Safeguard Authentication Services 5.0.2

Table of Contents

Privileged Access Suite for Unix

About this guide

Introducing One Identity Safeguard Authentication Services

About licenses System requirements

Windows and cloud requirements

Windows components Windows permissions

Unix agent requirements

Unix components Permissions matrix Encryption types

Management Console for Unix requirements

Network requirements

Installing and configuring Safeguard Authentication Services

Install the management console

Installing and configuring the management console

Install Safeguard Authentication Services Windows components

Installing Windows components Customizing installation options Installing using msiexec.exe

Configure Active Directory

Configuring Active Directory

About Active Directory configuration Join the host to AD without the Safeguard Authentication Services application configuration Version 3 Compatibility Mode

Configure Unix agent components

Set up Management Console for Unix wizard

Configure Console for Active Directory Logon dialog Set up console access by role dialog Identify Console dialog Set Supervisor Password dialog Summary dialog

Logging in to Management Console for Unix Prepare Unix hosts

Adding hosts to the management console Profiling hosts

Configuring automatic profiling

Installing software on hosts Checking readiness Joining hosts to Active Directory Check SAS agent status

Manually checking SAS agent status Configuring to automatically check agent status

Installing and joining from the Unix command line

The pre-installation diagnostic tool

Running preflight

The install script

Installing the Safeguard Authentication Services agent Installation script options

Licensing Safeguard Authentication Services

Verifying license information Installing licenses from the command line

Creating the application configuration from the Unix command line

Changing the schema configuration mode

Joining the domain

Joining the domain using VASTOOL Joining the domain using VASJOIN script Dynamic DNS update tool

Getting started with Safeguard Authentication Services

Getting acquainted with the Control Center

Group Policy

Filtering the list of GPOs Editing a GPO Generating a settings report Showing files Launching GPMC

Tools Preferences

Licensing

Adding licenses using the Control Center

Display specifiers

Registering display specifiers Unregistering display specifiers Display specifier registration tables

Global Unix Options Logging Options

Enabling debug logging on Windows

Starling Two-Factor Authentication

One Identity Starling integration

Starling Two-Factor Authentication requirements Setting up Starling users Joining Safeguard Authentication Services with Starling Configuring Starling to use a proxy server Starling Attributes: Configure LDAP attributes for use with push notifications Logging in with Starling Two-Factor Authentication Unjoining from Starling Disabling Starling 2FA for a specific PAM service

Schema Attributes

Unix Attributes

Active Directory schema extensions Configuring a custom schema mapping Active Directory optimization

Starling Attributes: Configure LDAP attributes for use with push notifications

Management Console for Unix Configuration

Learning the basics

Adding a local group Adding a local user account Adding an Active Directory group account Adding an Active Directory user account Changing the default Unix attributes Active Directory account administration

Enabling local user for AD authentication Testing the mapped user login Unix-enabling an Active Directory group Unix-enabling an Active Directory user Testing the Active Directory user login

Running reports

Reports

Host reports User reports Group reports Access & Privileges reports Product licenses usage report

Use Safeguard Authentication Services PowerShell

Unix-enabling a user and user group (PowerShell Console) PowerShell cmdlets

Change Auditor for Authentication Services

Installing Change Auditor for Authentication Services

Defender

Installing Defender

Troubleshooting

Getting help from technical support Disaster recovery Long startup delays on Windows Pointer Record updates are rejected Resolving DNS problems Resolving preflight failures Time synchronization problems Unable to install or upgrade Unable to join the domain Unable to log in vasypd has unsatisfied dependencies

Enterprise package deployment

Installing the agent package Agent upgrade commands

Restarting services

Uninstalling the agent packages Oracle Solaris 10 zones/containers support

Safeguard Authentication Services and Oracle Solaris 10 Zones installation guidelines

Installing licenses from the command line

Installing and joining from the Unix command line > Licensing Safeguard Authentication Services > Installing licenses from the command line

With root privileges, you can manually install a valid license by copying the new license file to the licenses directory on the Unix host.

To install a Safeguard Authentication Services license manually

Copy the license file to the /etc/opt/quest/vas/.licenses directory.
Ensure the permissions on the license file are set to 0644.

Restart vasd as root by running the command corresponding to your platform:

Linux/Oracle Solaris:
```
/etc/init.d/vasd restart
```
HPUX:
```
/sbin/init.d/vasd restart
```
AIX:
```
/etc/rc.d/init.d/vasd restart
```

macOS:

launchctl unload /Library/LaunchDaemons/com.quest.vasd.plist
launchctl load /Library/LaunchDaemons/com.quest.vasd.plist

Creating the application configuration from the Unix command line

Installing and joining from the Unix command line > Creating the application configuration from the Unix command line

Before you join a Unix client to an Active Directory domain, One Identity recommends that you create the application configuration in the domain to which you are joining to utilize full Safeguard Authentication Services 5.0.1 functionality. While the Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to help you configure Active Directory for Safeguard Authentication Services the first time you start the Control Center, you do not need to have a Windows console to create the application configuration. You can run the vastool configure ad command from the Unix command line to create it. This is typically a one-time process.

Note: You only need to create one Safeguard Authentication Services application configuration per forest. For more information, see Version 3 Compatibility Mode.

To create the Safeguard Authentication Services application configuration

Run the following command from the Unix command line:
```
# /opt/quest/bin/vastool ad -u <user> configure -d <domain>
```
By default, Safeguard Authentication Services creates the application configuration in the Program Data container; however, if you do not have rights to create an organizational unit in the Program Data container, you can create the Safeguard Authentication Services application configuration in any location you have rights to by specifying the DN (distinguished name) of the creation location, as follows:
```
vastool -u <user> configure -d <domain> ou cn=myou,dc=example,dc=com
```
Enter the user’s password when prompted.

Changing the schema configuration mode

Installing and joining from the Unix command line > Creating the application configuration from the Unix command line > Changing the schema configuration mode

When you create the Safeguard Authentication Services application configuration, you set the global schema configuration mode to R2 by default. However, you can optionally configure Safeguard Authentication Services for "schemaless" operation using the schema configure command.

To switch to a schemaless configuration

Run the following command:
```
# /opt/quest/bin/vastool -u <user> schema -d <domain> configure schemaless
```
The schema configure command only allows you to set the schema mode to either R2 or "schemaless" modes. To set the schema configuration to any other mode, you must do so from the Control Center Preferences.
Enter the user’s password when prompted.

Joining the domain

Installing and joining from the Unix command line > Joining the domain

For full Safeguard Authentication Services functionality on Unix, you must join the Unix system on which you installed the Safeguard Authentication Services agent to the Active Directory domain. You can join an Active Directory domain either by running vastool join from the command line or the interactive join script, vasjoin.sh.

Before you join the Unix host to the Active Directory domain, you may want to determine if you are already joined.

To determine if you are joined to an Active Directory domain

Run the following command:

# /opt/quest/bin/vastool info domain

If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain, you will see the following error:

ERROR: No domain could be found.
ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm
default_realm not configured in vas.conf. Computer may not be joined to domain

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard Authentication Services 5.0.2 - Installation Guide

Installing licenses from the command line

Creating the application configuration from the Unix command line

Changing the schema configuration mode

Joining the domain