立即与支持人员聊天
与支持团队交流

Password Manager 5.13.2 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Legacy Self-Service Site and Password Manager Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Password Manager Secure Token Server

Password Manager Secure Token Server (STS) is installed with Password Manager. You can configure STS to use internal or external providers with optional Multi-Factor Authentication (MFA).

You can use this feature on the new Password Manager Self-Service Site to authenticate users in a workflow, or to authenticate admin and helpdesk users. This feature is installed as a service called Password Manager Secure Token Service (STS). It has a configuration and user login interface.

How to use Password Manager STS features

To use the Password Manager STS feature, drag "Authenticate with external provider" activity into any workflow.

  • If you have not set up Secure Token Server connection or did not have valid providers configured in authentication providers, you cannot use this activity.

  • If you set up at least one provider, you can start using it.

  • If you set up more than one, you can select a provider for each activity used in workflows.

Authenticate with external provider on Self-Service Site

When Authenticate with external provider is the current activity in a workflow, the user is presented with a login form, where they need to provide the credentials for the configured authentication provider. If the configured provider is using MFA, the user will be prompted for the next step. For more information, see Authenticate with external provider.

This login interface uses the browser's language. The supported languages are the following:

  • Argentinean (ar)

  • Chinese (zh)

  • Dutch (nl)

  • English (en)

  • French (fr)

  • German (de)

  • Italian (it)

  • Japanese (ja)

  • Korean (ko)

  • Russian (ru)

  • Spanish (es)

Password Manger STS account restrictions

By default, the Password Manager STS account is set to be the same account as the Password Manager Service Account by the Password Manager installer. The account requires read rights on domain.

Using STS features in a Password Manager realm

The Password Manager STS settings are stored separately from other Password Manager settings in a file on each server. That file will be encrypted using the service user’s DPAPI key by default, or a specified certificate and can be replicated to other servers in a realm. For the replication to work the Password Manager STS instances should use the same ports.

Using Certificate to protect STS configuration

A trusted X.509 certificate with a private key needs to be installed on each server in the LocalMachine’s certificate store. The provided Rsts.exe.config XML configuration file (\One Identity\Password Manager\Service\SecureTokenServer\) will need to be modified on each machine running a PasswordManager STS instance. An example of the XML configuration file is as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="rstsConfigSource" type="Rsts.Config.RstsConfigSource, Rsts"/>
  </configSections>
  <rstsConfigSource xmlns="urn:Rsts.Config"> 
   <source type="FileConfigProvider">
      <fileConfigProvider fileName="rstsConfig.bin">
        <protection type="RsaDataProtection">
          <rsaDataProtection certificateStore="LocalMachine" certificateLookupType="FindByThumbprint" certificateLookupValue="b23655f8ac0b81c5b00bac0bc0a15e7e1d2b78be"/>
        </protection>
      </fileConfigProvider>
    </source>
  </rstsConfigSource>
</configuration>

The thumbprint of the certificate used to encrypt the Password Manager STS settings file is set in the rsaDataProtection element’s certificateLookupValue attribute. Change the value of the certificateLookupValue attribute to match the used certificate’s thumbprint. In case of swapping to certificate encryption, copy the protection element and its child nodes and replace the existing protection element in the masterConfigProvider and slaveConfigProvider node.

NOTE: This configuration will be used after the restart of Password Manager Secure Token Server service.

NOTE: The specified certificate must be valid, trusted and it must exist in the Local Computer’s certificate store. It must have a private key. Access to the private key must be granted to the service account that is running the Password Manager Secure Token Server Windows Service. The private key must be an RSA key, of any length. A certificate with an ECC key is not supported.

CAUTION: The current rstsConfig.bin will be unusable. For master (or single) instances of STS, reconfiguration has to take place from start. In case of slave instances, if the replication process works correctly, no reconfiguration is needed.

Pre-configuration steps after swapping between encryption methods on master (or single) instance

Pre-configuration takes place on the Administration Site General Settings > Secure Token Server page. Password Manager will check if a reset happened, then try to configure the basic options needed for STS to work properly. If the configuration is successful, no modal should show up. After a page refresh, STS is useable again.

