Data Classification Suite

for Windows (On-premises)

5.1
Administration Console
Deployment Guide
Copyright Terms and Conditions

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective
owners.
The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide.
The unauthorized use and/or duplication of this material without express and written permission from Fortra is strictly prohibited.
Excerpts and links may be used, provided that full and clear credit is given to Fortra with appropriate and specific direction to the
original content.
202409181056 - 5.1
Table of Contents

About this guide 5

Audience 5

Purpose 5

Prerequisites for Fortra's Data Classification Suite (DCS) Administration Console

(On-premises) 6

Install the Administration Console 9

Before you start 9

Install the Administration Console 9

Enable a static main page for the Administration Console 12

Upgrade the Administration Console 12

Publish the Configuration as a TCPG file 13

Change the sync interval to five minutes 14

Configure Preview bars 15

Enable and disable the Preview bar 15

Configure Classification Information bars 17

Enable and disable the Classification Information bar 18

Configure captions 18

About Titus Enterprise Services 20

Service protocol and default port numbers 20

Stop and start Titus Services on the Administration Console 21

Expected configuration targeting behavior on Active Directory 22

When a Configuration file is provided during the client installation 22

Administration Console Deployment Guide www.fortra.com page: 3

Table of Contents

When a Configuration file is provided post client installation 22

Logging information 24

Enable Windows installer logging 24

Install Debug log files 24

Data Classification log files 24

Titus Services log files 25

Roles and permissions 26

The user running the installer 26

The account creating or updating the database 27

The web application pool user 31

Accounts running the Titus services 32

Add a login user to the dbcreator server role 34

Grant db_owner database privileges to a login user 35

Kerberos authentication 36

Define the domain name for the Titus Service 36

Use the MSI files 37

Use the executable in a command line 39

Supported installation properties 39

Contacting Fortra 40

Fortra Community Portal 40

Administration Console Deployment Guide www.fortra.com page: 4

 About this guide / Audience

About this guide

Audience
This guide is for administrators who are installing the Data Classification Administration
Console in a trial or full deployment.

Purpose
This guide describes:

l install the Data Classification Administration Console

l what Titus Enterprise Services are used
l how a Configuration is targeted to an Active Directory group
l how to find logging information if you encounter issues

Administration Console Deployment Guide www.fortra.com page: 5

 Prerequisites for Fortra's Data Classification Suite (DCS) Administration Console (On-premises) /

Prerequisites for Fortra's Data

Classification Suite (DCS)
Administration Console (On-
premises)
You need the following prerequisites to install the DCS Administration Console.

NOTE: DCS Administration Console supports issues related only to products that are
currently supported by Microsoft. If any issues related to unsupported Microsoft
products are found, DCS Administration Console may not be able to address them. You
might have to upgrade to the latest supported Microsoft product and the latest Data
Classification Suite release.

The information in this section reflects the supported software environments at the time of
the product release. To obtain the latest information, contact Customer Support.

Operating The Administration Console is supported on the following 64-bit

Systems Operating Systems:
l Windows 10

l Windows Server 2016 R2

l Windows Server 2019
l Windows Server 2022
NOTE: Windows 10 is supported but not tested. If you encounter
errors, contact Support.

Administration Console Deployment Guide www.fortra.com page: 6

 Prerequisites for Fortra's Data Classification Suite (DCS) Administration Console (On-premises) /

Databases l SQL Server 2016

l SQL Server Express 2016
l SQL Server 2017
l SQL Server 2019
l SQL Server Express 2019
l SQL Server 2022
l SQL Server Express 2022
NOTE: SQLServer 2016, SQL Server Express 2016, SQL Server 2017,
and SQL Server Express 2019 are supported but not tested. If you
encounter errors, contact Support.

App Pool An App Pool User account is required to run the Data Classification
account Administration Console. This account requires db_owner permission
in the Titus database. The Network Service or the System account are
added automatically, but if a different account is used, they are added
separately.
Active Directory Connectivity to the Active Directory (AD) is required to assign
administrator privileges to the Data Classification Administration
Console, and to assign a Configuration to an AD user or group.

IMPORTANT: The Administration Console is supported on Active

Directory on-premises only. Active Directory in Azure is not
supported.

Microsoft Visual If it does not already exist, Microsoft Visual C++ Redistributable 2017
C++ will be installed.
Redistributable
Microsoft .NET .NET Framework V4.8 Redistributable Package or later. To download,
go to: https://dotnet.microsoft.com/download/dotnet-framework.
Microsoft IIS 10
Internet
Information IIS support depends on the operating system on the machine running
Services (IIS) the Administration Console. For more information, see:
https://docs.microsoft.com/en-us/dynamics-nav/how-to--install-and-
configure-internet-information-services-for-microsoft-dynamics-nav-
web-client.

Administration Console Deployment Guide www.fortra.com page: 7

 Prerequisites for Fortra's Data Classification Suite (DCS) Administration Console (On-premises) /

Web Browsers l Firefox version 46 or later

l Firefox Extended Support Release (ESR) 38 or later
l Chrome version 50 or later
l Microsoft Edge
NOTE: All
browsers are supported on screens with resolution of
1024 x 768 and higher. We recommend 1366 x 768. Firefox is
supported but not tested. If you find any issues, contact Support.

