Deltek iAccess 2.3.4
Installation Guide
January 20, 2017
While Deltek has attempted to verify that the information in this document is accurate and
complete, some typographical or technical errors may exist. The recipient of this document is
solely responsible for all decisions relating to or use of the information provided herein.
The information contained in this publication is effective as of the publication date below and is
subject to change without notice.
This publication contains proprietary information that is protected by copyright. All rights are
reserved. No part of this document may be reproduced or transmitted in any form or by any
means, electronic or mechanical, or translated into another language, without the prior written
consent of Deltek, Inc.
This edition published January 2017.
© Deltek, Inc.
Deltek’s software is also protected by copyright law and constitutes valuable confidential and
proprietary information of Deltek, Inc. and its licensors. The Deltek software, and all related
documentation, is provided for use only in accordance with the terms of the license agreement.
Unauthorized reproduction or distribution of the program or any portion thereof could result in
severe civil or criminal penalties.
All trademarks are the property of their respective owners.
Installation Guide
ii
Contents
Overview .......................................................................................................................................... 1
Adding Custom Notes to This Guide ........................................................................................... 1
Before You Begin............................................................................................................................. 2
Server Installation Prerequisites ................................................................................................. 2
Client Requirements .................................................................................................................... 2
Installation ........................................................................................................................................ 4
Installing a Stand-Alone iAccess Server ......................................................................................... 6
Requirements .............................................................................................................................. 6
Installation ................................................................................................................................... 6
Stand-Alone iAccess Installations Using Windows Authentication ................................................. 7
Understanding Domain Configuration Changes ......................................................................... 7
On the Core Application Server (Vision, GovWin Capture Management, or Ajera CRM Server)8
On the iAccess Server................................................................................................................. 9
On the Domain Controller ......................................................................................................... 10
On the Firewall .......................................................................................................................... 11
Manually Set Up the iAccess Virtual Directory .......................................................................... 11
Appendix A: For Additional Information ......................................................................................... 14
Customer Care Connect Site .................................................................................................... 14
Additional Documentation ......................................................................................................... 15
Installation Guide
iii
Overview
Overview
This document describes the server prerequisites, client requirements, and installation
information for the following:

Deltek iAccess for Vision

Deltek iAccess for GovWin Capture Management

Deltek iAccess for Ajera CRM
For information about issues resolved in iAccess for this release, refer to the Deltek iAccess
2.3.4 Release Notes document for the iAccess product your firm uses.
Adding Custom Notes to This Guide
If you would like to add custom notes to this guide that are specific to your company, Adobe®
Reader® X provides this ability. If you do not already use Adobe Reader X, you can download it
here free from Adobe.
To add a custom note using Adobe Reader X, complete the following steps:
1. On the Reader toolbar, click Comment at the far right.
2. In the Annotations pane that displays, click
match the button.
Sticky Note. The cursor changes to
3. Position the cursor at the location in the guide where you want the note to appear, and
click. A note icon is inserted at the location and a text box pops up.
4. Enter your information in the text box.
5. Continue adding notes as needed.
6. Save the document.
Deltek recommends that you save the document to a slightly different filename so as to keep the
original from being overwritten.
When reading the document, cursor over a note icon to see the information. Double-click a note
icon to edit the information.
Installation Guide
1
Before You Begin
Before You Begin
Review the server installation and client requirements before you install iAccess.
Server Installation Prerequisites

Version 7.6 (CU 6) of your core Deltek product (Vision, GovWin Capture Management, or
Ajera CRM) must be installed. iAccess 2.3.4 is not compatible with earlier versions of
these products.

Supported platforms include Windows Server 2012 and Windows Server 2012 R2.

Microsoft .NET Framework 4.5.2 must be installed on the web/application server for your
core Deltek product.

To run setup, you must be a local administrator on the web/application server for your
core Deltek product.
Client Requirements
Client Operating Systems

Windows 7, 8, 8.1, or 10

Windows Vista (SP2)

Windows XP (SP3) — Chrome only
Browsers

Microsoft Internet Explorer 10 or 11

Microsoft Edge

Google Chrome 40 or later

Apple Safari 5 or later (Mac only)

Mozilla Firefox 35 or later
Devices

Android Tablets — Chrome browser only

iPad — Safari browser only
Installation Guide
2
Before You Begin
iAccess for Vision and Supporting Documents
If you use Vision Transactional Document Management (TDM) with iAccess for Vision for
uploading documents, the following system requirements apply:
Desktop Browsers

Google Chrome 40 or later

Apple Safari 5 or later

Mozilla Firefox 36 or later

Opera 11.0 or later

Microsoft Internet Explorer 10 or later

Microsoft Edge
Mobile Browsers

Apple Safari Mobile on iOS 6.0 or later

Google Chrome on iOS 6.0 or later

Google Chrome on Android 4.0 or later
Installation Guide
3
Installation
Installation
When you install iAccess, the setup log automatically defaults to
C:\Users\<User>\AppData\Local\Deltek and creates a temporary shortcut on your desktop.
To install iAccess, complete the following steps:
1. Download the installation file from Deltek Software Manager (DSM) based on your core
Deltek product:

Vision: DeltekiAccess234ForDeltekVision76.exe

GovWin Capture Management: DeltekiAccess234ForDeltekGovWinCM76.exe

Ajera CRM: DeltekiAccess234ForDeltekAjeraCRM76.exe
2. Run the installation file.
3. On the Welcome page of the installation wizard, click Next.
4. On the License Agreement page, select I accept the terms of the license agreement,
and click Next.
5. On the Choose Destination Location page, click Change if you need to change the
default installation location. Deltek recommends that you use the default installation
directory.
6. Click Next to continue.
7. On the Deltek Site page for your core Deltek product (for example, Deltek Vision Site),
specify your web services site for your core Deltek product. The URL must end with
VisionServices.asmx, regardless of what your core product is. Setup will validate this
site for connectivity. The URL that you specify is only accessed from iAccess to connect
to your core Deltek product. Because iAccess and the core Deltek product must be
installed on the same web server, use the default specified URL.
8. Click Next to continue. (The next page may take up to 10 seconds to display).
9. On the Customer Experience Improvement Program page, select the Send installation
data to Deltek option if you want to send technical installation data to help Deltek plan
future releases. No business data will be included if you select this option.
10. Click Next to continue.
11. On the Start Copying Files page, review the current settings, and click Next to continue.
The Setup Status dialog box displays. Setup installs the files and configures the web
server. When finished, the Installation Complete page displays. This page lists the URL
that you must provide to users to run iAccess.
If you are upgrading to iAccess 2.3.4 for Vision from a previous Navigator version, note
that the URL that you previously used to run Navigator is not valid for iAccess. The
Installation Complete page displays your new URL.
Notify those in your firm who used Navigator and will use iAccess of this change. Any
shortcuts that were set up to run Navigator must be updated to use the new URL.
12. Click Finish to complete the installation.
13. In your core Deltek product, go to Configuration » General » System Settings and click
the Email tab.
Installation Guide
4
Installation
14. In the iAccess URL field, enter the iAccess URL that was displayed on the Installation
Complete page in step 11.
Installation Guide
5
Installing a Stand-Alone iAccess Server
Installing a Stand-Alone iAccess Server
For certain installations, it may be necessary to implement iAccess on a dedicated server without
the core web application installed. This is useful for deploying iAccess in a DMZ.
Requirements

Windows Server 2012 or 2012 R2 with IIS installed/configured

Microsoft .NET Framework 4.5.2

Network Connectivity between servers (Port 80 or 443 if using TLS)

DMZ web server
Installation
Complete this installation process on a stand-alone iAccess web server, presumably in a DMZ.
Install on a Stand-Alone Server
To install iAccess on a stand-alone server, complete the following steps:
1. Run the installation file from Deltek Software Manager (DSM) based on your core Deltek
product, as shown below:

Vision: DeltekiAccess234ForDeltekVision76.exe

GovWin Capture Management: DeltekiAccess234ForDeltekGovWinCM76.exe

Ajera CRM: DeltekiAccess234ForDeltekAjeraCRM76.exe
iAccess installs with the checks related to the core product.
2. Follow the prompts to complete the installation.
When prompted for the Deltek Vision, GovWin CM, or Ajera CRM site, be sure to enter
the remote Vision, GovWin CM, or Ajera CRM server.
Installation Guide
6
Stand-Alone iAccess Installations Using Windows Authentication
Stand-Alone iAccess Installations Using Windows
Authentication
Stand-alone iAccess installations that also use Windows Authentication require additional
installation steps, including creating a Service Principal Name (SPN) for the iAccess Application
Pool Identity and also configuring domain-based delegation. This section explains some domain
configuration concepts and provides the steps to perform on the iAccess server and on your core
server.
Understanding Domain Configuration Changes
The following information applies to multi-tier installations of iAccess that use Windows
Authentication only. If you will install iAccess and the Deltek core application (Vision, GovWin
Capture Management, or Ajera CRM) to the same physical server, this information does not
apply to your installation.
Delegation and Kerberos Authentication
Delegation is required for a multi-tier deployment of iAccess that uses Windows Authentication. A
multi-tier installation is an installation in which iAccess and your core Deltek application exist on
separate physical servers.
Delegation is the process of passing a logged-in user’s credentials from one server to another. In
the case of iAccess, the iAccess server passes the user’s credentials to the Deltek core server.
You configure iAccess delegation by modifying the domain user account of the iAccess
Application Pool Identity to perform delegation.
Kerberos Authentication is a secure key-based authentication protocol that delegation requires.
The core application web server requests a key from the Key Distribution Center (KDC). The KDC
is a service that runs on domain controllers. The KDC authenticates the user and provides the
key to the iAccess server for use in delegating users’ credentials to the core server.
Constrained Delegation, Unconstrained Delegation, and Protocol Transition

Unconstrained Delegation: Delegation is allowed from one computer in the domain to
any other user/computer or service on the domain with no restrictions. This is the only
method available in domain models that support Windows 2000 domain controllers.
iAccess does not support Unconstrained Delegation.

Constrained Delegation: Delegation that can be performed by a user or computer in the
domain is limited to a specific user/computer or service. This method of delegation is
much more granular and secure than Unconstrained Delegation and is only available in
SQL Server 2003 (or later) native domains.

Protocol Transition: Use Protocol Transition to transition the authentication protocol
from the trusted server during the delegation. For iAccess in an internet deployment, we
must transition the protocol from NTLM on the iAccess server to Kerberos when
communicating with the core server because Kerberos is not available through the
external firewall. This is necessary because the client must negotiate the Kerberos ticket,
which requires that port 88 be open inbound through the external firewall to the domain
controller (not an advisable security configuration). The iAccess server requests the ticket
on the client's behalf from the KDC. Once it is granted, the ticket is used to authenticate
the user with Kerberos to the core server. This option is only available if the domain
function level is SQL Server 2003 (or later) native.
Installation Guide
7
Stand-Alone iAccess Installations Using Windows Authentication
The following is the Properties dialog box for the Application Pool Identity/Service Account.
The Delegation tab displays the available delegation and protocol transition configuration
options.
No Delegation
Unconstrained Delegation (not supported)
Constrained Delegation
Protocol Transition
On the Core Application Server (Vision, GovWin Capture
Management, or Ajera CRM Server)
Step 1: Verify the Application Pool Identity of the Core Application Pool
To verify the Application Pool Identity of the core Application Pool, complete the following
steps:
1. Open IIS and expand Application Pools.
2. Right-click the Application Pool and select Advanced Settings.
3. Note the user account specified in Identity. You will use this account for the iAccess
Application Pool Identity. The account must be a domain user account.
Step 2: Verify Windows Integrated Security Configuration
To verify Windows integrated security configuration, complete the following steps:
1.
Open IIS.
2.
Expand Sites and expand the Web site where the core application is installed.
3.
Click the virtual directory for the core application.
4.
Click Authentication in the Feature pane.
Installation Guide
8
Stand-Alone iAccess Installations Using Windows Authentication
5.
If Anonymous Access is enabled, disable it.
6.
To verify Kernel Mode Authentication, complete the following steps:
a. Select Advanced Settings in the Action pane.
b. If Kernel Mode Authentication is enabled (selected), use this command to verify that
there is no SPN for the Application Pool Identity. The command lists any SPNs that
exist for the Application Pool Identity domain account.
setspn –L <domain>\<user>
If an SPN exists for the Application Pool Identity and Kernel Mode Authentication is
enabled, it causes a duplicate SPN conflict and results in an HTTP 401 error when
attempting to use iAccess.
c.
If Kernel Mode Authentication is disabled (not selected), use this command to verify
that SPNs exist for the Application Pool Identity. The command lists any SPNs that
exist for the Application Pool Identity domain account.
setspn –L <domain>\<user>
An SPN should exist for the server name (Netbios) and the FQDN as well as for any
custom DNS FQDNs that are being used. Use the commands below to add any
missing SPNs. (You must have domain admin rights.)
setspn –A http/<server> <domain>\<user>
setspn –A http/<FQDN> <domain>\<user>
7.
To verify provider order, select Providers in the Action pane and confirm that Negotiate
is at the top of the list of authentication providers. The default configuration lists
Negotiate followed by NTLM. Negotiate must be first in the list for Kerberos
Authentication to work, and Kerberos Authentication is required for delegation.
On the iAccess Server
Step 1: Verify That the iAccess Server Is a Domain Member
The iAccess server must be a member of the same or trusted domain as the core application
server.
If the iAccess server is in a DMZ, port 88 (Kerberos) must be open on the internal firewall to allow
domain authentication.
Step 2: Verify the Application Pool Identity of the iAccess Application Pool
To verify the Application Pool Identity of the iAccess Application Pool, complete the
following steps:
1. Open IIS and expand Application Pools.
2. Right-click the Application Pool and select Advanced Settings.
3. Set the identity to be the same domain user as the core server Application Pool Identity.
(By default iAccess does not require an identity so it will likely be set to the default of
ApplicationPoolIdentity.)
Installation Guide
9
Stand-Alone iAccess Installations Using Windows Authentication
Step 3: Verify Windows Integrated Security Configuration
To verify Windows integrated security configuration, complete the following steps:
1.
Open IIS.
2.
Expand Sites and expand the Web site where the core application is installed.
3.
Click the virtual directory for the core application.
4.
Click Authentication in the Feature pane.
5.
If Anonymous Access is enabled, disable it.
6.
Verify that ASP .Net impersonation is enabled. Click Edit in the Action pane and select
Authenticated User.
7.
Select Advanced Settings in the Action pane.
8.
If Kernel Mode Authentication is enabled, disable it.
9.
Use this command to verify that SPNs exist for the Application Pool Identity. The
command lists any SPNs that exist for the Application Pool Identity domain account.
setspn –L <domain>\<user>
An SPN should exist for the server name (Netbios) and the FQDN as well as for any
custom DNS FQDNs that are being used. Use the commands below to add any missing
SPNs. (You must have domain admin rights.)
setspn –A http/<server> <domain>\<user>
setspn –A http/<FQDN> <domain>\<user>
10. To verify provider order, select Providers in the Action pane and confirm that Negotiate
is at the top of the list of authentication providers. The default configuration lists
Negotiate followed by NTLM. Negotiate must be on top for Kerberos Authentication to
work, and Kerberos Authentication is required for delegation. NTLM must also be listed if
Protocol Transition will be used for delegation. (For more on Protocol Transition and
delegation, see “On the Domain Controller” below.)
On the Domain Controller
Configure Constrained Delegation for the domain user running the iAccess Application Pool
Identity.
To configure Constrained Delegation for the domain user running the iAccess Application
Pool Identity, complete the following steps:
1. In the Users and Computers tool, right-click the domain user and select Properties.
2. On the Delegation tab, select Trust this user for delegation to specified services
only.
3. Do one of the following:

If the iAccess server is inside the firewall, select Use Kerberos only.

If the iAccess server is an internet deployment (the iAccess server is in the DMZ
and/or users access iAccess using the internet), select Use any authentication
protocol (Protocol Transition). Because port 88 (Kerberos) will not be open on the
external firewall, only NTLM authentication will pass. Configuring Protocol Transition
enables the domain to transition the NTLM authentication passed to the iAccess
server to Kerberos so that a Kerberos ticket can be granted for the user.
Installation Guide
10
Stand-Alone iAccess Installations Using Windows Authentication
On the Firewall
If the iAccess server is in a DMZ, open port 88 (Kerberos) on the internal firewall to allow
Kerberos domain authentication.
Manually Set Up the iAccess Virtual Directory
If you receive the following Install Shield Wizard error during the installation process, complete
the procedure in this section.
Prerequisite: For this procedure, you need to know your iAccess installation directory. By default,
it could be C:\Program Files\Deltek\iAccess.
To configure the iAccess virtual directory and finish the installation, complete the
following steps:
1. From the iAccess server, open Internet Information Services Manager.
2. Expand the Server and verify that a DeltekiAccess Application Pool was created and is
using the v4.0 .NET Framework.
3. If the DeltekiAccess application pool does not exist, right-click Application Pools (under
your server), and click Add Application Pool on the shortcut menu.

Name — DeltekiAccess

.NET Framework Version — NET Framework v4.0.30319

Managed Pipeline Mode — Integrated
Installation Guide
11
Stand-Alone iAccess Installations Using Windows Authentication
4. Expand the Default Web Site, and check for the iAccess virtual directory. If it does not
exist, continue to Step 5.
5. Right-click Default Web Site, and click Add Application on the shortcut menu. The Add
Application dialog box displays.
6. On the Add Application dialog box, complete the fields as follows:

Alias — iAccess

Application Pool — Click the Select button, and select DeltekiAccess from the
drop-down list.

Physical Path — Enter your installation directory for iAccess (for example,
C:\Program Files (x86)\Deltek\iAccess).
7. Click OK to create the IIS Application.
8. Check the Authentication mode for your core product’s virtual directory, and set it to the
same for the iAccess virtual directory. These must match for you to use the same security
model in your core product.
Installation Guide
12
Stand-Alone iAccess Installations Using Windows Authentication
Ensure that ASP.NET Impersonation is enabled:
a. Select iAccess.
b. Select Authentication.
c.
Review ASP.NET Impersonation status.
9. Test iAccess by launching http://localhost/iAccess. The iAccess log in page displays.
If the iAccess log in page does not display, contact Deltek Customer Care.
Installation Guide
13
Appendix A: For Additional Information
Appendix A: For Additional Information
Customer Care Connect Site
The Deltek Customer Care Connect site is a support Web site for Deltek customers who
purchase an Ongoing Support Plan (OSP).
The following are some of the many options that the Customer Care Connect site provides:

Search for product documentation, such as release notes, install guides, technical
information, online help topics, and white papers

Ask questions, exchange ideas, and share knowledge with other Deltek customers
through the Deltek Connect Customer Forums

Access Cloud specific documents and forums

Download the latest versions of your Deltek products

Search Deltek’s knowledge base

Submit a support case and check on its progress

Transfer requested files to a Customer Care analyst

Subscribe to Deltek communications about your products and services

Receive alerts of new Deltek releases and hot fixes

Use Quick Chat to submit a question to a Customer Care analyst online
For more information regarding Deltek Customer Care Connect, refer to the online help available
from the Web site.
Access Customer Care Connect
To access the Customer Care Connect site, complete the following steps:
1. Go to http://support.deltek.com.
2. Enter your Customer Care Connect Username and Password.
3. Click Log In.
If you forget your username or password, you can click the Account Assistance button on the
login screen for help.
Installation Guide
14
Appendix A: For Additional Information
Additional Documentation
Release notes and other guides are available for this release. You can download these
documents in two ways.
Deltek Software Manager
The Documents tab in Deltek Software Manager lists all of the documents associated with a
release and lets you download the ones that you want.
To download documents, complete the following steps:
1. On the Deltek Customer Care site, click the Product Downloads tab, then select Launch
Deltek Software Manager.
2. When the Deltek Software Manager opens, highlight a release in the left pane.
Do not enter a check next to the release name or click Add to
Download Queue. If you do so, you will download the software as
well as any documentation that you want.
3. Click the Documents tab to display a list of available documents for the release.
4. Select the documents that you want.
5. Click View Download Queue to see a list of documents that you selected.
6. Click Download.
Customer Care Site Enterprise Search
Use the search feature to find specific documents or to see a list of all documents associated with
a release. Then open or download the ones that you want.
To download documents, complete the following steps:
1. On the Deltek Customer Care site, click Enterprise Search.
2. Select Release Documentation as the Source.
3. Perform one of the following actions:

To see a list of all available documentation for a release, enter the product and
release number (for example, Vision 7.6) in the search field.

To find a specific document, enter a description of the document (for example, Vision
7.6 release notes) in the search field.
4. Click on the document, then choose to open or save it.
Installation Guide
15
Deltek is the leading global provider of enterprise software and information solutions for government
contractors, professional services firms and other project- and people-based businesses. For decades, we
have delivered actionable insight that empowers our customers to unlock their business potential. 20,000
organizations and millions of users in over 80 countries around the world rely on Deltek to research and
identify opportunities, win new business, recruit and develop talent, optimize resources, streamline
operations and deliver more profitable projects. Deltek – Know more. Do more.®
deltek.com