The configuration parameters in this section are secured using the Microsoft Cryptography API and are not directly accessible. If you want to change or review these parameters after installing the Password Capture Agent, use either the Set-ServiceConfig.exe command line or the Password Capture Agent PowerShell module.
The command line is supplied with the Password Capture Agent and is located in the Password Capture Agent installation folder ...\Service.
Example: local
"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" WebServiceClientSkipHttpsValidation:0
NOTE: Retrieving secured configuration parameters requires a privileged user account. The process used to query for secured configuration parameters must be elevated to retrieve parameter values.
Secured configuration parameters for Password Capture Agent
WebServiceType
Specifies whether the web service should be accessed using the One Identity Manager application server (REST) or the One Identity Manager SOAP Web Service (Soap).
It is strongly recommended that you use the One Identity Manager application server. The One Identity Manager SOAP Web Service is only supported for backward compatibility with One Identity Manager version 6.x and should no longer be used.
Values: REST | Soap
Default: REST
WebServiceClientSkipHttpsValidation
If 1 (enabled), HTTPS connections are established without validation.
This is potentially unsecured and should never be used in production.
Values: 0 | 1
Default: 0
WebServiceClientCredentialType
Specifies if the authentication against the Internet Information Services (IIS) should use Windows integrated authentication or certificate based authentication.
Values: WindowsIntegrated | Certificate
Default: WindowsIntegrated
WebServiceClientCredentialCertificateFindByType
Specifies how to search for the authentication certificate. Used in combination with WebServiceClientCredentialType=Certificate.
Values: All values of the X509FindType-enumeration are allowed.
Default: FindByThumbprint
WebServiceClientCredentialCertificate
Finds the certificate based on the find type defined in the WebServiceClientCredentialCertificateFindByType parameter. Used in combination with WebServiceClientCredentialType=Certificate.
BackendClientCredentialType
Specifies how to authenticate against One Identity Manager. WebADS and ADSAccount reuse the Windows credentials used for authentication against IIS.
Values: DialogUser | WebADS | ADSAccount
Default: DialogUser
BackendClientCredentialUserName
Specifies a system user for the authentication against One Identity Manager. Used in combination with BackendClientCredentialType=DialogUser.
Default: viCaptureAgent
BackendClientCredentialUserPwd
Specifies the password of the system user used for authentication against One Identity Manager. Used in combination with BackendClientCredentialType=DialogUser.
NOTE: BackendClientCredentialUserPwd is a write-only parameter. The currently configured value cannot be retrieved using Set-ServiceConfig.
BackendClientCredentialUserPwd_AcceptEmpty
Required if your system user uses a blank password. This is potentially unsecured and should never be used in production. Used in combination with BackendClientCredentialType=DialogUser.
Values: 0 | 1
Default: 1
Example: Retrieve information about a secured configuration parameter
"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" Describe:WebServiceClientCredentialType
Configuration parameter 'BackendClientCredentialType':
Name: BackendClientCredentialType
Possible values: DialogUser;WebADS;ADSAccount
Default value: DialogUser
Corresponding installer property: PROP_BACKEND_CLIENT_CREDENTIAL_TYPE
Description: Specify one of the credential types for authentication against the One Identity Manager
Present in installer GUI: Yes
Write only (read out not allowed): No
Read only (setting not allowed): No
Public in registry: No
Hint:
Comment:
Example: Retrieving a secured configuration parameter
"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" Get:WebServiceClientCredentialType
WebServiceClientCredentialType=Certificate
Value was written to stderr.
Get configuration parameter - operation done.
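The following PowerShell script is an added example and not part of the One Identity documentation. It reads the secured parameters listed above with Set-ServiceConfig.exe (the value arrives on stderr, as the Get: example shows) and flags the settings this page marks as unsuitable for production. It assumes the default installation path and must run from an elevated session.

```powershell
# Added example: audit the secured Password Capture Agent parameters.
# Assumes the default installation folder; adjust $SetServiceConfig if needed.
$SetServiceConfig = Join-Path $env:ProgramFiles `
    'One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe'

# Retrieving secured parameters requires an elevated process (see NOTE above).
$isElevated = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isElevated) { throw 'Run this audit from an elevated PowerShell session.' }

function Get-PcaParameter {
    param([Parameter(Mandatory)][string]$Name)
    # Get: writes "Name=Value" to stderr, so merge stderr into the pipeline,
    # stringify each record and pick out the line that carries the value.
    $output = & $SetServiceConfig "Get:$Name" 2>&1 | ForEach-Object { "$_" }
    $line = $output | Where-Object { $_ -like "$Name=*" } | Select-Object -First 1
    if (-not $line) {
        Write-Warning "Could not read '$Name': $($output -join '; ')"
        return $null
    }
    return $line.Substring($Name.Length + 1)
}

# BackendClientCredentialUserPwd is write-only and therefore not queried.
$names = 'WebServiceType', 'WebServiceClientSkipHttpsValidation',
         'WebServiceClientCredentialType', 'WebServiceClientCredentialCertificateFindByType',
         'WebServiceClientCredentialCertificate', 'BackendClientCredentialType',
         'BackendClientCredentialUserName', 'BackendClientCredentialUserPwd_AcceptEmpty'
$config = @{}
foreach ($n in $names) { $config[$n] = Get-PcaParameter -Name $n }
$config.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Findings follow the guidance given for each parameter on this page.
$findings = @()
if ($config['WebServiceClientSkipHttpsValidation'] -eq '1') {
    $findings += 'WebServiceClientSkipHttpsValidation=1: HTTPS connections are not validated.'
}
if ($config['BackendClientCredentialUserPwd_AcceptEmpty'] -eq '1') {
    $findings += 'BackendClientCredentialUserPwd_AcceptEmpty=1: a blank system user password is accepted.'
}
if ($config['WebServiceType'] -eq 'Soap') {
    $findings += 'WebServiceType=Soap: legacy SOAP web service in use; REST is recommended.'
}
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    # Remediate with the same tool, for example:
    # & $SetServiceConfig 'WebServiceClientSkipHttpsValidation:0'
} else { Write-Host 'No production-unsafe settings found.' }
```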
The One Identity Manager Password Capture Agent supports several authentication options that can be configured separately for authentication against the IIS hosting the web service and for the authentication against the One Identity Manager database.
Authentication against the web service can be configured with the secured WebServiceClientCredentialType parameter.
Permitted values are:
- WindowsIntegrated: Uses the credentials of the user running the Password Capture Agent service to authenticate against the IIS hosting the web service. By default, this is the Local System user, which uses the machine account to authenticate over the network. You can change the user of the Password Capture Agent service. The user requires administrative privileges to access the configuration parameters.
- Certificate: Uses a certificate to authenticate against the IIS hosting the web service. The certificates are searched in Cert:\CurrentUser\My\ and, if not found there, in Cert:\LocalMachine\My\. Ensure that the user running the Password Capture Agent service has permission to access the private key of the certificate.
Authentication against the One Identity Manager database can be configured with the secured BackendClientCredentialType parameter.
Permitted values are:
- DialogUser: The One Identity Manager Service uses the credentials stored in the BackendClientCredentialUserName parameter and the BackendClientCredentialUserPwd parameter to log in as a One Identity Manager system user.
  You can test your configuration by running the Object Browser with the system user login.
- ADSAccount: This option uses the credentials of the user running the Password Capture Agent service to authenticate against the One Identity Manager database. This option works for One Identity Manager version 7.x or later.
  NOTE: The user account must be synchronized by the One Identity Manager database and needs to be linked to an identity whose system user property is set accordingly. A machine account will not be able to authenticate against the One Identity Manager database.
  You can test your configuration by running the Object Browser with the same credentials as the Password Capture Agent service and using the Active Directory user account login.
- WebADS: This option behaves the same as ADSAccount but also works for One Identity Manager version 6.1.x.
Example: Windows authentication and One Identity Manager system user login
The Password Capture Agent service uses Windows authentication to authenticate against the IIS with the web service running. To authenticate against One Identity Manager, the system user viCaptureAgent is used.
- Prerequisites
  Configure the IIS site to only use Windows authentication for the web service.
- Testing
  You should be able to access the web service with a browser and the given Active Directory user account. Start a PowerShell and try to access the web service using the given user account.
  Invoke-WebRequest -Uri https://<servername.domain.com>/AppServer/ -Credential $(Get-Credential <AD domain>\<AD user account>)
  You should be able to log into the Object Browser using the system user login and the credentials provided.
- Password Capture Agent configuration settings
  - WebServiceClientCredentialType = WindowsIntegrated
  - BackendClientCredentialType = DialogUser
  - BackendClientCredentialUserName = viCaptureAgent
  - BackendClientCredentialUserPwd = viCaptureAgentPasswordHere
Example: Windows authentication and Active Directory login
The Password Capture Agent service uses Windows authentication to authenticate against the IIS with the web service running. The Windows user account used to authenticate against the IIS is reused for authentication against One Identity Manager.
- Prerequisites
  - Configure the IIS site to only use Windows authentication for the web service.
  - Configure the IIS site to allow the given users to access the web service (authorization).
  - The Password Capture Agent service must not run as Local System; it requires an administrative user account to run with.
  - The given user accounts must be known to the One Identity Manager database and must be linked to an identity that has a system user configured for this type of authentication.
- Testing
  You should be able to access the web service with a browser and the given Active Directory user account. Start a PowerShell and try to access the web service using the given user account.
  Invoke-WebRequest -Uri https://<servername.domain.com>/AppServer/ -Credential $(Get-Credential <ADDomain>\<ADUser>)
  You can test your configuration by running the Object Browser as the given user account and using the Active Directory user account login.
- Password Capture Agent configuration settings
Example: Certificate authentication and One Identity Manager system user login
This scenario allows you to connect from a host outside of your Active Directory domain. Stored credentials will be used to authenticate against One Identity Manager as system user.
- Prerequisites
  - Configure the IIS site to use HTTPS and Client Certificate Mapping. If you are not using Active Directory Certificate Services, you need to map the certificate to an Active Directory user account within IIS.
  - Client certificate with private key installed on the domain controller.
- Testing
  You should be able to access the web service with a browser using the given certificate. Start a PowerShell as the user with the assigned certificate and try to access the web service.
  Invoke-WebRequest -Uri https://<servername.domain.com>/AppServer/ -CertificateThumbprint <ThumbprintOfGivenCertificate>
  You should be able to log into the Object Browser using the system user login and credentials.
- Password Capture Agent configuration settings
  - WebServiceClientCredentialType = Certificate
  - WebServiceClientCredentialCertificateFindByType = FindByThumbprint
  - WebServiceClientCredentialCertificate = 0123456789ABCED0123456789ABCED0123456789
  - BackendClientCredentialType = DialogUser
  - BackendClientCredentialUserName = viCaptureAgent
  - BackendClientCredentialUserPwd = viCaptureAgentPasswordHere
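The following PowerShell script is an added example and not part of the One Identity documentation. Before setting WebServiceClientCredentialCertificate, it locates the client certificate in the same order the agent uses (Cert:\CurrentUser\My, then Cert:\LocalMachine\My), confirms the private key is present and can be opened by the current account, and then repeats the Testing request with the verified thumbprint. $Thumbprint and $AppServerUri are placeholders; the thumbprint default is the sample value from the scenario above.

```powershell
# Added example: verify the client certificate for the Certificate scenario.
param(
    [string]$Thumbprint   = '0123456789ABCED0123456789ABCED0123456789',  # placeholder
    [string]$AppServerUri = 'https://servername.domain.com/AppServer/'  # placeholder
)
# Thumbprints pasted from the certificate UI often carry spaces; normalise first.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

function Find-PcaClientCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Same search order as the agent: current user store first, then machine store.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if ($cert) { return [pscustomobject]@{ Store = $store; Certificate = $cert } }
    }
    return $null
}

$found = Find-PcaClientCertificate -Thumbprint $Thumbprint
if (-not $found) {
    throw "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My."
}
$cert = $found.Certificate
Write-Host "Found '$($cert.Subject)' in $($found.Store), valid until $($cert.NotAfter)."

# HasPrivateKey only says a key is associated; opening it proves the current
# account can read it. Run this as the service account to test its permissions.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key.' }
try {
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $key) { throw 'Private key is not RSA or could not be opened.' }
    Write-Host 'Private key is accessible to the current account.'
} catch { throw "Private key exists but cannot be opened by $($env:USERNAME): $_" }

# Client certificate mapping in IIS expects the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    Write-Warning 'Certificate lacks the Client Authentication EKU.'
}

# Same request as the Testing step above, now using the verified thumbprint.
$response = Invoke-WebRequest -Uri $AppServerUri -CertificateThumbprint $cert.Thumbprint -UseBasicParsing
Write-Host "Web service answered HTTP $($response.StatusCode)."
```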