SSL Certificate To securely access the DCS Administration Console from a remote
machine, we recommend using HTTPS. An SSL Certificate is required
to allow encrypted communication. Your organization must obtain a
publicly trusted SSL Certificate prior to installing the DCS
Administration Console. You must ensure that it is in the machine’s
local computer Personal or Web Hosting store. The certificate must
match the DNS name used to access the website or be a wildcard
certificate. We recommend an authentic SSL certificate be used. Self-
signed certificates are not recommended.
RAM/ Processor l Minimum: 2 GB, Recommended: 8 GB
Requirements l 1.0 Ghz dual core x64
l 4 GB hard disk storage
NOTE: RAM and CPU requirements are not validated during
installation.

Tools for If you are using Custom Conditions, the following executables/tools
Custom are available to run when you install the Administration Console:
Conditions l DDConnector.OnPremApp.exe (located, by default, at

C:\inetpub\TitusWebAdministration\CustomFunctions\
Titus.DataDetection.Extensibility)
l TITUS.SmartRegex.QueryFileEncryptor.exe and
Titus.SmartRegex.Test.App.exe (located, by default, at
C:\inetpub\TitusWebAdministration\CustomFunctions\Titus.
SmartRegex.Extensibility)
If you run these executables, you require .NET Core Runtime V3.1 or
later. To download, go to:
https://dotnet.microsoft.com/download/dotnet-core. For more
information on Custom Conditions, see the Fortra's Data Classification
Suite (DCS) Administration Console (On-premises) User Guide and
Fortra's Data Classification Suite (DCS) Data Detection Engine
Deployment Guide.

Administration Console Deployment Guide www.fortra.com page: 8

 Install the Administration Console / Before you start

Install the Administration Console

The Administration Console is a local application used to create Configurations for
various Data Classification applications. You can access the Administration Console using
a web browser.

NOTE: The application that you can configure depends on your license key.

The Administration Console is required on at least one machine used to create and edit
Configurations. Do not install the Administration Console and client applications on the
same machine.

You can install the Administration Console using MSI files or using the command line. For
more information, see Use the MSI files on page 37 and Use the executable in a command
line on page 39 respectively.

Before you start

l Review the information about the accounts used during the Administration Console
installation process and during runtime and grant the appropriate permissions. See
Roles and permissions on page 26.
l Ensure that the RedistServerAC folder is in the same location as the
TitusAdminConsoleSetup.exe file. The RedistServerAC folder contains the
prerequisites and Services that are automatically installed when the .exe file is run.
l Ensure IIS is enabled.
l If you are using the ApplicationPoolIdentity built-in account, go to the Data
Classification Suite Analytics Collector Deployment Guide. You must follow steps 1 -
6 BEFORE you install the Administration Console. Once it is installed, follow steps 8 -
13. Contact Support for the Data Classification Suite Analytics Collector Deployment
Guide.

Install the Administration Console

1. Save then extract the Administration Console installation zip files to your machine.
The installation package contains the TitusAdminConsoleSetup.exe file and the
RedistServerAC folder. Ensure they are extracted to the same location so that the
prerequisites and services can also be installed.
2. Double-click TitusAdminConsoleSetup.exe.
3. Click Next.

Administration Console Deployment Guide www.fortra.com page: 9

 Install the Administration Console / Install the Administration Console

4. Select the I accept the terms in the License Agreement checkbox and click Install.
The Setup Progress bar appears.
5. Click Next.
6. In the Destination Folder dialog, either accept the default location or click Change to
select a new location where the Administration Console is installed. The default
value can only be changed to a directory that has been configured to work with IIS.
7. Click Next.
The SQL Database Options window appears.
8. In the Name of the SQL server\instance field, enter a database server or instance
name to which the Administration Console is connecting. The default value shown is
the name of the Server or desktop computer you are currently running.
9. Enter the name of the new or existing database.
10. Select one of the following database authentication methods:
l Trusted (Windows Authentication) to use the current user’s (user running
setup) credentials to create the database. The username defaults to your
current login credentials. See Roles and permissions on page 26 for more
information.
l Specify Username and Password (SQL Authentication) to use a SQL user
account to create the database. Enter your SQL account username and
password. Make sure that the account referenced exists and that the account
has the required privileges specified in SQL Server Database Privileges. See
Roles and permissions on page 26 for more information.
11. Click Next.
The SQL Server Database Selection window appears.
12. Select the checkbox if you are ready to create a new database or migrate an existing
one to the latest version.
13. Click Next.
The Change Web Site Information window appears.
14. Accept the default or change the name of Web site and site port.
Port number 34350 is used as a default. If this port is currently used in your
environment, select another port number.
15. Select the HTTPS checkbox if you want to access the Administration Console
remotely via a web browser using the following URL: http://localhost:34350/
NOTE:The HTTPS option is available only when you select Connect to an existing
SQL Server instance in step 4.

