Chat now with support
Chat mit Support

Identity Manager 9.1.1 - Password Capture Agent Administration Guide

The One Identity Manager Password Capture Agent Managing the Password Capture Agent Fine-tuning automated password synchronization The Password Capture Agent Windows PowerShell module Event log for the Password Capture Agent Customizing security for the Password Capture Agent service Achieving high availability for the web service with Windows Network Load Balancing Installing the Password Capture Agent with MSIEXEC Certificate lookup options Known error codes

Password

To change the password used to authenticate against One Identity Manager, use either the Set-ServiceConfig.exe command line or the Password Capture Agent Windows PowerShell module.

The command line is supplied with the Password Capture Agent and is located in the Password Capture Agent installation folder ...\Service.

NOTE: The Password Capture Agent must be configured to use the BackendClientCredentialType parameter with the DialogUser value.

Example: local

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" BackendClientCredentialUserPwd:<new password>

The command line can also be used to set the password on a remote server on which the Password Capture Agent is installed. Use the optional Servername parameter to specify the name or the IP address of the remote server. In this case, COM+ Network Access must be enabled on the remote server in the application server role. If it is not enabled, see the Microsoft documentation to enable it.

Example: remote

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" BackendClientCredentialUserPwd:<new password> Servername: <Server name or IP address>.

NOTE: It is not required to restart the Password Capture Agent service. The new password takes effect immediately.

Related topics

Delete processes

The Password Capture Agent manages a queue with the password change processes that are sent to One Identity Manager. If you need to delete some of these processes from the internal queue, use the Set-ServiceConfig command line.

Example: local

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" DeleteJob:<Job-ID>::=<YYYY.MM.DD HH.MM.SS.mmm>|*

Sample for a certain Job-ID: '2014.10.03 16:45:07.647'

Set-ServiceConfig.exe DeleteJob:"2014.10.03 16:45:07.647"

To delete all processes use * as the Job-ID.

Set-ServiceConfig.exe" DeleteJob:*

Logging with NLog

Starting with version 2.0, the Password Capture Agent uses NLog for logging. NLog allows logging to be configured with an XML file.

By default, an nlog.config in the Password Capture Agent installation folder is provided, which uses the same event log as previous versions.

This nlog.config also provides additional examples of how to configure NLog to log directly to a file or other tools, such as chainsaw. You can enable these by uncommenting the matching rules in the rules section of the nlog.config.

More detailed examples of how to configure NLog can be found here: https://nlog-project.org/.

NOTE: A faulty nlog.config will cause the Password Capture Agent to stop logging.

Configuring the web service

You can modify the default values of the following configuration parameters related to password synchronization in the Designer.

Table 1: Configuration parameters and default values
Configuration parameter

Description

QER | Person | UseCentralPassword |
PasswordCaptureAgent | Certificate

Specifies if a certificate is used to encrypt the password synchronization traffic between the Password Capture Agent and the web service.

Default value: enabled.

QER | Person | UseCentralPassword | PasswordCaptureAgent | Certificate | SignAndEncrypt

Specifies if a certificate is used to sign the encrypted password synchronization traffic between the Password Capture Agent and the web service.

Default value: enabled.

IMPORTANT: Passwords for user accounts marked as privileged in One Identity Manager are not synchronized with other connected target systems.

TIP: If you have configured more than one Active Directory domain or have employees with more than one user account, use the Password Capture Agent to check your password policy for employee's central password. To avoid circular password resets, the password history value should be 1 or greater.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen