If you need to upgrade the operating system of a server where Mi-Token is installed, follow the guide below.
Preparing for the upgrade
Warnings
In-place will not work
Unfortunately, an in-place upgrade of the operating system will not work. This kind of upgrade overwrites files that Mi-Token depends on and leaves the software unusable.
Pre-built images will not work
We cannot guarantee that every pre-built operating system image fails, but all the ones we have tested do. The recommended procedure is to start from a clean installation of Windows Server done the traditional way.
Make an inventory of your current software
It is important to identify which Mi-Token components your server is currently running. To make sure nothing is left behind, check the Programs and Features window. The Mi-Token components are listed as "Mi-Token ***", so you will always find them together in the M group, for instance:
This is the list of components that you will reinstall when the new server is ready.
Back-up customization parameters and configurations
The Mi-Token Provisioning Website and the Mi-Token Reporting Website may have been customized to accommodate marketing policies or to show specific colors or branding.
Navigate to the installation directory C:\Program Files\Mi-Token and make a copy of the Mi-Token provisioning website and reporting website folders.
If you are using the Windows NPS Server along with the Mi-Token RADIUS Plug-in, you need to export the NPS configuration; it will be needed to reconfigure the same settings on the NPS of the new server. To do so, open the NPS console (from the Mi-Token snap-in):
In the screenshot above, we have expanded the nodes of the NPS. Notice the two initial folders: RADIUS Clients and Servers, and Policies.
The first folder contains the clients that are allowed to send authentication requests to this server via the RADIUS protocol and, optionally, other RADIUS servers that this server may forward requests to if needed.
Typically the VPN gateways are listed in this group.
Within the Policies folder you find Connection Request Policies and Network Policies. These are needed by the NPS server to evaluate where a request comes from and whether access will be granted. While all the information in this block is important, the most important to consider are the connection request policies, since Mi-Token is associated with them.
For instance, the server we are looking at has one connection request policy:
When we explore the Mi-Token node, we can see if Mi-Token is enabled for that policy:
Mi-Token is enabled for the policy, i.e. users trying to get access through the NPS will be required to provide a one-time password, to be evaluated by Mi-Token, before access is granted.
Make sure to keep track of which policies have Mi-Token enabled. This setting is not part of the NPS export and cannot be exported; you will re-enable it by hand on the new server.
To export the NPS configuration and settings, select the NPS node and right-click it:
Select "Export Configuration":
Exporting the configuration creates an XML file to be used later on the new server. You will be prompted to confirm the export, because the resulting XML file contains the RADIUS shared secrets and other sensitive data in plain text. Treat the file as a secret: store it on a restricted location, do not send it over e-mail or chat, and delete it once it has been imported on the new server.
Accept the warning and click OK. A dialog will appear for you to select where to write the output file. Select the destination directory, name the file and click Save:
By the time you are finished with this section, you must have:
- The list of Mi-Token components to reinstall
- A copy of the Provisioning and Reporting website installation directories (if present)
- An XML file containing the RADIUS NPS configuration
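The three preparation steps above can be scripted on the old server. The following PowerShell is an added example, not Mi-Token's own tooling. It assumes the default installation directory above, that the website folders under it contain "Provisioning" or "Reporting" in their names (an assumption; adjust the pattern to your layout), and a hypothetical backup location D:\MiTokenMigration. It uses netsh nps export, the command-line equivalent of the Export Configuration dialog; exportPSK=YES is what includes the shared secrets in the file, which is why the script restricts the file to Administrators and SYSTEM afterwards.

```powershell
# Added example: collect the migration artefacts on the OLD server.
# Run in an elevated PowerShell session. Paths and the folder-name pattern are assumptions.
$Backup      = 'D:\MiTokenMigration'          # hypothetical backup location (keep it free of spaces for netsh)
$InstallRoot = 'C:\Program Files\Mi-Token'    # default installation directory from the article
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# 1. Inventory: read the Uninstall registry keys that back Programs and Features
#    (64-bit and 32-bit views). Win32_Product is avoided on purpose: querying it
#    triggers MSI consistency checks/repairs on every installed product.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$components = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Mi-Token*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Sort-Object DisplayName
$components | Export-Csv -Path (Join-Path $Backup 'mitoken-components.csv') -NoTypeInformation
$components | Format-Table -AutoSize

# 2. Website customisations: copy the provisioning and reporting website folders.
#    The name pattern is an assumption; adjust it to match your installation.
Get-ChildItem -Path $InstallRoot -Directory |
    Where-Object { $_.Name -match 'Provisioning|Reporting' } |
    ForEach-Object {
        $dest = Join-Path $Backup $_.Name
        # /E copies empty subfolders too; /COPY:DAT keeps data, attributes and timestamps
        robocopy $_.FullName $dest /E /COPY:DAT /R:1 /W:1 /NP /NFL /NDL | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $($_.FullName) (exit $LASTEXITCODE)" }
    }

# 3. NPS configuration. exportPSK=YES includes the RADIUS shared secrets (the GUI warns
#    about exactly this), so lock the file down as soon as it exists.
$npsXml = Join-Path $Backup 'nps-config.xml'
netsh nps export filename="$npsXml" exportPSK=YES | Out-Null
if (-not (Test-Path $npsXml)) { throw 'NPS export did not produce a file' }

# Drop inherited ACEs and grant only Administrators and SYSTEM
icacls "$npsXml" /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

Write-Host "Artefacts written to $Backup"
```

The CSV is the component list you will reinstall; compare it against the Programs and Features window before decommissioning anything. The NPS XML still needs to leave this server, so copy it to the new one over an authenticated channel (an admin share or PowerShell remoting) rather than through a shared drop folder.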
About the Provisioning and Reporting websites
The Mi-Token installer for these components extracts and configures a basic installation in the IIS server. Usually this configuration is enough. However, in certain installations, deployment customizations are performed by the IT department. If this is your case, please ask your IT team to review the configuration and prepare the necessary backups so that the same settings can be applied on the new server.
Preparing the new server
Install the operating system of your choice the traditional way. Assuming the server will not be a Domain Controller, you also need to install the following roles and features:
Roles:
Active Directory Lightweight Directory Services
Network Policy and Access Services
Web Server (IIS, needed for the provisioning and reporting websites; omit this one if you are not installing them)
Features:
.Net Framework 3.5
.Net Framework 4.6
Remote Server Administration Tools/Role Administration Tools/AD DS and AD LDS Tools
Add Security/Windows Authentication to the Web Server role (in addition to any other requirements you may have):
This new server must be a member of the same domain and must have direct network connectivity to the existing server.
Warning
Make sure to give the new server its final name before installing Mi-Token. You may change IP addresses later, but the server name cannot change once Mi-Token is installed.
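The role and feature list above, and the two prerequisites (domain membership and a fixed name), can be applied and checked from PowerShell on the new server. This is an added example and not part of the Mi-Token documentation; the feature identifiers are the Install-WindowsFeature names that correspond to the display names in the article, and the install media path and old server name are assumptions.

```powershell
# Added example: install the roles/features from the article on the NEW server and verify
# the prerequisites. Run in an elevated PowerShell session on Windows Server 2012 R2 or later.
$features = @(
    'ADLDS',                  # Active Directory Lightweight Directory Services
    'NPAS',                   # Network Policy and Access Services
    'NET-Framework-Core',     # .NET Framework 3.5
    'NET-Framework-45-Core',  # .NET Framework 4.x (4.6 or later on current Windows Server)
    'RSAT-ADDS-Tools',        # RSAT > Role Administration Tools > AD DS Snap-Ins and Command-Line Tools
    'RSAT-ADLDS'              # RSAT > Role Administration Tools > AD LDS Snap-Ins and Command-Line Tools
)
$InstallWebsites = $true      # $false if the provisioning/reporting websites are not being installed
if ($InstallWebsites) {
    $features += 'Web-Server', 'Web-Windows-Auth'   # IIS plus Security > Windows Authentication
}

# The .NET 3.5 payload is not on disk by default; point -Source at sources\sxs on the install media.
$SxsSource = 'D:\sources\sxs'   # assumption: mounted Windows Server ISO
$result = Install-WindowsFeature -Name $features -IncludeManagementTools -Source $SxsSource
if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required before installing Mi-Token.' }

# Confirm every requested feature is actually installed
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Not installed: $($_.Name)" }

# Prerequisites from the article: same domain, final host name, direct connectivity to the old server
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'The new server must be joined to the same domain as the current Mi-Token server' }
Write-Host "Hostname: $env:COMPUTERNAME  Domain: $($cs.Domain)  (the name cannot change after Mi-Token is installed)"

$OldServer = 'mitoken-old.corp.example'   # hypothetical name of the existing server
$AdLdsPort = 389                          # assumption: use the LDAP port of the old server's Mi-Token AD LDS instance
Test-NetConnection -ComputerName $OldServer -Port $AdLdsPort |
    Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded
```

If TcpTestSucceeded is false, fix the firewall or routing before installing Mi-Token; the replica installation and, later, the uninstallation of the old server both depend on that direct connection.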
Install the Mi-Token components
Once you have the necessary roles and features installed, install Mi-Token as a replica of your current master server. See section "8.1 Installing a replica authentication server" of the user manual attached to this article.
Retrieve the list of installed components from the old server and make sure you install the same components (or more, if required).
Note: You must install the Mi-Token components using a user account with Enterprise Administrator privileges in the domain.
Applying configuration to the new server
When you are done installing the software, apply the customizations and settings from your old server.
Copy the contents of your provisioning and reporting websites to the new installation directories.
Open the NPS console and import the configuration from the configuration file you created on the old server:
Click "Import Configuration" and locate the exported file:
The configuration will be imported and applied to the new server.
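The import and a post-import check can be done from PowerShell on the new server. This is an added example, not part of the Mi-Token documentation; the file path is an assumption and the commands assume the NPS role (and, for Get-NpsRadiusClient, the NPS PowerShell module that ships with it) is installed.

```powershell
# Added example: import the exported NPS configuration on the NEW server and verify the result.
# Run in an elevated PowerShell session. $NpsXml is the file produced on the old server (path assumed).
$NpsXml = 'D:\MiTokenMigration\nps-config.xml'
if (-not (Test-Path $NpsXml)) { throw "Export file not found: $NpsXml" }

# Restores RADIUS clients, remote RADIUS server groups and both policy folders.
# Import-NpsConfiguration -Path $NpsXml (NPS module) is the cmdlet equivalent.
netsh nps import filename="$NpsXml" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh nps import failed with exit code $LASTEXITCODE" }

# Compare what came across with the old server: the clients (typically the VPN gateways) ...
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize

# ... and the policies. Connection request policies are the ones Mi-Token attaches to.
netsh nps show crp
netsh nps show np

# The per-policy Mi-Token setting is NOT in the export: open each connection request policy
# that had Mi-Token enabled on the old server and enable it again in the Mi-Token node.
Write-Warning 'Re-enable Mi-Token on each connection request policy that had it on the old server.'

# The XML holds the RADIUS shared secrets in clear text. Once the import is verified,
# overwrite the file (reduces the chance of recovery from freed blocks on an unencrypted
# volume) and delete it.
$len = (Get-Item $NpsXml).Length
[System.IO.File]::WriteAllBytes($NpsXml, (New-Object byte[] $len))
Remove-Item -Path $NpsXml -Force
```

Keep the copy you made on the old server under the same restrictions until that server is decommissioned; a RADIUS shared secret is all an attacker needs to forge Access-Accepts towards a gateway or to decrypt PAP passwords captured on the wire.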
IIS Extra configurations
If your former server has any particular deployment configurations for the Provisioning and Reporting websites, apply them after installing the software and applying the backups.
Since every deployment is different in each installation, this task must be performed by a qualified member of your IT department.
Testing the server
The new server must be fully functional. You may send a test authentication request from any valid RADIUS client and check whether the user is granted access, etc.
Set the new server as the primary one (only if the old server was the primary). Right-click the Tokens node in the Active Directory Users and Computers window and select Properties.
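A minimal RADIUS test client for the check above, as an added example that is not part of the Mi-Token documentation. It builds a PAP Access-Request as specified in RFC 2865, sends it to the new server and verifies the Response Authenticator, so a shared-secret mismatch shows up as a failed authenticator check instead of an unexplained reject. It assumes the host you run it from is registered as a RADIUS client on the new NPS with the same shared secret, that the connection request policy accepts PAP, and that $Password is in whatever form the Mi-Token policy expects (for example the AD password followed by the OTP). Host name, secret and credentials are placeholders.

```powershell
# Added example: send one RADIUS PAP Access-Request to the new server and validate the reply.
param(
    [string]$Server   = 'mitoken-new.corp.example',    # hypothetical name of the new server
    [int]   $Port     = 1812,
    [string]$Secret   = 'replace-with-client-secret',  # must match the NPS RADIUS client entry for this host
    [string]$UserName = 'CORP\testuser',
    [string]$Password = 'P@ssw0rd123456'               # password + OTP, in the form your policy expects
)

$md5         = [System.Security.Cryptography.MD5]::Create()
$secretBytes = [System.Text.Encoding]::ASCII.GetBytes($Secret)

function Protect-RadiusPassword {
    # RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous
    # ciphertext block), seeded with the Request Authenticator. Hides the password from passive
    # observers only; anyone holding the shared secret can reverse it.
    param([byte[]]$Plain, [byte[]]$Authenticator)
    $blocks = [int][Math]::Max(1, [Math]::Ceiling($Plain.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)
    [Array]::Copy($Plain, $padded, $Plain.Length)
    $cipher = New-Object byte[] $padded.Length
    $prev   = $Authenticator
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $cipher[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]($cipher[$i..($i + 15)])
    }
    return ,$cipher
}

function New-RadiusAttribute {
    # Type, Length (including these two header bytes), Value
    param([byte]$Type, [byte[]]$Value)
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

$authenticator = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($authenticator)
$identifier = Get-Random -Minimum 0 -Maximum 256

$userNameAttr = New-RadiusAttribute 1  ([System.Text.Encoding]::UTF8.GetBytes($UserName))                 # User-Name
$passwordAttr = New-RadiusAttribute 2  (Protect-RadiusPassword ([System.Text.Encoding]::UTF8.GetBytes($Password)) $authenticator)  # User-Password
$nasIdAttr    = New-RadiusAttribute 32 ([System.Text.Encoding]::ASCII.GetBytes('mitoken-migration-test'))  # NAS-Identifier
$attributes   = [byte[]]($userNameAttr + $passwordAttr + $nasIdAttr)

# Code 1 = Access-Request, Identifier, Length (big-endian), Request Authenticator, attributes
$length = 20 + $attributes.Length
$packet = [byte[]](@(1, $identifier, ($length -shr 8), ($length -band 0xFF)) + $authenticator + $attributes)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 5000    # a timeout here usually means this host is not a registered RADIUS client
try {
    $udp.Connect($Server, $Port)
    [void]$udp.Send($packet, $packet.Length)
    $from  = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $reply = $udp.Receive([ref]$from)
} finally { $udp.Dispose() }

# Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
$replyLen   = ([int]$reply[2] -shl 8) -bor [int]$reply[3]
$replyAttrs = if ($replyLen -gt 20) { [byte[]]($reply[20..($replyLen - 1)]) } else { [byte[]]@() }
$expected   = $md5.ComputeHash([byte[]]($reply[0..3] + $authenticator + $replyAttrs + $secretBytes))
$valid      = ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]($reply[4..19]))) -and
              ([int]$reply[1] -eq $identifier)

$codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
[pscustomobject]@{
    Server             = $Server
    Code               = $codes[[int]$reply[0]]
    AuthenticatorValid = $valid   # $false: the shared secret differs, or the reply did not come from the NPS
}
```

An Access-Reject with AuthenticatorValid set to true means the server, the client registration and the secret are all right and the policy or credential was refused; cross-check the reason on the new server in the Security log, where NPS writes event 6272 for a granted request and 6273 for a denied one. Run it once with a valid OTP and once with a stale one so you see both outcomes before switching the primary.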
Click the Domain Settings tab
Right-click the domain/server line in the table that you want to reconfigure (there may be more than one if you have several servers and domains) and select "Configure Mi-Token...".
In the auxiliary window, select the new server as the Primary Server from the list shown:
Once you have selected it, click Apply and close each window.
Removing the old server
Once you have validated the new server is functional as expected, you may remove the old server from your network.
Uninstall the Mi-Token software in any order you see fit, except for the following components, which must be uninstalled in the order shown:
API Service
AD UI tools
RADIUS Plugin
AD LDS instance Mi-Token (usually at the top of the installed software list)
During the uninstallation process, the old and the new server must have direct connectivity at all times. Removing the AD LDS instance last ensures that the server and its instance are cleanly removed from the replication scheme rather than left behind as a stale replication partner.
Note: You must uninstall the Mi-Token components using a user account with Enterprise Administrator privileges in the domain.
Once the old server is free of the Mi-Token components, you may proceed to remove it according to your organization's policies.