Administration Console Deployment Guide www.fortra.com page: 10

 Install the Administration Console / Install the Administration Console

16. Enter the username in the Web App Pool user text box. By default, the Web Pool user
is the user who is currently logged in.
The “application pool account” needs “read” rights for the default AD containers
“CN=Users” and “CN=Computers”. If you cannot connect to Active Directory, the
Domain Name is not auto-populated during the installation and the setup fails.
We recommend that you create a username and password that cannot change or
expire.
If you are using a domain account to run the website, enter the domain account to be
used as the Web App Pool user and enter the password in the Web App Pool user
password text box.
If you are using a built-in IIS account as the username instead of domain account, a
password is not required. The following IIS built-in accounts are available to use:
l LocalSystem
l NetworkService
l ApplicationPoolIdentity
NOTE: The Local Service built-in account is not supported. If you are using
ApplicationPoolIdentity built-in account, ensure it is set correctly. See the
Fortra's Data Classification Suite (DCS) Analytics Collector (On-premises)
Deployment Guide. Contact Support for the Data Classification Suite Analytics
Collector Deployment Guide.

17. Enter a password.

By default, the Open port in firewall to allow remote access to this application option
is enabled.
18. Click Next.
19. If you have selected the HTTPS checkbox in step 15:
l select the SSL Certificate prepared for this installation. For more information,
see Prerequisites for Fortra's Data Classification Suite (DCS) Administration
Console (On-premises) on page 6.
l enter the host name for the web site
The certificate and host name must include a real top level domain name, e.g.
company.com. For deployments only intended to be accessed internally, this
can be a domain that only resolves on internal DNS servers.
If this is not set correctly, authentication attempts will result in the following
error message: “Non-public domains not allowed”.
The Host name for web site field is populated when the SSL certificate is
selected.

Administration Console Deployment Guide www.fortra.com page: 11

 Install the Administration Console / Enable a static main page for the Administration Console

l enter the host name for the web site manually, if you have installed a wildcard
SSL Certificate. In many cases, the host name for the web site is the server
name.
20. Leave the location of the Reporting Collector Service blank. This relates to the
Reporting Collector Dashboard which was deprecated.
21. Click Next, then click Install. The installation process begins.
22. Click Finish.
The Completed the Administration Console Wizard Setup screen appears.
23. When finished, click Launch Administration Console.
NOTE: Insome instances, systems must be restarted to complete an installation. If you
are prompted, restart your system.

Enable a static main page for the Administration

Console
1. Navigate to the Web.config file located at C:\inetpub\TitusWebAdministration.
2. Open the Web.config file, then add the following key to the appSettings node:
<add key="TITUSAdminConsoleStaticOverviewContent" value="true">

3. Save the file and restart the Administration Console website.

Upgrade the Administration Console

If you are upgrading the Administration Console from version:

l prior to 2021.4, you must uninstall that version before installing this version. You can
select an existing database; the database will be migrated as part of the installation.
l 2021.4 or later, you can do an in-place upgrade (that is, you do not need to uninstall
the previous version before installing this version)

Administration Console Deployment Guide www.fortra.com page: 12

 Publish the Configuration as a TCPG file /

Publish the Configuration as a

TCPG file
Once you have created a Configuration in the Administration Console, you can publish it to a
file type (TCPG) that you distribute to other users in your organization. These files contain
all the settings, custom resources, and configured targets that will be consumed for use by
the client service. If no targets are configured, the default is used.

NOTE: You can publish the configuration to a JSON file for the DCS SDK. For more
information, see the Fortra's Data Classification Suite SDK Developers Guide.

NOTE: The default interval to detect a new or updated TCPG file is 60 minutes. To change
this interval, use the Sync Interval parameter in the System Settings of the Data
Classification Administration Console. See Change the sync interval to five minutes on
page 14.

To publish a TCPG file:

1. Click the Configurations tab.

2. Click TCPG – Classification Suite Clients.
A Titus.new.tcpg file is saved to the local Download folder where you have the Data
Classification Administration Console installed.
When distributed, the Client service will consume the file.

Administration Console Deployment Guide www.fortra.com page: 13

 Change the sync interval to five minutes /

Change the sync interval to five

minutes
NOTE: By default, the workstation is set to sync every 60 minutes. As you will be making
frequent Configuration changes, set the sync interval to five minutes during the
implementation and testing. Once you are done testing DCS for Windows and making
changes to the TCPG, increase the sync interval.

This change allows you to receive Configuration updates on client machines five minutes
after an updated TCPG file has been provided.

1. Click the System Settings tab and select Settings.

2. In the Sync Settings section, change the Sync Interval (minutes) setting to 5.
3. Click Save.

Administration Console Deployment Guide www.fortra.com page: 14

 Configure Preview bars / Enable and disable the Preview bar

Configure Preview bars

When you use a Classification Selector dialog, a Preview bar is visible. This bar shows a
summary of your selections.

By default, the background color of the bars is based on the Classification color. If no
Classification color is available, it is set to Microsoft Windows ‘InactiveCaption’ (pale blue).

Only Schema fields with valid values display in the bars. The bars do not display date or
time values.

If you are using Policy Manager, you can configure, enable, and disable the Preview bars
using the Application settings. See Fortra's Data Classification Suite (DCS) Policy Manager
(Cloud) Online Help for more information.

