There are three separate areas in Password Manager where credentials may be specified. Carefully read and follow the guidance in the sections below to verify and update each appropriately. Unless the proper procedure is followed, it will not be possible to log into the Admin Site in Password Manager after changing the service account or updating the password, and data can be lost.
In the event of an improper Service Account modification, error messages in the Event Viewer logs and User Site will show the following:
Cryptography exception - Bad Data.
NOTE: If there is a requirement for a minimal permissions account see this article before completing the steps in this article to switch the service account being used. Assigning Minimum Permissions Required to Install and Run Password Manager (4227388)
Password Manager Service Account:
The Password Manager username and password is stored encrypted in the configuration. In order to change the account or password for the Service Account, a backup of the configuration must be exported before making any changes and re-imported after the credentials have been modified or the Password Manager service will no longer be able to read the configuration data, resulting in loss of configuration and user Q&A profile data.
To change the Password Manager Service Account, perform the following steps exactly as noted:
NOTE: Due to security enhancements, a complex password is generated when exporting the configuration. The password is only displayed once and changes each time the page is viewed. The password must be noted and secured at the time of the configuration export, as it will never be displayed again. The password is required to import the configuration.
Application Pool Identity:
Follow the guidance below to update the Application Pool Identity in Microsoft Internet Information Services (IIS). These credentials can be updated at any time without risk to product configurations and can be performed independently from the Service Account.
Domain Connection Override Account:
Follow the guidance below to update the Override Accounts used in any Domain Connections. Please note that many configurations may not utilize Override Accounts and may instead use the Password Manager Service Account to access the managed domains. These credentials can be updated at any time without risk to product configurations and can be performed independently from the Service Account.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center