- 5 minutes to read

Prerequisites for the Nodinite Web API

This page describes the prerequisites to install and run the Nodinite Web API successfully.

You install the Nodinite Web API (a Web Application hosted within IIS) from the Nodinite Install and Update Tool. The Nodinite Web API is part of the Core Services package.

graph LR subgraph "PowerBI, Excel, QlikView Reports" roReport[fal Metrics chart Custom Reports] end subgraph "Application Server" roLoggingService(fal:fa-hard-drive Logging Service) --- roWebAPI roMonitoringService --- roWebAPI roWebClient(fal:fa-globe Web Client) ---roWebAPI(fal:fa-cloud-sun Web API) end subgraph "SQL Server" roConfigDatabase(fal:fa-database Configuration database) --- roLogDatabase(fal:fa-database fal:fa-database fal:fa-database Log databases) roWebAPI --- roConfigDatabase roLoggingService -.- roConfigDatabase roMonitoringService(fal:fa-watch-fitness Monitoring Service) -.- roConfigDatabase roReport --- roWebAPI end

Verified	Topic
	MSDTC
	Windows rights
	Database rights
	Firewall

Use the checklist above to verify that you have performed all steps required to get Nodinite flying.

Microsoft Distributed Transaction Coordinator (DTC)

The Web API is involved in SQL Server related operations. Nodinite uses the Windows Service Microsoft Distributed Transaction Coordinator (DTC),responsible for coordinating transactions that span multiple resource managers. We have written a dedicated tutorial for Nodinite with the best practices to install and configure the DTC Windows Service.

Important
You must configure the DTC as documented. Otherwise, Nodinite will not be operational.

What Windows rights does the Web API require?

The service account in use for the WebAPI must be able to login to the server: Allow Logon locally

If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the Allowed logon locally system right or grant the right to that user account.

The service account in use for the WebAPI must be a member of the IIS_IUSRS.

When you install Nodinite using the install and update tool, the Web API is assigned an IIS App Pool. This IIS App Pool is set to run with ASP.NET Impersonation and all consumers of the Web API will be impersonated to a dedicated Windows Service account.

The Web API uses ASP.NET Impersonation which is a feature built into IIS and further call to SQL Server(s) are being performed as this identity.

If the impersonated service account for IIS App Pool is not a local administrator then the Windows Domain account must be added to the local IIS_IUSRS group. The account used must also be assigned certain SQL Rights; see next paragraph.

Important
If the Windows User account for the Application Pool is not assigned the sysadmin role, then you must make sure the account is added to the list of logins to apply correct user rights for (as new databases are created). This settings is governed by the ImLogServiceUsers system parameter.

What SQL Rights does the Web API require?

Master

Grant VIEW SERVER STATE rights.

GRANT VIEW SERVER STATE TO [Domain\user]

Replace [Domain\user] with the Windows account being used for the Monitoring Service

If applicable, repeat the grant on all nodes part of an AOAG environment.

AOAG

Apply the settings below if you are using SQL Server Always on.

Grant GRANT VIEW DEFINITION ON AVAILABILITY GROUP rights.

GRANT VIEW DEFINITION ON AVAILABILITY GROUP ::AOAGGROUPNAME TO [Domain\user];

Replace [Domain\user] with the Windows account being used for the Monitoring Service.

If applicable, repeat the grant on all nodes part of an AOAG environment.

Nodinite databases

The Web API accesses the databases using the impersonated configured for the Web API and must have the following SQL rights assigned:

Configuration Database
- db_datareader
- db_datawriter
- db_ddladmin
- Grant Execute rights on all existing and future stored procedures:

GRANT EXECUTE TO [Domain\user]

Replace [Domain\user] with the Windows account being used for the Web API.

Log Databases (can be multiple )
- db_datareader
- db_datawriter
- db_ddladmin

Important
db_ddladmin is required for the service account to have proper rights to read statistics. Without this permission, performance may be degraded, especially true for remote servers (linked servers). Read more here. Contact our support if you have any questions about this.

Tip
Review system parameters ImLogServiceUsers and ImLogAccessRoles

What Firewall settings are required for the Web API

The Web API requires both inbound and outbound ports to be opened. Since Nodinite is highly configurable, the actual ports in use may differ from what's being exampled here.

The Web API requires both inbound and outbound ports to be open. Depending on your environment different ports may be used. On a high level the following services must be allowed:

TCP Ports for REST
- Inbound communication from consumers typically HTTP and HTTPS
- Outbound communication with Monitoring Service and Logging Service Nodinite performs internal alive checks
Configuration Database - ports used to communicate with SQL Server

1. TCP Ports for REST

Port	Name	Inbound	Outbound	TCP	UDP	Comment
80	HTTP					default for HTTP
443	HTTPS					default for HTTPS

1-65535 - It depends on what port you have assigned using 'Edit Bindings' for the Web Site hosting the Web API (inbound and outbound see next bullet)

If you're going to host Nodinite on non default ports, Please contact our support for guidance at support@nodinite.com
8000 HTTP with X API Key (outbound)
- Monitoring Service
- Logging Service

graph LR subgraph "App Server" roMS(fal:fa-watch-fitness Monitoring Service) roLS(fa:fa-hard-drive Logging Service) end subgraph "Web Server" roWebAPI(fal:fa-cloud-sun Web API) roWebClient(fal:fa-globe Web Client) -->|80,443,...| roWebAPI end subgraph "PowerBI, Excel, QlikView Reports" roReport[fal Metrics chart Custom Business Reports] roReport-->|80,443,...| roWebAPI roWebAPI -->|8000| roMS roWebAPI -->|8000| roLS end

2. TCP Ports between Web API and SQL Server

The Web API accesses the databases using the Impersonated Windows Account. You must ensure that TCP ports used are allowed by your firewalls, depending on location of the SQL database the actual ports used may differ. The following Windows Services are involved:

Port	Name	Comment
53	DNS	The Agent needs to know where your other servers/services are (can sometimes optionally be solved with user-defined entries in the `hosts` file in each Windows server instance), review the following 'Microsoft' user guide
88	Kerberos	Review 'Microsoft Kerberos' user guide
135	DTC/RPC	This port is shared between many Windows Services
1433/...	SQL Server instance ports (multiple)	Depends on policies and settings on target environment. Please review the How to configure RPC dynamic port allocation to work with firewalls user guide

graph LR subgraph "Web Server" roWebAPI(fal:fa-cloud-sun WebAPI) end subgraph "SQL Server" roSQL1(fal:fa-database Configuration Database) --- roSQL2(fal:fa-database Active Log Database) roWebAPI -->| SQL, DTC, DNS, RPC |roSQL1 end

Frequently asked questions

Additional solutions to common problems and the Nodinite Web API FAQ exist in the Troubleshooting user guide.

Can I secure the Web API?

Yes, the Web API supports the usage of SSL Certificates. Simply add your certificate to IIS and configure the Web API to only allow https.

Next Step

Install Nodinite

Core Services Package

Explore Nodinite for 30 days – completely free

See how Nodinite resolves your technical issues, in a

LIVE Demo!