONFIG
  Encrypting Web.Config
  Decrypting Web.Config
  Microsoft Documentation for Encrypting and Decrypting Configuration Sections
    Encrypting a Web Configuration Section
    Decrypting a Web Configuration Section


Part 1: Introduction

Use this manual to install and prepare Paramount Technologies WorkPlace Enterprise for use. Review the introductory information about the resources available to you, and then use the WorkPlace Enterprise Checklist as your guide to installing WorkPlace Enterprise.

Product Overview

The Paramount WorkPlace Suite is built from the ground up for interoperability across heterogeneous environments using open standards and integrates with all major ERP systems. Platform interfaces to Microsoft Dynamics®, Sage MAS and Accpac, SAP Business One, Epicor and other platforms deliver optimized interoperability and seamless integration.

Paramount solutions will streamline your employee management and procurement processes, improve your employee productivity and accelerate your business.

WORKPLACE EPROCUREMENT

Reduce direct and indirect purchasing costs, increase control over business transactions, and streamline the employee management and procurement processes

WorkPlace eProcurement is a robust web-based eProcurement solution that allows organizations to automate the complete procure-to-pay cycle – from product selection, requisitioning, approval and ordering to delivery, receipt and financial settlement. The suite includes applications for requisitioning, PunchOut via cXML, check request, budget compliance, RFQ, purchase order generation, receiving, invoice matching and vendor contract enforcement with approval workflow throughout the entire process.

With an eProcurement solution in place, organizations empower their users throughout the enterprise:

- Requesters get the convenience and efficiency of easy self-service for requisitions and check requests
- Managers are able to manage by exception and accelerate approvals with automated workflow
- Buyers can focus on building strategic supplier relationships to reduce costs
- Payables maintains control over expenditures

Benefits

- Eliminate error-prone paper-based processes
- Reduce requisition-to-order costs and cycle time
- Control maverick spending
- Manage by exception - ensure that your purchases adhere to your policies
- Ensure Sarbanes-Oxley compliance with a complete audit trail of transactions
- Enable your procurement professionals to focus on strategic tasks

WORKPLACE PROJECT, TIME & EXPENSE

Automate the project lifecycle to improve resource utilization and streamline time & expense processing

Paramount Technologies’ project accounting solutions enable operational and financial management through project initiation, resource utilization, time and expense processing and earned value management. Via the WorkPlace Project, WorkPlace Time, and WorkPlace Expense solutions, Paramount Technologies delivers web-based, workflow-driven information for project and resource management.


Our solutions address the wide range of unique project accounting, financial management, billing and procurement requirements in a multi-company, multicurrency environment. The success of a project-driven business depends on the planning, managing and closing of projects in a timely, quality-focused and cost-effective manner. Paramount Technologies’ solutions are designed to automate the project lifecycle, eliminate redundant data entry and provide visibility across the project portfolio and resource pool.

Benefits

- Eliminate error-prone paper-based processes
- Reduce requisition-to-order costs and cycle time
- Control maverick spending
- Manage by exception - ensure that your purchases adhere to your policies
- Ensure Sarbanes-Oxley compliance with a complete audit trail of transactions
- Enable your procurement professionals to focus on strategic tasks

What’s in this manual

This manual provides guidelines for installing and setting up your Paramount Technologies WorkPlace Enterprise system. It lists the latest system requirements, contains a step-by-step guide through the installation process, gives tips on troubleshooting, and describes initial setup procedures. The manual is divided into the following parts:

- Part 2, Preparation, contains information about preparing your computers, network, and database.
- Part 3, WorkPlace Enterprise Installation, describes how to install WorkPlace Enterprise on your server and set up an account framework.
- Part 4, Additional System Configuration, describes how to configure WorkPlace Enterprise.
- Part 5, Logging into WorkPlace, describes how to log on to your new installation of WorkPlace Enterprise.

Symbols

The note symbol indicates helpful tips, shortcuts and suggestions.

The “i” symbol indicates situations you should be especially aware of when completing tasks.

Before you contact support

If you are experiencing a problem when installing WorkPlace Enterprise, have the answers to the following questions ready to help your support specialist narrow down the source of the problem you’re experiencing.


- What is the exact error message?
- When did the error first occur?
- What task were you attempting to perform at the time the error message was displayed?
- Has the task been completed successfully in the past?
- What is the name of the window you are working in?
- What have you done so far to attempt to fix the problem?
- Does the problem occur on another workstation?
- What versions of software are you using? Verify the version numbers for WorkPlace Enterprise, your Microsoft SQL Server, and Microsoft Windows®. Also note service packs for each product.
- Does the problem occur for the sa or system administrator user?
- Does the problem occur at the database server?


Part 2: Preparation

Chapter 1: Three-Tiered Operating Environment

WorkPlace is recommended for use with the three-tiered architecture model shown below. The WorkPlace application resides on the Web Server (Front End), the Database resides on the SQL Server (Back End) and the application is accessed from the Web Client.

[Figure: three-tiered architecture model]
WEB CLIENT: Setup Shortcut or IE Favorite to launch WorkPlace
WEB SERVER: Houses WorkPlace Website and (if required) EAIC Website; Installation Folder
SQL SERVER: Houses WorkPlace Control Database and Financial Application Company Databases where SQL Objects are installed

Web Client System Requirements

Paramount supports the following minimum client hardware requirements and server recommendations for WorkPlace Enterprise. (Note that the server recommendations are not the minimum server requirements.) The specific hardware that you will need for your configurations depends on environmental factors. To achieve individual performance expectations, you may need to increase these recommendations.

Component: Browser
Requirements: Firefox version 3 or greater; Chrome version 16 or greater; Safari version 4 or greater; Internet Explorer 7 or greater (IE 9 or greater recommended)

Component: PDF Reader (for viewing WorkPlace reports)
Requirements: Browser based plug-in
Notes: Adobe Acrobat Reader (recommended if using Internet Explorer)

Chapter 2: Web Server Recommendations

Actual requirements may vary depending on transaction volume, modules used and number of users.

Component: Operating System
Requirements: Microsoft Windows 7 SP1; Microsoft Windows 8, 8.1; Microsoft Windows 10; Microsoft Windows Server 2008 SP2; Microsoft Windows Server 2008 R2 SP1; Microsoft Windows Server 2012; Microsoft Windows Server 2012 R2; Microsoft Windows Vista SP2
Notes: It is recommended that the Web Server is not the same machine as the SQL Server. 32 and 64 bit is supported.

Component: Processor
Requirements: Dual Core or Multi-Processor, 2 Gigahertz (GHz) or greater recommended

Component: Storage
Requirements: 500 GB Hard Drive
Notes: Depending on number of users and sizes of attachments, user can store attachments on SAN or other network drive to reduce storage requirements.

Component: RAM
Requirements: 2 GB Minimum (8 GB recommended)

Component: Browser
Requirements: Firefox version 3 or greater; Chrome version 16 or greater; Safari version 4 or greater; Internet Explorer 7 or greater (IE 9 or greater recommended)

Component: Windows Internet Information Services (IIS)
Requirements: IIS 6.0 or greater

Component: .NET Runtime
Requirements: Version 4.5.2
Notes: .NET Runtime version is included with WorkPlace.

Chapter 3: Database Server Recommendations

Actual requirements may vary depending on transaction volume, modules used and number of users.

Component: Database
Requirements: SQL Server 2016; SQL Server 2014; SQL Server 2012; SQL Server 2008 R2; SQL Server 2008. Enterprise, Standard, Web Editions
Notes: It is recommended that the Web Server is not the same machine as the SQL Server. 32 and 64 bit is supported.

Component: Processor
Requirements: Dual Core; Multi-Processor recommended

Component: Storage
Requirements: 100 GB Hard Drive
Notes: Actual storage may vary due to volume of transactions and server configurations.

Component: RAM
Requirements: 8 GB Minimum (16 - 32 GB recommended)

Provided as part of the WorkPlace installation Wizard:

- Microsoft .NET framework
- Crystal Reports 32bit and 64bit runtime engine

Chapter 4: User Logins and Passwords

WorkPlace can be configured with any one of five modes of user authentication. See the chart below to select the proper user authentication for your environment.

User Authentication Options

Option: SSO
Details: Single Sign On. This option allows for usage of 3rd party authentication services such as Windows Live, Google and custom providers. When hosting WorkPlace in the cloud or in a DMZ outside of the internal network, this option can provide access to the local Active Directory via Active Directory Federation Services (ADFS). All SQL backend operations are performed using a shared user account. Under this option the user names are the email addresses of the users.

Option: SQL
Details: SQL Name and Password are used and passed directly through to the SQL Server. This requires the user to be set up on the SQL server as a physical user, and the user must have access to all databases that WorkPlace requires access to. It is recommended that the SQL password encryption option is enabled in WorkPlace when using this method. Because these users have direct access to the databases, a user could use Excel or other connectable applications to access WorkPlace data if non-encrypted passwords are allowed.

Option: SQLSHARED
Details: SQL Name and Password for authentication only. All backend SQL operations are performed using a shared SQL user account. This method secures access to the physical database, as the user account does not have access to any of the physical databases. This method is ideal in environments where other SQL applications are used and a shared SQL name and password are desired.

Option: NT
Details: The Active Directory user name that the user logged into Windows with (Integrated Authentication) or the Active Directory user that was entered on the Basic Authentication window (Non-Integrated Authentication) is simply passed through to the SQL Server. This method and the SQL option share the same drawback: the user could use an external application to get access to the SQL databases unless a firewall is enabled. This method also suffers from the double-hop issue: the SQL Server, Web Server and Client machines must all be enabled for delegation at the Active Directory level, as standard Kerberos authentication does not allow the client browser to authenticate to the web server and then allow the web server to impersonate the credentials to the SQL server.

Option: NTSHARED
Details: The Active Directory user name that the user logged into Windows with (Integrated Authentication) or the Active Directory user that was entered on the Basic Authentication window (Non-Integrated Authentication) is used to identify the user to WorkPlace. The SQL backend operations are all performed using a shared SQL account. This method is the preferred model in larger organizations, as the user cannot access the databases via external applications and all password and account management is at the Active Directory level. This option also eliminates the double-hop issue with Active Directory.

Option: FORMS
Details: The Active Directory user name that the user logged into Windows with is used to authenticate against the WorkPlace Web Server using IIS Forms Authentication. Once authenticated against the web site, the user’s credentials are passed to the WorkPlace solution, which will authenticate against the application level security. All SQL backend operations are performed using a shared SQL account. This method is a preferred model in larger organizations, as the user cannot access the databases via external applications and all password and account management is at the Active Directory level. This option also eliminates the double-hop issue with Active Directory.

Option: APP
Details: User accounts and passwords are managed by WorkPlace exclusively and all SQL backend operations are performed using a shared user account. Under this option the user names are the email addresses of the users. The key benefit of this method is that if users forget their passwords they can simply click a “forgot password” button on the logon page and reset their own passwords. This method is ideal for environments where account management at the SQL or NT level is not ideal or where empowering users to manage their own passwords cuts administrative overhead.
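The following T-SQL is an added example, not part of the Paramount guide. It audits the direct-database-access exposure described for the SQL and NT options: run as an administrator in each database WorkPlace uses, it lists every database user, the server login behind it and its roles, so anything other than the shared account stands out. The login name `wp_shared` is a placeholder assumption for whatever shared account you create.

```sql
-- Added example (not from the WorkPlace guide).
-- Run in each database that WorkPlace uses, as a member of sysadmin so that
-- all logins are visible in sys.server_principals.
-- Assumption: N'wp_shared' is a placeholder for your shared account name.
DECLARE @shared_login sysname = N'wp_shared';

-- 1. Who is mapped into this database, and with which roles?
SELECT
    DB_NAME()        AS database_name,
    dp.name          AS database_user,
    dp.type_desc     AS user_type,        -- SQL_USER, WINDOWS_USER, WINDOWS_GROUP
    sp.name          AS server_login,
    sp.is_disabled   AS login_disabled,
    ISNULL(r.role_list, N'(public only)') AS database_roles,
    CASE
        WHEN sp.name = @shared_login THEN N'expected: shared account'
        WHEN sp.name IS NULL         THEN N'review: no matching server login'
        ELSE N'review: login has direct database access'
    END              AS finding
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
OUTER APPLY (
    -- Comma-separated list of the roles this user belongs to.
    SELECT STUFF((
        SELECT N', ' + rp.name
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals  AS rp
          ON rp.principal_id = rm.role_principal_id
        WHERE rm.member_principal_id = dp.principal_id
        FOR XML PATH(''), TYPE
    ).value('.', 'nvarchar(max)'), 1, 2, N'')
) AS r(role_list)
WHERE dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND dp.name NOT IN (N'guest', N'INFORMATION_SCHEMA', N'sys')
ORDER BY finding DESC, dp.name;

-- 2. Members of sysadmin reach every database as dbo without being mapped
--    as a user, so they never appear in query 1. List them separately.
SELECT
    m.name      AS sysadmin_member,
    m.type_desc AS login_type
FROM sys.server_role_members AS srm
JOIN sys.server_principals  AS role_p
  ON role_p.principal_id = srm.role_principal_id
JOIN sys.server_principals  AS m
  ON m.principal_id = srm.member_principal_id
WHERE role_p.name = N'sysadmin'
  AND m.is_disabled = 0
ORDER BY m.name;
```

Under the shared-account options, the first query should return only the shared account and the database owner. A row of type WINDOWS_GROUP grants access to every member of that group, so review the group's membership in Active Directory as well.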

Authentication Planning

Before beginning installation of the WorkPlace application, you must determine which method of authentication will be used. After making this choice, follow the steps in the appropriate section below:

SQL / SQL Shared Requirements

1. Create SQL Server logins and passwords in WorkPlace Security.

   WorkPlace supports ENCRYPTED passwords when SQL User logins are created directly from WorkPlace Security (for Help (F1) and activation, go to Maintenance Central > System Settings > General tab).

   For additional Sarbanes-Oxley compliance, WorkPlace has advanced password controls available for SQL Server User Logins (for Help (F1) and activation, go to Maintenance Central > Global Settings).

2. Create or use existing SQL User logins and passwords created in your Financial Application. Register these users in WorkPlace Security.

3. Create or use existing SQL Server logins and passwords in MS SQL Server. Register these users in WorkPlace Security.

4. If using SQL Shared, a special shared user account will need to be created that has access to all the appropriate databases. This account will be referenced when you configure the WorkPlace web.config.

Until users are set up in WorkPlace Security, ONLY user ‘sa’ or the administrative user set up in the WorkPlace web.config file will be able to log into the application.

WorkPlace supports Dynamics GP 9+ password encryption. Refer to Appendix ‘F’ of this guide for setup details.

NT / NT Shared Authentication Requirements

1. Create an NT WorkPlace User Group and make all WorkPlace users a member of this group.

2. NT User names registered in WorkPlace Security must be preceded by the network domain name and a backslash. For example: OURDOMAIN\jsmith.

3. If using NT Shared, a special shared user account will need to be created that has access to all the appropriate databases. This account will be referenced when you configure the WorkPlace web.config.

APP & SSO Authentication Requirements

1. Gather all the user email accounts that will be set up as WorkPlace users.

2. If using SSO, a special shared user account will need to be created that has access to all the appropriate databases. This account will be referenced when you configure the WorkPlace web.config.

FORMS Authentication Requirements

1. Confirm the client-specific Active Directory Connection String that will be used to update the web.config file.

2. Gather all the AD user names and email accounts that will be set up as WorkPlace users.

3. A special shared user account will need to be created that has access to all the appropriate databases. This account will be referenced when you configure the WorkPlace web.config.


Chapter 5: Requesting a WorkPlace License

To gain access to your WorkPlace application, you must first load a valid license certificate issued by Paramount into the software. A valid license file can be obtained and loaded in four steps:

1. Generate and Save License Info file
2. Fill out License Request Form
3. Submit your License Info file and License Request Form to Paramount
4. Load your new License Certificate

All License Certificates have a predefined activation deadline. After the deadline date, the certificate will no longer load into the application and a new license will need to be requested.

Step 1: Generate the Info File

There are two methods of generating the License Info File:

Option A) Generate request from within WorkPlace. The License Info File can be generated and saved from within WorkPlace: Maintenance Central > System Settings > General Tab > Change License Certificate button


CLICK “Retrieve License Request Information” hyperlink

Select Save and make note of the folder where you save your new License Info file.

Option B) Generate Info File from external utility

Locating the License Information Collector

Download this utility program from the Paramount Technologies Customer Area website.

1. Click ‘Request a License Certificate’

2. Download the ‘License Information Collector’ to the machine you will use as the

WorkPlace web server

Before Running the License Information Collector

Make sure the SQL Server where the company data will reside is running.

IMPORTANT: The .NET Framework Run-Time v2 or greater must be installed on the web

server PRIOR to running the License Information Collector. If needed, a copy of the


appropriate .NET Framework can be installed using the WorkPlace Installation Wizard

(‘Optional Windows Components’ button).

IMPORTANT: The License Collector program MUST be physically located on the WorkPlace

web server and you MUST run it on the WorkPlace web server ONLY!!

If either of the two conditions above is not met, the License Information Collector or any license you receive from Paramount will not operate properly.

Running the License Information Collector

The License Information Collector program is a single screen (as shown below). Enter all required

information into the form:

Select ‘Save License Request to Disk’ and note the folder where you save your License Info File.

Note: If you do not select ‘Save License Request to Disk’, you will not be

able to complete the license request process as outlined below.

Step 2: License Request Form

a) Go to the WorkPlace Customer Area website http://www.paramounttechnologies.com

b) Click ‘Request a License Certificate’

c) Fill out License Request Form (Example below, settings may vary)


Step 3: Submit Request

a) Verify you have attached the License Info File

b) Click ‘Submit Request’

Step 4: Loading the License Certificate

Once you receive your license certificate, log into WorkPlace as the System Administrator. Upon the initial login to the application after installing or upgrading, you will be required to load a new license certificate:

License Certificate Maintenance Form (your WorkPlace version number may differ):

The page above can also be located within the WorkPlace menu system:

Maintenance Central -> System Settings -> General Tab -> Change License Certificate button

1. Type in or Browse to the location that the License Certificate was saved to

2. Click “Load License Certificate”

3. A confirmation window will appear

4. Press the ‘Continue to Re-Log On’ button and login to WorkPlace

After reading this chapter, if you are still having difficulties, please phone your

VAR or contact Paramount at: [email protected] or

248.960.0909


Chapter 6: Pre-Installation Checklist

□ Microsoft SQL Server - Installed and configured

□ Databases - WorkPlace Enterprise requires, at a minimum, a Control database and a Company database to be created on the SQL Server for Enterprise’s exclusive use before the SQL portion of the install is performed.

□ Authentication mode chosen: Active Directory/NT, Application, or SQL Server

□ Web server Machine/operating environment – Installed and configured, including:

1. Internet Information Services (IIS)

2. .Net Framework v4

3. All other components listed previously under “Web Server Machine Specifications.”

4. Windows Active Directory NT/NT Shared Authentication ONLY – complete steps in

the ‘Network/Domain Configuration’ section of this guide

□ WorkPlace License Certificate file in-hand (.lic extension)

□ Paramount’s WorkPlace Installation Wizard software

Download files from the Paramount Technologies Customer Area website.

□ Read the Release Notes for the current version of WorkPlace (available on the Paramount

Technologies Customer Area website). Make note of any additional instructions.

□ CREATE BACKUPS:

1. Control Database and ALL Company Databases

2. Upgrade ONLY: Back up the WorkPlace web.config file and any modified Crystal Reports.

□ Determine the location for your ‘WorkPlace Web Server Installation Folder’

In a live/production environment, running the WorkPlace web server and MS SQL

Server services on the same machine is NOT recommended. These servers should be set up

on separate machines for optimum performance.

ALSO, this document does not include detailed installation or configuration instructions for

Microsoft IIS Web Server and SQL Server. For this type of information, please refer to the

reference manuals and online resources provided by Microsoft.


IMPORTANT: The instructions in Chapter 3 will guide you step by step through the process of installing

the WorkPlace Application in a demonstration, test, or production environment. Please follow all

instructions in the order listed unless otherwise noted. If UPGRADING, Please read Appendix B next.

PLEASE READ ALL INSTRUCTIONS BEFORE PROCEEDING.


Part 3: WorkPlace Enterprise Installation

All steps must be completed for a first-time installation; steps that can be omitted

in an upgrade are noted throughout this document and in Appendix B.

Chapter 7: Create Enterprise SQL Databases

The first step in the WorkPlace installation is to create at least two physical databases on the SQL Server. One is a shared control database that holds information common to a group of company databases. The other holds the company information; if you are installing multiple companies, make sure to add the appropriate number of company databases. If you have logical groupings of companies, or want the companies to be exclusively independent of each other, then configure each group of company databases to have its own control database. Data shared in the control database includes things such as Currency, Exchange Rates, and Inter-Company settings. In the examples that follow, “WPEControl” is the control database and “WPECompany” is the company database. Feel free to call your databases whatever you like; a common naming convention for the company database is a brief description of what the company entity is referred to as.

Chapter 8: The WorkPlace Installation Wizard

This Wizard is a graphical software interface that automatically guides you step by step through the

WorkPlace installation process.

Before starting the Installation Wizard

Close all currently running applications. Be certain that the MS SQL Server Database instance for your

Control and Company Database is running before you proceed. The Install Wizard needs to read and write

to these databases in order to install properly.

Launching the Wizard from a CD

Insert the WorkPlace Product CD into the drive located on the web server. If the CD drive is configured for autoplay/autorun, the CD will start the Installation Wizard automatically. If the CD does not start automatically, select Start -> Run and browse to the CD drive where the WorkPlace Installation CD has been inserted. Select Setup.exe, then OK from the Run menu, and installation will begin.

Launching the Wizard from a ZIP archive

Extract the ZIP archive to your web server with the setting “include folder names.” A folder named after the

WorkPlace version number will be created with all necessary installation files. Inside that folder, double

click Setup.exe to launch the installation wizard.


The install code ZIP archive must be saved and extracted onto the web server. ALL installation executables must be saved and launched on the web server ONLY!

In the Paramount Installation Wizard Window, click Next to proceed with the installation process.

In the License Agreement Window, carefully read the Paramount License Agreement. Select YES if you

agree to the terms of the Agreement and proceed with the installation process.

If you do not agree, select CANCEL and contact Paramount either by phone

248.960-0909 or by email at [email protected].


If you selected YES to the License Agreement the following screen appears, this is the Main Installation

Window. The steps appear in necessary completion order. As steps in the process are completed, you

will automatically be returned to this main window to begin the next step.


Chapter 9: SQL Objects Installation

Before proceeding with SQL Object installation or Upgrade, be certain that

a recoverable backup has been made of your control and company databases.

1. In the Main Installation Window, select the SQL Objects button. This step is required for both initial

set up and upgrades.

The SQL Server must already be installed, configured and have all Control

and Company Databases installed. Close all currently running applications (not

including services).


2. Select the components to be installed by clicking the checkbox next to the desired components. If

the .NET Framework is already installed, it is recommended that you un-check that box and do not

reinstall it.

3. Destination folder: By default, the components will be installed to the C:\ drive of the local machine under C:\Program Files\WorkPlace\SQL, or C:\Program Files (x86)\WorkPlace\SQL on a 64-bit OS. To change the default installation folder, use the BROWSE button to navigate to the desired destination folder on the SQL Server.

4. Select NEXT to proceed.

If the Default location of the web server installation folder is changed, be

certain to make a note of the path to your installation folder location.

5. Review the settings and Select NEXT to continue if you are satisfied with the settings.


6. The SQL Objects and the PTI SQL Objects installer are copied to the destination folder.

7. Select FINISH to begin the next phase of the installation process. Leave Launch PTI Installer checked

to continue on to next step.

Chapter 10: Scripting the Database Objects

Once the WorkPlace SQL Objects are unpacked and copied to the destination folder, they must be

scripted into the Company database(s) by our SQL Installer .NET utility program. To continue the

installation process directly from the Installation Wizard, page above, leave the ‘Launch PTI Installer’ box checked and click FINISH. The main installation window will reappear briefly, and then the .NET Installer

will be launched automatically.

Database scripting must be performed for ALL installation types (Demonstration,

Test or Production (fresh Install) or Upgrade from prior version).


If you have closed out of the Installation Wizard and need to resume the installation process at this

point, go to the Windows Start Menu on your web server and select “SQL Installer .NET” under “All Programs.”

1. On the Connect to SQL screen, type in the correct path to the appropriate SQL Server database instance, or select it from the drop-down menu or browse button. Choose the authentication method for the installer program. NOTE that this choice is totally unrelated to how users will be authenticated when logging into WorkPlace. ‘sa’ will default as the Login name for SQL authentication. If your DBO user login is not ‘sa’, enter the appropriate login and password, then select NEXT to continue.

2. In the Select Company Database(s) window, select the proper choice for your Control Database; in this example it is called ‘WPEControl’. It is possible to select any database that appears on the screen below. The most common approach is to manually create specific databases for WorkPlace to connect with. For example, the databases ‘WPEControl’ and ‘WPECompany’ in the screenshot above were manually created in advance using SQL Server. After selecting the control database, select the company database(s) that you wish to script at this time. The WorkPlace application will be connected to these companies after installation is complete (do not select your Control database). Select NEXT to continue.


3. The installer command file ‘WorkPlace.xml’ determines which ‘module specific’ pages follow as the installer continues to run. The default path is usually correct and should point to the folder where you initially unpacked the WorkPlace SQL Objects. Select NEXT to continue.

4. Specify the ‘Installation Type’ by clicking the circle to the left of the desired option.

Each of these options upgrades the WorkPlace SQL Objects to the version that came with

the Installation Wizard. The difference between these options is the effect on data held in

the tables created by WorkPlace:

UPGRADE – leaves WorkPlace data UN-changed and scripts all objects and permissions.

PRODUCTION – empties all WorkPlace data tables. The first time WorkPlace is installed to a

company database, this option must be chosen.


DEMONSTRATION - empties all WorkPlace data tables AND loads in sample data that may

be helpful for sales demonstrations.

None of the Installation types will affect data in Control database tables.

Select NEXT to continue.

5. Indicate the WorkPlace modules you have purchased by checking the boxes to the left of each

appropriate option. You may select multiple options. Select NEXT to continue.

6. The default options should be used for this page, Select NEXT to continue.


7. Select Start to begin scripting; this process may take a few minutes.

The installation of each script is listed (shown below) as they are installed to the database. Each

time the installer is run, a log file is created and saved in the /Log subdirectory of the folder to

which the SQL Objects were unpacked.


8. SQL Objects are now installed.

A log file is generated in the installation folder while the SQL

Installer is scripting the database objects.


Chapter 11: Web Objects Installation

The web server machine’s operating environment must already be prepared and configured prior to installing the

WorkPlace application’s Web Objects.

The installation of Web Objects is performed for BOTH fresh installs and Upgrades.

If you are UPGRADING – navigate to the Web Folder where WorkPlace was initially

installed. You must rename or print the web.config file for reference in configuring the

new web.config that will replace it during the upgrade. You should also backup any

reports that you have customized as you will have to re-copy those back in after the

upgrade.

1. Select the WEB OBJECTS button to begin installation of the WorkPlace Web Components

2. Accept the default location C:\Program Files (x86)\WorkPlace, or replace the default location by typing over it or using the BROWSE button to choose a destination folder location. Select NEXT to continue the installation of the Web Objects.

If the default installation location is changed, be sure to make note of the new

installation folder’s location. If UPGRADING, be certain that your original installation

folder is selected AND that you copy, rename, or print your existing web.config file before

proceeding.


Verify the settings before the files are copied to the local drive. Select NEXT to start copying files.

Select the FINISH button to return to the main installation window


Chapter 12: Optional Windows Components

All of the Optional Windows Components must be installed on the web server in order for WorkPlace to run

properly. Do not reinstall these programs if the same or a newer version already exists on your web server. To

install any of these components, select the OPTIONAL WINDOWS COMPONENTS Button on the main Installation

Wizard screen.

If any components have been installed previously, they need not be selected when running the

WorkPlace installation wizard.

Periodically these components are updated in future versions of WorkPlace, so it is important to make sure that these exact versions of the components are installed. If you are in doubt, simply install the components and they will tell you whether they are already installed.

1. Select the components you wish to install and select NEXT to continue.


2. Verify the components to be installed and Select NEXT to continue. The installation wizard will run

the setup programs for any components you have selected.

3. You have now completed all set up processes performed by the Installation Wizard! Click

Finish to go back to the main installation area.


Chapter 13: Configuring your WorkPlace Website

This step is required for a first time installation; it may be skipped when upgrading. A WorkPlace web site must

be configured for each SQL Server where your Financial Application is installed i.e. TEST SQL Server instance vs.

Live SQL Server Instance. The previous Sections in this manual must be completed prior to configuring your

WorkPlace website.

Creating the Application Folder / Virtual Directory – Windows 2008

1. Open Internet Information Services (IIS) by navigating to Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager. Once open, right mouse click on Application Pools and select Add Application Pool…

On the Add Application Pool screen enter a name for the pool such as “WorkPlace”, then select “.NET Framework v4.0.30319” and finally select “Classic” as the Managed pipeline mode. Leave the “Start application pool immediately” checked and click OK.

Now that the Application Pool is created we need to create the Application folder for WorkPlace and tie

it to this newly created Application Pool. To create the Application folder right mouse click on the Web

Site that is to contain the Application folder, in this example we are putting it on the Default Web Site.

Click Add Application…


From the Add Application screen enter the Alias that will be used from the web browser to access

WorkPlace, in this example we are using “WorkPlace”. Next select the Application pool “WorkPlace” that was created in step 2. Finally enter the folder where the WorkPlace web objects were installed, the

default installation folder “C:\Program Files (x86)\WorkPlace”. After this information is entered click OK.

WorkPlace is now configured for access. To test out access simply open a web browser and type in the

url for the web browser machine name along with the Application folder that we just configured, i.e.,

http://mywebserver/WorkPlace.


Creating the Virtual Directory – Windows 2003

1. Open Internet Information Services (IIS) by navigating to Start -> Settings -> Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager. Once open, right mouse click on Application Pools and select New and then Application Pool…

On the Add New Application Pool screen enter a name for the pool such as “WorkPlace”. Leave the “Use default settings for new application pool” checked and click OK

Now that the Application Pool is created we need to create the Virtual Directory for WorkPlace and tie it

to this newly created Application Pool. To create the Virtual Directory right mouse click on the Web Site

that is to contain the Virtual Directory, in this example we are putting it on the Default Web Site. Select

New and then Virtual Directory…


The Virtual Directory Creation Wizard will now appear, click Next to configure the Virtual Directory.

Now enter the Alias for WorkPlace, in our example we defined this as WorkPlace (this alias is how

WorkPlace will be accessed from the web browser). Click Next to continue.


Now enter the folder where the WorkPlace web objects were installed, the default installation folder

“C:\Program Files (x86)\WorkPlace”. After this information is entered click Next.

From the Virtual Directory Creation Wizard select “Read” and “Run scripts (such as ASP)” and click Next.


The Virtual Directory is now created, click Finish.

Now we need to tie the Application Pool to the Virtual Directory. Right mouse click on the WorkPlace

Virtual Directory and select Properties.

From the Properties window select the Application pool that we created in step 2.


WorkPlace is now configured for access. To test out access simply open a web browser and type in the

url for the web browser machine name along with the Application folder that we just configured, i.e.,

http://mywebserver/WorkPlace.

Part 4: Additional System Configuration

Chapter 14: Session User Setup

In order for WorkPlace to maintain state between web pages, a user-defined connection string is available in the web.config to direct WorkPlace to the proper SQL Server, along with the account information needed to access the state database tables. It is recommended to use a special SQL user account for session management; if using the NT authentication model, you have the option of using pass-through for this setting. Even under the NT authentication model, it is still recommended to use a SQL account for access.

Configuring using SQL Account

1. Create the SQL session user account in SQL Server and set the default database to “PTIMaster” and from within “PTIMaster” give this SQL user account full control on the “PTINETSessionHdr” and “PTINETSessionDtl” tables.

2. Open the web.config and specify this user account and the SQL Server name that holds the

“PTIMaster” database. The section that holds this information is the “SessionSQLConnectionString”.

<!-- An "&" in the password must be written as &amp; inside an XML attribute value -->
<add key="SessionSQLConnectionString" value="Password=J*&amp;%$@12;Persist Security Info=false;User ID=PTINETSessionUser;Initial Catalog=PTIMaster;Max Pool Size=500;Data Source=sqlserver\instance1"/>


Configuring using NT Pass-through

Configure an Active Directory group for use with WorkPlace and then add all users that will access

WorkPlace to this group. Now on the SQL Server add this group and set the default database to

“PTIMaster” and from within “PTIMaster” give the group full control on the “PTINETSessionHdr” and “PTINETSessionDtl” tables.

Open the web.config and use the connection string specified below and specify the SQL Server name

that holds the “PTIMaster” database. The section that holds this information is the “SessionSQLConnectionString”.

<add key="SessionSQLConnectionString" value="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=PTIMaster;Max Pool Size=500;Data Source=sqlserver\instance1"/>

Chapter 15: Specifying SQL Server Housing Company Databases

The SQL Server housing the company databases for WorkPlace must be specified in the web.config.

Simply open the web.config and find the section “ServerName” and set the value to your SQL Server’s name and instance.

<add key="ServerName" value="sqlserver\instance1"/>

Chapter 16: Configuring User Authentication

There are seven user authentication options available; the following lists each option and the required setup for each.

SSO – Single Sign On Authentication

Third party authentication (Windows Live, Google, ADFS and custom providers) is used to access the WorkPlace web site and is subsequently linked to a valid WorkPlace User account based on the user’s email address. Under this security model all WorkPlace User Names must be the user’s valid email account. Since the SSO only authenticates the user to WorkPlace, WorkPlace requires the Shared SQL account to be set up and configured – this account is used for all database access.

Specify SSO in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="SSO"/>

Uncomment the 3 sections in the web.config within the blocks: SSO Config Section 1, SSO Config Section

2 and SSO Config Section 3.

In SSO Config Section 1 there are a few settings that need to be filled in based on your SSO setup (see them highlighted below). Replace the value http://localhost/workplace/ with a valid external URL for access to WorkPlace; this value will also be specified as the Relying Party Application in the SSO Access Control Service (this is outside of WorkPlace and in some instances will be obtained from Azure Access Control Services). The next value to specify is the certificate information for the Token Signing Certificate; this is specified in the trustedIssuers section and in our example is obtained from the Azure Access Control Service -> Service Settings -> Certificate and Keys menu option. Finally, set the issuer and the realm: the realm will already be set from a prior setup, and the issuer comes from the PassiveRequestorEndpoint->Address element of the WS-Federation Metadata file (see screen shots below for examples).

…

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://localhost/workplace/"/>
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <trustedIssuers>
        <add thumbprint="A39AE26FADEEB1C9F0E618727570D776DB97DF15" name="pticorp.accesscontrol.windows.net" />
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None"/>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false"/>
    <wsFederation passiveRedirectEnabled="true" issuer="https://pticorp.accesscontrol.windows.net/v2/wsfederation" realm="http://localhost/workplace/" requireHttps="false"/>
  </federationConfiguration>
</system.identityModel.services>
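The following Python check is an added example, not part of the WorkPlace guide or product: it parses the SSO sections of a web.config and reports the settings from the sample above that leave the federation setup exposed once the site is reachable externally. The embedded configuration is constructed from the guide's printed values, and workplace.example.com is a placeholder host.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

THUMBPRINT_RE = re.compile(r"[0-9A-Fa-f]{40}")  # SHA-1 thumbprint: 40 hex digits

# Constructed sample: the SSO Config sections with the values printed in the guide.
SAMPLE_FROM_GUIDE = """<configuration>
 <system.identityModel><identityConfiguration>
  <audienceUris><add value="http://localhost/workplace/"/></audienceUris>
  <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
   <trustedIssuers>
    <add thumbprint="A39AE26FADEEB1C9F0E618727570D776DB97DF15" name="pticorp.accesscontrol.windows.net"/>
   </trustedIssuers>
  </issuerNameRegistry>
  <certificateValidation certificateValidationMode="None"/>
 </identityConfiguration></system.identityModel>
 <system.identityModel.services><federationConfiguration>
  <cookieHandler requireSsl="false"/>
  <wsFederation passiveRedirectEnabled="true"
   issuer="https://pticorp.accesscontrol.windows.net/v2/wsfederation"
   realm="http://localhost/workplace/" requireHttps="false"/>
 </federationConfiguration></system.identityModel.services>
</configuration>"""

# The same file after review. The host name is a placeholder, and PeerOrChainTrust
# assumes the token signing certificate is trusted on the web server.
HARDENED = (SAMPLE_FROM_GUIDE
            .replace("http://localhost/workplace/", "https://workplace.example.com/")
            .replace('requireSsl="false"', 'requireSsl="true"')
            .replace('requireHttps="false"', 'requireHttps="true"')
            .replace('certificateValidationMode="None"',
                     'certificateValidationMode="PeerOrChainTrust"'))


def _is_https(url):
    return urlparse(url).scheme.lower() == "https"


def audit_sso_config(xml_text):
    """Return (code, detail) findings for the federation settings in a web.config."""
    root = ET.fromstring(xml_text)
    out = []
    audiences = [a.get("value", "")
                 for uris in root.iter("audienceUris") for a in uris.findall("add")]
    for url in audiences:
        if urlparse(url).hostname in ("localhost", "127.0.0.1"):
            out.append(("PLACEHOLDER_URL", url))      # guide says to replace this value
        if not _is_https(url):
            out.append(("AUDIENCE_NOT_HTTPS", url))
    for cv in root.iter("certificateValidation"):
        if cv.get("certificateValidationMode", "").lower() == "none":
            # With None, issuer trust rests only on the pinned thumbprint below.
            out.append(("CERT_VALIDATION_NONE", "no chain or peer validation"))
    for issuers in root.iter("trustedIssuers"):
        for add in issuers.findall("add"):
            thumb = add.get("thumbprint", "")
            if any(ord(c) > 127 for c in thumb):
                # Pasting from the certificate dialog can carry an invisible
                # character (often U+200E), so the pin never matches.
                out.append(("THUMBPRINT_HIDDEN_CHARS", add.get("name", "")))
            elif not THUMBPRINT_RE.fullmatch(thumb):
                out.append(("THUMBPRINT_MALFORMED", add.get("name", "")))
    for handler in root.iter("cookieHandler"):
        if handler.get("requireSsl", "true").lower() == "false":  # explicit false only
            out.append(("COOKIE_WITHOUT_SSL", "session cookie can travel over HTTP"))
    for ws in root.iter("wsFederation"):
        realm = ws.get("realm", "")
        if ws.get("requireHttps", "true").lower() == "false":     # explicit false only
            out.append(("HTTPS_NOT_REQUIRED", "sign-in allowed over HTTP"))
        if not _is_https(ws.get("issuer", "")):
            out.append(("ISSUER_NOT_HTTPS", ws.get("issuer", "")))
        if not _is_https(realm):
            out.append(("REALM_NOT_HTTPS", realm))
        if realm not in audiences:
            out.append(("REALM_NOT_IN_AUDIENCE", realm))  # tokens would fail the audience check
    return out


def codes(xml_text):
    """Sorted, de-duplicated finding codes for a configuration."""
    return sorted({code for code, _ in audit_sso_config(xml_text)})


if __name__ == "__main__":
    for label, text in (("as printed", SAMPLE_FROM_GUIDE), ("hardened", HARDENED)):
        print(label, codes(text))
```

Run it against a copy of the deployed web.config with the three SSO Config sections uncommented; sections still inside XML comments are not parsed and so are not reported.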

WINDOWS AZURE RELYING PARTY APPLICATION SETUP

AZURE ACCESS CONTROL SERVICE TOKEN SIGNING CERTIFICATE AND KEY

AZURE WS-FEDERATION METADATA URL DOWNLOAD LINK

AZURE FEDERATIONMETADATA.XML

If using an SSO Identity Provider other than Windows Live or ADFS you will need to specify the claim type used to define the unique attribute for the authenticated user. This value goes into the SSOClaimType4UniqueID section in the web.config. For multiple Identity Providers simply specify the additional claim types with a semi-colon delimiter.

DEFAULT ENTRY IN WEB.CONFIG FOR WINDOWS LIVE AND ADFS

<add key="SSOClaimType4UniqueID" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier;http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"/>

When using the WorkPlace Agent or the WorkPlace OTG Server it is recommended (not required) to

restrict the IP access as these two pages fall outside of the SSO authentication process. The IP address

for the WorkPlace Agent should be the IP Address where the WP Agent Service or .EXE is being run. The

IP address for the WP OTG Server should be the IP address that is hosting the WP OTG Server web site.

Since all Database Access is being done by the shared user account we need to configure that now by

setting up a SQL user account for ALL backend queries to run under.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceAdmin role.

Specify the SQL user account in the web.config in the “SharedUserName” section.

<add key="SharedUserName" value="WPSharedUser"/>

Specify the Shared SQL user account’s password. There are two options at this point. The simplest is to specify the password in a clear form and type it into the “SharedPasswordClear” section. If you prefer to

encrypt the password go to step 8, otherwise the setup is complete at this point.

<add key="SharedPasswordClear" value="shareduserpassword"/>

To encrypt the password, use the WPEncrypt.exe utility, which is in the WPEncrypt folder of your web folder. To use this utility simply go to a command line and type the following, replacing the value with the SQL user account's password and typing anything you wish into the key value. Once run, the encrypted password is output to the screen, and an Encrypted.txt file containing the encrypted password is also generated.

WPEncrypt.exe value="shareduserpassword" key="cookiejar"

Copy the value output by the previous step into the “SharedPasswordEncrypted” section, and also specify the key used in the “SharedPasswordEncryptedKey” section.

<add key="SharedPasswordEncrypted" value="eynIXqZGgFjiEibiHg5aA/x/gYfu3fvu9K/xGDMl+QJfKJh2rCTHLYhQjxGSIjsm"/>

<add key="SharedPasswordEncryptKey" value="cookiejar"/>

SQL Authentication

SQL Name and Password are used and are passed directly through to the SQL Server. This requires the user to be set up on the SQL server as a physical user, and the user must have access to all databases that WorkPlace requires access to. It is recommended that the SQL password encryption option is enabled in WorkPlace when using this method. Since the users have access to the databases, a user could use Excel or other connectable applications to access WorkPlace data if non-encrypted passwords are allowed.

Specify SQL in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="SQL"/>

When using SQL 2005 or greater, WorkPlace can honor the SQL Server password policies by enabling the “EnforceSQLPasswordPolicyAndExpiration” section in the web.config.

<add key="EnforceSQLPasswordPolicyAndExpiration" value="ON"/>

In order to encrypt the SQL passwords when “EnforceSQLPasswordPolicyAndExpiration” is on, the setting “EnforceSQLPasswordEncryption” must also be set to “ON”.

<add key="EnforceSQLPasswordEncryption" value="ON"/>

To enable users to change their SQL passwords from within WorkPlace set the “ChangePassword” setting in the web.config to “ON”

<add key="ChangePassword" value="ON"/>

SQLSHARED Authentication

SQL Name and Password for authentication only. All backend SQL operations are performed using a

shared SQL user account. This method secures access to the physical database as the user account does

not have access to any of the physical databases. This method is ideal in environments where other SQL

applications are used and a shared SQL name and password are desired.

Specify SQLSHARED in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="SQLSHARED"/>

Configure a SQL user account as the account that ALL backend queries will be run under.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceAdmin role.

Specify the SQL user account in the web.config in the “SharedUserName” section.

<add key="SharedUserName" value="WPSharedUser"/>

Specify the Shared SQL user account’s password. There are two options at this point. The simplest is to

specify the password in a clear form and type it into the “SharedPasswordClear” section. If you prefer to encrypt the password go to step 6, otherwise the setup is complete at this point.

<add key="SharedPasswordClear" value="shareduserpassword"/>

To encrypt the password, use the WPEncrypt.exe utility, which is in the WPEncrypt folder of your web folder. To use this utility simply go to a command line and type the following, replacing the value with the SQL user account's password and typing anything you wish into the key value. Once run, the encrypted password is output to the screen, and an Encrypted.txt file containing the encrypted password is also generated.

WPEncrypt.exe value="shareduserpassword" key="cookiejar"

Copy the value output from Step 6 into the “SharedPasswordEncrypted” section, and also specify the key used in the “SharedPasswordEncryptedKey” section.

<add key="SharedPasswordEncrypted" value="eynIXqZGgFjiEibiHg5aA/x/gYfu3fvu9K/xGDMl+QJfKJh2rCTHLYhQjxGSIjsm"/>

<add key="SharedPasswordEncryptKey" value="cookiejar"/>

When using SQL 2005 or greater, WorkPlace can honor the SQL Server password policies by enabling the “EnforceSQLPasswordPolicyAndExpiration” section in the web.config.

<add key="EnforceSQLPasswordPolicyAndExpiration" value="ON"/>

In order to encrypt the SQL passwords when “EnforceSQLPasswordPolicyAndExpiration” is on, the setting “EnforceSQLPasswordEncryption” must also be set to “ON”.

<add key="EnforceSQLPasswordEncryption" value="ON"/>

To enable users to change their SQL passwords from within WorkPlace set the “ChangePassword” setting in the web.config to “ON”

<add key="ChangePassword" value="ON"/>

Active Directory / NT Authentication

The Active Directory user name that the user logged into Windows with (Integrated Authentication) or the Active Directory user that was entered on the Basic Authentication window (Non-Integrated Authentication) is simply passed through to the SQL Server. This method and the SQL option share the same drawback: the user could use an external application to get access to the SQL databases unless a firewall is enabled. This method also suffers from the double-hop problem: the SQL Server, Web Server and Client machines must all be enabled for delegation at the Active Directory level, as standard Kerberos authentication does not allow the client browser to authenticate to the web server and then allow the web server to impersonate the credentials to the SQL server.

Specify NT in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="NT"/>

Set the “authentication” mode to “Windows” in the web.config

<authentication mode="Windows"/>

Set the “identity” impersonate to “true” in the web.config

<identity impersonate="true"/>

Remove the Anonymous access from the Application Folder / Virtual Directory and check the Basic or

Windows/Integrated authentication checkboxes.

Windows 2008 Screen Shot

Configure an Active Directory group for use with WorkPlace and then add all users that will access

WorkPlace to this group. Now on the SQL Server add this group and give this group permission to the

PTIMaster, all Control databases (example: DYNAMICS), and to ALL Company databases that WorkPlace

is installed to. Within each of these databases give the group access to the PTIWorkPlaceAdmin role.

Configure the Windows Management Instrumentation (WMI) Control. From the Web Server go to Start -> Control Panel -> Administrative Tools -> Computer Management. Open the Services and Applications group. Right-click on the WMI Control and select Properties.

Go to the Security tab and open the Root group and then highlight the CIMV2 folder and click the

Security button.

Add your Active Directory group. Check both the ‘Enable Account’ and ‘Remote Enable’ in the lower ‘Permissions’ pane. Click Advanced and highlight the group you just added. Click Edit. In the ‘Apply onto’ drop-down, change the setting to "This namespace and subnamespaces". Click ‘OK’ on all the open dialogs to complete.

Reboot the Web Server to invoke changes.

Active Directory / NTSHARED Authentication

The Active Directory user name that the user logged into Windows with (Integrated Authentication) or

the Active Directory user that was entered on the Basic Authentication window (Non-Integrated

Authentication) is used to identify the user to WorkPlace. The SQL backend operations are all

performed using a shared SQL account. This method is the preferred model in larger organizations as

the user cannot access the databases via external applications and all password and account

management is at the Active Directory level. This option also eliminates the double-hop issue with

Active Directory.

Specify NTSHARED in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="NTSHARED"/>

Set the “authentication” mode to “Windows” in the web.config

<authentication mode="Windows"/>

Set the “identity” impersonate to “true” in the web.config

<identity impersonate="true"/>

Configure a SQL user account as the account that ALL backend queries will be run under.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceAdmin role.

Specify the SQL user account in the web.config in the “SharedUserName” section.

<add key="SharedUserName" value="WPSharedUser"/>

Specify the Shared SQL user account’s password. There are two options at this point. The simplest is to specify the password in a clear form and type it into the “SharedPasswordClear” section. If you prefer to encrypt the password go to step 8, otherwise the setup is complete at this point.

<add key="SharedPasswordClear" value="shareduserpassword"/>

To encrypt the password, use the WPEncrypt.exe utility, which is in the WPEncrypt folder of your web folder. To use this utility simply go to a command line and type the following, replacing the value with the SQL user account's password and typing anything you wish into the key value. Once run, the encrypted password is output to the screen, and an Encrypted.txt file containing the encrypted password is also generated.

WPEncrypt.exe value="shareduserpassword" key="cookiejar"

Copy the value output by the previous step into the “SharedPasswordEncrypted” section, and also specify the key used in the “SharedPasswordEncryptedKey” section.

<add key="SharedPasswordEncrypted" value="eynIXqZGgFjiEibiHg5aA/x/gYfu3fvu9K/xGDMl+QJfKJh2rCTHLYhQjxGSIjsm"/>

<add key="SharedPasswordEncryptKey" value="cookiejar"/>

Remove the Anonymous access from the Application Folder / Virtual Directory and check the Basic or

Windows/Integrated authentication checkboxes.

Windows 2008 Screen Shot

Configure an Active Directory group for use with WorkPlace and then add all users that will access

WorkPlace to this group.

Configure the Windows Management Instrumentation (WMI) Control. From the Web Server go to Start -> Control Panel -> Administrative Tools -> Computer Management. Open the Services and Applications group. Right-click on the WMI Control and select Properties.

Go to the Security tab and open the Root group and then highlight the CIMV2 folder and click the

Security button.

Add your Active Directory group. Check both the ‘Enable Account’ and ‘Remote Enable’ in the lower ‘Permissions’ pane. Click Advanced and highlight the group you just added. Click Edit. In the ‘Apply onto’ drop-down, change the setting to "This namespace and subnamespaces". Click ‘OK’ on all the open dialogs to complete.

Reboot the Web Server to invoke changes.

Forms Authentication

The Active Directory user name that the user logged into Windows with is used to authenticate against the WorkPlace Web Server using IIS Forms Authentication. Once authenticated against the web site, the user’s credentials are passed to the WorkPlace solution, which will authenticate against the application-level security. All SQL backend operations are performed using a shared SQL account. This method is a preferred model in larger organizations as the user cannot access the databases via external applications and all password and account management is at the Active Directory level. This option also eliminates the double-hop issue with Active Directory.

Specify FORMS in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="FORMS"/>

Set the “authentication” mode to “Forms” in the web.config

<authentication mode="Forms"/>

Set the "SessionSQLConnectionString" using SQL Account. See Chapter 13: Session User Setup -

Configuring using SQL Account.

Configure a SQL user account as the account that ALL backend queries will be run under.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceAdmin role.

Specify the SQL user account in the web.config in the “SharedUserName” section.

<add key="SharedUserName" value="WPSharedUser"/>

Specify the Shared SQL user account’s password. There are two options at this point. The simplest is to

specify the password in a clear form and type it into the “SharedPasswordClear” section. If you prefer to encrypt the password go to step 6, otherwise the setup is complete at this point.

<add key="SharedPasswordClear" value="shareduserpassword"/>

To encrypt the password, use the WPEncrypt.exe utility, which is in the WPEncrypt folder of your web folder. To use this utility simply go to a command line and type the following, replacing the value with the SQL user account's password and typing anything you wish into the key value. Once run, the encrypted password is output to the screen, and an Encrypted.txt file containing the encrypted password is also generated.

WPEncrypt.exe value="shareduserpassword" key="cookiejar"

Copy the value output by the previous step into the “SharedPasswordEncrypted” section, and also specify the key used in the “SharedPasswordEncryptedKey” section.

<add key="SharedPasswordEncrypted" value="eynIXqZGgFjiEibiHg5aA/x/gYfu3fvu9K/xGDMl+QJfKJh2rCTHLYhQjxGSIjsm"/>

<add key="SharedPasswordEncryptKey" value="cookiejar"/>

There are 3 additional sections in the web.config file specific to FORM Configuration. Each begins with “START: FORM” and will need to be uncommented and updated as outlined below.

Update FORM Config Section 1 with the customer-specific Active Directory connection string.

<!-- START: FORM Config Section 1 -->
<!-- * Add your Active Directory to authenticate against. -->
<location path="Central/LoginAction.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Central/WPAgent.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<location path="OTG/OTGMain.asmx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://domain.mycompany.com/CN=Users,DC=domain,DC=mycompany,DC=com"/>
</connectionStrings>
<!-- END: FORM Config Section 1 -->

Update FORM Config Section 2 with the attributeMapUsername, which will be one of 2 options:

sAMAccountName: The Active Directory ‘User Logon Name’ (pre-Windows 2000) with no domain, which would be used as the Login Name in WorkPlace Security (i.e. aduser).

userPrincipalName: The Active Directory ‘User Logon Name’ with the domain email, which would be used as the Login Name in WorkPlace Security (i.e. [email protected]).

<!-- START: FORM Config Section 2 -->
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
<membership defaultProvider="MyADMembershipProvider">
  <providers>
    <!-- attributeMapUsername values: "sAMAccountName" which would be the account name such as jsmith, and "userPrincipalName" which would be UserName@DomainName or [email protected] -->
    <add name="MyADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         attributeMapUsername="sAMAccountName"
    />
  </providers>
</membership>
<!-- END: FORM Config Section 2 -->

Update FORM Config Section 3 by removing the comment tags to appear as below. No other updates

are required.

<!-- START: FORM Config Section 3 -->
<forms name=".ADAuthCookie" timeout="10" loginUrl="~/Central/Login.aspx" defaultUrl="~/"/>
<!-- END: FORM Config Section 3 -->

Update the WorkPlace Application Folder / Virtual Directory to enable Anonymous and Forms

Authentication. All other settings should be disabled.
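As an added example (not code from the guide or from WorkPlace), the Python audit below evaluates the three FORM sections the way ASP.NET URL authorization does, where the first matching rule wins, and lists every path an unauthenticated request can reach, along with the forms cookie and LDAP binding settings. The sample is assembled from the guide's snippets; treating Central/WPAgent.aspx and OTG/OTGMain.asmx as the two pages the guide recommends restricting by IP is an assumption.

```python
import xml.etree.ElementTree as ET

# Assumption: these are the Agent and OTG pages the guide recommends restricting by IP.
IP_RESTRICT_PATHS = {"Central/WPAgent.aspx", "OTG/OTGMain.asmx"}

# Constructed sample: FORM Config Sections 1-3 assembled into one file
# (<forms> is nested inside <authentication>, where ASP.NET reads it).
GUIDE_FORMS_CONFIG = """<configuration>
 <location path="Central/LoginAction.aspx"><system.web><authorization>
  <allow users="*"/></authorization></system.web></location>
 <location path="Central/WPAgent.aspx"><system.web><authorization>
  <allow users="*"/></authorization></system.web></location>
 <location path="OTG/OTGMain.asmx"><system.web><authorization>
  <allow users="*"/></authorization></system.web></location>
 <connectionStrings>
  <add name="ADConnectionString"
   connectionString="LDAP://domain.mycompany.com/CN=Users,DC=domain,DC=mycompany,DC=com"/>
 </connectionStrings>
 <system.web>
  <authentication mode="Forms">
   <forms name=".ADAuthCookie" timeout="10" loginUrl="~/Central/Login.aspx" defaultUrl="~/"/>
  </authentication>
  <authorization><deny users="?"/><allow users="*"/></authorization>
  <membership defaultProvider="MyADMembershipProvider"><providers>
   <add name="MyADMembershipProvider"
    type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
    connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName"/>
  </providers></membership>
 </system.web>
</configuration>"""


def _rules(system_web):
    """Ordered (action, users) pairs from a <system.web><authorization> block."""
    authz = None if system_web is None else system_web.find("authorization")
    if authz is None:
        return []
    return [(r.tag, r.get("users", "")) for r in authz if r.tag in ("allow", "deny")]


def anonymous_allowed(rules):
    """First rule naming '*' (everyone) or '?' (anonymous) decides the outcome."""
    for action, users in rules:
        names = {u.strip() for u in users.split(",")}
        if "*" in names or "?" in names:
            return action == "allow"
    return True  # nothing matched: the machine-level default allows everyone


def audit_forms_config(xml_text):
    """Return (code, detail) findings in document order."""
    root = ET.fromstring(xml_text)
    site_web = root.find("system.web")
    site_rules = _rules(site_web)
    out = []
    if anonymous_allowed(site_rules):
        out.append(("SITE_ALLOWS_ANONYMOUS", "/"))
    for loc in root.findall("location"):
        # A location's own rules are evaluated before the inherited site rules.
        if anonymous_allowed(_rules(loc.find("system.web")) + site_rules):
            path = loc.get("path", "")
            code = "RESTRICT_BY_IP" if path in IP_RESTRICT_PATHS else "ANONYMOUS_PATH"
            out.append((code, path))
    forms = None if site_web is None else site_web.find("authentication/forms")
    if forms is not None and forms.get("requireSSL", "false").lower() != "true":
        out.append(("FORMS_COOKIE_NOT_SSL_ONLY", forms.get("name", "")))
    for prov in root.iter("add"):
        if "ActiveDirectoryMembershipProvider" in prov.get("type", ""):
            if prov.get("connectionProtection", "Secure").lower() == "none":
                out.append(("LDAP_BIND_UNPROTECTED", prov.get("name", "")))
    return out


if __name__ == "__main__":
    for code, detail in audit_forms_config(GUIDE_FORMS_CONFIG):
        print(f"{code:28} {detail}")
```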

Application Authentication

User accounts and passwords are managed by WorkPlace exclusively and all SQL backend operations are

performed using a shared user account. Under this option the user names are the email addresses of

the user. The key benefit with this method is that if users forget their passwords they can simply click a

“forgot password” button on the logon page and reset their own passwords. This method is ideal for environments where account management at the SQL or NT level is not ideal or empowering the user to

manage their own password cuts administrative overhead.

Specify APP in the web.config section “ServerAuthenticationType”.

<add key="ServerAuthenticationType" value="APP"/>

Configure a SQL user account as the account that ALL backend queries will be run under.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceAdmin role.

Specify the SQL user account in the web.config in the “SharedUserName” section.

<add key="SharedUserName" value="WPSharedUser"/>

Specify the Shared SQL user account’s password. There are two options at this point. The simplest is to

specify the password in a clear form and type it into the “SharedPasswordClear” section. If you prefer to encrypt the password go to step 6, otherwise the setup is complete at this point.

<add key="SharedPasswordClear" value="shareduserpassword"/>

To encrypt the password, use the WPEncrypt.exe utility, which is in the WPEncrypt folder of your web folder. To use this utility simply go to a command line and type the following, replacing the value with the SQL user account's password and typing anything you wish into the key value. Once run, the encrypted password is output to the screen, and an Encrypted.txt file containing the encrypted password is also generated.

WPEncrypt.exe value="shareduserpassword" key="cookiejar"

Chapter 17: Administrative User

The administrative user defined in the web.config will grant access to WorkPlace even if the user is not

configured in WorkPlace. This user does not go against the licensed user account and allows limited

access to certain WorkPlace functions such as Security and Setting Settings.

Specify the administrative user's login name in the web.config section “AdministrativeUser”. For Active Directory, specify the domain prefix.

<add key="AdministrativeUser" value="mydomain\jsmith"/>

SSO Setup

To initially get into WorkPlace with SSO enabled you have to do one of two things. First, you can set up WorkPlace for another authentication method, configure the WorkPlace user account and set up the default SMTP server settings, then flip the authentication over to SSO and follow the dialogs to associate your SSO account with WorkPlace. The other method involves manually setting up this account, which is detailed below.

1. Navigate manually to http://www.mydomain/WorkPlace/Central/SSOInfo.aspx (replace the domain

and folder with your valid specific values). From this page you get the value for the unique identifier

and the identity provider.

SSOINFO.ASPX

2. Use the values from step 1 and insert a manual record with this information into the PTISecuritySSO

table that is within the PTIMaster database.

INSERT INTO PTISecuritySSO (idfEmail, idfFlagActivated, idfIdentityProvider, idfIdentityUniqueID)
VALUES ('[email protected]', 1, 'uri:WindowsLiveID', '8tsPDrj9x8nhfjbi0qkYvF0zBqXsZ0+i7bjo6L9FVl8=')

Chapter 18: Crystal Report SQL User Account

If you are using Active Directory / NT pass-through, or any options in the SQLPasswordEncryptionExtendedSupport setting such as “GRPCONNECT”, then the following steps will need to be performed.

Configure a SQL user account for running the Crystal Reports queries.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceRFQVndAccess role.

Update the web.config settings “ReportUserName” and “ReportPassword” with the SQL user account that was just configured.

<add key="ReportUserName" value="WPCrystalUser"/>

<add key="ReportPassword" value="7803*&amp;#@"/>

Chapter 19: RFQ Vendor User

If licensed for Request for Quote then a SQL user account will need to be created for the RFQ module to

process responses from outside vendors.

Configure a SQL user account.

Give the SQL user account permission to the PTIMaster, all Control databases (example: DYNAMICS),

and to ALL Company databases that WorkPlace is installed to. Within each of these databases give the

user access to the PTIWorkPlaceUser role.

Update the web.config settings “VendorUserName” and “VendorPassword” with the SQL user account that was just configured.

<add key="VendorUserName" value="WPVendorUser"/>

<add key="VendorPassword" value="7803*&amp;#@"/>

Chapter 20: Date Format

The date format that is used in WorkPlace can be changed in the web.config. Once changed all display

and input fields will use this format.

To change the date format edit the “DateFormat” section of the web.config.

<add key="DateFormat" value="MM/dd/yyyy"/>

Format Option    Example
MM/dd/yyyy       01/12/2015
yyyy.MM.dd       2015.12.01
dd/MM/yyyy       12/01/2015
dd.MM.yyyy       12.01.2015
dd-MM-yyyy       12-01-2015
MM-dd-yyyy       01-12-2015
yyyy/MM/dd       2015/01/12

Chapter 21: Session Timeout

The amount of inactivity allowed before a user has to re-login is controlled by the “SessionTimeout” setting in the web.config. The default time is 60 minutes.

To modify the timeout simply edit the “SessionTimeout” web.config setting and change it to the desired number of minutes.

<add key="SessionTimeout" value="60"/>

Chapter 22: Language Engine

If the Language Engine has been purchased and licensed the following setup needs to be performed.

Configure a SQL user account that will be used to access the Language Resource tables.

Set the Default Database of the SQL user account to be one of the companies that WorkPlace is installed

against. This is important as the Default Database on the Language User Account tells WorkPlace where

the Language Resource tables are.

Give the SQL user account permission to the PTIMaster and to the Company database. Within each of

these databases give the user access to the PTIWorkPlaceLanguageAccess role.

Specify the SQL Language user name and password in the web.config

<!--<add key="LanguageUserName" value="sa"/>-->

<!--<add key="LanguagePassword" value="sasa"/>-->

The default language used by WorkPlace can be specified in the “Language” section of the web.config.

<!--<add key="Language" value="English"/>-->
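The shared account settings in Chapter 16 and the report, vendor and language accounts in Chapters 18, 19 and 22 all place SQL credentials in appSettings. The Python audit below is an added example, not part of the guide or the product; it reports how those credentials are stored without ever echoing a value. The sample file and its password values are constructed, and the key names are the ones printed in this guide.

```python
import xml.etree.ElementTree as ET

CLEAR_PASSWORD_KEYS = ("SharedPasswordClear", "ReportPassword",
                       "VendorPassword", "LanguagePassword")
LOGIN_KEYS = ("SharedUserName", "ReportUserName", "VendorUserName", "LanguageUserName")
# The guide spells the key setting both ways, so accept either.
ENCRYPT_KEY_NAMES = ("SharedPasswordEncryptKey", "SharedPasswordEncryptedKey")

# Constructed sample: several of the guide's settings combined in one file.
SAMPLE = """<configuration><appSettings>
 <add key="SharedUserName" value="WPSharedUser"/>
 <add key="SharedPasswordClear" value="shareduserpassword"/>
 <add key="SharedPasswordEncrypted" value="constructed-ciphertext"/>
 <add key="SharedPasswordEncryptKey" value="cookiejar"/>
 <add key="ReportUserName" value="WPSharedUser"/>
 <add key="ReportPassword" value="constructed-report-password"/>
 <add key="VendorUserName " value="WPVendorUser"/>
 <add key="VendorPassword " value="constructed-vendor-password"/>
 <!--<add key="LanguageUserName" value="sa"/>-->
 <!--<add key="LanguagePassword" value="sasa"/>-->
</appSettings></configuration>"""


def audit_app_settings(xml_text):
    """Return sorted (code, key names) findings. Setting values are never included."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: a raw & in a password value instead of &amp;
        return [("CONFIG_NOT_WELL_FORMED", "line %d" % exc.position[0])]
    findings, settings = set(), {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            raw = add.get("key", "")
            if raw != raw.strip():
                # A padded key name is a different key, so lookups may miss it.
                findings.add(("KEY_HAS_WHITESPACE", raw.strip()))
            settings[raw.strip()] = add.get("value", "")
    for key in CLEAR_PASSWORD_KEYS:
        if settings.get(key):
            findings.add(("CLEARTEXT_PASSWORD", key))
    if settings.get("SharedPasswordEncrypted"):
        if any(name in settings for name in ENCRYPT_KEY_NAMES):
            # Ciphertext and its key sit in the same readable file.
            findings.add(("KEY_BESIDE_CIPHERTEXT", "SharedPasswordEncrypted"))
        if settings.get("SharedPasswordClear"):
            findings.add(("CLEAR_COPY_LEFT_BEHIND", "SharedPasswordClear"))
    by_login = {}
    for key in LOGIN_KEYS:
        login = settings.get(key, "").strip().lower()
        if login:
            by_login.setdefault(login, []).append(key)
        if login == "sa":
            findings.add(("SYSADMIN_LOGIN", key))
    for keys in by_login.values():
        if len(keys) > 1:
            # One login reused across accounts that the guide maps to different roles.
            findings.add(("LOGIN_REUSED", ",".join(keys)))
    return sorted(findings)


if __name__ == "__main__":
    for code, keys in audit_app_settings(SAMPLE):
        print(f"{code:24} {keys}")
```

KEY_BESIDE_CIPHERTEXT reflects that anyone who can read web.config holds both the WPEncrypt output and the key, so the file's ACL remains the control protecting the shared account.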

Chapter 23: Web Server Folder Security

Within the web objects folder on the web server there are three folders that WorkPlace needs full privileges on.

Those folders are Attachments, ReportExports, and DynamicFiles.

1. Using Explorer, navigate to the WorkPlace web server folder created during installation (unless changed during install, the default location is C:\Program Files (x86)\WorkPlace).

2. Navigate to the WorkPlace\Central\Attachments folder

3. Right-click the Attachments folder -> Sharing and Security

4. Select the SECURITY Tab

5. Select the appropriate user account/group

a. If using SQL, SQLSHARED, or APP Authentication: Select the User Account that the

Application Pool is running under.

b. If using NT or NTSHARED: Select the WorkPlace users Active Directory Group

6. Allow READ, WRITE and MODIFY Permissions for this account

7. Select OK to save your changes and close the Security Properties Window

8. Repeat Step 1 through 7 for the Central\ReportExports folder

9. Repeat Step 1 through 7 for the Central\DynamicFiles folder

10. Repeat Step 1 through 7 for the C:\Windows\Temp folder

Part 5: Logging into WorkPlace

Chapter 24: Your WorkPlace URL

Open Internet Explorer and enter the address of your WorkPlace Application

Your URL will look like this:

http://<Web server machine name>/<IIS virtual directory name>

For Example:

Web Server Name = Neptune; Virtual Directory Name = WorkPlace

You would type in: Http://NEPTUNE/WORKPLACE

- OR -

Example: Web Server IP address = 120.120.120.118; Virtual Directory = WorkPlace

You would type in: Http://120.120.120.118/WORKPLACE

When you successfully launch WorkPlace from your browser, you will reach a login screen where you will need to

enter some or all of the following information:

Username

Password

Company Name

Option to change Password

The information required/available on the login screen is primarily determined by the Authentication mode that

you have configured to validate users and passwords.

The option to allow users to change their own passwords is available only in SQL

Authentication mode. This feature can be activated by modifying the Web.config file.

Appendix A: WP Agent Utility

The Agent program (typically c:\program files\WorkPlace\wpagent\WPAgent.exe) is a stand-alone executable program that calls a special web page (WPAgent.aspx) on a regular schedule. When called, the web page checks for two types of situations, as explained in the “Uses” section below, and if one is found, launches the appropriate routines. How often the agent program calls the web page is scheduled on the web server using a command line ‘AT’ command or by using ‘Scheduled Tasks’ in Control Panel.

Uses

1) When WorkPlace is installed with an EAIC, the WP Agent can be used to automatically update WorkPlace application tables based on any modifications that have been made by the application connected via the EAIC.

2) Also, this utility can be used to automatically send out an “Approval Tickler” email from the standard WorkPlace email engine. Reminder emails can be sent by the agent program when transactions (i.e.: Requisitions, Invoices, Timesheets, Expense Sheets) have been submitted for approval, but have not yet been loaded into an approval session.

Configuration

ACTIVATE

The WP Agent Program must be activated within the WorkPlace application System Settings page. To do

so, simply fill in a value for “Elapsed Hours” setting on the General Tab. The minimum number of hours is one, and fractional hours are not valid. The WP Agent Program is activated and configured per

individual company. Each company can have a different number of ‘elapsed hours’ specified in its WorkPlace System Settings.

ASSIGN A USER

SQL Authentication: select or create a user in SQL Server that is a member of the PTIWorkPlaceUser

Role in all Company DB(s), PTIMaster, and the Financial Application Control Database.

NT Authentication: select or create a user that is also a member of the NT Group for WorkPlace users.

CREATE COMMAND

Configure a command to launch the Agent program using ‘Scheduled Tasks’ in Control Panel or a command line ‘AT’ command. For example:

WPAgent.exe url="http://127.0.0.1/WorkPlace/Central/WPAgent.aspx" user="wpagent" password="wppass"

NOTE: The user information entered on the ‘Scheduled Task’ Windows form can be any valid Windows user on the web server. This user is separate and can be different from the user information listed in your WPAgent command line.

Required Command Parameters (parameter names must be in lower case)

[url] This must point to the location of WPAgent.aspx within the virtual folder you have configured for WorkPlace.

[user] The SQL Server/NT User Name.

[password] The password for the User above.

[domain] NT Authentication ONLY: the User account’s network domain name.

Optional Command Parameters (parameters in lower case, ON/SCREEN in upper case)

[debug] ON: Output will be written to a file called WPAgentLog.txt in the path specified in [path]; if no path is specified, C:\ will be used. SCREEN: Output will be written to the console screen exclusively.

[path] This is the path where the WPAgentLog.txt will be created.
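The command line and schedule described above can be built and registered from PowerShell. This is an added example, not part of the original guide: the task name, log folder, hourly interval and the debug="ON" / path="..." value syntax (modelled on the url/user/password form shown earlier) are assumptions.

```powershell
# Added example, not from the guide. Run from an elevated PowerShell session.
# ASSUMPTIONS: task name, log folder, hourly interval, and name="value" syntax
# for the optional parameters.
$AgentExe = 'C:\Program Files\WorkPlace\wpagent\WPAgent.exe'

function New-WPAgentArgument {
    # Builds the argument string using the guide's rules: parameter names in
    # lower case, ON/SCREEN in upper case, [domain] only for NT Authentication.
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,
        [string]$Domain,
        [ValidateSet('ON', 'SCREEN')][string]$DebugMode,
        [string]$Path
    )
    $pairs = [ordered]@{ url = $Url; user = $User; password = $Password }
    if ($Domain)    { $pairs['domain'] = $Domain }
    if ($DebugMode) { $pairs['debug']  = $DebugMode.ToUpper() }
    # A trailing backslash would escape the closing quote on the command line.
    if ($Path)      { $pairs['path']   = $Path.TrimEnd('\') }
    $parts = foreach ($entry in $pairs.GetEnumerator()) {
        if ($entry.Value -match '"') {
            throw "Value for [$($entry.Key)] must not contain a double quote."
        }
        '{0}="{1}"' -f $entry.Key, $entry.Value
    }
    $parts -join ' '
}

# Prompt for both accounts so neither password is saved in this script file.
$agentCred = Get-Credential -Message 'WorkPlace agent user (SQL Server or NT account)'
$taskCred  = Get-Credential -Message 'Windows account the scheduled task runs as'

$arguments = New-WPAgentArgument `
    -Url 'http://127.0.0.1/WorkPlace/Central/WPAgent.aspx' `
    -User $agentCred.UserName `
    -Password $agentCred.GetNetworkCredential().Password `
    -DebugMode ON -Path 'D:\WorkPlaceLogs'

$action  = New-ScheduledTaskAction -Execute ('"{0}"' -f $AgentExe) -Argument $arguments
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'WorkPlace WPAgent' -Action $action -Trigger $trigger `
    -User $taskCred.UserName -Password $taskCred.GetNetworkCredential().Password
```

The agent password ends up in clear text in the task's action arguments, so the agent user is best kept to a dedicated account with only the role membership described under ASSIGN A USER.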

Appendix B: Notes on upgrading

Upgrading from Previous WorkPlace Versions

Previous versions of WorkPlace ran on the .NET 2.0 (before version 11) and .NET 4 (after version 11) frameworks and were limited to 32-bit mode only. WorkPlace 2015 is built on the .NET 4.5.2 framework and the System Requirements within this document should be consulted prior to upgrading.

Install the Microsoft Framework 4.5.2 version.

Install the new Crystal Reports.NET v13.0.5.891, either the 32bit or 64bit depending on OS.

SQL password encryption was changed with WorkPlace version 11 to a new encryption engine, as the old engine only supported 32-bit operation. If you wish to continue to use the old password encryption you can enable the old encryption library by setting the web.config setting “SQLClassicEncryptionEnabled” to “ON”:

<add key="SQLClassicEncryptionEnabled" value="ON"/>

If you want to run in native 64-bit mode then “SQLClassicEncryptionEnabled” cannot be set to “ON” and all the WorkPlace SQL user accounts will have to have their SQL passwords reset. This can be done manually by the WorkPlace admin, or there is a built-in stored procedure that can be run in the WorkPlace company database to set all the SQL accounts to a common password along with forcing the users to change their password on logon. The stored procedure to execute is spPTISQLResetPasswordAll; it takes one parameter, which is the default password that all users will be set to. The default password is “wppass”.

EXEC spPTISQLResetPasswordAll

General Notes

Upgrading WorkPlace generally has fewer steps than a fresh “production” installation because most of the work was already done during your original install. For all upgrades:

When preparing to request your new license, you can generate the License Information File

from within WorkPlace on the System Settings General tab.

Unless you have a specific reason (i.e. instructed to by the release notes) you need not re-install the Optional Windows components.

Select “Upgrade” instead of production when installing SQL Objects.

After installing Web Objects you can simply copy your backup web.config file into the Web-server main installation folder to restore your custom settings.

Also, copy any modified reports from the web server as you will need to copy these back in after the upgrade.

Most likely, you will be able to launch WorkPlace without modifying settings in your operating environment (i.e. IIS Manager, SQL Server, and Security Settings on the Web-server installation folder).

There are two main types of upgrades, and the process varies between the two:

Upgrading to a new version of WorkPlace

Download the new version of WorkPlace from the Customer Area website. Unzip on your

Web-server and double-click Setup.exe to launch.

Using the WorkPlace Installation Wizard, Install both Web Objects and SQL Objects.

When Installing SQL Objects, on the page where you identify your Financial Application

version, check to make sure the version of WorkPlace listed in the header of the popup

window is the version number you expect.

Select all of the same settings from your last install when installing your new objects

EXCEPT:

Select “Upgrade” instead of production when installing SQL Objects

Adding a new Interface to your current WorkPlace version

Don’t run the WorkPlace installation Wizard! Instead, go to the Windows Start Menu on your Web-server and run SQL Installer .NET to install your WorkPlace SQL Objects (this is more efficient and saves time.)

When Installing SQL Objects, on the page where you identify your Financial Application

version, check to make sure the version of WorkPlace listed in the header of the popup

window is the version number you expect.

Select all of the same settings from your last install when installing your new objects

EXCEPT:

Select “Upgrade” instead of production when installing SQL Objects, and

Select the checkbox to install the NEW INTERFACE that has caused you to upgrade.

Appendix C: Un-Installing WorkPlace

Remove the installed Web Objects

Delete the folder where you originally installed the WorkPlace web objects. Once removed, open Internet Information Services and remove the application/virtual folder that was created for WorkPlace. Also, remove the Application Pool.

Removing the installed SQL Databases

During the SQL objects installation process, tables, triggers, stored procedures and views were installed

to the Control database and Company database(s). To remove these objects email

[email protected] for additional information. Also, there is another shared

database called PTIMaster that should be removed only if WorkPlace is being removed from ALL

Companies on the associated SQL Server.

Removing the installed Optional Windows Components

These optional Windows Components can be removed using the standard Add/Remove programs

feature included with Windows.

Appendix D: Encrypting the Web.Config

The web.config can hold some sensitive information such as special user names and passwords for session management, report execution and language management, to name a few. In order to secure this information .NET provides a built-in encryption routine for the web.config. Following are excerpts from the Microsoft .NET documentation on performing this activity.

Encrypting Web.Config

To encrypt the WorkPlace appSettings inside the web.config, run the command below. Make sure you run it from an Administrator-level command prompt. Also make sure you are using the proper .NET framework folder for the version that WorkPlace is running under and that you specify the proper virtual folder that WorkPlace is using.

Example:

C:\>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe "appSettings" -app "/WorkPlace"

Decrypting Web.Config

To decrypt the WorkPlace appSettings inside the web.config, run the same command used to encrypt, but with the -pd option instead of -pe. Make sure you run it from an Administrator-level command prompt. Also make sure you are using the proper .NET framework folder for the version that WorkPlace is running under and that you specify the proper virtual folder that WorkPlace is using.

Example:

C:\>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pd "appSettings" -app "/WorkPlace"

Microsoft Documentation for Encrypting and Decrypting Configuration Sections

Information Obtained from Microsoft Article: https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

You can use the ASP.NET IIS Registration Tool (Aspnet_regiis.exe) to encrypt or decrypt sections of a

Web configuration file. ASP.NET will automatically decrypt encrypted configuration elements when the

Web.config file is processed.

NOTE: The Aspnet_regiis.exe tool is located in the %windows%\Microsoft.NET\Framework\versionNumber folder.

You can also use the protected configuration classes in the System.Configuration namespace to encrypt

and decrypt sections of a Web configuration file, sections of a configuration file for an executable (.exe),

or sections in the machine-level and application-level configuration files. For more information, see

the ProtectSection method of the SectionInformation class. For information on referencing a section of a

Web.config file, see the WebConfigurationManager class. For information on referencing configuration

sections of files other than the Web.config file, see the ConfigurationManager class.

Encrypting a Web Configuration Section

To encrypt configuration file contents, use the Aspnet_regiis.exe tool with the -pe option and the name of the configuration element to be encrypted.

Use the -app option to identify the application for which the Web.config file will be encrypted and the -site option to identify which Web site the application is a part of. The Web site is identified using the site

number from the Internet Information Services (IIS) metabase. You can retrieve the site number from

the INSTANCE_META_PATH server variable in the ServerVariables collection. For example, when IIS is

installed, a Web site named "Default Web Site" is created as site 1. In pages served from that site, the

INSTANCE_META_PATH server variable returns "/LM/W3SVC/1". If you do not specify a -site option, site

1 is used.

Use the -prov option to identify the name of the ProtectedConfigurationProvider that will perform the encryption and decryption. If you do not specify a provider using the -prov option, the provider configured as the defaultProvider is used.

NOTE: If you are using an RsaProtectedConfigurationProvider instance that specifies a custom key

container, you must create the key container before running the Aspnet_regiis.exe tool. For more

information, see Importing and Exporting Protected Configuration RSA Key Containers.

The following command encrypts the connectionStrings element in the Web.config file for the

application SampleApplication. Because no -site option is included, the application is assumed to be

from Web site 1 (most commonly Default Web Site in IIS). The encryption is performed using

the RsaProtectedConfigurationProvider specified in the machine configuration.

aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

When a page or other ASP.NET resource in the application is requested, ASP.NET calls the provider for

the protected configuration section to decrypt the information for use by ASP.NET and your application

code.

NOTE: To decrypt and encrypt a section of the Web.config file, the ASP.NET process must have

permission to read the appropriate encryption key information. For more information, see Importing and

Exporting Protected Configuration RSA Key Containers.

Decrypting a Web Configuration Section

To decrypt encrypted configuration file contents, you use the Aspnet_regiis.exe tool with the -pd switch and the name of the configuration element to be decrypted. Use the -app and -site switches to identify the application for which the Web.config file will be decrypted. You do not need to specify the -prov switch to identify the name of the ProtectedConfigurationProvider, because that information is read from the configProtectionProvider attribute of the protected configuration section.

The following command decrypts the connectionStrings element in the Web.config file for the ASP.NET

application SampleApplication:

aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"
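After running the -pe command for WorkPlace it is worth confirming that the file on disk really is protected. The following PowerShell is an added example, not part of the original guide or of the Microsoft article; the web.config location is an assumption.

```powershell
# Added example, not from the guide. Run from an elevated PowerShell session.
# ASSUMPTION: web.config sits in the WorkPlace main installation folder.
$RegIis    = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$AppPath   = '/WorkPlace'
$WebConfig = 'C:\Program Files (x86)\WorkPlace\web.config'

function Test-AppSettingsProtected {
    # Inspects web.config and reports whether <appSettings> is encrypted and
    # whether any credential-looking text is still readable in the file.
    param([Parameter(Mandatory)][string]$ConfigPath)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)
    # local-name() keeps the query working if <configuration> declares a namespace.
    $section = $xml.SelectSingleNode(
        "/*[local-name()='configuration']/*[local-name()='appSettings']")
    if ($null -eq $section) { throw "No <appSettings> section in $ConfigPath" }

    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    # <add> elements still present under appSettings are readable settings.
    $plainKeys = @($section.SelectNodes("*[local-name()='add']") |
        ForEach-Object { $_.GetAttribute('key') })
    # Commented-out entries such as <!--<add key="LanguagePassword" .../>-->
    # anywhere in the file are reported so they can be checked by hand.
    $comments = @($xml.SelectNodes('//comment()') |
        Where-Object { $_.Value -match 'password' } |
        ForEach-Object { $_.Value.Trim() })

    [pscustomobject]@{
        Provider            = $provider
        HasEncryptedData    = ($null -ne $encrypted)
        PlaintextKeys       = $plainKeys
        CommentsToReview    = $comments
        Protected           = ($provider -ne '') -and ($null -ne $encrypted) -and
                              ($plainKeys.Count -eq 0)
    }
}

& $RegIis -pe 'appSettings' -app $AppPath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

$result = Test-AppSettingsProtected -ConfigPath $WebConfig
$result | Format-List
if (-not $result.Protected) {
    Write-Warning 'appSettings is not fully encrypted; check the -app path and framework folder.'
}
if ($result.CommentsToReview.Count -gt 0) {
    Write-Warning 'web.config contains comments that mention a password; review them.'
}
```

Backup copies of web.config taken before encryption, such as the one kept for an upgrade, still hold the settings in readable form and need the same care as the live file.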
