Converse agora com nosso suporte
Chat com o suporte

Password Manager 5.13.0 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Upgrading Password Manager Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email Templates
Password Policies Enable S2FA for Administrators and Enable S2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Open Communication Ports for Password Manager for AD LDS Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Glossary

Configuring Password Manager Secure Token Server

Before the first visit of STS settings, you need to have a binding for your Password Manager site in IIS with the same port that is present in the <Password Manager installation folder>\One Identity\Password Manager\Service\QPM.Service.Host.exe.config under the StsHttpsPort key. By default 20000 is used.

To start using Password Manager STS

  1. Open the IIS manager and create an HTTPS binding with this port for Password Manager sites.

  2. On the home page of the Administration site, click General Settings > Secure Token Server. The Secure Token Server page is displayed.

  3. To change the Password Manager STS settings, if you are prompted to enter RSTS client secret, provide the password. The default password is admin.

    The default secret for Password Manager STS is admin. Password Manager will prompt administrators to change the current secret if it is still set to admin. This password will be shared between Password Manager and Password Manager STS instances.

    CAUTION: For security reasons, you must change the password immediately after you have logged in to the configuration interface the first time.

    To change the password, go to Server settings > Administration Password.

To configure the port used by Password Manager STS

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. Click Set SSL. A modal is displayed with Port setting, SSL Certificate setting and Firewall setting.

  3. Set the desired port number and set a certificate which will be used for encrypting the communication. The selected certificate will be used only if there are no other settings are set in IIS for that port.

  4. (Optional) Administrators can select whether Password Manager should create the firewall rules for the newly selected port.

To set authentication providers

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. Under Add, edit or remove Secure Token Server authentication providers, click Add. A modal is displayed.

  3. Select an authentication provider type and its settings will be displayed in the modal. After entering the required settings, you can submit the form to create the authentication provider.

  4. The new authentication provider is displayed in the table above the Add button. To create and attach a new 2FA provider to the newly created authentication provider, click Add new 2FA.

To configure STS Server Settings

  1. On the home page of the Administration site, navigate to General Settings > Secure Token Server. The Secure Token Server page is displayed.

  2. Click Server Settings. A modal is displayed.

  3. After you have set the desired settings, click Save.

Provider-specific informations: Duo

In the Duo admin interface you need to create a Web SDK type application to connect with Password Manager STS.

IP range-based rules for hostname resolution

The IP range-based hostname resolution feature allows administrators to define specific IPv4 ranges using IP addresses and subnet masks, and associate hostnames with these ranges.

When a client makes a request to the server, it checks the client's IP address against the predefined ranges. If the client's IP falls within any of the defined ranges, the server responds by providing the corresponding hostname associated with that range to access Secure Token Server (STS).

This feature is particularly useful for network administrators who want to assign custom hostnames or apply specific configurations based on the clients' IP addresses. It enhances security and control by allowing targeted responses based on IP range assignments.

To access this configuration feature on the PMAdmin site, navigate to General Settings > Secure Token Server page.

Unregistering users from Password Manager

Using the unregister feature, users registered to the Password Manager can be removed. Note that the user is removed only from the Password Manager and not Active Directory.

To unregister a user from the Password Manager

  1. On the home page of the Administration site, click General Settings | Unregister Users.

  2. On the Unregister Users page:

    • If you want to unregister individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.
    • If you want to select a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.
    • If you want to select the entire organization unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Add.

  3. Click Unregister User to unregister the users.

NOTE:

  • If you want to run the task at a specified time, select the Schedule at check box to specify the time to run the task and click Save.
  • If a task to unregister an user is scheduled at a later time and you want to unregister the user at the current instance, click Remove Setting to delete the scheduled task settings and click Save.

  • If you have the Domain management account configured with a user other than the Active Directory Administrator then, make sure that the Write permissions are available to the storage attribute of the security questions (comment, by default) for all the users/ groups/OUs that is configured to be unregistered.

  • If the users/ groups/ OUs that needs to be unregistered are a member of Readers/ Administrators group in the ADLDS then, the Write Permissions are already inherited.

Bulk Force Password Reset

Use the Bulk Force Password Reset feature to force selected users, groups and organizational units to change their passwords.

To enforce a password change for users

  1. On the home page of the Administration site, click General Settings > Bulk Force Password Reset.

  2. On the Bulk Force Password Reset page:

    • If you want to enforce password change for individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.

    • If you want to enforce password change for a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.

    • If you want to enforce password change for the entire organizational unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Save.

  3. Click Reset Passwords.

NOTE: Consider the following when using the Bulk Force Password Reset feature:

  • Password reset is achieved by setting the Users must change password at next logon flag of the selected user(s) to true. This flag cannot be set to true, if the Password never expires flag is also true.

  • If you have the Domain management account configured with a user other than the Active Directory Administrator, make sure that write permissions are given to the pwdlastset attribute.

Fido2 key management

Use the Fido2 key management feature to unpair FIDO2 keys from selected users, groups and organizational units.

TO unpair Fido2 keys

  1. On the home page of the Administration site, navigate to General Settings > Fido2 key management.

  2. On the Fido2 key management page:

    • If you want to unpair Fido2 keys from individual users, expand the Select Users tree, click Add, manually search for the individual user, select the required user from the results, and click Save.

    • If you want to unpair Fido2 keys from a user group, expand the Select Groups tree, click Add, manually search for the individual groups, select the required group from the results, and click Save.

    • If you want to unpair Fido2 keys from the entire Organizational Unit (OU), expand the Select Organizational Units tree, click Add, manually search for the individual OU, select the required OU from the results, and click Save.

  3. Click Delete Fido2 Key(s).

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação