This section describes the prerequisites and steps for deploying and configuring Secure Password Extension to provide access to the Self-Service site from the Windows logon screen on end-user computers. Secure Password Extension also provides dialog boxes displayed on end-user computers, these dialog boxes notify users who must create or update their Questions and Answers profiles with Password Manager.
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Instance Initialization
Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server
FailSafe support in Password Manager
Installing Multiple Instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites
Step 1: Obtain and Install Custom Certificates From a TrustedWindows-Based Certification Authority
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites
Configuring Management Policy
Configuring User Scope
Configuring Permissions for Domain Management Account
Adding Domain Connection
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
User Logon Requirements
Adding Secret Questions
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
Password Policy Manager
Secure Password Extension
Offline Password Reset
Migration Wizard
Telesign
SQL Server Database and SQL Server Reporting Services
One Identity Quick Connect Sync Engine
Defender
Password Manager Secure Token Server
RADIUS Two-Factor Authentication
Quest Enterprise Single Sign-On
Redistributable Secret Management Service
Location sensitive authentication
Password Manager permission checker
Working with Power BI templates
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Legacy Self-Service, Password Manager Self-Service site and Helpdesk Sites on Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Installing Password Manager in Perimeter Network with Read-Only Domain Controllers
Installing Password Manager in Perimeter Network with Reverse Proxy
Installing Password Manager in Perimeter Networ kwithout AD DS
Management Policy Overview
Password Policy Overview
Using One Identity Password Policies
Using Fine-Grained Password Policies
Applying Multiple Password Policies
Using Password Policy Manager
Secure Password Extension Overview
Locating Self-Service Site
reCAPTCHA Overview
Obtaining Self-Service Site URL from Service Connection Point
Changing Self-Service Site URL on the Administration Site
Launching User Notification
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Password Change and Reset Process Overview
Resetting and Changing Password in Connected Systems
Enforcing Password History When Resetting Password
Replicating Password Changes
Data Replication
Phone-Based Authentication Service Overview
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
General Settings
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Self-Service Activities Overview
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with an external provider
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Register
Manage My Profile
Edit Q&A Profile
Reset Password in Active Directory
Change Password in Active Directory
Reset Password in Active Directory and Connected Systems
Change Password in Active Directory and Connected Systems
Reset password in connected systems through embedded connectors
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Issue BitLocker Recovery Key
Provide product feedback
Notification Activities
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Verify User Identity
Enforce Update of Profile
Helpdesk Activities Overview
Notification Activities
Customizing Notifications
Email User if Workflow Succeeds
Email User if Workflow Fails
Email Administrator if Workflow Succeeds
Email Administrator if Workflow Fails
User Enforcement Rules
General Settings Overview
Search and Logon Options
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Upgrading Password Manager
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Active Directory Sites
Maximum Password Age Policy Task
User Status Statistics Task
Clear Old Records from Reporting Database
Environment Health Checker Task
Update RADIUS server status
Web Interface Customization
Instance Reinitialization
Realm Instances
Domain Connections
Using Domain Connections
Specifying Access Account for Domain Connections
Changing Access Account for Domain Connections
Specifying Advanced Options for Domain Connection
Removing a Domain Connection
Extensibility Features
RADIUS Two-Factor Authentication
Password Manager components and third-party applications
Unregistering users from Password Manager
Bulk Force Password Reset
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
Upgrade Requirements
About Secure Password Extension
Upgrading Multiple Instances of Password Manager
Upgrading Password Manager
Administrative Templates
In-place upgrade
Upgrade 5.7.1 or later versions
Running the Migration Wizard
Modifying the service account
Converting Q&A Profiles
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Installing Administrative Templates
Configuring Administrative Templates
Updating Administrative Templates
Removing Administrative Templates
Secure Password Extension
Configuring Access to Self-Service Site from Windows Logon Screen
Deploying and Configuring Secure Password Extension
Password Policies
Deploying Secure Password Extension
Configuring Secure Password Extension
Managing Secure Password Extension Using Administrative Templates
Uninstalling Secure Password Extension
About Password Policies
Installing Password Policy Manager
Uninstalling Password Policy Manager
Creating and Configuring a Password Policy
Managing Password Policy Scope
Deleting a Password Policy
Enable S2FA for Administrators & Enable S2FA for HelpDesk Users
Reporting
Reporting and User Action History Overview
Password Manager Integration
Appendixes
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Appendix A: Accounts Used in Password Manager
Glossary
Password Manager Service Account
Application Pool Identity
Domain Management Account
Password Policy Account
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of Password Policies List
Customization of Password Strength Meter
Customization of User Name
Appendix D: Feature imparities between the legacy and the new Self-Service Sites
Deploying and Configuring Secure Password Extension
Deploying Secure Password Extension
Secure Password Extension > Deploying and Configuring Secure Password Extension > Deploying Secure Password Extension
Secure Password Extension is deployed on client computers through Group Policy. You can create a new Group Policy object (GPO) or use an existing one to assign the installation package with Secure Password Extension for installing it on the destination computers. Secure Password Extension is then installed on computers to which the GPO applies. Depending on the operating system running on the destination computers, you must apply either of the following installation packages included on the installation CD:
- SecurePasswordExtension_x86.msi - Installs Secure Password Extension on computers running x86 versions of operating systems.
