> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truu.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Installation & Configuration

> Install the TAMS Windows Service, configure it via the registry, and open the required network ports and firewall rules.

This guide walks through installing TAMS and configuring the host so the service can serve unlock requests and reach both Active Directory and the TruU cloud.

<Note>
  Complete the [Prerequisites & Requirements](/docs/tams-prerequisites) before starting. In particular, confirm the host OS is supported and the `TRUU-HTTPS` certificate is installed.
</Note>

## Installation

<Steps>
  <Step title="Install the MSI">
    Run the TAMS MSI installer on the target Windows Server. TAMS installs as a native Windows Service.
  </Step>

  <Step title="Assign the service account">
    Configure the service to run under the dedicated Windows service account that holds the [minimum AD permissions](/docs/tams-ad-permissions). The account needs the **Log on as a service** right on the local machine.
  </Step>

  <Step title="Confirm the TLS certificate">
    Ensure the `TRUU-HTTPS` certificate is present in the Windows Certificate Store. Kestrel loads it at startup to serve HTTPS.
  </Step>

  <Step title="Apply registry configuration">
    Set the required values under `HKLM\SOFTWARE\TruU\AccountManagement` (see below), then start the service.
  </Step>
</Steps>

## Registry Configuration

All TAMS configuration is stored in the Windows Registry under:

```text theme={null}
HKLM\SOFTWARE\TruU\AccountManagement
```

This includes the listening web server port and other runtime settings. Each instance in a high-availability deployment must be configured with the same registry settings.

<Warning>
  Protect the `HKLM\SOFTWARE\TruU\AccountManagement` registry key with appropriate ACLs to prevent tampering by non-administrative users.
</Warning>

## Listening Port

| Port                                             | Protocol    | Direction | Description                                          |
| ------------------------------------------------ | ----------- | --------- | ---------------------------------------------------- |
| WebServerPort (configurable, stored in Registry) | HTTPS (TLS) | Inbound   | Kestrel web server — REST API for account operations |

## Network Calls

All network communication is outbound from TAMS except for the single inbound REST endpoint consumed by the Windows Authenticator.

### Inbound Traffic

| Direction | Protocol | Source                | Destination           | Purpose                     |
| --------- | -------- | --------------------- | --------------------- | --------------------------- |
| Inbound   | HTTPS    | Windows Authenticator | TAMS (:WebServerPort) | Account unlock API requests |

<Note>
  If this endpoint is resolved via local DNS only, then for Hybrid or domain-joined systems the device must be connected to the corporate network for the unlock to work.
</Note>

### Outbound Traffic

All outbound HTTP calls use a configurable **20-second** request timeout. Identity Server calls use a **10-second** cancellation timeout. The Directory Searcher server-side time limit is **10 seconds**.

| Direction | Protocol | Destination                          | Endpoint                                                        | Purpose                                         |
| --------- | -------- | ------------------------------------ | --------------------------------------------------------------- | ----------------------------------------------- |
| Outbound  | HTTPS    | TruU Platform API                    | Domain lookup at service startup to resolve Identity Server URL |                                                 |
| Outbound  | HTTPS    | TruU Identity Server (IDS)           | GET /api/v1/user/info                                           | OAuth token validation for every unlock request |
| Outbound  | LDAP     | Active Directory (RootDSE)           | LDAP://RootDSE                                                  | Discover forest root naming context             |
| Outbound  | LDAP/GC  | Active Directory (Global Catalog)    | GC://\<forestRootDn>                                            | Forest-wide user lookup by UPN                  |
| Outbound  | LDAP     | Active Directory (Domain Controller) | LDAP://\<domainName>                                            | Bind to user's domain to unlock account         |

## Required Firewall Rules (Outbound from TAMS Host)

| Port | Protocol | Destination                     | Purpose                                  |
| ---- | -------- | ------------------------------- | ---------------------------------------- |
| 443  | HTTPS    | TruU Platform / Identity Server | Domain lookup & OAuth token validation   |
| 389  | LDAP     | Active Directory DC(s)          | Directory queries and account unlock     |
| 636  | LDAPS    | Active Directory DC(s)          | LDAP over TLS (if enforced by AD policy) |
| 3268 | LDAP     | Global Catalog server(s)        | Forest-wide user search                  |
| 3269 | LDAPS    | Global Catalog server(s)        | Forest-wide user search over TLS         |

<Note>
  * The LDAP/GC ports used depend on your Active Directory TLS policy. In hardened environments LDAPS (636/3269) may be required. TAMS uses Windows Integrated Authentication for all LDAP connections; no LDAP credentials are stored in the application.
  * Firewall rules are necessary if internal firewalls block inbound and outbound communication between the domain controller and the TAMS server.
</Note>

### Allowed URLs (TAMS → TruU Cloud)

The following URLs must be allowed from the TAMS server to the TruU cloud:

* `https://global.platform.truu.ai`
* `https://[Customer].idp.id.truu.ai` — replace `[Customer]` with your tenant domain.
