Chat now with support
Chat with Support

Active Roles 8.2 - Feature Guide

Introduction About Active Roles
Main Active Roles features Technical overview of Active Roles
About presentation components Overview of service components About network data sources About security and administration elements About Active Directory security management Customization using ADSI Provider and script policies About dynamic groups About workflows Operation in multi-forest environments
Examples of use
Administrative rules and roles
About Managed Units About Access Templates About Access Rules About rule-based autoprovisioning and deprovisioning
Configuring and administering Active Roles Overview of Active Roles Synchronization Service Support for AWS Managed Microsoft AD FIPS compliance LSA protection support STIG compliance

About Active Roles Configuration Shell

The ActiveRolesConfiguration module (also known as the "Configuration Shell") provides cmdlets for configuring Active Roles Administration Service instances and Web Interface sites. The names of the cmdlets provided by this module start with the AR prefix, such as New-ARDatabase, New-ARService, or New-ARWebSite.

NOTE: Consider the following when planning to use the ActiveRolesConfiguration module:

  • This module is available on 64-bit operating systems only.

  • You can only install this module on computers where the Administration Service or Web Interface modules are also installed. Otherwise, the module will not provide all cmdlets.

The following table lists the cmdlets of the Configuration Shell.

Table 12: Configuration Shell Cmdlets

Command

Description

Get-ARComponentStatus

Returns the installation and configuration status of the Active Roles components.

New-ARDatabase

Creates a new Active Roles database.

Import-ARDatabase

Transfers Active Roles configuration data or management history data from one database to another.

Backup-AREncryptionKey

Backs up the current encryption key of the configuration database in the local Administration Service instance into a file.

Restore-AREncryptionKey

Restores the configuration database encryption key from a backup file to the local Administration Service instance.

Reset-AREncryptionKey

Creates a new encryption key for the configuration database in the local Administration Service instance.

New-ARService

Creates the Active Roles Administration Service instance on the local computer.

Get-ARService

Gets the status of the Active Roles Administration Service instance from the local computer.

Set-ARService

Modifies the Active Roles Administration Service instance on the local computer.

Start-ARService

Starts the Active Roles Administration Service instance on the local computer.

Stop-ARService

Stops the Active Roles Administration Service instance on the local computer.

Restart-ARService

Stops and starts the Active Roles Administration Service instance on the local computer.

Remove-ARService

Deletes the Active Roles Administration Service instance from the local computer.

Test-ARServiceDatabaseSettings

Verifies whether the specified Active Roles database settings would cause Management History issues due to setting separate Configuration and Management History databases.

Get-ARServiceStatus

Gets the Active Roles Administration Service status information from the local computer.

Get-ARVersion

Gets the version of the local Active Roles installation.

New-ARWebSite

Creates a new Active Roles Web Interface site.

Get-ARWebSite

Gets the Active Roles Web Interface sites from the web server.

Set-ARWebSite

Modifies the specified Active Roles Web Interface site on the web server.

Remove-ARWebSite

Deletes the specified Active Roles Web Interface site from the web server.

Get-ARWebSiteConfig

Gets Web Interface site configuration objects from the Active Roles Administration Service.

Export-ARWebSiteConfig

Exports the specified Web Interface site configuration to a file.

About System Checker

You can start the System Checker by running the Active Roles System Checker application from the Start menu or Apps page, depending upon your version of the Windows operating system.

From the System Checker main window, you can perform the following tasks:

  • To check your computer, click System Readiness Checks, then select the appropriate Active Roles version for which to perform the checks.

  • To check a particular SQL Server instance, click SQL Server Checks and specify the SQL Server instance to check. You can also specify the authentication method and connection credentials for access to the SQL Server instance.

  • To check a particular Active Directory domain or a particular Domain Controller (DC), click Active Directory Checks and specify the name of the domain or the name of the DC. You can also specify connection credentials for access to the domain or DC.

System Checker then creates a report of the selected action, and displays it in its report viewer. Reports are divided into sections, each of which represents the results of a single check. If a report section includes any errors or warning messages, you can view the messages by expanding the section in the report viewer.

The report viewer also allows you to:

  • Print the report.

  • Export the report to an HTML file, so that you can open the report in a web browser later.

  • Save the report to a report file, so that you can open the saved report in the report viewer later.

  • Open a saved report by clicking Open in the main menu of System Checker, and selecting the report file.

  • Rebuild the report, and optionally also changing the report options.

    To rebuild the report, click Recheck on the toolbar of the report viewer.

About Active Roles Log Viewer

The Active Roles Log Viewer tool allows you to browse and analyze:

  • Diagnostic log files created by the Active Roles Administration Service.

  • Event log files created by saving the Active Roles event logs in the Windows Event Viewer on the computer running the Administration Service.

The Log Viewer tool can help you to:

  • Check the sequence or hierarchy of requests processed by the Administration Service.

  • Identify error conditions that the Administration Service encountered during request processing.

  • Find Knowledge Base (KB) Articles for specific log messages and errors.

You can open Active Roles diagnostic log files (ds.log) or saved event log files (*.evtx) with the Log Viewer tool, allowing you to check:

  • The errors encountered by the Administration Service and recorded in the log file.

  • Requests processed by the Administration Service and traced in the log file.

  • All trace records found in the diagnostic log file.

  • All events found in the event log file.

When you select an error from the list, you can also look for applicable One Identity KB Articles to learn more about the log entry or troubleshoot selected errors.

In addition, the Active Roles Log Viewer tool also allows you to:

  • Search in the loaded log file for a particular text string, such as an error message.

  • Filter the list by various conditions to narrow the listed items to those you are actually interested in.

  • View detailed information about each list item, such as error details, request details or stack trace.

Getting started

To start using Active Roles Log Viewer, see the following resources:

  • For more information on how to install Active Roles Log Viewer, see Installing the Diagnostic Tools in the Active Roles Installation Guide.

  • For more information on using Active Roles Log Viewer, see Using the Log Viewer tool in the Active Roles Administration Guide.

About federated authentication

Federated authentication (also known as claim-based authentication) allows users to access applications or websites by authenticating them against a certain set of rules, known as claims. When federated authentication is configured, users are validated across multiple applications, websites or IT systems via authentication tickets or their token.

During federated authentication, authorization is performed by acquiring the identity-related information of users both for on-premises and cloud-based products. Based on the predefined claims to identify the users trying to access the applications or websites, a single token is created for each user. This security token is used to identify the user type after the user is successfully identified.

Active Roles supports federated authentication using the WS-Federation protocol as well as SAML 2.0 authentication, allowing users to access websites or sign in to an application once with the single sign-on (SSO) option.

CAUTION: Due to RSTS connection limitations, federated authentication must be enabled for only one Active Roles instance. If you try to configure federated authentication for multiple Active Roles instances, the connection to the Active Roles database will break in the previously configured Active Roles instance.

NOTE: To use SAML 2.0 authentication, you must have a valid SSL/TLS certificate configured for Active Roles.

NOTE: After an Active Roles upgrade, to ensure that Active Roles automatically refreshes expired certificates:

  • in case of using WS-Federation, in the Active RolesConfiguration Center, in Web Interface > Authentication, reconfigure federated authentication.

  • in case of using SAML 2.0 authentication, in the Active RolesConfiguration Center, in Web Interface > Authentication, make sure to load the federation metadata from URL (instead of loading it from file) when configuring the federated authentication.

NOTE: Federated authentication is not supported and does not work on a standalone Active Roles Web Interface instance.

For more information on configuring federated authentication for various identity providers, see Federated authentication settings and identity providers in the Active Roles Administration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating