IdentityMesh Installer
The IdentityMesh MSI packages all server-side components into a single installer with selectable features. A separate MSI ships each Relay Agent.
Prerequisites
- .NET 8 Desktop Runtime x64 (windowsdesktop-runtime-8.0-win-x64)
- ASP.NET Core 10 Runtime x64 (aspnetcore-runtime-10.0-win-x64)
- SQL Server (local or remote, Windows auth recommended)
- IIS (optional, for the Admin Portal hosting)
The installer detects missing .NET runtimes and blocks installation with a descriptive error message including the download URL.
The MSI and all bundled binaries are Authenticode-signed.
MSI Features
The installer presents a feature selection dialog during Custom install.
| Feature | Default | Install Path | Description |
|---|---|---|---|
| SyncEngine | Installed | APPDIR\engine\ | Sync engine Windows service (IdentityMeshEngine) |
| AdminAPI | Optional | APPDIR\api\ | Admin REST API Windows service (IdentityMeshAdmin) |
| AdminUI | Optional | APPDIR\ui\ | Angular static files for IIS hosting |
| Database | Always | APPDIR\sql\ | SQL scripts + DbSetup.exe (hidden from UI) |
Default install directory: C:\Program Files\IdentityMesh\
All features are children of MainFeature — they appear as a single product entry in Add/Remove Programs.
Install Wizard
The installer wizard collects configuration through the following flow:
- Welcome — Product intro.
- Folder — Install directory selection.
- Customize — Feature selection (SyncEngine, AdminAPI, AdminUI).
- SQL Configuration — SQL Server instance, database name, and Admin Portal IIS port (shown only when AdminUI is selected).
- Service Accounts — Separate accounts for Sync Engine and Admin API. Supports domain accounts, gMSA (suffix $, no password), or blank for Local System.
- Role Group Mapping — AD security groups for Admin, Operator, and Viewer roles. Pre-populated with DOMAIN\IdentityMesh-Admins, DOMAIN\IdentityMesh-Operators, DOMAIN\IdentityMesh-Viewers using the detected domain. Optional — leave blank to skip.
- Verify Ready — Summary before install.
Install Behavior
```
msiexec /i IdentityMesh-1.0.26077.msi
```
- Files are installed to the selected features’ directories.
- Windows services are registered (SyncEngine and/or AdminAPI).
- DbSetup.exe runs automatically after install (NOT Installed condition).
DbSetup Steps
| Step | Action |
|---|---|
| 1 | Create database if it doesn’t exist |
| 2 | Deploy schema (Deploy_All.sql — idempotent, safe to re-run) |
| 2b | Grant Sync Engine service account SQL access (db_owner) |
| 2c | Grant Admin API service account SQL access (if different) |
| 3 | Patch appsettings.json with connection string and role group mappings |
| 3b | Grant “Log on as a service” right (via secedit) |
| 3c | Register EventLog sources (IdentityMesh.Service, IdentityMesh.Admin.Api) |
| 3d | Configure service logon accounts (via sc.exe config) |
| 3e | Write ui\assets\config.json with API URL |
| 3f | Create IIS site for Admin Portal (via appcmd.exe, if IIS installed) |
| 4 | Start services |
| 5 | Create desktop shortcuts (Admin API, Admin Portal) |
Logs: %TEMP%\IdentityMesh.DbSetup.log (also copied to APPDIR\sql\dbsetup.log).
Windows Services
| Service Name | Display Name | Executable | Feature |
|---|---|---|---|
| IdentityMeshEngine | IdentityMesh Engine | engine\IdentityMesh.Service.exe | SyncEngine |
| IdentityMeshAdmin | IdentityMesh Admin API | api\IdentityMesh.Admin.Api.exe | AdminAPI |
Services are configured with the account and password entered during install. If no account is specified, services run as LocalSystem. gMSA accounts (ending with $) are supported — password is left empty.
IIS Site
When AdminUI is selected, DbSetup creates an IIS site:
- Site name: IdentityMesh Admin Portal
- Physical path: APPDIR\ui\
- Port: Configured during install (default: 4200)
- Requires: IIS installed with appcmd.exe
If IIS is not installed, DbSetup logs a warning and skips. The UI files can be hosted manually on any web server.
Role Group Mapping
The installer writes AD group mappings to api\appsettings.json:
```json
{
  "IdentityMesh": {
    "SqlConnectionString": "...",
    "Roles": {
      "Admin": "DOMAIN\\IdentityMesh-Admins",
      "Operator": "DOMAIN\\IdentityMesh-Operators",
      "Viewer": "DOMAIN\\IdentityMesh-Viewers"
    }
  }
}
```
See authentication.md for how roles and permissions resolve at request time.
MSI Properties
Properties available for silent install (msiexec /i ... PROPERTY=value):
| Property | Default | Description |
|---|---|---|
| SQL_SERVER | .\SQLEXPRESS | SQL Server instance |
| DB_NAME | IdentityMesh | Database name |
| SVC_ACCOUNT | (empty) | Sync Engine service account |
| SVC_PASSWORD | (empty) | Sync Engine service password |
| API_SVC_ACCOUNT | (empty) | Admin API service account |
| API_SVC_PASSWORD | (empty) | Admin API service password |
| ROLE_ADMIN_GROUP | DOMAIN\IdentityMesh-Admins | AD admin group |
| ROLE_OPERATOR_GROUP | DOMAIN\IdentityMesh-Operators | AD operator group |
| ROLE_VIEWER_GROUP | DOMAIN\IdentityMesh-Viewers | AD viewer group |
| UI_PORT | 4200 | IIS port for Admin Portal |
UpgradeCode
The MSI UpgradeCode is stable across versions to support in-place upgrades:
{8A4E2C6D-F1B3-4A5E-9D7C-2E8F0B6A4C1D}
Do not change this unless forking or creating a separate product.
Files
| File | Purpose |
|---|---|
| build-installer.cmd | Main build script — publishes, creates .aip, builds MSI |
| build-relay-installer.cmd | Relay agent installer build script |
| patch-aip.ps1 | XML patching for features, dialogs, and custom actions |
| patch-relay-aip.ps1 | XML patching for relay agent installer |
| IdentityMesh.DbSetup/ | Post-install tool — DB setup, service config, IIS, shortcuts |
| banner.bmp | Installer banner image (493x58, IdentityMesh branding) |
| dialog.bmp | Installer sidebar image (493x312, blue gradient with logo) |
| favicon.ico | Product icon |