Chatta subito con l'assistenza
Chat con il supporto

Password Manager 5.13.2 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring access to the Administration Site Configuring access to the Legacy Self-Service Site or Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Legacy Self-Service or Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Feature imparities between the legacy and the new Self-Service Sites Third-party contributions Glossary

Domain management account

Domain management account is an account under which Password Manager accesses a managed domain. Domain management account must meet the following minimum requirements to successfully perform password management tasks in the managed domain:

  • Membership in the Domain Users group

  • The Read permission for all attributes of user objects

  • The Write permission for the following attributes of user objects: pwdLastSet, comment, userAccountControl, and lockoutTime

  • The right to reset user passwords

  • The permission to create user accounts and containers in the Users container

  • The Read permission for attributes of the organizationalUnit object and domain objects

  • The Write permission for the gpLink attribute of the organizationalUnit objects and domain objects

  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers

  • The permission to create container objects in the System container

  • The permission to create the serviceConnectionPoint objects in the System container

  • The permission to delete the serviceConnectionPoint objects in the System container

  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

Password policy account

You can use Password Manager to create password policies that define which passwords to reject or accept. Password policy account is an account that you specify when you add a domain for configuring password policies.

Password policy account must meet the following minimum requirements:

  • The Read permission for attributes of the groupPolicyContainer objects.

  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.

  • The Read permission for the nTSecurityDecriptor attribute of the groupPolicyContainer objects.

  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.

  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.

  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.

  • The Write permission for the following attributes of the msDS-PasswordSettings object:

    • msDS-LockoutDuration

    • msDS-LockoutThreshold

    • msDS-MaximumPasswordAge

    • msDS-MinimumPasswordAge

    • msDS-MinimumPasswordLength

    • msDS-PasswordComplexityEnabled

    • msDS-PasswordHistoryLength

    • msDS-PasswordReversibleEncryption

    • msDS-PasswordSettingsPrecedence

    • msDS-PSOApplied

    • msDS-PSOAppliesTo

    • name

For more information on password policies that can be configured in Password Manager, see Creating and Configuring a Password Policy.

 

Corporate Authentication

In the Register workflow, if the Admin selects Corporate authentication check box, user will only be able to review the corporate account details while registration. If Allow user to edit corporate details check box is selected, the user will be able to update the respective corporate details such as Corporate email and Corporate phone number, provided that the details are not previously populated by administrator in the AD.

If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.

  1. The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.

  2. If Allow user to edit corporate details is selected under Corporate authentication, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.

NOTE: If the Corporate phone attribute under Reinitialization page is a custom value (for example, pager), the Read/Write Permissions must be provided for that attribute instead of the mobile attribute.

Account for using One Identity Quick Connect

You can configure cross-platform password synchronization using One Identity Quick Connect. If used in conjunction with Quick Connect, Password Manager allows you to enable users and helpdesk operators to manage passwords across a wide variety of connected systems.

To enable Password Manager to connect to Quick Connect and set passwords in connected systems, the account used to access Quick Connect must be a member of the local administrators group on the Quick Connect server. For more information on using Quick Connect with Password Manager, see Reset Password in Active Directory and Connected Systems.

Open communication ports for Password Manager

This section provides a list of communication ports that must be open in the firewall for Password Manager to function properly.

Administration Site
  • Port 80 (Default HTTP) TCP Inbound

  • Port 443 (Default HTTPS) TCP Inbound/Outbound

  • Port 8081 TCP Inbound/Outbound

  • Port 25 (Default SMTP port) TCP Outbound

  • Port 135 TCP Inbound/Outbound

Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites
  • Port 80 (Default HTTP) TCP Inbound

  • Port 443 (Default HTTPS) TCP Inbound/Outbound

  • Port 8081 TCP Inbound/Outbound

  • The Password Manager Self-Service Site has all functionality similar to the Legacy Self-Service Site with a new and improved user interface. The Password Manager Self-Service Site can co-exist along with the already existing Legacy Self-Service Site and you can select to revert anytime to the Legacy Self-Service Site.

Password Manager Service
  • Port 53 (Outgoing DNS lookups) UDP Outbound

  • Port 88 (Kerberos Authentication) TCP/UDP Outbound

  • Port 389 (LDAP Access) TCP/UDP Outbound

  • Port 636 (LDAP Access) TCP Outbound

  • Port 137 (NetBIOS Name Service) TCP Outbound

  • Port 139 (NetBIOS Session Service) TCP Outbound

SQL Server
  • Port 1433 (SQL Server) TCP/UDP Outbound

  • Port 1434 (SQL Server Browser Service) TCP/UDP Outbound

Report Server
  • Port 80 (SQL Server Report Services) TCP Outbound

Email Notification
  • Port 25 (Default SMTP port) TCP Outbound

One Identity Quick Connect Sync Engine
  • Port 808 TCP Outbound

  • Secure Password Extension
    • Port 80 (Default HTTP) TCP Outbound

    • Port 88 (Kerberos Authentication) UDP Outbound

    • Port 389 (LDAP Access) TCP Outbound

    • Port 443 (Default HTTPS) TCP Outbound

    Telesign
    • Port 443 TCP Outbound

    Defender
    • Port specified in the activity settings (Authenticate with Defender)

    BitLocker with MBAM
    • Port specified in the activity settings (Issue BitLocker recovery key)

    Related Documents

    The document was helpful.

    Seleziona valutazione

    I easily found the information I needed.

    Seleziona valutazione