
Password Manager 5.13.2 - Administration Guide

Quest Enterprise Single Sign-On (QESSO)

This section includes the information on how to configure Password Manager for use with Quest Enterprise Single Sign-On (QESSO). To implement the guidance in this section, you must have a working knowledge of Quest Enterprise Single Sign-On (QESSO).

Quest Enterprise Single Sign-on is a solution that provides users with the ability to access all applications on their desktop using a single user ID and password. After users have logged in, they can access password-protected applications on their desktop without the need to enter any further account details.

If an application requires a login name and password to be entered, QESSO remembers the entered details. The next time the application is started, QESSO automatically enters the required login name and password.

The account details for password-protected applications are encrypted using the user's logon password. When a user resets or changes this password, the encrypted data is lost. To prevent this data loss, Password Manager should be configured to notify QESSO about password changes, so that QESSO can re-encrypt the data using the new password.

To enable QESSO integration

  1. Run the QESSO Client 32-bit or 64-bit wizard on the server where Password Manager resides. The wizard is located on the Individual Components tab of the QESSO Autorun CD.

  2. Follow the wizard instructions.

  3. Install at least one of the following QESSO components on the server running a Password Manager instance:

    • SSOWatch

    • Advanced Login

    • Enterprise SSO Console

  4. Restart the Password Manager Service.

  5. On the Administration Site, open workflows for which you want to configure integration with QESSO. QESSO integration settings can be found in the following activities:

    • Reset password in Active Directory

    • Change password in Active Directory

    • Reset password in Active Directory and connected systems

    • Change password in Active Directory and connected systems

  6. In each required activity, select the Enable QESSO integration check box.

  7. Provide the account details for the QESSO administrator to be used for password resets.

  8. Click OK.

For the complete information about installing and using QESSO, see the documentation for QESSO.

Redistributable Secret Management Service

Redistributable Secret Management Service (rSMS) can be used to manage user passwords across multiple connected systems. Using the rSMS service, you can quickly synchronize passwords across connected systems. By default, the rSMS service is installed together with the Password Manager software.

For more information on creating an rSMS account, see Working with Redistributable Secret Management account.

For more information on resetting passwords in connected systems through embedded systems, see Reset password in connected systems through embedded connectors.

Alternative options

The Redistributable Secret Management Service (rSMS) feature can be used as an alternative to One Identity Quick Connect Sync Engine.

NOTE: The target platform IP address or hostname must not be the same server on which the One Identity rSMS service is installed.

Location sensitive authentication

The location sensitive authentication feature allows you to skip certain authentication methods for users who execute a workflow on the Self-Service Site from a defined corporate network. Using this feature, you can also restrict the capability of searching for users on the Self-Service Site from IP addresses that are not within the defined corporate IP address range. For more information on restricting the user search, see Configuring account search options.

IMPORTANT: It is mandatory to have at least one authentication method for users accessing the application from the defined corporate network.

You can use the location sensitive authentication feature with any of the following authentication activities:

  • Q&A profile (random questions)

  • Q&A profile (specific questions)

  • Q&A profile (user-selected questions)

  • Defender

  • RADIUS Two-Factor Authentication

  • Phone

Configuring corporate IP address range

You must specify a defined corporate IP address range, which is used to determine whether users are executing the workflow from an internal or an external network.

  1. On the home page of the Administration Site, click General Settings > Corporate IP Address Ranges.

  2. On the Corporate IP Address Ranges page, click Add Corporate IP Address Range.

  3. Provide the Network Address and Subnet Mask.

  4. Click Save.

    The corporate IP address range is successfully added.

To edit a defined corporate IP address range, click Edit. To delete a defined corporate IP address range, click Remove.
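The following is an added example, not code from Password Manager, that models the decision described above: a request is treated as internal when its source address falls inside one of the configured Network Address / Subnet Mask ranges, and only then are the activities marked as skippable dropped from the workflow. The range values, the activity list and the `skip_from_corporate` flag are constructed for illustration; the rule that at least one authentication method must remain for corporate-network users is the one stated in the IMPORTANT note above.

```python
"""Model of the corporate IP range check behind location sensitive
authentication. Added example; not One Identity's implementation."""
import ipaddress

# Constructed sample of what an administrator enters under
# General Settings > Corporate IP Address Ranges (network address, subnet mask).
CORPORATE_RANGES = [
    ("10.20.0.0", "255.255.0.0"),
    ("192.168.50.0", "255.255.255.0"),
]

# Constructed sample workflow: the authentication activities it contains and
# which of them the administrator chose to skip for corporate-network requests.
AUTH_ACTIVITIES = [
    {"name": "Q&A profile (random questions)", "skip_from_corporate": False},
    {"name": "RADIUS Two-Factor Authentication", "skip_from_corporate": True},
    {"name": "Phone", "skip_from_corporate": True},
]


def build_networks(ranges):
    """Turn (network address, subnet mask) pairs into ip_network objects."""
    networks = []
    for address, mask in ranges:
        # strict=False tolerates host bits set in the network address field,
        # which is a common data-entry slip on a form like this one.
        networks.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))
    return networks


def is_corporate(client_ip, networks):
    """True if the request source address lies inside any configured range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in network for network in networks)


def required_activities(client_ip, networks, activities):
    """Return the names of the authentication activities the user must pass.

    External requests must pass every activity. Internal requests skip the
    activities flagged skip_from_corporate, but at least one must remain.
    """
    if not is_corporate(client_ip, networks):
        return [activity["name"] for activity in activities]
    remaining = [
        activity["name"] for activity in activities
        if not activity["skip_from_corporate"]
    ]
    if not remaining:
        raise ValueError(
            "at least one authentication method must remain for "
            "users on the corporate network"
        )
    return remaining


if __name__ == "__main__":
    nets = build_networks(CORPORATE_RANGES)
    for ip in ("10.20.5.7", "203.0.113.9"):
        print(ip, "internal" if is_corporate(ip, nets) else "external",
              required_activities(ip, nets, AUTH_ACTIVITIES))
```

The decision is only as trustworthy as the source address it is fed: if the Self-Service Site sits behind a reverse proxy or load balancer, make sure the address used for this check is the one the proxy establishes, not a client-supplied header, otherwise an external request could be classified as internal and skip the stronger authentication steps.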

Password Manager permission checker

The Password Manager permission checker is a script used to check user permissions and privileges. The basic permissions for a user include the local system permissions and the Active Directory read, write, and delete permissions. Using the permission checker script, you can evaluate the local and Active Directory permissions of the domain account to confirm that Password Manager has all the privileges it requires.

IMPORTANT:

  • Active Directory module for Windows PowerShell version 5.0 or later must be installed to run the tool. If the dependent script modules are not available, download them from the PowerShell Gallery before running the permission checks.

  • Windows Server 2016 and Windows Server 2019 operating systems are supported.

Configuring Password Manager permission checker

  1. Log in to the server on which Password Manager is to be installed, using the domain account credentials.

  2. From the installation folder, <Password Manager\Setup\Tools\Permission Checker>, copy the Permission Checker folder and paste it onto the server.

  3. Update the Configuration.xml file with the information about the domain objects that the tool needs to validate.

    The permissions associated with the user account are displayed. The PermissionChecker.log file is written to the same location where the tool is placed and contains the same permission report that is displayed in the script console.

IMPORTANT: If the data in Configuration.xml is missing or incorrect, the permission checks for those sections are skipped. The tool then displays the Permission check Warning Summary Report, which lists the reasons why the domain account does not have sufficient privileges.
