Password Manager Service account is used to install Password Manager. For Password Manager to run successfully, Password Manager Service account must be a member of the Administrators group on the Web server where Password Manager is installed.
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Instance Initialization
Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server
FailSafe support in Password Manager
Installing Multiple Instances of Password Manager
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites
Step 1: Obtain and Install Custom Certificates From a TrustedWindows-Based Certification Authority
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites
Configuring Management Policy
Configuring User Scope
Configuring Permissions for Domain Management Account
Adding Domain Connection
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
User Logon Requirements
Adding Secret Questions
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
Password Policy Manager
Secure Password Extension
Offline Password Reset
Migration Wizard
Telesign
SQL Server Database and SQL Server Reporting Services
One Identity Quick Connect Sync Engine
Defender
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Quest Enterprise Single Sign-On
Redistributable Secret Management Service
Location sensitive authentication
Password Manager permission checker
Working with Power BI templates
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Legacy Self-Service, Password Manager Self-Service site and Helpdesk Sites on Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Installing Password Manager in Perimeter Network with Read-Only Domain Controllers
Installing Password Manager in Perimeter Network with Reverse Proxy
Installing Password Manager in Perimeter Networ kwithout AD DS
Management Policy Overview
Password Policy Overview
Using One Identity Password Policies
Using Fine-Grained Password Policies
Applying Multiple Password Policies
Using Password Policy Manager
Secure Password Extension Overview
Locating Self-Service Site
reCAPTCHA Overview
Obtaining Self-Service Site URL from Service Connection Point
Changing Self-Service Site URL on the Administration Site
Launching User Notification
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Password Change and Reset Process Overview
Resetting and Changing Password in Connected Systems
Enforcing Password History When Resetting Password
Replicating Password Changes
Data Replication
Phone-Based Authentication Service Overview
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
General Settings
Specifying Advanced Options for Domain Connection
Changing Domain Management Account
Removing a Domain Connection
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Self-Service Activities Overview
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Register
Manage My Profile
Edit Q&A Profile
Reset Password in Active Directory
Change Password in Active Directory
Reset Password in Active Directory and Connected Systems
Change Password in Active Directory and Connected Systems
Reset password in connected systems through embedded connectors
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Issue BitLocker Recovery Key
Provide product feedback
Notification Activities
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Verify User Identity
Enforce Update of Profile
Helpdesk Activities Overview
Notification Activities
Customizing Notifications
Email User if Workflow Succeeds
Email User if Workflow Fails
Email Administrator if Workflow Succeeds
Email Administrator if Workflow Fails
User Enforcement Rules
General Settings Overview
Search and Logon Options
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Upgrading Password Manager
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Active Directory Sites
Maximum Password Age Policy Task
User Status Statistics Task
Clear Old Records from Reporting Database
Environment Health Checker Task
Update RADIUS server status
Web Interface Customization
Instance Reinitialization
Realm Instances
Domain Connections
Using Domain Connections
Specifying Access Account for Domain Connections
Changing Access Account for Domain Connections
Specifying Advanced Options for Domain Connection
Removing a Domain Connection
Extensibility Features
RADIUS Two-Factor Authentication
Unregistering users from Password Manager
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
Upgrade Requirements
About Secure Password Extension
Upgrading Multiple Instances of Password Manager
Upgrading Password Manager
Administrative Templates
In-place upgrade
Upgrade 5.7.1 or later versions
Running the Migration Wizard
Modifying the service account
Converting Q&A Profiles
Upgrading Secure Password Extension
Upgrading Password Policy Manager
Installing Administrative Templates
Configuring Administrative Templates
Updating Administrative Templates
Removing Administrative Templates
Secure Password Extension
Configuring Access to Self-Service Site from Windows Logon Screen
Deploying and Configuring Secure Password Extension
Password Policies
Deploying Secure Password Extension
Configuring Secure Password Extension
Managing Secure Password Extension Using Administrative Templates
Uninstalling Secure Password Extension
About Password Policies
Installing Password Policy Manager
Uninstalling Password Policy Manager
Creating and Configuring a Password Policy
Managing Password Policy Scope
Deleting a Password Policy
One Identity Starling
Reporting
Reporting and User Action History Overview
Password Manager Integration
Appendixes
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Appendix A: Accounts Used in Password Manager
Glossary
Password Manager Service Account
Application Pool Identity
Domain Management Account
Password Policy Account
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager
Appendix C: Customization Options Overview
Password Manager Service Account
Application Pool Identity
Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity during Password Manager setup will be used to run Password Manager Web sites.
Application pool identity account must meet the following requirements:
- This account must be a member of the IIS_IUSRS local group on the Web server in IIS 7.0.
- This account must have permissions to create files in the <Password Manager installation folder>\App_Data folder.
- Application pool identity account must the full control permission set for the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Password Manager.
Domain Management Account
Domain management account is an account under which Password Manager accesses a managed domain. Domain management account must meet the following minimum requirements to successfully perform password management tasks in the managed domain:
- Membership in the Domain Users group
- The Read permission for all attributes of user objects
- The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime
- The right to reset user passwords
- The permission to create user accounts and containers in the Users container
- The Read permission for attributes of the organizationalUnit object and domain objects
- The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
- The permission to create container objects in the System container
- The permission to create the serviceConnectionPoint objects in the System container
- The permission to delete the serviceConnectionPoint objects in the System container
- The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container
Password Policy Account
You can use Password Manager to create password policies that define which passwords to reject or accept. Password policy account is an account that you specify when you add a domain for configuring password policies.
Password policy account must meet the following minimum requirements:
- The Read permission for attributes of the groupPolicyContainer objects.
- The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
- The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.
- The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
- The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.
- The Write permission for the following attributes of the msDS-PasswordSettings object:
- msDS-LockoutDuration
- msDS-LockoutThreshold
- msDS-MaximumPasswordAge
- msDS-MinimumPasswordAge
- msDS-MinimumPasswordLength
- msDS-PasswordComplexityEnabled
- msDS-PasswordHistoryLength
- msDS-PasswordReversibleEncryption
- msDS-PasswordSettingsPrecedence
- msDS-PSOApplied
- msDS-PSOAppliesTo
- name
For more information on password policies that can be configured in Password Manager, see Creating and Configuring a Password Policy.
Corporate Authentication
In the Register workflow, if the Admin selects Corporate authentication check box, user will only be able to review the corporate account details while registration. If Allow user to edit corporate details check box is selected, user will be able to update the respective corporate details such as Corporate email and Corporate phone number, provided that the details are not previously populated by administrator in the AD.
If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.
- The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.
- If Allow user to edit corporate details checkbox is selected under Corporate authentication check box, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.
