Identity Manager 8.0 - Password Capture Agent Administration Guide

Installing the Password Capture Agent with MSIEXEC

The Password Capture Agent setup can be automated using MSIEXEC parameters. The parameters are listed in the following tables.

Parameters for MSIEXEC
Table 22: Parameter "PROP_WEBSERVICE"
Configuration after Setup: Registry value: Service\WebService_URL
Values: -
Comment: The Webservice URL.

Table 23: Parameter "PROP_WEB_SERVICE_TYPE"
Configuration after Setup: Set-ServiceConfig.exe: WebServiceType
Values: REST | Soap
Comment: WebService Api Type.

Table 24: Parameter "PROP_CERTIFICATE"
Configuration after Setup: Registry value: Service\CertificateThumbprint
Values: -
Comment: The One Identity Manager password encryption certificate.

Table 25: Parameter "PROP_LOGGING_SUCCESSFUL_OPERATIONS"
Configuration after Setup: Registry value: Driver\LoggingSuccessfulOperations
Values: 0 | 1 (Default: 0)
Comment: -

Table 26: Parameter "PROP_IGNORE_PASSWORD_RESET_OPERATIONS"
Configuration after Setup: Registry value: Driver\Ignoring\PasswordResetOperations
Values: 0 | 1 (Default value: 0)
Comment: -

Table 27: Parameter "PROP_BACKEND_CLIENT_CREDENTIAL_TYPE"
Configuration after Setup: Set-ServiceConfig.exe: BackendClientCredentialType
Values: DialogUser | WebADS | ADSAccount (Default: DialogUser)
Comment: -

Table 28: Parameter "PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME"
Configuration after Setup: Set-ServiceConfig.exe: BackendClientCredentialUserName
Values: Default: viCaptureAgent
Comment: -

Table 29: Parameter "PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD"
Configuration after Setup: Set-ServiceConfig.exe: BackendClientCredentialUserPwd
Values: -
Comment: -

Table 30: Parameter "PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD_ACCEPT_EMPTY"
Configuration after Setup: Set-ServiceConfig.exe: BackendClientCredentialUserPwd_AcceptEmpty
Values: 0 | 1 (Default: 0)
Comment: -

Table 31: Parameter "PROP_WEB_SERVICE_CLIENT_SKIP_HTTPS_VALIDATION"
Configuration after Setup: Set-ServiceConfig.exe: WebServiceClientSkipHttpsValidation
Values: 0 | 1 (Default: 0)
Comment: -

Table 32: Parameter "PROP_WEB_SERVICE_CLIENT_CREDENTIAL_TYPE"
Configuration after Setup: Set-ServiceConfig.exe: WebServiceClientCredentialType
Values: WindowsIntegrated | Certificate (Default: WindowsIntegrated)
Comment: -

Table 33: Parameter "PROP_WEB_SERVICE_CLIENT_CREDENTIAL_CERTIFICATE_FIND_BY_TYPE"
Configuration after Setup: Set-ServiceConfig.exe: WebServiceClientCredentialCertificateFindByType
Values: Default: FindByThumbprint
Comment: -

Table 34: Parameter "PROP_WEB_SERVICE_CLIENT_CREDENTIAL_CERTIFICATE"
Configuration after Setup: Set-ServiceConfig.exe: WebServiceClientCredentialCertificate
Values: -
Comment: -

Table 35: Parameter "PROP_FINAL_FUNCTION_TEST"
Configuration after Setup: Used only by, and during, the setup.
Values: 0 | 1 (Default: 1)
Comment: Only used by setup to determine whether the final function test should be executed. Failure will cause setup to fail.

NOTE: MSIEXEC does not recognize 0 as a way to clear a checkbox. Pass an empty value instead, for example PROP_FINAL_FUNCTION_TEST="".

Example 1: Silent install with default settings

msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart /L "<LOGFILE>"

Example 2: Silent install with parameters

msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEBSERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_DENY_SELF_SIGNED_CERTIFICATES_FOR_HTTPS="1" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"

Example 3: Interactive Installation

msiexec.exe /i "<SETUP_MSI_FILE>" /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEBSERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_USERNAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_DENY_SELF_SIGNED_CERTIFICATES_FOR_HTTPS="1" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"

Example 4: Uninstall

msiexec.exe /X{E7D3E2C0-0BD9-4EBB-A70C-E835D575611B} /quiet /norestart /L "<LOGFILE>"
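
A pre-flight check for the silent install, as an added example that is not One Identity's code: it validates a planned property set against the values in the tables above and builds the msiexec argument list. The function name, the sample URL, the https-only rule and the refusal of the two opt-out switches are assumptions of this example.

```powershell
# Added example, not vendor code. Names and allowed values are copied from the
# parameter tables above; the refusal policy below is this example's assumption.
$Allowed = @{
    PROP_LOGGING_SUCCESSFUL_OPERATIONS                   = '0', '1'
    PROP_IGNORE_PASSWORD_RESET_OPERATIONS                = '0', '1'
    PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD_ACCEPT_EMPTY = '0', '1'
    PROP_WEB_SERVICE_CLIENT_SKIP_HTTPS_VALIDATION        = '0', '1'
    PROP_FINAL_FUNCTION_TEST                             = '0', '1'
    PROP_BACKEND_CLIENT_CREDENTIAL_TYPE     = 'DialogUser', 'WebADS', 'ADSAccount'
    PROP_WEB_SERVICE_CLIENT_CREDENTIAL_TYPE = 'WindowsIntegrated', 'Certificate'
}
# Switches this wrapper refuses to turn on (policy assumed for the example).
$Refused = 'PROP_WEB_SERVICE_CLIENT_SKIP_HTTPS_VALIDATION',
           'PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD_ACCEPT_EMPTY'

function Get-PcaMsiArguments {
    param(
        [Parameter(Mandatory)] [string]    $MsiPath,
        [Parameter(Mandatory)] [string]    $LogFile,
        [Parameter(Mandatory)] [hashtable] $Properties
    )
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart')
    foreach ($name in ($Properties.Keys | Sort-Object)) {
        $value = [string]$Properties[$name]
        $known = $Allowed[$name]
        if ($known -and $value -notin $known) {
            throw "$name='$value' is not one of: $($known -join ' | ')"
        }
        if ($name -in $Refused -and $value -eq '1') {
            throw "$name=1 is refused; keep the default 0."
        }
        if ($name -eq 'PROP_WEBSERVICE' -and $value -notmatch '^https://') {
            throw 'PROP_WEBSERVICE must be an https:// URL.'
        }
        if ($name -eq 'PROP_CERTIFICATE' -and $value -notmatch '^[0-9A-Fa-f]{40}$') {
            throw 'PROP_CERTIFICATE must be a 40-hex-digit thumbprint.'
        }
        # Per the NOTE above, a 0/1 checkbox is cleared with "", not 0
        # (applied to every 0 | 1 property here, which is an assumption).
        if ($known -and $known[0] -eq '0' -and $value -eq '0') { $value = '' }
        $msiArgs += "$name=`"$value`""
    }
    $msiArgs + @('/L', "`"$LogFile`"")
}

# Constructed sample values; the MSI and log paths are the page's placeholders.
$plan = @{ PROP_WEBSERVICE = 'https://idm.example.test/PCA'
           PROP_CERTIFICATE = '0123456789ABCED0123456789ABCED0123456789'
           PROP_FINAL_FUNCTION_TEST = '0' }
(Get-PcaMsiArguments '<SETUP_MSI_FILE>' '<LOGFILE>' $plan) -join ' '
```

The returned array can be passed to Start-Process msiexec.exe -ArgumentList ... -Wait -PassThru, and the process ExitCode checked afterwards.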

Certificate Lookup Options

Because certificates have a limited lifetime and must be renewed or replaced, the Password Capture Agent service lets you configure how it searches for a valid certificate. Be aware that not all configurable FindByTypes may be suitable for your needs.

Example 1: Use certificate from local trusted root certificate authority (Active Directory Certificate Services)

All certificates issued by "DEMOCORP DEMO ROOT CA" are treated as valid for this purpose. Automatic enrollment is used to distribute the certificates, and new certificates are generated automatically before expiration.

  • WebServiceClientCredentialCertificateFindByType = FindByIssuerName
  • WebServiceClientCredentialCertificate = "DEMOCORP DEMO ROOT CA"

- OR -

  • WebServiceClientCredentialCertificateFindByType = FindByIssuerDistinguishedName
  • WebServiceClientCredentialCertificate = "CN=DEMOCORP DEMO ROOT CA, DC=Democorp, DC=com"

Example 2: Use certificate based on subject

All certificates with a subject "demoadmn" are treated as valid for this purpose.

  • WebServiceClientCredentialCertificateFindByType = FindBySubjectName
  • WebServiceClientCredentialCertificate = "demoadmn"

- OR -

  • WebServiceClientCredentialCertificateFindByType = FindBySubjectDistinguishedName
  • WebServiceClientCredentialCertificate = "CN=demoadmn, CN=Users, DC=Democorp, DC=com"

Example 3: Use static certificate by thumbprint and change manually when new certificate is available

  • WebServiceClientCredentialCertificateFindByType = FindByThumbprint
  • WebServiceClientCredentialCertificate = 0123456789ABCED0123456789ABCED0123456789
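
To see what a FindByType and value pair actually selects on a host before configuring it, the following added example (not part of the product) lists every matching certificate with its expiry. It assumes the FindByType names correspond to .NET's X509FindType enum, where the name-based types match a case-insensitive substring, and that the certificate sits in LocalMachine\My.

```powershell
# Added example, not vendor code. Assumes the agent's FindByType names are the
# members of .NET's X509FindType enum and that the client certificate is in
# the LocalMachine\My store; adjust -StoreName / -StoreLocation otherwise.
function Get-CertLookupMatch {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509FindType] $FindByType,
        [Parameter(Mandatory)] [string] $Value,
        [System.Security.Cryptography.X509Certificates.StoreName]     $StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation] $StoreLocation = 'LocalMachine'
    )
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false: expired or untrusted matches are listed too,
        # so a stale certificate that the pattern still selects is visible.
        $found = $store.Certificates.Find($FindByType, $Value, $false)
    }
    finally { $store.Close() }

    # A name-based lookup that selects several certificates is worth reviewing.
    if ($found.Count -ne 1) {
        Write-Warning "$FindByType '$Value' selects $($found.Count) certificates in $StoreLocation\$StoreName."
    }
    foreach ($cert in $found) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            DaysLeft      = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# Values taken from the lookup examples above.
Get-CertLookupMatch -FindByType FindByIssuerName  -Value 'DEMOCORP DEMO ROOT CA'
Get-CertLookupMatch -FindByType FindBySubjectName -Value 'demoadmn'
```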

Known Error Codes

There are several known error codes that the script VI_CaptureAgent_SetPassword can use to reject a password change. The script is stored in the Password Capture Agent database. If it does not suit your needs, you can overwrite the script.

The following table lists the possible errors and appropriate actions that are returned by the script VI_CaptureAgent_SetPassword.

Table 36: Errors and appropriate actions

| Error Code | Error Message | Action | Administration Action |
|---|---|---|---|
| 0 | No Error. Change went through. | OK | - |
| 1 | Password cycle detected. | Skip | Check manual for password cycles. |
| 2 | ADS Account is marked as privileged and will not be handled. | Skip | - |
| 1212 | ADS Account has no domain. | Skip | - |
| 1317 | ADS Account is not known by One Identity Manager. | Skip | Check if your Active Directory domain has been configured to be synchronized regularly within One Identity Manager. |
| 1332 | ADS Account exists but is not mapped to a Person in One Identity Manager. | Skip | Check One Identity Manager configuration; you should not have Active Directory user accounts without mapped employees. |
| 1355 | ADS Domain is not known by One Identity Manager. | Skip | Check if your Active Directory domain has been configured to be synchronized within One Identity Manager. |
| 9901 | More than one ADS Account found in One Identity Manager database matching DOMAIN\SAMAccountName. | Skip | Check for duplicate entries in table ADSAccount within One Identity Manager. |
| 9902 | Failed to load Person mapped to ADS Account from One Identity Manager database. | Skip | Check One Identity Manager for problems; try loading that employee within Object Browser. |
| 8205 | Password encryption does not match the configuration in One Identity Manager. | Skip | Compare configuration of One Identity Manager and Password Capture Agent. |
