Chat now with support
Chat with Support

Identity Manager 9.2.1 - Password Capture Agent Administration Guide

The One Identity Manager Password Capture Agent Managing the Password Capture Agent Fine-tuning automated password synchronization The Password Capture Agent PowerShell module Event log for the Password Capture Agent Customizing security for the Password Capture Agent service Achieving high availability for the web service with Windows Network Load Balancing Installing the Password Capture Agent with MSIEXEC Certificate lookup options Known error codes

Using PowerShell to uninstall the Password Capture Agent

The Password Capture Agent provides a PowerShell module for remote and automated installation, configuration, and uninstall. You can use this method to automatically uninstall the Password Capture Agent on each domain controller in the source Active Directory domain.

For uninstalling the Password Capture Agent remotely, use the following command in an elevated PowerShell.

Import-Module OneIM-PasswordCaptureAgentMgmt

Uninstall-PasswordCaptureAgent`

-ComputerName <Computer name>`

-LogFile <UNC path to log file>`

–LogVerbose

Related topics

Fine-tuning automated password synchronization

This section provides information about the optional tasks related to configuring automated password synchronization from an Active Directory domain to connected target systems.

Detailed information about this topic

Configuring Password Capture Agent

The Password Capture Agent has several settings you can modify. After you install the Password Capture Agent, each of its parameters is assigned a default value.

NOTE: If you do not configure the thumbprint for the Password Capture Agent, the password is secured by transport layer security only (HTTPS).

Detailed information about this topic

Registry configuration parameters

Some of the configuration parameters for the Password Capture Agent can be changed using the Windows Registry Editor. The parameters are split up into those used by the Password Capture Agent service and those used by the Password Capture Agent driver.

Registry configuration parameters for the Password Capture Agent service

The base path for the parameters of the Password Capture Agent service is:

HKLM\SOFTWARE\One Identity\One Identity Manager\Password Capture Agent\Service\

WebService_URL

This setting determines the location - Uniform Resource Locator (URL) - of the web service to which the Password Capture Agent provides information about changed user passwords.

Syntax: https://<serverfqdn>/AppServer/

Type: REG_SZ

Values: URL of the web service

Default: (empty)

CertificateThumbprint

This setting specifies a certificate used to encrypt the data transfer channel between the Password Capture Agent and the web service. The certificate must be accessible both for the Password Capture Agent and the web service.

Type: REG_SZ

Values: Certificate used to encrypt the password befor submiting to the web service.

Default: (empty)

NOTE: If you disable this setting or do not configure it, the password will be secured by transport layer security only (HTTPS).

EncryptedPasswordTransmission

This setting specifies whether the password is encrypted when being sent to the web service. Requires the CertificateThumbprint parameter to be set.

Type: DWORD

Values: 0 | 1 - Disables or enables encrypted password transmission.

Default: 1

EncryptedPasswordTransmissionSigning

This setting specifies whether the password is signed after encryption, when being sent to the web service. Requires the CertificateThumbprint parameter to be set to a certificate with private key and the EncryptedPasswordTransmission parameter to be enabled.

Type: DWORD

Values: 0 | 1 - Disables or enables signed and encrypted password transmission.

Default: 1

Registry configuration parameters for the Password Capture Agent driver

The base path for the parameters of the Password Capture Agent driver is:

HKLM\SOFTWARE\One Identity\One Identity Manager\Password Capture Agent\Driver\

NOTE: No reboot is required to take effect.

DeactivateOnStart

Disables the Password Capture Agent without uninstalling. If the value is set to 1, the Password Capture Agent is disabled after the next reboot. The only action after reboot is a single hint, logged to the Password Capture Agent event log - named One Identity Manager Password Capture Agent - in the Windows Event Viewer.

Type: REG_DWORD

Values: 0 | 1

Default: 0

Diagnostic

Enables some diagnostic behavior if this parameter is set to 1.

  • Verbose logging to log file if it is specified (LogFile parameter). Every operation and its result is logged.

  • All logs are also sent as an operating system debug message for appropriate live viewers (for example, DebugView from Windows Sysinternals).

  • The LogFile parameter is enabled.

Type: REG_DWORD

Values: 0 | 1

Default: 0

FaultToleranceWaitTimeBeforeRetryInSeconds

If an error occurs, the value specified is the wait time in seconds before retrying. If the value is 0, a retry is run immediately.

Type: REG_DWORD

Values: Time in seconds

Default: 120

Logfile

Specifies a name for a log file that must be created. If no value is specified, no log file is created. Only the file name, without a path, needs to be specified, so the file will reside in the %ProgramData%\One Identity\One Identity Manager\Password Capture Agent\Driver installation folder.

The log file logs all activities, and more details if the Diagnostic parameter is enabled. The log file is read-only but can be accessed from any text viewer. It is always recreated on reboot and does not yet contain any history. The time format of the logged time stamps depends on the local language of the operating system and not on the user.

Type: REG_SZ

Values: File name (without a path)

Default: (empty)

LoggingSuccessfulOperations

Enable to force the One Identity Manager to log successful transmissions to the web service to the event log.

Type: REG_DWORD

Values: 0 | 1

Default: 0

RequiredServices

Services that the Password Capture Agent driver is waiting for, before starting the Password Capture Agent service.

Type: REG_MULTI_SZ

Values: List of services

Default: RpcSs EventSystem COMSysApp

PendingCapturesArchiveDepthInDays

Specifies the number of days for undelivered password changes to be saved for retrying. Undelivered password changes can arise if errors have occurred: for example, if the associated web service is not available due to network errors, timeouts, and so on. Every password change that cannot be delivered is also logged to the Password Capture Agent event log in Windows Event Viewer. If 0 is specified, no undelivered password changes are saved; they will be lost.

Type: REG_DWORD

Value: Number of days

Default: 7

Synchronous

If this parameter is set with a value of 1, every password change is handled sequentially. As a result, the initialization process is blocked until all other components in the beyond-processing chain are complete. All password change events that occur in parallel are also blocked until the current password change is complete. This setting also means that a user who only changes their password in the password-change-dialog must wait until the entire processing is complete. This setting is only for test purposes.

Type: REG_DWORD

Values: 0 | 1

Default: 0

Ignoring\PasswordResetOperations

Enable to force One Identity Manager to ignore password resets and only transmit password changes to the One Identity Manager Service.

Type: REG_DWORD

Values: 0 | 1

Default: 0

Ignoring\UserNames

Specifies a list of names of accounts that are to be ignored and whose password changes are irrelevant and are not to be tracked. It can be built-in accounts, such as machine accounts and guest accounts, or other operating system-related accounts, such as virtual machine accounts. Every account in this list is specified as a regular expression. The default is the machine account (^.*$$), which is to be ignored.

Type: REG_MULTI_SZ

Values: List of account names as regular expressions

Default: ^.*$$

Ignoring\UserRids

Specifies a list of User-RIDs (relative part of a user SID number) that are to be ignored and whose password changes are irrelevant and are not to be tracked. These are built-in accounts, such as machine accounts and guest accounts. Every account in this list is specified as a User-RID. RIDs of built-in accounts are the same on every machine. The default for this parameter is the RID of the built-in administrator account (500), the RID of the built-in guest account (501), and the RID of the built-in Kerberos ticket-granting ticket account (502).

Type: REG_MULTI_SZ

Values: List of numbers

Default: 500 501 502

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating