Prerequisites for the Nodinite Web API
Prepare your environment for a seamless Nodinite Web API deployment. This guide details all technical prerequisites, security requirements, and best practices to ensure a successful installation and smooth operation.
✅ Complete checklist for Windows, SQL, and firewall requirements
✅ Visual architecture diagrams for clarity
✅ Direct links to troubleshooting and expert support
This page describes the prerequisites to install and run the Nodinite Web API successfully.
You install the Nodinite Web API (a Web Application hosted within IIS) from the Nodinite Install and Update Tool. The Nodinite Web API is part of the Core Services package.
The diagram above illustrates the architecture and key dependencies for the Nodinite Web API.
| Verified | Topic |
|---|---|
| | IIS Windows Features |
| | MSDTC |
| | Windows rights |
| | Database rights |
| | Firewall |
Use the checklist above to verify that you have performed all steps required to get Nodinite flying.
IIS Windows Features
The Nodinite Web API is an IIS-hosted web application built on .NET 9 and ASP.NET Core (Nodinite 7) or .NET Framework 4.8 (Nodinite 6).
Key requirements:
- Windows Authentication - Required for integrated security and ASP.NET Impersonation
- ASP.NET Core Module V2 - Required for Nodinite 7 (.NET 9)
- ASP.NET 4.x / .NET Extensibility 4.x - Required for Nodinite 6 (.NET Framework 4.8)
IIS Windows Features - Complete feature list, installation scripts, and troubleshooting
Important
The Default Web Site must exist within IIS. The Nodinite installer will fail if this is missing.
Microsoft Distributed Transaction Coordinator (DTC)
The Web API is involved in SQL Server related operations. Nodinite uses the Windows Service Microsoft Distributed Transaction Coordinator (DTC), which is responsible for coordinating transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with the best practices to install and configure the DTC Windows Service.
Important
You must configure the DTC as documented. Otherwise, Nodinite will not be operational.
What Windows rights does the Web API require?
The Nodinite Web API runs as an IIS web application with a dedicated App Pool. The v7 PowerShell installation scripts automatically configure these settings during installation.
Service Account Requirements:
- The App Pool service account must be able to log in to the server: Allow Logon locally
- If the service account is not a local administrator, it must be a member of the IIS_IUSRS group
- The service account must have Read rights on the %windows%\system32\inetsrv\config folder (for redirection.config access)
Note
To grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the "Allow logon locally" system right, or grant the right to that user account directly.
How It Works:
The v7 PowerShell installation scripts create a dedicated IIS App Pool for the Web API. This App Pool runs with ASP.NET Impersonation enabled, which means:
- The App Pool runs with the configured service account identity
- All consumers of the Web API are impersonated to this dedicated Windows service account
- Calls to SQL Server are performed as this identity, enabling role-based access control and audit logging
IIS Authentication settings - Complete guide to authentication configuration, encryption, and troubleshooting
Important
If the Windows User account for the Application Pool is not assigned the sysadmin role, you must add the account to the list of logins that receive the correct user rights as new databases are created. This list is governed by the LogServiceUsers system parameter.
Tip
Troubleshooting permissions: If you encounter "Cannot read configuration file due to insufficient permissions" errors, ensure the App Pool account has Read rights on %windows%\system32\inetsrv\config. See the IISConfigurationFile troubleshooting guide.
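The three service account requirements above can be checked before installation. The following is an added example, not part of the Nodinite installation scripts. It assumes Windows PowerShell 5.1 or later in an elevated session, that the IIS configuration folder is under %SystemRoot%, and uses a placeholder account name.

```powershell
# Added example: read-only audit; run elevated (secedit export requires it).
# 'CONTOSO\svc-nodinite' is a placeholder account, not a value from the page.
param([string]$Account = 'CONTOSO\svc-nodinite')

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators
$iisSid    = 'S-1-5-32-568'   # well-known SID: BUILTIN\IIS_IUSRS
function Test-DirectMember([string]$GroupSid) {
    # Direct membership only; nested domain groups are not expanded.
    [bool](Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid })
}
$isAdmin = Test-DirectMember $adminsSid
$inIis   = Test-DirectMember $iisSid
# SIDs through which a user right or an ACL entry can apply to the account.
$principals = @($sid)
if ($isAdmin) { $principals += $adminsSid }
if ($inIis)   { $principals += $iisSid }

# "Allow log on locally" is SeInteractiveLogonRight in the exported policy.
$inf = Join-Path $env:TEMP 'nodinite-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$canLogon = [bool]($holders | Where-Object { $principals -contains $_ })

# Allow ACEs granting Read on the IIS config folder (Deny ACEs not evaluated).
$path  = Join-Path $env:SystemRoot 'System32\inetsrv\config'
$read  = [System.Security.AccessControl.FileSystemRights]::Read
$rules = (Get-Acl -Path $path).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$canRead = [bool]($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $principals -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $read) -eq $read })

[pscustomobject]@{
    Account             = $Account
    AdminOrIisIusrs     = ($isAdmin -or $inIis)
    AllowLogOnLocally   = $canLogon
    ReadOnInetsrvConfig = $canRead
}
```

A False value can also mean the right is held through a nested domain group, which this check does not expand, so confirm against the effective policy before changing anything.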
What SQL Rights does the Web API require?
Master
Grant VIEW SERVER STATE rights.
GRANT VIEW SERVER STATE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Monitoring Service
If applicable, repeat the grant on all nodes that are part of an AOAG environment.
AOAG
Apply the settings below if you are using SQL Server Always On.
Grant VIEW DEFINITION ON AVAILABILITY GROUP rights.
GRANT VIEW DEFINITION ON AVAILABILITY GROUP::AOAGGROUPNAME TO [Domain\user];
Replace [Domain\user] with the Windows account being used for the Monitoring Service.
If applicable, repeat the grant on all nodes that are part of an AOAG environment.
Nodinite databases
The Nodinite Web API accesses the databases using the impersonated identity configured for the Web API and requires the following SQL roles and grants:
| Database | Permission | Description | Microsoft Docs Link |
|---|---|---|---|
| Configuration Database | db_datareader | Grants read access to all tables and views | db_datareader |
| Configuration Database | db_datawriter | Grants write access to all tables and views | db_datawriter |
| Configuration Database | db_ddladmin | Allows running DDL statements (e.g., create/alter/drop objects) | db_ddladmin |
| Configuration Database | sysadmin/db_owner | Required for certain administrative tasks (e.g., shrinking databases) | sysadmin, db_owner |
| Log Databases | db_datareader | Grants read access to all tables and views | db_datareader |
| Log Databases | db_datawriter | Grants write access to all tables and views | db_datawriter |
| Log Databases | db_ddladmin | Allows running DDL statements (e.g., create/alter/drop objects) | db_ddladmin |
This table lists the minimum SQL Server permissions required for the Nodinite Web API's Configuration Database and Log Databases. Ensure these grants are set for uninterrupted operation, maintenance, and automation.
Grant Execute rights on all existing and future stored procedures for the account used by the Web API:
GRANT EXECUTE TO [Domain\user]
Replace [Domain\user] with the Windows account being used for the Web API.
Important
db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially for remote servers (linked servers). Read more here. Contact our support if you have any questions about this.
Tip
Review system parameters LogServiceUsers and LogAccessRoles
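To confirm that the grants listed in this section are in place for one database, the roles and permissions can be read back from the SQL Server catalog views. This is an added example, not Nodinite code. The server, database and account names are placeholders, and it assumes a PowerShell host that ships System.Data.SqlClient.

```powershell
# Added example: read-only report; run it as a DBA who can see the account's metadata.
# Server, database and account names below are placeholders, not values from the page.
param(
    [string]$Server   = 'SQLSERVER01',
    [string]$Database = 'NodiniteConfigDb',
    [string]$Account  = 'CONTOSO\svc-nodinite'
)
$query = @'
SELECT IS_SRVROLEMEMBER('sysadmin', @acct) AS IsSysadmin,
 (SELECT COUNT(*) FROM sys.server_permissions p
   JOIN sys.server_principals l ON l.principal_id = p.grantee_principal_id
  WHERE l.sid = SUSER_SID(@acct) AND p.state IN ('G','W')
    AND p.permission_name = 'VIEW SERVER STATE') AS ViewServerState,
 (SELECT COUNT(*) FROM sys.database_permissions p
   JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
  WHERE u.sid = SUSER_SID(@acct) AND p.state IN ('G','W')
    AND p.class = 0 AND p.permission_name = 'EXECUTE') AS DbExecute,
 STUFF((SELECT ',' + r.name FROM sys.database_role_members m
   JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
   JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
  WHERE u.sid = SUSER_SID(@acct) FOR XML PATH('')), 1, 1, '') AS DbRoles;
'@
$cs   = "Server=$Server;Database=$Database;Integrated Security=SSPI"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@acct', $Account)
    $reader = $cmd.ExecuteReader()
    [void]$reader.Read()
    $roles = @()
    if ($reader['DbRoles'] -isnot [DBNull]) { $roles = $reader['DbRoles'].Split(',') }
    # Roles the page lists for both the Configuration Database and the Log Databases.
    $required = 'db_datareader', 'db_datawriter', 'db_ddladmin'
    [pscustomobject]@{
        Database        = $Database
        Roles           = $roles -join ', '
        MissingRoles    = ($required | Where-Object { $roles -notcontains $_ }) -join ', '
        DbExecute       = $reader['DbExecute'] -gt 0
        ViewServerState = $reader['ViewServerState'] -gt 0
        IsSysadmin      = $reader['IsSysadmin'] -eq 1
    }
} finally {
    $conn.Dispose()
}
```

Run it once against the Configuration Database and once per Log Database. Only direct grants and role memberships are reported, so an account that is sysadmin or db_owner, or that gets its rights through a Windows group login, can show MissingRoles even though its effective rights suffice.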
What Firewall settings are required for the Web API
The Web API requires both inbound and outbound ports to be opened.
Four types of consumers access the Web API; plan firewall rules for each:
| Consumer | Access Pattern |
|---|---|
| End-Users (via Web Client) | Browsers → Web Client → Web API |
| Reporting Tools | PowerBI, Excel, QlikView → Web API (REST) |
| Core Services | Monitoring/Logging Services → Web API (internal port 8000) |
| SQL Server | Web API → SQL Server (Configuration & Log Databases) |
Three servers commonly participate in Web API deployments:
| Server | Role |
|---|---|
| Web Server | Hosts the Web API and Web Client (IIS) |
| SQL Server | Hosts Configuration and Log Databases (queried via Windows authentication) |
| Domain Controller | Provides Kerberos authentication and LDAP/DNS services |
Plan firewall rules for communication between these servers (Web Server ↔ SQL Server, Web Server ↔ Domain Controller, SQL Server ↔ Domain Controller).
Note
Nodinite v7 Port Configuration: HTTP/HTTPS and internal service ports are configured during installation in the Nodinite Portal. The v7 PowerShell installation scripts automatically configure IIS bindings and Core Services communication based on your Portal settings.
Required Firewall Ports
- TCP Ports for REST
  - Inbound communication from end-users, reporting tools
  - Outbound communication with Monitoring Service and Logging Service
- TCP Ports between Web API and SQL Server
  - Configuration Database and Log Databases
1. TCP Ports for REST
| Port | Name | Inbound | Outbound | TCP | UDP | Comment |
|---|---|---|---|---|---|---|
| 80 | HTTP | | | | | default for HTTP |
| 443 | HTTPS | | | | | default for HTTPS |
Custom ports (1-65535): Depends on IIS bindings configured in the Nodinite Portal during installation.
Important
If you intend to host Nodinite on non-default ports, contact support for guidance at support@nodinite.com.
Internal Core Services Communication
| Port | Name | Inbound | Outbound | TCP | UDP | Comment |
|---|---|---|---|---|---|---|
| 8000 | Internal Core Services | | | | | Used by Monitoring and Logging Services |
Info
Port 8000 is used for internal communication between Nodinite Core Services. The specific port is configured in the Portal. See Why do Nodinite use port 8000 for details.
Diagram: End-users, reporting tools, and Core Services communicate with the Web API over HTTP/HTTPS and internal ports.
2. TCP Ports between Web API and SQL Server
The Web API communicates with SQL Server using Windows authentication, Kerberos, and distributed transactions (MSDTC). The SQL Server Firewall Configuration guide covers the complete firewall configuration, including:
- DNS resolution (port 53)
- Kerberos authentication (port 88)
- MSDTC/RPC (port 135 and dynamic ports)
- SQL Server instances (port 1433 and custom ports)
- Linked Servers configuration
- Azure SQL Managed Instance connectivity
- Always On Availability Groups (AOAG) requirements
Frequently asked questions
Additional solutions to common problems and the Nodinite Web API FAQ exist in the Troubleshooting user guide.
Can I secure the Web API?
Yes, the Web API fully supports SSL certificates. Add your certificate to IIS and configure the Web API to allow only HTTPS traffic for enhanced security.
Important
Review the Nodinite IIS Hardening user guide for more information.
Next Step
Install Nodinite
IIS Windows Features
MSDTC
Related Topics
Core Services Package
Configuration Database
Log Databases
Logging Service
Monitoring Service
Roles
Log Audits
SQL Server Firewall
IIS Authentication settings