The Password Capture Agent Setup can be automated using MSIEXEC parameters. The parameters are listed in the following table.
Configuration after Setup | Values | Comment |
---|---|---|
Registry value: Service\WebService_URL |  | The Webservice URL. |
Set-ServiceConfig.exe: WebServiceType | REST \| Soap | WebService Api Type. |
Registry value: Service\CertificateThumbprint |  | The One Identity Manager password encryption certificate. |
Registry value: Driver\LoggingSuccessfulOperations | 0 \| 1 Default: 0 |  |
Registry value: Driver\Ignoring\PasswordResetOperations | 0 \| 1 Default value: 0 |  |
Set-ServiceConfig.exe: BackendClientCredentialType | DialogUser \| WebADS \| ADSAccount Default: DialogUser |  |
Set-ServiceConfig.exe: BackendClientCredentialUserName | Default: viCaptureAgent |  |
Set-ServiceConfig.exe: BackendClientCredentialUserPwd |  |  |
Set-ServiceConfig.exe: BackendClientCredentialUserPwd_AcceptEmpty | 0 \| 1 Default: 0 |  |
Set-ServiceConfig.exe: WebServiceClientSkipHttpsValidation | 0 \| 1 Default: 0 |  |
Set-ServiceConfig.exe: WebServiceClientCredentialType | WindowsIntegrated \| Certificate Default: WindowsIntegrated |  |
Set-ServiceConfig.Exe: WebServiceClientCredentialCertificateFindByType | Default: FindByThumbprint |  |
Set-ServiceConfig.Exe: WebServiceClientCredentialCertificate |  |  |
Only used by - and during the setup. | 0 \| 1 Default: 1 | Only used by setup to determine whether final function test should be executed. Failure will cause setup to fail. |
NOTE: MSIEXEC does not recognize 0 as a way to clear check boxes. Pass an empty value instead, for example PROP_FINAL_FUNCTION_TEST="".
```
msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart /L "<LOGFILE>"

msiexec.exe /i "<SETUP_MSI_FILE>" /quiet /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEBSERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_NAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_DENY_SELF_SIGNED_CERTIFICATES_FOR_HTTPS="1" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"

msiexec.exe /i "<SETUP_MSI_FILE>" /norestart PROP_WEBSERVICE="<WEBSERVICE_URL>" PROP_WEBSERVICE_TYPE="<WEBSERVICE_TYPE>" PROP_CERTIFICATE="<CERTIFICATE_THUMBPRINT>" PROP_USERNAME="<One Identity Manager system user>" PROP_BACKEND_CLIENT_CREDENTIAL_USER_PWD="<System user password>" PROP_DENY_SELF_SIGNED_CERTIFICATES_FOR_HTTPS="1" PROP_FINAL_FUNCTION_TEST="1" PROP_IGNORE_PASSWORD_RESET_OPERATIONS="" /L "<LOGFILE>"

msiexec.exe /X{E7D3E2C0-0BD9-4EBB-A70C-E835D575611B} /quiet /norestart /L "<LOGFILE>"
```
Because certificates have a limited lifetime and therefore have to be renewed or updated, the Password Capture Agent service can be configured to search for valid certificates. Be aware that not all configurable FindByTypes may be suitable for your needs.
All certificates issued by "DEMOCORP DEMO ROOT CA" are to be valid for this purpose. Automatic enrollment is used to distribute the certificates, and new certificates are generated automatically before expiration.
- OR-
All certificates with a subject "demoadmn" to be valid for this purpose.
- OR-
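Before switching away from FindByThumbprint, it helps to see which certificates a broader search value would actually select on the machine. The following PowerShell is an added example, not One Identity code; it assumes the agent's FindByType names follow .NET's `X509FindType` enumeration and that the certificates are stored in `LocalMachine\My`, and it reuses the issuer and subject values from the scenarios above.

```powershell
# Added example, not vendor code. Assumptions: the agent's FindByType names follow
# .NET's X509FindType and the certificates live in LocalMachine\My.
$rules = @(
    @{ FindType = 'FindByIssuerName';  Value = 'DEMOCORP DEMO ROOT CA' },
    @{ FindType = 'FindBySubjectName'; Value = 'demoadmn' }
)
$warnDays = 30   # constructed threshold for flagging certificates close to expiry

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $now = Get-Date
    foreach ($rule in $rules) {
        $type = [System.Security.Cryptography.X509Certificates.X509FindType]$rule.FindType
        # validOnly = $false returns every name match, so expired or untrusted
        # certificates covered by the rule are reported as well.
        $hits = $store.Certificates.Find($type, $rule.Value, $false)
        foreach ($cert in $hits) {
            [pscustomobject]@{
                Rule          = ('{0}={1}' -f $rule.FindType, $rule.Value)
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                InValidity    = (($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now))
                ChainVerified = $cert.Verify()          # .NET basic chain validation
                HasPrivateKey = $cert.HasPrivateKey     # needed for client authentication
                ExpiresSoon   = ($cert.NotAfter -lt $now.AddDays($warnDays))
            }
        }
        # Both name-based find types are case-insensitive substring matches in .NET,
        # so a short value can select certificates never intended for the agent.
        if ($hits.Count -ne 1) {
            Write-Warning ("{0}='{1}' selects {2} certificate(s); review the list" -f `
                $rule.FindType, $rule.Value, $hits.Count)
        }
    }
}
finally {
    $store.Close()
}
```

Pipe the output to `Format-List` for readability. More than one match is expected while an old and a renewed certificate overlap, but every listed thumbprint should be one you recognize.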
There are several known error codes that the script VI_CaptureAgent_SetPassword can use to reject a password change. The script is stored in the Password Capture Agent database. If it does not suit your needs, you can overwrite the script.
The following table lists the possible errors returned by the script VI_CaptureAgent_SetPassword and the appropriate actions.
Error Code | Error Message | Action | Administration Action |
---|---|---|---|
0 | No Error. Change went through. | OK | - |
1 | Password cycle detected. | Skip | Check manual for password cycles. |
2 | ADS Account is marked as privileged and will not be handled. | Skip | - |
1212 | ADS Account has no domain. | Skip | - |
1317 | ADS Account is not known by One Identity Manager. | Skip | Check if your Active Directory domain has been configured to be synchronized regularly within One Identity Manager. |
1332 | ADS Account exists but is not mapped to a Person in One Identity Manager. | Skip | Check One Identity Manager configuration, you should not have Active Directory user accounts without mapped employees. |
1355 | ADS Domain is not known by One Identity Manager. | Skip | Check if your Active Directory domain has been configured to be synchronized within One Identity Manager. |
9901 | More than one ADS Account found in One Identity Manager database matching DOMAIN\SAMAccountName. | Skip | Check for duplicate entries in table ADSAccount within One Identity Manager. |
9902 | Failed to load Person mapped to ADS Account from One Identity Manager database. | Skip | Check One Identity Manager for problems, try loading that employee within Object Browser. |
8205 | Password encryption does not match the configuration in One Identity Manager. | Skip | Compare configuration of One Identity Manager and Password Capture Agent. |