Password Manager for AD LDS Components
Password Manager for AD LDS includes the following components:
About Password Manager
Getting Started
Different Site for Different Roles
Password Manager Components
Licensing
Checklist: Installing Password Manager
Installing Password Manager
Upgrading Password Manager
Password Manager Architecture
Configuring Password Manager Service Account and Application Pool Identity
Enabling HTTPS
Steps to Install Password Manager
Extending AD LDS Schema
Instance Initialization
Installing Self-Service, New Self-Service (Preview), and Helpdesk Sites on a Standalone Server
Installing Multiple Instances of Password Manager
FailSafe support in Password Manager
Specifying Custom Certificates for Authentication and Traffic EncryptionBetween Password Manager Service and Web Sites
Password Manager Components and Third-Party Solutions
Management Policies
Password Manager Service and Administration Site
Self-Service Site
Helpdesk Site
TeleSign
SQL Server Database and SQL Server Reporting Services
Quick Connect Sync Engine
Defender
Starling Two-Factor Authentication
RADIUS Two-Factor Authentication
Redistributable Secret Management Service
Location sensitive authentication
Working with Power BI
Password Manager Credential Checker
Typical Deployment Scenarios
Simple Deployment
Deployment of the Self-Service and Helpdesk Siteson Standalone Servers
Realm Deployment
Multiple Realm Deployment
Password Manager in Perimeter Network
Management Policy Overview
Password Policy Overview
reCAPTCHA Overview
How It Works
How to Use reCAPTCHA on Password Manager Sites
System Requirements for Using reCAPTCHA
References
User Enrollment Process Overview
Questions and Answers Policy Overview
Data Replication
Phone-Based Authentication Service Overview
Configuring Management Policy
Checklist: Configuring Password Manager
Understanding Management Policies
Configuring Access to the Administration Site
Configuring Access to the Self-Service Site
Configuring Access to the Helpdesk Site
Configuring Questions and Answers Policy
Workflow overview
Custom workflows
Custom Activities
General Settings
Custom Activity Settings
Creating Custom Activities
Importing and Exporting Custom Activities
Removing Custom Activities
Self-Service Workflows
Register
Manage My Profile
Forgot My Password
Manage My Passwords
Unlock My Account
My Notifications
I Have a Passcode
Overview of Built-in Self-Service Activities
Helpdesk Workflows
Authentication Activities
Display CAPTCHA
Display reCAPTCHA
Authentication Methods
Authenticate with Password
Authenticate with Q&A Profile (Random Questions)
Authenticate with Q&A Profile (Specific Questions)
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Authenticate via Phone
Authenticate with Passcode
Action Activities
Edit Q&A Profile
Reset Password in AD LDS
Change Password in AD LDS
Reset Password in AD LDS and Connected Systems
Change Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Subscribe to Notifications
Lock Q&A Profile
Display User Agreement
Restart Workflow if Error Occurs
Notification Activities
Verify User Identity
Assign Passcode
Reset Password
Unlock Account
Unlock Profile
Enforce Update of Profile
Overview of Built-in Helpdesk Activities
User Enforcement Rules
Authentication Activities
Authentication Methods
Authenticate with Q&A Profile
Authenticate via Phone
Authenticate with Defender
Authenticate with Starling Two-Factor Authentication
Authenticate with RADIUS Two-Factor Authentication
Action Activities
Reset Password in AD LDS
Reset Password in AD LDS and Connected Systems
Unlock Account
Enable Account
Force User to Change Password at Next Logon
Assign Passcode
Unlock Q&A Profile
Enforce Update of Q&A Profile
Restart Workflow if Error Occurs
Notification Activities
General Settings Overview
Search and Logon Options
Password Policies
Configuring Search and Security Options for the Self-Service Site
Configuring Search Options for the Helpdesk Site
Configuring Security Settings
Import/Export Configuration Settings
Outgoing Mail Servers
Diagnostic Logging
Scheduled Tasks
Invitation to Create/Update Profile Task
Reminder to Create/Update Profile Task
Reminder to Change Password Task
Maximum Password Age Policy Task
Update RADIUS server status
User Status Statistics Task
Clear Old Records from Reporting Database
Web Interface Customization
Instance Reinitialization
Realm Instances
AD LDS Instance Connections
Using Connections to AD LDS Instances
Specifying Access Account for AD LDS Instance Connections
Changing Access Account for AD LDS Instance Connections
Removing Connection to AD LDS Instance
Extensibility Features
RADIUS Two-Factor Authentication
Unregistering users from Password Manager
Working with Redistributable Secret Management account
Redistributable Secret Management Service supported platforms
Customizing Redistributable Secret Management log path
Email Templates
About Password Policies
Creating a Password Policy
Managing Password Policy Scope
Configuring Password Policy Rules
One Identity Starling
Reporting
Password Compliance
Password Age Rule
Length Rule
Complexity Rule
Required Characters Rule
Disallowed Characters Rule
Sequence Rule
User Properties Rule
Symmetry Rule
Custom Rule
Deleting a Password Policy
Reporting and User Action History Overview
Appendix A: Accounts Used in Password Manager for AD LDS
Setting Up Reporting Environment
Using Reports
User Action History
Managing Connections to SQL Server and Report Server
Best Practices for Configuring Reporting Services
Password Manager Service Account
Application Pool Identity
Access Account for Application Directory Partition Connection
Account for Using One Identity Quick Connect
Appendix B: Open Communication Ports for Password Manager for AD LDS
Appendix C: Customization Options Overview
Customization of Steps in Self-Service and Helpdesk Tasks
Email Notification Customization
User Agreement Customization
Account Search Options Customization
Web Interface Customization
Customization of Password Policies List
Customization of Password Strength Meter
Glossary
Password Manager Components
Licensing
The Password Manager license specifies the maximum number of user accounts in the Password Manager across all domains. The Admin can identify whether the installation is legally compliant or not by running the User Status Statistics (USS) tasks, where the scheduler counts the actual number of user accounts, and compares it with the maximum number specified by the license. If a deviation occurs between the actual licenses purchased and the number of users using it, the status of the license changes accordingly in the Admin site indicating whether the installation is compliant or not.
To view the compliance statuses of the license
- Login to the Admin site.
- On the left pane, click Licensing. The Licenses page appears.
- Click the Licenses tab and view the Compliant column.
In the Licenses page, you can view the licensing information of both Password Manager and Telephone Verification, if needed.
The table below provides more information on various compliant status.
|
Conditions |
Status | Description |
|
If the total number of users in the user scope exceeds the purchased license or if the license expires |
 |
Appears when the license is not compliant. |
|
If the total number of users in the user scope matches with the purchased license or when the user count does not exceed, and the license does not expire |
 |
Appears when the license is compliant. |
|
If the total number of users exceeds the purchased license or if the license expires |
 |
Appears when the license is not compliant. By clicking this icon, a pop up window appears indicating the reason for not being compliant. |
To view the license number, navigate to the About section in the Administration site and click Licenses tab. The License Number appears.
In the event of a license violation, you have the following options
- Exclude the additional number of user accounts from the user accounts managed by Password Manager to bring your license count in line with the licensed value and run the User Status Statistics(USS) scheduled task in the Administration site to recalculate and display the new user counts.
- Remove one or more managed AD LDS instances to decrease the number of managed user accounts.
- Purchase a new license with a greater number of user accounts, and then update your license using the instructions provided later in this section.
Note that the following items are not limited by the license
Installing the License
The license is initially installed when you install the Password Manager:
- In the Installation Wizard, click Licenses to display the License status dialog box.
- Click Browse license, locate and open your license key file using the Select License File dialog box, and then click Close.