If you are using the Administration Console, you can disable these bars using registry keys.
Contact Support to get these registry keys.

To configure the Preview bar, open the registry editor and go to one of the following:

l HKEY_CURRENT_USER\SOFTWARE\Policies\TITUS
l HKEY_CURRENT_USER\SOFTWARE\Titus
l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS

Enable and disable the Preview bar

To enable the Preview bar:

1. Right-click Titus or TITUS, select New > DWORD (32-bit) Value.

2. Enter ShowClassificationPreviewBar.
3. Right-click ShowClassificationPreviewBar, and select Modify.

Administration Console Deployment Guide www.fortra.com page: 15

 Configure Preview bars / Enable and disable the Preview bar

4. Enter 1 in the Value data field, and click OK.

5. Restart Microsoft Outlook or your Microsoft Office application.

To disable the Preview bar:

1. Right-click ShowClassificationPreviewBar and click Modify.

2. Enter 0 in the Value data field, and click OK.
3. Restart Microsoft Outlook or your Microsoft Office application.

Administration Console Deployment Guide www.fortra.com page: 16

 Configure Classification Information bars /

Configure Classification
Information bars
When a recipient receives a classified file, document, or email, the Classification appears at
the bottom in a Classification Information bar, for example:

By default, the background color of the bars is based on the Classification color. If no
Classification color is available, it is set to Microsoft Windows ‘InactiveCaption’ (pale blue).

Only Schema fields with valid values display in the bars. The bars do not display date or
time values.

If you are using Policy Manager, you can configure, enable, and disable the Classification
Information bars using the Application settings. See Fortra's Data Classification Suite (DCS)
Policy Manager (Cloud) Online Help for more information.

If you are using the Administration Console, you can disable these bars using registry keys.
Contact Support to get these registry keys.

To configure the Classification Information bar, open the registry editor and go to one of the
following:

l For Microsoft Outlook:

l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS\Message Classification
for Microsoft Outlook
l HKEY_CURRENT_USER\SOFTWARE\Titus\TITUS\Message Classification for
Microsoft Outlook
l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS\TITUS\Message
Classification for Microsoft Outlook
l For Microsoft Office:

Administration Console Deployment Guide www.fortra.com page: 17

 Configure Classification Information bars / Enable and disable the Classification Information bar

l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS\Document Classification
for Microsoft <application>
l HKEY_CURRENT_USER\SOFTWARE\Titus\TITUS\Document Classification for
Microsoft <application>
l HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TITUS\TITUS\Document
Classification for Microsoft <application>
where <application> is Microsoft Word, Excel, or PowerPoint

Enable and disable the Classification Information bar

To enable the Classification Information bar:

1. Right-click one of the options in the registry editor above, select New > Key, and
enter ClassificationInformationBar.
2. Right-click ClassificationInformationBar, select New > DWORD (32-bit) Value, and
enter Enabled.
3. Right-click Enabled and select Modify.
4. Enter 1 in the Value data field, and click OK.
5. Restart Microsoft Outlook or your Microsoft Office application.

To disable the Information bar:

1. Right-click ClassificationInformationBar and click Modify.

2. Enter 1 in the Value data field, and click OK.
3. Restart Microsoft Outlook or your Microsoft Office application.

Configure captions
You can configure the caption text and how you want the text to display.

Administration Console Deployment Guide www.fortra.com page: 18

 Configure Classification Information bars / Configure captions

1. Right-click ClassificationInformationBar.
2. Select New > String Value.
3. If you want to add and Then
configure a
Caption a. Enter Caption.
b. Right-click Caption and click Modify.
c. Enter any text you would like to have as a caption,
for example, Selected Classification.
d. Click OK.
Display Format a. Enter DisplayFormat.
b. Right-click DisplayFormat and click Modify.
c. Enter field codes and the order you want them
displayed. Enclose the values with {{ }}. For
example, if you want to add a Classification, enter
{{Metadata.Classification|Prefix=Classification:
|}}.
d. Click OK.
No Classification a. Enter NoClassificationCaption.
Caption b. Right-click DisplayFormat and click Modify.
c. Enter any text to indicate that you have not
selected any classification, for example, None
Selected.
d. Click OK.
4. Restart Microsoft Outlook or your Microsoft Office application.

Administration Console Deployment Guide www.fortra.com page: 19

 About Titus Enterprise Services / Service protocol and default port numbers

About Titus Enterprise Services

Titus Services enterprise-grade software services operate in a service-oriented architecture.
All common capabilities from applications are centralized within these services. The Data
Classification Administration Console installation includes the following services.

l Titus.Enterprise.Management1
l Titus.Enterprise.AuditLog2
l Titus.Enterprise.Settings3

Service
Titus.Enterprise.Management
Titus.Enterprise.AuditLog
Titus.Enterprise.Settings
Role
Manages communication with the Administration
Console and local Titus Services. When this Service
starts, it automatically starts the other Titus Services.
Processes audit log messages from Titus services and
Fortra-enabled applications.
Processes requests for Configurations from Fortra-
enabled applications and services.

Service protocol and default port numbers

Titus Services are implemented using Microsoft’s Windows Communication Foundation
(WCF) framework. The Data Classification Suite communicates with a Windows Service
installed on each client. The Administration Console communicates with the Titus Services
running on the Administration Console.

NOTE: You can configure all ports in the installer or with assistance from technical
support.

Service Protocol Default Port Number

AuditLogServicePort NetNamedPipeBinding net.pipe//localhost/AuditLogService
SettingsServicePort NetNamedPipeBinding net.pipe//localhost/DataService

1- Manages communication with the Data Classification Administration Console and local
Titus Services. When this Service starts, it automatically starts the other Titus Services.
2- Processes audit log messages from Titus Services and Fortra-enabled applications.
3- Processes requests for Configurations from Fortra-enabled applications and services.

Administration Console Deployment Guide www.fortra.com page: 20

 About Titus Enterprise Services / Stop and start Titus Services on the Administration Console

Service Protocol Default Port Number

ManagementService NetTCPBinding 34300
Port
This is internal only and not required
to be opened on the firewall.
Data Classification TCP 34350
Administration
Console Web Site Open this port to access the
Administration Console using a
browser from other machines. Do not
open it if using RDP or accessing the
Administration Console from the
machine on which it is installed.

Stop and start Titus Services on the Administration

Console
You can start and stop Titus Services during troubleshooting procedures or to circumvent
the regular update intervals for Configuration dissemination.

1. On the machine where you have installed Data Classification Administration

Console, select:
Start >All Programs >Administrative Tools >Services
2. Stop the following Titus Services (in the following order):
l Titus.Enterprise.Management
l Titus.Enterprise.Settings
l Titus.Enterprise.AuditLog
3. Restart Titus.Enterprise.Management.

Restarting the Titus.Enterprise.Management Service automatically starts the other Titus

Services.

Administration Console Deployment Guide www.fortra.com page: 21

 Expected configuration targeting behavior on Active Directory / When a Configuration file is provided during the client

Expected configuration targeting

behavior on Active Directory
NOTE: Not all Client applications use Active Directory to deploy Configurations to users.

When a Configuration is targeted to an Active Directory (AD) Group and AD is offline, the
user will only receive the targeted Configuration if the AD information is still available in the
cache. If the AD information is not available in the cache, the user will receive the Default
Configuration. If no Default Configuration exists, the user will be disabled.

When a Configuration file is provided during the client

installation
The information in the following table applies if the Configuration file is provided during the
installation using fileshare/website.

No Group Group Group Targeted

Targeted Default Targeted Targeted Config for
or Default Config Config AND Config AND user name
Config Config has Config has
default NO default
Online User User gets User gets User gets User gets
AD - disabled default targeted targeted targeted
install Configuration Configuration Configuration Configuration
Offline User User gets User gets User disabled User gets
AD – disabled default default targeted
install Configuration Configuration Configuration

NOTE: Thedefault interval to detect a new or updated .tcpg file is 60 minutes. You can
change this interval in the System Settings of the Administration Console.

When a Configuration file is provided post client

installation

Administration Console Deployment Guide www.fortra.com page: 22

 Expected configuration targeting behavior on Active Directory / When a Configuration file is provided post client installation

The information in the following table applies if the Configuration file is provided to
machines after installing the client. The information in this table pertains to logged-in users.

No targeted Default Targeted Targeted Targeted

or Default Configuratio Configuratio Configuratio Configuratio
Configuratio n for group n for group n for group n for user
n AND AND name
Configuratio Configuratio
n has default n has NO
default
Online n/a * User gets User gets User gets User gets
AD – default targeted targeted targeted
within Configuration Configuration Configuration Configuration
expiry
Offline n/a * User gets User gets User gets User gets
AD – default targeted targeted targeted
within Configuration Configuration Configuration Configuration
expiry
Online n/a * User gets User gets User gets User gets
AD – default targeted targeted targeted
after Configuration Configuration Configuration Configuration
expiry
Offline n/a * User gets User gets User gets User gets
AD – default default targeted targeted
after Configuration Configuration Configuration Configuration
expiry

*Because the user is disabled, there is no expiry.

Administration Console Deployment Guide www.fortra.com page: 23

 Logging information / Enable Windows installer logging

Logging information
If you are experiencing problems with DCS for Windows, log into the Support portal.

Provide Support for a client log, Services logs from the client machine, the client
Configuration file Titus.tcpg, Titus.new.tcpg, and any additional information that can help
replicate the issue.

Enable Windows installer logging

To enable Windows Installer logging manually, open the registry and create the following
path and keys:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Reg_SZ: Logging
Value: voicewarmupx

Install Debug log files

Log files related to the Install Debug Log can be found in the following location: “%temp%”.
i.e. \Users\<username>\AppData\Local\Temp

l Installer: Forta_Data_Classification_Administration_Console_<year month day

time>.log
l ConfigUtil log: Titus.Internal.Database.Config.log
l Server: Forta_Data_Classification_Administration_Console_<year month day time>_
MainInstall.log
l Services: Forta_Data_Classification_Administration_Console__<year month day
time>_ServicesInstall_x64.log
l Core Plugins: Forta_Data_Classification_Administration_Console__<year month day
time>_CorePluginsInstall_x64.log

Data Classification log files

Log files for Data Classification Suite are located at
C:\Users\<username>\AppData\Local\Titus. The log files are as follows:

Log file names Description

Administration Console Deployment Guide www.fortra.com page: 24

 Logging information / Titus Services log files

Classification Logs information associated with the DCS for Desktop application
For Desktop
Message Logs information associated with DCS for Outlook application
Classification
Document Logs information associated with DCS for Officek application
Classification
for Word

Document
Classification
for PPT

Document
Classification
for Excel
File Watcher Logs information about files that have been placed in Watched Folders
in the Patrol Add-In Settings. See the Fortra's Data Classification Suite
(DCS) for Windows (On-premises) User Guide for more information.

Titus Services log files

Log files associated with Titus Services (Titus Enterprise Audit Service, Titus Enterprise
Client Service, Titus Enterprise Health Monitor Service, Titus Enterprise Management
Service, and Titus Enterprise Settings Service) are located at C:\ProgramData\TITUS.

Administration Console Deployment Guide www.fortra.com page: 25

 Roles and permissions / The user running the installer

Roles and permissions

There are multiple account roles that can be used during installation and runtime.

To simplify deployment, we recommend that you install the Administration Console using a
single account with the following characteristics:

l is a domain user
l is a local administrator on the server where you are installing Administration Console
l is part of the sysadmin role on the SQL Server that hosts the Administration Console
database (securityadmin and dbcreator at minimum)

This account provides the access required to the accounts running the Titus services. For
more information, see Accounts running the Titus services on page 32.

If your organization's IT security policies require strict segregation of account permissions,

provision accounts using the specifications outlined below. You can use a single account
for many of these roles. Review the information below before choosing the accounts to use
for each role.

Role Can also be used for ...

The user running the
installer
The account creating
or updating the
database
The web application
pool user
The accounts running
the Titus services
l Creating the database (required for Windows
authentication mode)
l The Web Application Pool user
l The user running the installer (Windows authentication
mode only)
l The Web Application Pool user (Windows authentication
mode only)
l The user running the installer (Windows authentication
mode only)
l The account creating or updating the database (Windows
authentication mode only)
Data Classification Administration Console uses two system
accounts by default for its services. You cannot change these
accounts.

The user running the installer

This is the user that launches TitusAdminConsoleSetup.exe.

Administration Console Deployment Guide www.fortra.com page: 26

 Roles and permissions / The account creating or updating the database

If you want to communicate with your Data Classification Administration Console database
using Windows authentication, this account must be part of the required database roles.
See The account creating or updating the database on page 27 for more information.

You can also use this account as your Web Application Pool user. See The web application
pool user on page 31 for the additional requirements.

Permissions Details
Local This permission is required to create the Administration Console
administrator website in IIS and to install the required services.

This account becomes the default administrator in the Data

Classification Administration Console.

The account creating or updating the database

You can create or update the database using Windows or SQL authentication modes.

If you want to use Windows authentication, the domain user, who has sufficient access to
the SQL server instance (for new databases) or database (for upgrades), must launch the
installer. These credentials are not used for any future communication with the database.

If you want to use SQL authentication, the SQL credentials entered are used for all
communication with the database. You can use any local administrator account to launch
the installer, but the machine must be joined to a domain or the installation fails.

If you are using SQL authentication, choose an account where the password will not expire.
If the SQL password expires, you must reinstall the Data Classification Administration
Console.

Administration Console Deployment Guide www.fortra.com page: 27

 Roles and permissions / The account creating or updating the database

Authentication Task Permissions Details

method
Windows Create a Member of the dbcreator is required to create
authentication new following server roles the Administration Console
database in the SQL Server database.
instance:
securityadmin is required to
l dbcreator add NTAUTHORITY\NETWORK
SERVICE and
l securityadmin
NTAUTHORITY\SYSTEM to
roles in the Data Classification
Administration Console
database. These roles are
required for Titus services to
communicate with the
database. See Accounts
running the Titus services on
page 32 for more information.

NOTE: The securityadmin

role is not required to install
the Administration Console.
Add the accounts running
the Titus services to the
required database roles
after installation. The Data
Classification
Administration Console will
run in a faulty state until
these roles are added.

TIP:
You can downgrade these
permissions after the
database is created.
At runtime, this account
must be a member of the
db_owner role in the Data
Classification
Administration Console
database.

Administration Console Deployment Guide www.fortra.com page: 28

 Roles and permissions / The account creating or updating the database

Authentication Task Permissions Details

method
Upgrade Member of the db_ db_owner is required to update
an existing owner role in the Data the database schema and
database Classification content.
Administration
Console database. securityadmin is not required to
upgrade the database, but is
securityadmin is also required for upgrading the Data
recommended (see Classification Suite Analytics
details) Collector.

Administration Console Deployment Guide www.fortra.com page: 29

 Roles and permissions / The account creating or updating the database

Authentication Task Permissions Details

method
SQL Create a Member of the dbcreator is required to create
authentication new dbcreator server role the Administration Console
database in the SQL Server database.
instance
This account is used for all
securityadmin is also communication with the SQL
recommended (see server.
details)
securityadmin is not required to
create the database, but is
required for the Data
Classification Suite Analytics
Collector.

TIP:
You can downgrade these
permissions after the
database is created.
At runtime, this account
must be a member of the
db_owner role in the Data
Classification
Administration Console
database.

Upgrade Member of the db_ db_owner is required to update

an existing owner role in the Data the database schema and
database Classification content.
Administration
Console database. This account is used for all
communication with the SQL
securityadmin is also server.
recommended (see
details) securityadmin is not required to
upgrade the database, but is
required for upgrading the
Reporting Analytics Collector.

Permissions required for remote databases

If you are communicating with your SQL Server using Windows authentication and you are
connecting to a database located on another server, you must add the machine hosting the

Administration Console Deployment Guide www.fortra.com page: 30

 Roles and permissions / The web application pool user

Data Classification Administration Console to the following roles in the Administration

Console database:

l db_datareader
l db_datawriter
l db_owner

These roles are required for the Titus services to communicate with the remote database.
When the machine's Network Service and LocalSystem accounts attempt to communicate
with another machine, they represent themselves as the originating machine.

Add the machine name to the database roles in the following format:
Domain\MachineName$

For example: MyCompany\TitusAdminServ$

The web application pool user

This account runs the Data Classification Administration Console website. If desired, you
can use the same account you use to run the installer.

You can use a Windows service account or domain user account.

Permissions Details
Read rights for the following Active Directory This account reads Active Directory
containers: containers to grant Administrator rights
and configure Configuration targeting.
CN=Users
If connectivity to Active Directory is not
CN=Computers available, the domain name is not auto-
populated during the installation and the
setup will fail.

Administration Console Deployment Guide www.fortra.com page: 31

 Roles and permissions / Accounts running the Titus services

Permissions Details
Read/write access to the following folders Access to %programdata% is required for
on the machine hosting the Data logging.
Classification Administration Console:
Access to
l %programdata% C:\inetpub\TITUSWebAdministration is
required to publish Configurations
l C:\inetpub\TITUSWebAdministration
(TCPGs).
(or the location specified during
install)
TIP: Accessto
C:\inetpub\TITUSWebAdministration
can be granted after the product is
installed.

Member of the db_owner role in the Data Required so the Data Classification
Classification Administration Console Administration Console website can
database communicate with the database.

This role is only required if you use Windows
Authentication to communicate with the
database.
See to learn how to grant the access
required.
TIP: Theuser can be added to the db_
owner role after the database is
created.

Accounts running the Titus services

NOTE:These roles are not required if you selected SQL Authentication during the
Administration Console installation.

If you are communicating with your SQL Server using Windows authentication, service
accounts for Titus services must be added to the following roles in the Data Classification
Administration Console database:

l db_datareader
l db_datawriter
l db_owner

If the Windows account running the installer has sufficient permissions, the default service
accounts are added to these roles when the database is created. See The account creating
or updating the database on page 27 for more information.

Administration Console Deployment Guide www.fortra.com page: 32


The Administration Console uses two system accounts by default for its services. These
accounts cannot be changed.
Service
Titus Enterprise Audit Service
Titus Enterprise Management
Service
Titus Enterprise Settings Service
Administration Console Deployment Guide
Roles and permissions / Accounts running the Titus services
Default service account
Network Service (NTAUTHORITY\NETWORK
SERVICE)
Local System (NTAUTHORITY\SYSTEM)
Network Service (NTAUTHORITY\NETWORK
SERVICE)
www.fortra.com page: 33
 Add a login user to the dbcreator server role /

Add a login user to the dbcreator

server role
To perform this procedure, SQL Server Management Studio (SSMS) is required. For
information on installing SSMS, see https://docs.microsoft.com/en-us/sql/ssms/download-
sql-server-management-studio-ssms?view=sql-server-ver15.

1. Launch Microsoft SQL Server Management Studio.

2. Connect to the SQL Server.
3. Click Security > Logins.
4. If you want Then
to
use an double-click that login name and proceed to step 5.
existing login
create a new 1. Right-click the Logins folder and select New Login.
login 2. Enter a Login name and click Search.
3. Enter the name again in the Enter the object name to select
section and click Check Names.
4. When validated, click OK.
5. Select an authentication type. If using SQL Server
authentication, enter, then re-enter your password.
6. Click OK.
5. Select Server Roles on the Login Properties page.
6. Select the dbcreator checkbox and click OK.
7. Under Security > Logins, double-click NT AUTHORITY\NETWORK SERVICE.
8. Select Server Roles, and ensure Public is checked.
9. Select User Mapping and make sure Titus_Reporting or your report Database is
checked. Click OK.

Administration Console Deployment Guide www.fortra.com page: 34

 Grant db_owner database privileges to a login user /

Grant db_owner database privileges

to a login user
The Titus database must exist before performing this procedure. If the database was not
created manually, this procedure can only be performed after installing Data Classification
Administration Console.