- SecurePasswordExtension_x64.msi - Installs Secure Password Extension on computers running x64 versions of operating systems.
You can modify the behavior and on-screen appearance of Secure Password Extension components by configuring an administrative template's settings, and then applying the template to the target computers through Group Policy.
The administrative template is available in only one format: prm_gina.admx.
The prm_gina.admx administrative template file is located in the \Password Manager\Setup\Template\Administrative Template\ folder of the installation CD. This administrative template is designed to be used with Windows Server 2012 R2 or later operating systems. Before using this administrative template, copy the prm_gina.admx and prm_gina.adml files from the installation CD to the following locations: %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions(for the prm_gina.admx file) and %systemroot%\SYSVOL\sysvol\domain\Policies\PolicyDefinitions\en-US (for the prm_gina.adml file).
Alternatively, you could use the Administrative Template configuration tool to copy and use the admx templates.
Follow the steps below to configure and deploy the Secure Password Extension on end-user computers.
To deploy and configure Secure Password Extension
- Copy the required installation package (SecurePasswordExtension_x86.msi or SecurePasswordExtension_x64.msi) from the installation CD to a network share accessible from all domain controllers where you want to install Secure Password Extension. The MSI packages are located in the \Password Manager\Setup\ folder of the installation CD.
- Create a GPO and link it to all computers, sites, domains, or organizational units where you want to use Secure Password Extension. You may also choose an existing GPO to use with Secure Password Extension.
- Open the Group Policy Management Editor in the Group Policy Management, and then do the following
- Expand Computer Configuration/Policies/Software Settings, right-click Software installation, and then select New | Package.
- Browse for the MSI package you have copied in step 1, and then click Open.
- In the Deploy Software window, select a deployment method and click OK.
- Verify and configure the properties of the installation, if needed.
Configuring Secure Password Extension
Secure Password Extension > Deploying and Configuring Secure Password Extension > Configuring Secure Password Extension
This section describes how to override automatic location of the Self-Service site and customize Secure Password Extension.
Overriding Automatic Self-Service Site Location
Secure Password Extension > Deploying and Configuring Secure Password Extension > Configuring Secure Password Extension > Overriding Automatic Self-Service Site Location
By default, Secure Password Extension uses service connection points published in Active Directory to locate the Self-Service site. If you need to override the default behavior and force Secure Password Extension to use a specific Self-Service site, you must manually specify the URL path and override the default behavior of Secure Password Extension.
To override automatic Self-Service site location on a computer running Windows Server 2012 R2 or later
- Click the Start button, click Run, and type mmc. Click OK.
- In the Console window on the File menu, click Add/Remove Snap-in.
- Double-click Group Policy Management Editor in the list of available snap-ins.
- In the Group Policy Wizard window, click Browse, select Default Domain Policy and click OK.
- Click Finish to exit Group Policy Wizard.
- Click OK.
-
Login to the Active Directory Domain Controller machine with Administrative Privileges.
-
Copy the Administrative Template Configuration folder from <CD >/Password Manager/Setup/Tools.
-
Copy the Administrative Template folder into the Machine from <CD>/Password Manager/Setup/Template.
-
Double click QPM.AdministrativeTemplateConfiguration.exe tool from the Administrative Template Configuration folder.
-
In the Password Manager Administrative Template Configuration windows, browse the Administrative Template folder path and verify the path to Policy Definitions.
-
Click Execute to run the tool.
- Once the execution is complete, click Exit to close the window.
-
Launch the Group Policy Management utility.
-
Right click the domain, and then on the shortcut menu, click Create a GPO in the domain and Link it here to link the policy.
- Enter a name to the New GPO, say "OneIdentity".
-
Right click the new GPO (OneIdentity) and select Enforced to apply the policy.
-
Right click the new GPO (OneIdentity) and select Edit.
- To view the latest Administrative Template, follow the steps mentioned below
- Double-click Specify URL path to the Self-Service site.
- Select the Enabled option on the Settings tab and then enter the URL path to the Self-Service site into the entry field using the following format: https://COMPUTER_NAME/PMUser/, where COMPUTER_NAME is the name of the server in which the Self-Service site is installed. Substitute https:// with http:// if you don’t use HTTPS.
IMPORTANT: It is strongly recommended that you enable HTTPS on the Password Manager server. - Click OK. The specified URL will be used only if service connection points are unavailable or if the Self-Service site URL specified in the service connection point cannot be found. If you want Secure Password Extensions to always use the specified URL, perform the following steps.
- Double-click Override URL path to the Self-Service site.
- Select the Enabled option on the Settings tab.
- Click OK.
- Apply the updated policy to the computers in the managed domain.
NOTE: Application of the updated policy to the computers in the managed domain may take some time to complete.