Some license types may include counters for managed persons and managed external persons along with a counter for user accounts. Managed persons are users that have several accounts; for example, one managed person can have three user accounts. Managed external persons are external or temporary employees. The same license violation policy is applied to managed persons and managed external persons as to user accounts. To specify these user groups, use the corresponding license scopes after you install Password Manager.
Note, that such scopes are available only if your license includes managed persons and managed external persons.
To add AD LDS instance to the managed persons scope
- On the menu bar of the Administration site, click Licensing.
- On the Licenses page, click the Managed Persons tab.
- On the Scope of Managed Persons page, click Connect to AD LDS instance.
- If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.
- If you selected to create the new connection, in the Connect to AD LDS Instance dialog, configure the following options:
- In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.
- In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, LDAP port number. It is recommended to use SSL in your production environment.
- In the Application directory partition text box, enter the name of the application directory partition from the AD LDS instance to which you want to connect.
- In the Application directory partition alias text box, type the alias for the application directory partition which will be used to address the partition on the Self-Service site.
- In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account, otherwise, select The following Active Directory account or The following AD LDS account radio button and enter the required user name and password.
For information on how to prepare the access account, see Configuring Permissions for Access Account.
- Click Save.
To specify groups or OUs included in the scope of managed persons
- On the menu bar of the Administration site, click Licensing.
- On the Licenses page, click the Managed Persons tab.
- On the Scope of Managed Persons page, select the connection for which you want to specify groups or OUs and click Edit.
- Do the following:
- To specify the groups, click Add under Groups included into the scope of managed persons.
- To specify the OUs, click Add under Organizational units included into the scope of managed persons.
- Click Save.
To specify groups or OUs excluded from the scope of managed persons
- On the menu bar of the Administration site, click Licensing.
- On the Licenses page, click the Managed Persons tab.
- On the Scope of Managed Persons page, select the connection for which you want to specify groups or OUs and click Edit.
- Do the following:
- To specify the groups, click Add under Groups excluded from the scope of managed persons.
- To specify the OUs, click Add under Organizational units excluded from the scope of managed persons.
- Click Save.
You can use the procedures below to specify the scope of managed external persons.
To add AD LDS instance to the managed external persons scope
- On the menu bar of the Administration site, click Licensing.
- On the Licenses page, click the Managed External Persons tab.
- On the Scope of Managed External Persons page, click Connect to AD LDS Instance.
- If connections already exist, select a connection from the list. If you want to create a new connection, click Add new connection.
- If you selected to create the new connection, in the Connect to AD LDS Instance dialog, configure the following options:
- In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.
- In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, LDAP port number. It is recommended to use SSL in your production environment.
- In the Application directory partition text box, enter the name of the application directory partition from the AD LDS instance to which you want to connect.
- In the Application directory partition alias text box, type the alias for the application directory partition which will be used to address the partition on the Self-Service site.
- In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account, otherwise, select The following Active Directory account or The following AD LDS account radio button and enter the required user name and password.
For information on how to prepare the access account, see Configuring Permissions for Access Account.
- Click Save.
To specify groups or OUs included in the scope of managed external persons
- On the menu bar of the Administration site, click Licensing.
- On the Licenses page, click the Managed External Persons tab.
- On the Scope of Managed External Persons page, select the connection for which you want to specify groups or OUs and click Edit.
- Do the following:
- To specify the groups, click Add under Groups included into the scope of managed external persons.
- To specify the OUs, click Add under Organizational units included into the scope of managed external persons.
- Click Save.
To specify groups or OUs excluded from the scope of managed external persons
- On the menu bar of the Administration site, click Licensing.
- On the Licenses page, click the Managed External Persons tab.
- On the Scope of Managed External Persons page, select the connection for which you want to specify groups or OUs and click Edit.
- Do the following:
- To specify the groups, click Add under Groups excluded from the scope of managed external persons.
- To specify the OUs, click Add under Organizational units excluded from the scope of managed external persons.
- Click Save.