If Password Manager STS settings are not replicated automatically

To replicate the Password Manager STS settings manually, copy the rstsConfig.bin file from the server where you configured Password Manager STS to all other servers. After you copy the file, you must restart the Password Manager STS Windows Service.

NOTE: You can find rstsConfig.bin in <installdir>/One Identity/Password Manager/Service/SecureTokenServer/.

NOTE: This process needs to be repeated every time Password Manager STS settings are modified.

NOTE: : For this copy-paste process, the encryption method of the Password Manager STS has to be set to certification based encryption before configuration. See: Using Certificate to protect STS configuration.

RADIUS Two-Factor Authentication

RADIUS Two-Factor Authentication enables two-factor authentication on Password Manager. RADIUS Two-Factor Authentication uses one-time passwords to authenticate users on the Self-Service Site and Helpdesk Site.

To configure RADIUS Two-Factor Authentication in Password Manager, you have to configure the RADIUS server details in Password Manager.

To configure RADIUS Two-Factor Authentication

  1. On the home page of the Administration Site, click General Settings > RADIUS Two-Factor.

    The RADIUS Two-Factor Authentication page is displayed.

  2. To add a new RADIUS server for authentication, click Add RADIUS server.

    RADIUS Two-Factor Authentication page is displayed.

    NOTE: You can add only two servers, one is used as a primary server and the other as a secondary server. The server that is created first is considered as the primary server and used for RADIUS authentication.

  3. In the RADIUS Server (IP address or hostname) field, enter the RADIUS server IP address.

  4. In the Port number field, enter the port number assigned during configuration of RADIUS.

  5. In the RADIUS Shared Secret field, enter the password set during RADIUS configuration.

  6. Specify the Active Directory attribute to authenticate the user from the drop-down menu.

  7. From the Additional RADIUS Attribute section, select the required RADIUS attribute from the drop-down menu. Specify the value for the selected attribute and click +.

    The RADIUS attributes and the corresponding values that you add is displayed.

    NOTE: The RADIUS attributes supported are NAS-IP-Address, NAS-Port, NAS-Port-Type, and NAS-Identifier.

  8. Click Save.

For more information, see Authenticate with RADIUS Two-Factor Authentication.

Redistributable Secret Management Service

Redistributable Secret Management Service (rSMS) can be used to manage user passwords across multiple connected systems. Using the rSMS service it is possible to quickly synchronize the passwords across connected systems. By default, the rSMS service is installed with the Password Manager software.

Alternative option

The Redistributable Secret Management Service (rSMS) feature, can be used as an alternative to One Identity Quick Connect Sync Engine.

NOTE: The Target platform IP address or the Hostname should not be same server where the One Identity rSMS service is installed.

Location sensitive authentication

The location sensitive authentication feature allow you to skip certain authentication methods for users trying to execute a workflow on Self-Service Site from a defined corporate network. Using this feature, you can also restrict the capability of searching for the users on Self-Service Site from IP addresses that is not specified in the defined corporate IP address range. For more information on restricting the user search, see Account Search Options Customization.

IMPORTANT: It is mandatory to have at least one authentication method for users accessing the application from the defined corporate network.

You can use the location sensitive authentication feature for any of the authentication activities listed here.

  • Q&A profile (random questions)

  • Q&A profile (specific questions)

  • Q&A profile (user-selected questions)

  • Defender
  • RADIUS Two-Factor Authentication

  • Phone

Configuring corporate IP address range

You must specify a defined corporate IP address range that help in determining if the users are trying to execute the workflow from an internal or external network.

  1. On the home page of the Administration Site, click General Settings > Corporate IP Address Ranges.

  2. On the Corporate IP Address Ranges page, click Add Corporate IP Address Range.

  3. Provide the Network Address and Subnet Mask.

  4. Click Save.

    The corporate IP address range is successfully added.

To edit the defined corporate IP address, click Edit. To delete the defined corporate IP address, click Remove .

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级