
Password Manager 5.11.1 - Administration Guide (AD LDS Edition)


Password Manager Credential Checker

The Password Manager Credential Checker is a set of PowerShell scripts that check whether a user's password has been compromised. It runs for the change password, reset password, change password in AD LDS and connected systems, and reset password in AD LDS and connected systems actions. By default, the Credential Checker PowerShell script implements the VeriClouds CredVerify leaked-password check, which queries the service with a segment of the password hash.

IMPORTANT: If you prefer to use another credential checker service, modify the Credential Checker PowerShell script appropriately.

Configuring Password Manager credential checker

  1. After Password Manager is installed, on the Password Manager Administrator portal, go to General settings | Extensibility and select Turn the credential checker mode on or off to enable the feature.

  2. In the Password Manager installation folder, open the compromised_password_checker script. It is located in <installation location>\One Identity\Password Manager\Service\Resources\CredentialChecker.

  3. Edit the script to provide the VeriClouds credentials:

    $url=<valid URL>
    $api_key=<valid Key>
    $api_secret=<valid api secret>

  4. Save the file.

When you enter a new password on the Self-Service site in any workflow, such as Forgot Password or Manage My Passwords, the Credential Checker validates the new password by checking whether it matches a password listed by VeriClouds. If it matches, the message Provided password is compromised, type another password. If you've ever used it anywhere before, change it! is displayed.

This feature does not apply when the user changes the password with CTRL+ALT+DELETE on the Windows logon screen.
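The following is an added illustration of the hash-segment pattern the Credential Checker script uses, not the compromised_password_checker script shipped with Password Manager: only a short prefix of the password hash is sent to the service, and the full hash is compared locally against the candidates returned. The endpoint URL, the header names, the SHA-1 prefix length, the response shape (an array of hash suffixes) and the exit-code convention are all assumptions and are not the VeriClouds CredVerify API.

```powershell
# Added example, not the product's shipped script. Service URL, header names,
# response format and exit codes are assumptions; replace them with the values
# documented by the credential checker service you actually use.
param(
    [Parameter(Mandatory = $true)][string]$Password
)

$url        = "https://example.invalid/api/v1/leaked"   # placeholder (assumption)
$api_key    = "<valid Key>"                              # placeholder
$api_secret = "<valid api secret>"                       # placeholder

function Get-Sha1Hex {
    # Hex-encoded SHA-1 of the UTF-8 password bytes (hash algorithm is an assumption).
    param([string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    try   { ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $sha1.Dispose() }
}

function Test-CompromisedPassword {
    param([string]$Password)
    $hash    = Get-Sha1Hex $Password
    $segment = $hash.Substring(0, 5)   # only this prefix leaves the host
    $headers = @{ "X-Api-Key" = $api_key; "X-Api-Secret" = $api_secret }  # assumed header names
    try {
        $resp = Invoke-RestMethod -Uri "$url/$segment" -Headers $headers -Method Get -TimeoutSec 10
    } catch {
        # Whether an unreachable service should block the password change is a
        # policy decision; this example logs and treats the check as inconclusive.
        Write-Warning "Credential check unavailable: $($_.Exception.Message)"
        return $false
    }
    # Assumed response: array of hex suffixes (full hash minus the 5-char prefix).
    foreach ($suffix in @($resp)) {
        if (($segment + $suffix) -eq $hash) { return $true }
    }
    return $false
}

if (Test-CompromisedPassword -Password $Password) {
    Write-Output "Provided password is compromised, type another password. If you've ever used it anywhere before, change it!"
    exit 1   # assumed convention: non-zero signals a compromised password
}
exit 0
```

The full password and its full hash never leave the host; the service sees only the 5-character prefix, so a compromised result can be determined without disclosing the candidate password to a third party.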

Typical Deployment Scenarios

This section describes typical deployment scenarios for Password Manager, including scenarios with installation of the Self-Service and Helpdesk sites on standalone servers, using realms, and others.

Simple Deployment


In this scenario, you install all main Password Manager components, that is, the Password Manager Service and the Administration, Self-Service, and Helpdesk sites, on a single server. This is the simplest deployment scenario, suitable for small environments and for demonstration purposes.

Deployment of the Self-Service and Helpdesk Sites on Standalone Servers

Deployment of the Legacy Self-Service, Password Manager Self-Service Site, and Helpdesk Sites on Standalone Servers


In this scenario, you install the Self-Service and/or Helpdesk sites on a standalone server. Note that the Administration site cannot be installed separately from the Password Manager Service.

You can use this scenario to deploy Password Manager in an environment with a perimeter network. Installing the Self-Service site in the perimeter network enhances the security of your environment by preventing direct access to your internal network.

When deploying Password Manager in an environment with the perimeter network, it is recommended to do a full installation of Password Manager in the internal corporate network, and then install the Self-Service site in the perimeter network.

When you use this installation scenario, only one port needs to be open in the firewall between the corporate network and the perimeter network (by default, port 8081 for the Self-Service site).
