立即与支持人员聊天
与支持团队交流

Password Manager 5.13.2 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Legacy Self-Service Site and Password Manager Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Q&A Policy and Authentication

When you configure the Q&A policy, you should remember that the settings you specify may affect the authentication process. The following authentication activities use the Q&A policy settings:

  • Authenticate with Q&A profile (random questions): This activity is used in self-service workflows. It relies on the number of secret questions you specify in the activity. If a user’s profile contains fewer questions, you can select whether to authenticate the user or not. For more information, see Authenticate with Q&A Profile (Random Questions).

  • Authenticate with Q&A profile (specific questions): This activity is used in self-service workflows. It relies on the specific secret questions you specify in the activity. If the specified questions cannot be found in a user’s profile, the user will not be authenticated. For more information, see Authenticate with Q&A Profile (Specific Questions).

  • Authenticate with Q&A profile (user-selected questions): This activity is used in self-service workflows. It relies on the number and type of secret questions you specify in the activity. Users will be able to choose questions to authenticate with from their profile's answered questions. If the user's profile contains fewer questions than the set minimum, you can select whether to authenticate the user or not. For more information, see Authenticate with Q&A Profile (User-selected questions)

  • Authenticate with Q&A profile: This activity is used in helpdesk workflows. It relies on the specific secret questions you specify in the activity and on the Store answers using reversible encryption option that you specify in the Q&A profile settings. If the specified questions cannot be found in a user’s profile, the user will not be authenticated.

    This activity uses mandatory and helpdesk questions. Helpdesk questions are always stored using reversible encryption. Mandatory questions are hashed, unless you select the Store answers using reversible encryption option in the Q&A profile settings. Note, that if mandatory questions are hashed, you will not be able to use the activity option that specifies that helpdesk operators verify user identity by comparing the answers provided by users with the displayed answers (the Answers to the specified questions (user’s answer is shown) option). For more information, see Authenticate with Q&A Profile.

Q&A Policy and User Enforcement

The Q&A profile settings affects the Invite users to create/update Q&A profiles enforcement rule. This rule has conditions that state when users should be notified to create or update their profiles. These conditions correspond to the Q&A profile settings. For example, the User’s answers are shorter than required condition corresponds to the Minimum length of answers setting. So, when you change any of the Q&A profile settings, you can then select the corresponding condition in the rule and enforce users to create or update their profiles in accordance with the new settings. For more information, see Invite Users to Create/Update Profiles.

Data Replication

This section provides information on how Password Manager stores and replicates data.

Storing Data

There are two types of data stored by Password Manager: Password Manager configuration data and users’ Q&A profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.

Q&A profiles are stored in the attribute of a user account in AD LDS that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance; for more information, see Instance Reinitialization.

Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager for AD LDS folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.

The Shared.storage file contains configuration data that is shared among all instances of a realm: Management Policies, General Settings, AD LDS connections, Custom Activities and Workflows, instance settings, and so on.

The Local.storage file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.

The LocalizationStorage folder contains the user interface texts localized in several languages.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级