# Windows Service

These instructions are for customers who want to run the Automator service directly on a Windows server, without Docker.

{% hint style="info" %}
Make sure you already have your SSL Certificate! If not, please follow the steps in the [Create SSL Certificate](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/custom-ssl-certificate) page.
{% endhint %}

#### **(1) Install the Automator Service**

On the Automator instance, download, unzip and run the Keeper Automator installer:

<https://keepersecurity.com/automator/keeper-automator-windows.zip>

In the setup screens, check the "Java" box to ensure that the Java runtime is embedded in the installation. Currently it ships with the Java 17 runtime, and this is updated as new versions are released.

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2Fp1bLGcVOa5MW3QYAX2i5%2FScreenshot%202023-04-05%20at%201.51.14%20PM.jpg?alt=media&#x26;token=9e4f2d7f-3f03-4580-bb7d-a97ca2431d99" alt=""><figcaption><p>Include Java in Installer</p></figcaption></figure>

This will install Keeper Automator into:

`C:\Program Files\Keeper Security\Keeper Automator\`

The configuration and settings will be set up in:

`C:\ProgramData\Keeper Automator\`

#### (2) Create the "config" folder

In the **C:\ProgramData\Keeper Automator\\** folder please create a folder called "config".

#### (3) Copy the certificate file and password file

Place the `ssl-certificate.pfx` file (from the [Custom SSL Certificate](https://docs.keeper.io/en/sso-connect-cloud/device-approvals/automator/custom-ssl-certificate) page) in the Automator configuration folder, **C:\ProgramData\Keeper Automator\Config**.

If your `ssl-certificate.pfx` file is protected by a passphrase, you also need to create a file called `ssl-certificate-password.txt` in the folder **C:\ProgramData\Keeper Automator\Config**.

![SSL Certificate File and Password File](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FTWCm8INSwocteZw6Nqul%2FScreen%20Shot%202022-08-02%20at%204.39.00%20PM.png?alt=media\&token=874af505-3650-4dea-8ab2-1efd78481b6b)

#### **(4) Restart the Service**

From the Services screen, select Keeper Automator and restart the service.

![Start the Keeper Automator Service](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FB4j0smijnupDNC539z5G%2FScreen%20Shot%202022-01-15%20at%203.07.54%20PM.png?alt=media\&token=29c3f993-df6f-4e74-8eaa-0ccd886a239e)

Confirm the service is running through a web browser (note that port 443 must be open from whatever device you are testing from).

In this case, the URL is: **<https://automator.company.com/api/rest/status>**

For automated health checks, you can also use the below URL:

**<https://automator.company.com/health>**
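Steps 2 to 4 and the status check can also be scripted from an elevated PowerShell session. The following is an added example, not Keeper's own tooling; it also loads the PFX first so that a wrong passphrase or an expired certificate is caught before the restart. Assumptions: `$SourcePfx` is a hypothetical staging path, and the ACL step assumes the service runs as LocalSystem.

```powershell
# Added example (not Keeper's tooling). Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$ConfigDir = 'C:\ProgramData\Keeper Automator\Config'
$SourcePfx = 'C:\Temp\ssl-certificate.pfx'   # hypothetical staging path
$StatusUrl = 'https://automator.company.com/api/rest/status'
$PfxPath   = Join-Path $ConfigDir 'ssl-certificate.pfx'
$PassPath  = Join-Path $ConfigDir 'ssl-certificate-password.txt'

# Step 2: create the config folder (no-op if it already exists).
New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null

# Step 3: copy the certificate; read the passphrase without echoing it.
Copy-Item -Path $SourcePfx -Destination $PfxPath -Force
$secure = Read-Host -Prompt 'PFX passphrase (empty if none)' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Fail early on a wrong passphrase, a missing private key or an expired certificate.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $plain)
if (-not $cert.HasPrivateKey)      { throw 'PFX contains no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

if ($plain) {
    # Written exactly as typed: UTF-8, no BOM, no trailing newline.
    [System.IO.File]::WriteAllText($PassPath, $plain)
}

# The passphrase file is plaintext next to the key. Folders under C:\ProgramData
# typically inherit read access for local users, so drop inheritance and allow
# only SYSTEM and Administrators. Assumption: the service runs as LocalSystem.
icacls $ConfigDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Step 4: restart by the display name shown in the Services screen, then query the
# status URL. Invoke-WebRequest throws if the TLS certificate is not trusted or
# does not match the host name, which is a useful check of the PFX as well.
Get-Service -DisplayName 'Keeper Automator' | Restart-Service
Start-Sleep -Seconds 15
$resp = Invoke-WebRequest -Uri $StatusUrl -UseBasicParsing
'{0} -> HTTP {1}' -f $StatusUrl, $resp.StatusCode
```

If the service is configured to run under a different account, grant that account access to the folder before restarting, otherwise it will not be able to read the certificate.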

### **Windows Firewall**

If you are deploying on Windows running Defender Firewall, most likely you will need to open port 443 (or whatever port you specified) on Windows Defender Firewall. Follow these steps:

* Open the **Start** menu, type **Windows Defender Firewall**, and select it from the list of results.
* Select **Advanced settings** on the side navigation menu.
* Select **Inbound Rules**.
* To open a port, select **New Rule** and complete the instructions.

Here are a couple of screenshots:

![Select "Port"](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2Fzx4AdHWUirngVtSvlvqY%2FScreen%20Shot%202021-10-14%20at%205.28.31%20PM.png?alt=media\&token=234a0b3b-18c5-417c-b6d2-b1f7995f78fe)

<figure><img src="https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MB_i6vKdtG6Z2n6zWgJ%2Fuploads%2FhmCNdLetI2wrfi3zvNGH%2Finbound.jpg?alt=media&#x26;token=c16705cf-6e4f-4351-aced-771498b95586" alt=""><figcaption><p>Enter the Port Number</p></figcaption></figure>
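The same inbound rule can be created from an elevated PowerShell session with the built-in NetSecurity cmdlets. This is an added example, not part of Keeper's documentation, and the rule name is a hypothetical choice. It also reports which process owns the port, which helps when another service is already bound to 443.

```powershell
# Added example; run from an elevated PowerShell session.
$Port     = 443                                  # or whatever port you specified
$RuleName = 'Keeper Automator HTTPS (inbound)'   # hypothetical rule name

# Create the rule only once so re-running the script does not stack duplicates.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port | Out-Null
}

# Show what the rule actually allows.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Confirm something is listening on the port and identify the owning process.
# If the owner is not the Automator's process, the port is already taken.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP $Port; check the service and its logs."
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        ProcessId    = $proc.Id
        ProcessName  = $proc.ProcessName
        Path         = $proc.Path
    }
}
```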

### Final Configuration with Commander

Now that the service is running, you can integrate the Automator into your Keeper environment using Keeper Commander.

**(5)** Install Keeper Commander

On your workstation or server, install the Keeper Commander CLI. The installation instructions, including binary installers, are here:\
[https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup](https://docs.keeper.io/keeperpam/commander-cli/commander-installation-setup)

**(6)** Log in to Keeper Commander and activate the Automator using a series of commands, starting with `automator create`. You can name the Automator whatever you want.

```
automator create --name="My Automator" --node="Azure Cloud"
```

The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

![Automator Create](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjGtCqu00Eduh1ZVB0V%2F-MjGwSk57QheWM55KqUd%2FScreen%20Shot%202021-09-10%20at%203.59.58%20PM.png?alt=media\&token=732b0e49-b10f-4718-a78e-f48af15ef50c)

The output of the command will display the Automator settings, including metadata from the identity provider.

```
                    Automator ID: 1477468749950
                            Name: My Automator
                             URL: 
                         Enabled: No
                     Initialized: No
                          Skills: Device Approval
```

Note that the "URL" is not populated yet. So let's do that next.

Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (`team`, `team_for_user` and `device`).

{% code overflow="wrap" %}

```
automator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"
```

{% endcode %}

Next, we exchange keys: the enterprise private key, encrypted with the Automator public key, is provided to the Automator:

```
automator setup "My Automator"
```

{% hint style="info" %}
If an error is generated on this step, please stop and start the Windows service, and ensure that the port is available.
{% endhint %}

Next, initialize the Automator with the new configuration with the command below:

```
automator init "My Automator"
```

Lastly, enable the Automator service with the following command:

```
automator enable "My Automator"
```

At this point, the configuration is complete.

#### For environments using AD FS ...

When activating Keeper Automator with AD FS as the identity provider, users will not be able to log in until you update the Keeper certificate using the instructions below:

* Log in to the Keeper Admin Console
* Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
* Click on "Export SP Cert".
* In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
* On the "Encryption" tab, replace the old certificate with this new cert.
* On the "Signature" tab, Add/Replace the new SP certificate with this new cert.

## Testing the User Experience

Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.

The easiest way to test is to open an incognito mode window to the Keeper Web Vault and log in with SSO Cloud. You will not be prompted for device approval.

![Login Screen](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHFJmk7eb90I9bzgTh%2FScreen%20Shot%202021-09-10%20at%205.17.42%20PM.png?alt=media\&token=3cd0160f-945f-4c99-9e54-1dab79e76365)

![SSO Login](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHFOMTOlVXIBtHQPI-%2FScreen%20Shot%202021-09-10%20at%205.18.15%20PM.png?alt=media\&token=f2080eaa-5aa3-443d-a315-8dc4ae03cccc)

![Device Approval](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHFuUwqi7o2N3UeIaw%2FScreen%20Shot%202021-09-10%20at%205.30.15%20PM.png?alt=media\&token=2ab8c7db-fcf4-40b7-8fce-5a5e278c44f9)

![Vault Decryption](https://2503956294-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MB_i6vKdtG6Z2n6zWgJ%2F-MjHF255ECP0j30Bea03%2F-MjHGEmuzfD60LH3rUvO%2FScreen%20Shot%202021-09-10%20at%205.32.12%20PM.png?alt=media\&token=0c268937-ae82-49e4-b198-851ddf89e477)

## Service Updates

When you reconfigure the Keeper Automator service, you'll need to use Keeper Commander to re-initialize the service endpoint.

```
automator setup "My Automator"
automator init "My Automator"
automator enable "My Automator"
```

## Troubleshooting

#### Service not starting

Please check the Keeper Automator logs, which usually describe the issue. On Windows, they can be found in **C:\ProgramData\Keeper Automator\logs\\**

#### Users always getting prompted for approval

When you reinstall the Keeper Automator service, you'll need to use Keeper Commander to re-initialize the service endpoint. (Keeper Commander documentation is [linked here](https://docs.keeper.io/keeperpam/commander-cli/overview)).

The commands required on Keeper Commander to re-initialize your Automator instance:

```
$ keeper shell

My Vault> automator list
288797895952179 My Automator True https://something.company.com 

(find the Name corresponding to your Automator)

My Vault> automator setup "My Automator"
My Vault> automator init "My Automator"
My Vault> automator enable "My Automator"
```