1. Open SQL Server Management Studio.

2. Connect to the SQL Server.
3. Select Databases > <your Titus database folder> > Security > Users.
4. Double-click a user login name.
5. Select Membership on the left side of the form.
6. Select the db_owner checkbox and click OK.
7. Double-click the user NT AUTHORITY\NETWORK SERVICE.
8. Click Membership.
9. Ensure db_owner, db_datawriter, and db_datareader are selected.

Administration Console Deployment Guide www.fortra.com page: 35

 Kerberos authentication / Define the domain name for the Titus Service

Kerberos authentication
To further secure your environment, you can enforce Kerberos authentication when
authenticating to a remote SQL database. You must use Windows NT while installing the
Data Classification Administration Console to enable Kerberos authentication. The Kerberos
protocol prevents phishing by preventing client machines from being redirected to an
endpoint hosted by a malicious service.

When installing on a remote database, change the management service or the permissions
in the database to successfully publish the Configuration file.

Define the domain name for the Titus Service

When the Administration Console has been installed, you can define the domain name if
Windows Authentication was used to create the database and you want to enable Kerberos
authentication.

1. Stop all Titus Services. See Stop and start Titus Services on the Administration
Console on page 21.
2. Double-click the Titus Enterprise Management Service. A Titus Enterprise
Management Service Properties window appears.
3. Select the Log On tab and select This account .
3. Enter the <domain nameTITUS Service account> in the text box and the password
and click OK .
4. Restart all Titus Services. See Stop and start Titus Services on the Administration
Console on page 21.

Administration Console Deployment Guide www.fortra.com page: 36

 Use the MSI files /

Use the MSI files

You can manually install the Administration Console using MSI files. Instead of running the
TITUSAdminConsoleSetup.exe file, navigate to and open the RedistSuite folder. Install the
files in the order they appear below.

Installation File Notes

Order
1 SQLSysClrTypes2012_SP1_
x64.msi
2 SharedManagementObjects2012_
SP1_x64.msi
3 Synchronization-v2.1-x64-
ENU.msi
4 DatabaseProviders-v3.1-x64-
ENU.msi
5 Titus_Core_Plugins_x64.msi
6 Titus_Server_Setup.msi The following properties are
supported for the Titus_Server_
Setup.msi file:

l CONFIGUTILLOGLEVEL
Sets the logging to DEBUG,
WARN, INFO, or ERROR:
CONFIGUTILLOGLEVEL=DEBUG
By default, the logging level is
WARN.
l SERVICESLOGLEVEL
Sets the services logging to
DEBUG, WARN, INFO, or ERROR
enter:
SERVICESLOGLEVEL=DEBUG
By default, the logging level is
WARN.

Administration Console Deployment Guide www.fortra.com page: 37

 Use the MSI files /

Installation File Notes

Order
7 Titus_Services_Setup_x64.msi The following properties are
supported for the Titus_Services_
Setup_x64.msi file:

l SERVICESLOGLEVEL
Sets the services logging to
DEBUG, WARN, INFO, or ERROR
enter:
SERVICESLOGLEVEL=DEBUG
By default, the logging level is
WARN.
l EVENT_LOG_FILE_SIZE
Sets the size of the Event
source log file in MBs.
EVENT_LOG_FILE_SIZE=20
By default, the maximum size is
set at 5MB.
8 VC_redist.x64.exe

Administration Console Deployment Guide www.fortra.com page: 38

 Use the executable in a command line / Supported installation properties

Use the executable in a command

line
When running the TITUSAdminConsoleSetup.exe in a command line, the RedistServerAC
folder and the TITUSAdminConsoleSetup.exe file must be in the same location during the
installation. The RedistServerAC folder contains the prerequisites and Services that are
automatically installed when the .exe file is run.

The following properties are optional but can be used to configure the software installation.
For details on how to perform the install see Install the Administration Console on page 9.

Supported installation properties

The installation properties are case-sensitive and will fail if not entered as listed in the table
below.

Property Description
EXISTINGSQLRADIOBUTTON Enables or disables the “Connect to an existing SQL
Server instance” radio button during installation

To enable, enter 1; to disable, enter 0. For example:

EXISTINGSQLRADIOBUTTON=0

By default, the radio button is enabled during this

installation.
CONFIGUTILLOGLEVEL Sets the logging to DEBUG, WARN, INFO, or ERROR
enter:

CONFIGUTILLOGLEVEL=DEBUG

By default, the logging level is WARN.

SERVICESLOGLEVEL Sets the services logging to DEBUG, WARN, INFO, or
ERROR:

SERVICESLOGLEVEL=DEBUG

By default, the logging level is WARN.

Administration Console Deployment Guide www.fortra.com page: 39

 Contacting Fortra / Fortra Community Portal

Contacting Fortra
Please contact Fortra for questions or to receive information about Data Classification Suite
for Windows (On-premises).

Fortra Community Portal

For additional resources, or to contact Technical Support, visit our website at
https://dataclassification.fortra.com/ or support.fortra.com. You can email Support at
[email protected].

Gather and organize as much information as possible about the problem including job/error
logs, screen shots or anything else to document the issue.

Administration Console Deployment Guide www.fortra.com page: 40