Confirm the following requirements are met before installing TAMS. Meeting these prerequisites up front avoids the most common deployment and startup failures.
Host Requirements
- Architecture: x64 only. ARM64 and x86 hosts are not supported.
- Role: A Windows Server joined to, or with network access to, your Active Directory domain/forest.
- Runtime: .NET 10 (Windows) — see TAMS Overview for the full technology stack.
Supported Windows Server Versions
TAMS targets net10.0-windows10.0.18362.0, which sets the minimum required OS API level at Windows build 18362 (Windows 10 version 1903, May 2019).
| Windows Server Version | Build | Supported | Notes |
|---|
| Windows Server 2025 | 26100 | ✅ Yes — recommended | Highest LTS alignment with .NET 10 |
| Windows Server 2022 | 20348 | ✅ Yes | — |
| Windows Server 2019 | 17763+ | ✅ Yes — requires cumulative updates applied past build 18362 | Baseline LTSC install (17763) must be patched before deployment |
| Windows Server 2016 | 14393 | ❌ No | OS build is below the TFM minimum (18362) |
| Windows Server 2012 R2 and earlier | — | ❌ No | Dropped in .NET 7 |
For Windows Server 2019 deployments, ensure all Windows Updates are applied before installing TAMS. The LTSC baseline build (17763) is below the required API floor (18362) and TAMS will not run until the host is patched.
Network Connectivity
TAMS requires outbound HTTPS connectivity to the TruU cloud and LDAP/LDAPS connectivity to your domain controllers and global catalog servers. The single inbound connection is the REST endpoint consumed by the Windows Authenticator.
Ensure the following are reachable from the TAMS host:
- TruU Platform API and TruU Identity Server over HTTPS (port 443).
- Active Directory domain controllers and global catalog servers over LDAP/LDAPS.
See Installation & Configuration for the full port and firewall rule details.
TLS Certificate
TAMS requires a valid TLS certificate installed in the Windows Certificate Store with the friendly name TRUU-HTTPS. Kestrel loads this certificate at startup to serve the HTTPS REST API.
The TRUU-HTTPS certificate must be managed and renewed by your team. An expired or missing certificate will cause the service to fail on startup, which is surfaced through the health check endpoint.
Service Account
TAMS runs under a dedicated Windows service account that holds only the minimum Active Directory permissions required to unlock accounts. No AD credentials are stored in the application or registry.
Review the full permission set and the recommended delegation approach in Active Directory Permissions.
Windows Authenticator Version
To target a shared DNS name for high availability, use TruU Windows Authenticator v26.1.0 or later.