Chat now with support
Chat with Support

Password Manager 5.13.1 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Legacy Self-Service Site and Password Manager Self-Service site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Legacy Self-Service or Password Manager Self-Service site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Glossary

How to use phone-based authentication

To use phone-based authentication on the Self-Service and Helpdesk sites, add the Authenticate via Phone activity in self-service and helpdesk workflows. When configuring this activity, you can specify Active Directory attributes from which phone numbers can be retrieved, and available authentication methods: that is, SMS or automated voice call.

Phone numbers that belong to Private Branch Exchange (PBX) are also supported. PBX phones require either a live switchboard operator or an automated attendant to complete the call. By default, Password Manager supports automated attendant scenario. It can be configured for live operators by changing PhoneNumberExtensionType parameter in QPM.Service.Host.exe.config file. For automated attendants, set PhoneNumberExtensionType to 1 and for live operators, set PhoneNumberExtensionType to 2.

For PhoneNumberExtensionType set to 1 (DTMF digits are dialed), include commas in the PhoneNumberExtensionTemplate, where each comma represents one second pause in the dialing sequence. To increase the pause in the dialing sequence, add the required number of commas in PhoneNumberExtensionTemplate in the configuration file.

NOTE: The phone number extension must be configured with extension separator in the Active Directory. Phone number with extension must have "x" or "X" in it to separate the extension number from the phone number as given in the following examples:

+91-98881234567 Extension 1234

+91-98881234567 Ext 1234

+91-98881234567 Extn 1234

+91-98861234567 x 1234

+91-98861234567 Ex 1234

For more information on configuring this activity, see Authenticate via Phone.

System requirements

To use the phone-based authentication service, the following requirements must be met:

  • You have a valid license for the phone-based authentication service (see the About page of the Administration site for the service status).

  • Outbound SSL connections are allowed from the computer on which Password Manager Service runs to the following address: https://*.telesign.com. * can be replaced with any valid subdomain name; for example, https://api.telesign.com or https://www.telesign.com.

Configuring Management Policy

After initializing the Administration site, you need to configure the default Management Policy to enable users to use the Self-Service site.

The required settings you need to configure for the Management Policy are a user scope and secret questions.

Configuring Permissions for Access Account

When you connect to an AD LDS instance, you can create a new connection or use existing connections, if any. When creating the connection, you must specify an access account - an account under which Password Manager will access the AD LDS instance and a specified application directory partition. You can use the Password Manager Service account, an Active Directory account or an AD LDS account. These accounts must have the following minimum set of permissions:

  • Membership in the Domain Users group (for the Password Manager Service account and the Active Directory account)

  • Membership in the Readers group in the application directory partition (for the AD LDS account)

  • Membership in the Administrators group in the configuration directory partition

  • The Read permission for all attributes of user objects

  • The Write permission for the following attributes of user objects: pwdLastSet, Comment, unicodePwd, lockoutTime, msDS-UserAccountDisabled

    NOTE: If the Storage attribute for Security questions under Reinitialization page is a custom value (say userParameters), then the Write permissions must be provided for that attribute instead of Comment attribute.

  • The right to reset user passwords

  • The permission to create user accounts and containers in the Users container

  • The Read permission for attributes of the organizationalUnit object and container objects

  • The Write permission for the gpLink attribute of the organizationalUnit objects and container objects

  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers

  • The permission to create container objects in the System container

  • The permission to create the serviceConnectionPoint objects in the System container

  • The permission to delete the serviceConnectionPoint objects in the System container

  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

    If you want to use the same connection in password policies as well, make sure the account has the following permissions:

  • The Read permission for attributes of the groupPolicyContainer objects.

  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.

  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.

  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.

  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.

Corporate Authentication

In the Register workflow, if the administrator selects Corporate authentication check box, the user can only review the corporate account details during registration. If Allow user to edit corporate details is selected, the user can update their respective corporate details, such as Corporate email or Corporate phone number, if the administrator did not previously populate the details in Active Directory (AD).

If Corporate authentication registration mode is selected in the Register activity, make sure that Domain management account has the following set of permissions.

  1. The read permission for Corporate email attribute and Corporate phone attribute where, Mobile is the default attribute for the Corporate phone.

  2. If Allow user to edit corporate details is selected under Corporate authentication, both Read and Write permission must be available for Corporate email attribute and Corporate phone attribute, where Mobile is the default attribute for the Corporate phone.

NOTE: If the Corporate phone attribute under Reinitialization page is a custom value (for example, pager), the Read/Write Permissions must be provided for that attribute instead of the mobile attribute.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating