
Password Manager 5.11.1 - Administration Guide (AD LDS Edition)


Installing Self-Service, New Self-Service (Preview), and Helpdesk Sites on a Standalone Server

Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server

Password Manager allows you to install the Legacy Self-Service, Password Manager Self-Service, and Helpdesk sites on a standalone server. For example, you can use this installation scenario to deploy Password Manager in a perimeter network (DMZ). For more information, see Typical Deployment Scenarios and Password Manager in Perimeter Network.

When deploying Password Manager in a perimeter network, it is recommended to first install the Password Manager Service and the sites in the corporate network (that is, use the Full installation option in the Password Manager setup), and then install only the Self-Service site in the perimeter network.

When you use this installation scenario, only one port should be open in the firewall between the corporate network and the perimeter network (by default, port number 8085 is used).
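One way to confirm the single-port rule from the perimeter server once the Password Manager Service is running in the corporate network. This is an added example, not part of the vendor's guide; the host name `pmservice.corp.example` and the list of ports expected to be closed are assumptions to adjust for your environment.

```powershell
# Added example: run on the perimeter (DMZ) web server.
# 8085 is the default port named in this guide; everything else here is a placeholder.
function Test-PerimeterExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServiceHost,
        [int]   $ServicePort  = 8085,
        # Constructed sample of ports that should NOT be reachable from the DMZ.
        [int[]] $MustBeClosed = @(135, 389, 445, 636, 3389, 5985)
    )

    # Probe the service port plus every port that is supposed to be filtered.
    $ports = @($ServicePort) + @($MustBeClosed | Where-Object { $_ -ne $ServicePort })

    foreach ($port in $ports) {
        $probe = Test-NetConnection -ComputerName $ServiceHost -Port $port `
                     -WarningAction SilentlyContinue
        $expectedOpen = ($port -eq $ServicePort)

        [pscustomobject]@{
            Port     = $port
            Expected = if ($expectedOpen) { 'Open' } else { 'Closed' }
            Actual   = if ($probe.TcpTestSucceeded) { 'Open' } else { 'Closed' }
            Ok       = ($probe.TcpTestSucceeded -eq $expectedOpen)
        }
    }
}

$report = Test-PerimeterExposure -ServiceHost 'pmservice.corp.example'
$report | Format-Table -AutoSize

# Any mismatch means the firewall does not implement the single-port design.
if ($report.Ok -contains $false) {
    Write-Warning 'Firewall between perimeter and corporate network does not match the single-port rule.'
}
```

A row with Expected `Closed` and Actual `Open` points to a firewall rule that is broader than this deployment scenario requires.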

To install Legacy Self-Service site, Password Manager Self-Service site, and Helpdesk sites on a standalone server

  1. Depending on the hardware, run Password Manager for AD LDS x64 from the autorun window of the installation CD.
  2. Read the license agreement, select I accept the terms in the license agreement, and then click Next.
  3. On the User Information page, specify the following options, and then click Next:
    Table 5: User and license information

    | Option | Action |
    |---|---|
    | Full name | Type your name |
    | Organization | Type the name of your organization |
    | Licenses | Click this button, and then specify the path to the license file. A license file is a file with the .ASC extension that you have obtained from your One Identity representative. |

  4. On the Custom Setup page, select the Legacy Self-Service Site, Password Manager Self-Service Site, and/or Helpdesk Site features, and then click Next.
  5. On the Specify Web Site and Application Pool Identity page, select the Web site name and specify the name and password for the account to be used as application pool identity, and then click Next. For more information on the requirements for the application pool identity, see Configuring Password Manager Service Account and Application Pool Identity.
  6. Click Install.
  7. When installation is complete, click Finish.

After you have installed the Self-Service and Helpdesk sites on a standalone server, you need to initialize the sites to start using them.

To initialize the Legacy Self-Service site or the Password Manager Self-Service site

  1. Open the Self-Service site by entering the following address: http(s)://<ComputerName>/PMUserADLDS, where <ComputerName> is the name of the computer on which the Self-Service site is installed. The Self-Service Site Initialization page will be displayed automatically.

NOTE: For the Password Manager Self-Service site, enter the following address: http(s)://<ComputerName>/PMSelfServiceADLDS.

  2. In the Computer name or IP address text box, specify the Password Manager Service host name or IP address.
  3. In the Port number text box, specify the port number that the Self-Service site will use to connect to the Password Manager Service.
  4. From the Certificate name drop-down list, select the name of the certificate to be used by this site. By default, Password Manager uses a built-in certificate issued by One Identity. You can specify a custom certificate for authentication and traffic encryption between the Password Manager Service and the Web sites (Self-Service and Helpdesk). For more information on using custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites.

IMPORTANT: Before selecting a custom certificate on the Self-Service site, specify a custom certificate on the Administration site.
  5. Click Save.

To initialize the Helpdesk site

  1. Open the Helpdesk site by entering the following address: http(s)://<ComputerName>/PMHelpdeskADLDS, where <ComputerName> is the name of the computer on which the Helpdesk site is installed. The Helpdesk Site Initialization page will be displayed automatically.
  2. In the Computer name or IP address text box, specify the Password Manager Service host name or IP address.
  3. In the Port number text box, specify the port number that the Helpdesk site will use to connect to the Password Manager Service.
  4. From the Certificate name drop-down list, select the name of the certificate to be used by this site. By default, Password Manager uses a built-in certificate issued by One Identity. You can specify a custom certificate for authentication and traffic encryption between the Password Manager Service and the Web sites (Self-Service and Helpdesk). For more information on using custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites.

IMPORTANT: Before selecting a custom certificate on the Helpdesk site, specify a custom certificate on the Administration site.
  5. Click Save.

Installing Multiple Instances of Password Manager

Several Password Manager instances sharing a common configuration are referred to as a realm. A realm is a group of Password Manager Service instances sharing all settings and having the same set of Management Policies, that is, the same user and helpdesk scopes, Q&A policy, and workflow settings. Password Manager realms provide for enhanced availability and fault tolerance. For more information, see Typical Deployment Scenarios.

Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.

To create a Password Manager Realm

  1. Export a configuration file from the instance belonging to the target realm.
    • To export instance settings to the configuration file, connect to the Administration site of the instance belonging to the target realm.
    • On the menu bar, click General Settings, then click Import/Export.
    • On the Import/Export Configuration Settings page, select the Export configuration settings option and enter the password to protect the configuration file. Click Export to save the configuration file.

IMPORTANT: Remember the password that you provide for the configuration file. You should enter this password when importing the configuration file for a new instance you want to join to the target realm.
  2. Install a new Password Manager instance by running Password Manager for AD LDS x86 or Password Manager for AD LDS x64 from the autorun window of the installation CD. For more information on the installation procedure, see Installing Multiple Instances of Password Manager.
  3. Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed. On the Instance Initialization page, select the A Replica of an existing instance option.
  4. Click Upload to select the configuration file that you exported from the instance belonging to the target realm.
  5. Enter the password to the configuration file and click Save.

FailSafe support in Password Manager

This feature allows a user to log in to the Helpdesk or Self-Service site when the Password Manager Service is unavailable.

The Helpdesk and Self-Service sites use the Password Manager Service to communicate with Active Directory. If the Password Manager Service is unavailable, authentication and other such services do not function. For such a scenario, Password Manager has an integrated FailSafe feature that automatically connects to another available Password Manager Service.

After the Helpdesk and Self-Service sites are initialized, the WcfServiceRealms.xml file is created. This file has records of all the installed instances of the Password Manager Service. If services in the primary instance of the Password Manager Service are unavailable, the user can use one of the realm instances listed in the WcfServiceRealms.xml file.

For example, the Helpdesk site is connected to PM service 1. If PM service 1 is non-functional, the integrated FailSafe feature automatically connects the Helpdesk site to PM service 2 so that tasks continue uninterrupted. After PM service 1 is restored, the Helpdesk site is connected back to the initially connected PM service, that is, PM service 1.

NOTE: FailSafe works in a distributed environment. If all the Password Manager components are installed on the same server, the FailSafe operation might not work as expected.

NOTE: The Self-Service and Helpdesk Site's URLs must be accessible from Password Manager Service.

Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites

When the Password Manager Service is installed on one computer and the Self-Service and Helpdesk sites are installed on other computers, certificate-based authentication and traffic encryption are used to protect traffic between these components.

By default, Password Manager uses built-in certificates issued by One Identity. However, you may want to install and use custom certificates issued by a trusted Windows-based certification authority.

This section provides instructions on how to start using custom certificates for authentication and traffic encryption between Password Manager components.

Complete the following steps:

  1. Obtain and install custom certificates from a trusted Windows-based certification authority.
  2. Provide the certificate issued for a server computer to the Password Manager Service.
  3. Provide the certificate issued for client computers to the Self-Service and Helpdesk sites.