Chat now with support
Chat with Support

Identity Manager 9.1.2 - Password Capture Agent Administration Guide

The One Identity Manager Password Capture Agent Managing the Password Capture Agent Fine-tuning automated password synchronization The Password Capture Agent Windows PowerShell module Event log for the Password Capture Agent Customizing security for the Password Capture Agent service Achieving high availability for the web service with Windows Network Load Balancing Installing the Password Capture Agent with MSIEXEC Certificate lookup options Known error codes

Secured configuration parameters

The configuration parameters in this section are secured using the Microsoft Cryptography API and are not directly accessible. If you want to change or review these parameters after installing the Password Capture Agent installation, use either the Set-ServiceConfig.exe command line or the Password Capture Agent Windows PowerShell module.

The command line is supplied with the Password Capture Agent and is located in the Password Capture Agent installation folder ...\Service.

Example: local

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" WebServiceClientSkipHttpsValidation:0

NOTE: Retrieving secured configuration parameters requires a privileged user account. The process used to query for secured configuration parameters must be elevated to retrieve parameter values.

Secured configuration parameters for Password Capture Agent

WebServiceType

Specifies whether the web service should be accessed using the One Identity Manager application server (REST) or the One Identity ManagerSOAP Web Service (Soap).

It is strongly recommended you use the One Identity Manager application server. The One Identity ManagerSOAP Web Service support is only included for backward compatibility to One Identity Manager version 6.x and should not be used anymore.

Values: REST | Soap

Default: REST

WebServiceClientSkipHttpsValidation

If 1 (enabled), HTTPS connections are established without validation.

This is potentially unsecured and should never be used in production.

Values: 0 | 1

Default: 0

WebServiceClientCredentialType

Specifies if the authentication against the Internet Information Services (IIS) should use Windows integrated authentication or certificate based authentication.

Values: WindowsIntegrated | Certificate

Default: WindowsIntegrated

WebServiceClientCredentialCertificateFindByType

Specifies how to search for the authentication certificate. Used in combination with WebServiceClientCredentialType=Certificate.

Values: All values of the X509FindType-enumeration are allowed.

Default: FindByThumbprint

WebServiceClientCredentialCertificate

Finds the certificate based on the find type defined in the WebServiceClientCredentialCertificateFindByType parameter. Used in combination with WebServiceClientCredentialType=Certificate.

BackendClientCredentialType

Specifies how to authenticate against One Identity Manager. WebADS and ADSAccount reuse the Windows credentials used for authentication against IIS.

  • ADSAccount = One Identity Manager 7.x or later

  • WebADS = One Identity Manager 6.1.x

Values: DialogUser | WebADS | ADSAccount

Default: DialogUser

BackendClientCredentialUserName

Specifies a system user for the authentication against One Identity Manager. Used in combination with BackendClientCredentialType=DialogUser.

Default: viCaptureAgent

BackendClientCredentialUserPwd

Specifies the password of the system user used for authentication against One Identity Manager. Used in combination with BackendClientCredentialType=Dialog User.

NOTE: BackendClientCredentialUserPwd is a write-only parameter. The currently configured value cannot be retrieved using Set-ServiceConfig.

BackendClientCredentialUserPwd_AcceptEmpty

Required if your system user uses a blank password. This is potentially unsecured and should never be used in production. Used in combination with BackendClientCredentialType=DialogUser.

Values: 0 | 1

Default: 1

Example: Retrieve information about a secured configuration parameter

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" Describe:WebServiceClientCredentialType

Configuration parameter 'BackendClientCredentialType':

Name: BackendClientCredentialType

Possible values: DialogUser;WebADS;ADSAccount

Default value: DialogUser

Corresponding installer property: PROP_BACKEND_CLIENT_CREDENTIAL_TYPE

Description: Specify one of the credential types for authentication against the One Identity Manager

Present in installer GUI: Yes

Write only (read out not allowed): No

Read only (setting not allowed): No

Public in registry: No

Hint:

Comment:

Example: Retrieving a secured configuration parameter

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" Get:WebServiceClientCredentialType

WebServiceClientCredentialType=Certificate

Value was written to stderr.

Get configuration parameter - operation done.

Related topics

Authentication options

The One Identity Manager Password Capture Agent supports several authentication options that can be configured separately for authentication against the IIS hosting the web service and for the authentication against the One Identity Manager database.

Detailed information about this topic

Authentication against the web service

Authentication against the web service can be configured with the secured WebServiceClientCredentialType parameter.

Permitted values are:

  • WindowsIntegrated: Uses the credentials of the user running the Password Capture Agent service to authenticate against the IIS hosting the web service. By default, this is the Local System user that uses the machine account to authenticate over the network. You can change the user of the Password Capture Agent service. The user requires administrative privileges to access the configuration parameters.

  • Certificate: Uses a certificate to authenticate against the IIS hosting the web service. The certificates are searched in Cert:\CurrentUser\My\ and, if not found there, are searched in Cert:\LocalMachine\My\. Ensure that the user running the Password Capture Agent service has permissions to access the private key of the certificate.

Related topics

Authentication against One Identity Manager

Authentication against the One Identity Manager database can be configured with the secured BackendClientCredentialType parameter.

Permitted values are:

  • DialogUser: The One Identity Manager Service uses the credentials stored in the BackendClientCredentialUserName parameter and the BackendClientCredentialPwd parameter to log in as a One Identity Manager system user.

    You can test your configuration by running the Object Browser with the system user login.

  • ADSAccount: This option uses the credentials of the user running the Password Capture Agent service to authenticate against the One Identity Manager database. This option works for One Identity Manager version 7.x or later.

    NOTE: The user account must be synchronized by the One Identity Manager database and needs to be linked to an employee whose system user property is set accordingly. A machine account will not be able to authenticate against the One Identity Manager database.

    You can test your configuration by running the Object Browser with the same credentials as the Password Capture Agent service and using the Active Directory user account login.

  • WebADS: This option behaves the same as ADSAccount but also works for One Identity Manager version 6.1.x.

Example: Windows authentication and One Identity Manager system user login

The Password Capture Agent service uses Windows authentication to authenticate against the IIS with the web service running. To authenticate against One Identity Manager, the system user viCaptureAgent is used.

  • Prerequisites

    Configure the IIS site to only use Windows authentication for the web service.

  • Testing

    You should be able to access the web service with a browser and the given WindowsActive Directory user account. Start a Windows PowerShell and try to access the web service using the given user account.

    Invoke-WebRequest -Uri https://<servername.domain.com>/AppServer/ -Credential $(Get-Credential <AD domain>\<AD user account>)

    You should be able to log into the Object Browser using the system user login and the credentials provided.

  • Password Capture Agent configuration settings

    • WebServiceClientCredentialType = WindowsIntegrated

    • BackendClientCredentialType = DialogUser

    • BackendClientCredentialUserName = viCaptureAgent

    • BackendClientCredentialUserPwd = viCaptureAgentPasswordHere

Example: Windows authentication and Active Directory login

The Password Capture Agent service uses Windows authentication to authenticate against the IIS with the web service running. The Windows user account used to authenticate against the IIS will be reused to authentication against One Identity Manager.

  • Prerequisites

    • Configure the IIS site to only use Windows authentication for the web service.

    • Configure IIS site to allow given users to access the web service (authorization).

    • The Password Capture Agent service is not allowed to run as Local System and requires an administrative user account to run with.

    • Given user accounts must be known to the One Identity Manager database and must be linked to an employee who has a system user configured to use for this type of authentication.

  • Testing

    You should be able to access the web service with a browser and the given Active Directory user account. Start a Windows PowerShell and try to access the web service using the given user account.

    Invoke-WebRequest -Uri https://<servername.domain.com>/AppServer/ -Credential $(Get-Credential <ADDomain>\<ADUser>)

    You can test your configuration by running the Object Browser as the given user account and using the Active Directory user account login.

  • Password Capture Agent configuration settings

    • WebServiceClientCredentialType = WindowsIntegrated

    • BackendClientCredentialType = ADSAccount

Example: Certificate authentication and One Identity Manager system user login

This scenario allows you to connect from a host outside of your Active Directory domain. Stored credentials will be used to authenticate against One Identity Manager as system user.

  • Prerequisites

    • Configure the IIS site to use HTTPS and Client Certificate Mapping. If you are not using Active Directory Certificate Services, you need to map the certificate to an Active Directory user account within IIS.

    • Client certificate with private key installed on the domain controller.

  • Testing

    You should be able to access the web service with a browser using the given certificate. Start a Windows PowerShell as the user with the assigned certificate and try to access the web service.

    Invoke-WebRequest -Uri https://<servername.domain.com>/AppServer/ -CertificateThumbprint <ThumbprintOfGivenCertificate>

    You should be able to log into the Object Browser using the system user login and credentials.

  • Password Capture Agent configuration settings

    • WebServiceClientCredentialType = Certificate

    • WebServiceClientCredentialCertificateFindByType = FindByThumbprint

    • WebServiceClientCredentialCertificate = 0123456789ABCED0123456789ABCED0123456789

    • BackendClientCredentialType = DialogUser

    • BackendClientCredentialUserName = viCaptureAgent

    • BackendClientCredentialUserPwd = viCaptureAgentPasswordHere

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating