
Identity Manager 8.0 - Password Capture Agent Administration Guide


Secured Configuration Parameters

The configuration parameters in this section are secured using the Microsoft Cryptography API and are not directly accessible. If you want to change or review these parameters after the Password Capture Agent installation, use either the command-line tool Set-ServiceConfig.exe or the Password Capture Agent Windows PowerShell module.

The command-line tool is supplied with the Password Capture Agent and is located in the Password Capture Agent installation folder ...\Service.

Example (local)

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" WebServiceClientSkipHttpsValidation:0

NOTE: Retrieving secured configuration parameters requires a privileged user account. The process used to query for secured configuration parameters has to be elevated to retrieve parameter values.
Secured configuration parameters for Password Capture Agent

Table 11: parameter "WebServiceType"
Default: REST
Allowed values: REST | Soap
Description: Specifies whether the Webservice should be accessed using the REST API (AppServer) or the SOAP API (SoapService).

Table 12: parameter "WebServiceClientSkipHttpsValidation"
Default: 0
Allowed values: 0 | 1
Description: If enabled, HTTPS connections will be established without validating the server's TLS certificate. This is potentially insecure and should never be used in production.

Table 13: parameter "WebServiceClientCredentialType"
Default: WindowsIntegrated
Allowed values: WindowsIntegrated | Certificate
Description: Specifies whether the authentication against the Internet Information Services (IIS) should use Windows integrated authentication or certificate-based authentication.

Table 14: parameter "WebServiceClientCredentialCertificateFindByType"
Default: FindByThumbprint
Allowed values: (not listed; see description)
Description: Specifies how to search for the authentication certificate. All values of the X509FindType enumeration are allowed. Used in combination with "WebServiceClientCredentialType=Certificate".

Table 15: parameter "WebServiceClientCredentialCertificate"
Default: (none)
Allowed values: (not listed)
Description: Specifies the value used to find the certificate, according to the find type defined in the configuration parameter "WebServiceClientCredentialCertificateFindByType". Used in combination with "WebServiceClientCredentialType=Certificate".

Table 16: parameter "BackendClientCredentialType"
Default: DialogUser
Allowed values: DialogUser | WebADS | ADSAccount
Description: Specifies how to authenticate against One Identity Manager. "WebADS" and "ADSAccount" reuse the Windows credentials used for authentication against IIS.
  • ADSAccount = One Identity Manager 7.x
  • WebADS = One Identity Manager 6.1.x

Table 17: parameter "BackendClientCredentialUserName"
Default: viCaptureAgent
Allowed values: (not listed)
Description: Specifies a system user for the authentication against One Identity Manager. Used in combination with "BackendClientCredentialType=DialogUser".

Table 18: parameter "BackendClientCredentialUserPwd_AcceptEmpty"
Default: 0
Allowed values: 0 | 1
Description: Required if your system user is using a blank password. This is potentially insecure and should never be used in production. Used in combination with "BackendClientCredentialType=DialogUser".

NOTE: The parameter "BackendClientCredentialUserPwd" is a write only parameter. The currently configured value cannot be retrieved using Set-ServiceConfig.
Example 1: Retrieve information about a secured configuration parameter

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" Describe:BackendClientCredentialType

Configuration parameter 'BackendClientCredentialType':
Name: BackendClientCredentialType
Possible values: DialogUser;WebADS;ADSAccount
Default value: DialogUser
Corresponding installer property: PROP_BACKEND_CLIENT_CREDENTIAL_TYPE
Description: Specify one of the credential types for authentication against the One Identity Manager
Present in installer GUI: Yes
Write only (read out not allowed): No
Read only (setting not allowed): No
Public in registry: No
Hint:
Comment:

Example 2: Retrieving a secured configuration parameter

"%ProgramFiles%\One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe" Get:WebServiceClientCredentialType

WebServiceClientCredentialType=Certificate
Value was written to stderr.
Get configuration parameter - operation done.
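The following script is an added example and not part of the One Identity documentation or product: it reads the secured parameters through Set-ServiceConfig.exe, using the "Name=Value" line on stderr shown in Example 2, and flags the two settings this guide says must never be enabled in production. It assumes the default installation path and an elevated PowerShell session, as the NOTE above requires.

```powershell
# Added example, not part of the One Identity documentation: audit the secured
# parameters for the settings the guide marks as "never use in production".
# Assumes the default installation folder and an elevated session.
$SetServiceConfig = Join-Path $env:ProgramFiles `
    'One Identity\One Identity Manager\Password Capture Agent\Service\Set-ServiceConfig.exe'

function Get-PcaSecuredParameter {
    param([Parameter(Mandatory)][string]$Name)
    # Example 2 shows that the "Name=Value" line is written to stderr, so the error
    # stream is merged into the output stream before looking for that line.
    $lines = & $SetServiceConfig "Get:$Name" 2>&1 | ForEach-Object { "$_" }
    $valueLine = $lines | Where-Object { $_.StartsWith("$Name=") } | Select-Object -First 1
    if (-not $valueLine) {
        throw "Could not read '$Name'; is this session elevated? Output: $($lines -join ' | ')"
    }
    return ($valueLine -split '=', 2)[1]
}

# Values the guide marks as potentially insecure.
$RiskyWhen = @{
    'WebServiceClientSkipHttpsValidation'        = '1'   # HTTPS without validation
    'BackendClientCredentialUserPwd_AcceptEmpty' = '1'   # system user with a blank password
}
# Informational parameters reported alongside the risky flags.
$AlsoReport = 'WebServiceType', 'WebServiceClientCredentialType', 'BackendClientCredentialType'

function Test-PcaSecuredConfig {
    foreach ($name in @($RiskyWhen.Keys) + $AlsoReport) {
        $value  = Get-PcaSecuredParameter -Name $name
        $status = 'OK'
        if ($RiskyWhen.ContainsKey($name) -and $value -eq $RiskyWhen[$name]) { $status = 'REVIEW' }
        [pscustomobject]@{ Parameter = $name; Value = $value; Status = $status }
    }
}

Test-PcaSecuredConfig | Format-Table -AutoSize
```

A row marked REVIEW means the running service has one of the two insecure settings enabled; the write-only parameter "BackendClientCredentialUserPwd" is deliberately not queried because Set-ServiceConfig cannot return it.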


Authentication Options

The One Identity Manager Password Capture Agent supports several authentication options that can be configured separately for the authentication against the IIS hosting the Webservice and for the authentication against the One Identity Manager database.


Authentication against the Webservice

The authentication against the Webservice can be configured with the secured configuration parameter "WebServiceClientCredentialType".

Table 19: Options for parameter "WebServiceClientCredentialType"

WindowsIntegrated: This option uses the credentials of the user running the Password Capture Agent service to authenticate against the IIS hosting the Webservice. By default, this is the user "Local System", which uses the machine account to authenticate over the network. You can change the user of the Password Capture Agent service. The user requires administrative privileges to access the configuration parameters.

Certificate: This option uses a certificate to authenticate against the IIS hosting the Webservice. The certificate is searched for in Cert:\CurrentUser\My\ and, if not found there, in Cert:\LocalMachine\My\. Ensure that the user running the Password Capture Agent service has sufficient permissions to access the private key of the certificate.
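The following function is an added example and not part of the One Identity documentation or product: it resolves the client certificate the way the option above describes the lookup, by an X509FindType value ("WebServiceClientCredentialCertificateFindByType") and a find value ("WebServiceClientCredentialCertificate"), first in Cert:\CurrentUser\My and then in Cert:\LocalMachine\My, and reports whether the match carries a private key and a valid chain. The thumbprint in the usage line is the placeholder value from Example 3 on this page.

```powershell
# Added example, not part of the One Identity documentation: look up the client
# certificate in the same store order the guide describes and report what the
# service account would need in order to use it.
function Find-PcaClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509FindType]$FindByType,
        # A string for most find types; FindByTimeValid and friends expect a DateTime.
        [Parameter(Mandatory)][object]$FindValue
    )
    foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        Get-ChildItem -Path $storePath | ForEach-Object { [void]$collection.Add($_) }
        # validOnly = $false: an expired or untrusted certificate is still found and
        # reported as such instead of silently falling through to the next store.
        $found = $collection.Find($FindByType, $FindValue, $false)
        if ($found.Count -gt 0) {
            $cert = $found[0]
            return [pscustomobject]@{
                Store         = $storePath
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey   # the service account also needs read access to it
                NotAfter      = $cert.NotAfter
                ChainValid    = $cert.Verify()
                Ambiguous     = ($found.Count -gt 1)  # more than one certificate matched in this store
            }
        }
    }
    throw "No certificate matched $FindByType '$FindValue' in CurrentUser\My or LocalMachine\My."
}

# Placeholder thumbprint taken from Example 3 on this page; replace it with your own.
Find-PcaClientCertificate -FindByType FindByThumbprint -FindValue '0123456789ABCED0123456789ABCED0123456789'
```

Run it under the account the Password Capture Agent service uses, since Cert:\CurrentUser\My is that account's store; a match with HasPrivateKey or ChainValid set to False is the condition the private-key note above warns about.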


Authentication against One Identity Manager

The authentication against the One Identity Manager database can be configured with the secured configuration parameter "BackendClientCredentialType".

Table 20: Options for parameter "BackendClientCredentialType"

DialogUser: The One Identity Manager service uses the credentials stored in "BackendClientCredentialUserName" and "BackendClientCredentialUserPwd" to log in as a One Identity Manager system user. You can test your configuration by running the Object Browser with the system user login.

ADSAccount: This option uses the credentials of the user running the Password Capture Agent service to authenticate against the One Identity Manager database. This option works with One Identity Manager version 7.x or later.

NOTE: The user account has to be synchronized into the One Identity Manager database and must be linked to an employee whose system user property is set accordingly. A machine account will not be able to authenticate against the One Identity Manager database.

You can test your configuration by running the Object Browser with the same credentials as the Password Capture Agent service and using the Active Directory user account login.

WebADS: This option behaves the same as the option "ADSAccount" but works with One Identity Manager version 6.1.x.

Example 1: Windows authentication and One Identity Manager system user login

The Password Capture Agent service uses Windows authentication to authenticate against the IIS hosting the Webservice. To authenticate against One Identity Manager, the system user "viCaptureAgent" is used.

  • Prerequisites

    Configure the IIS site to only use Windows authentication for the Webservice.

  • Testing

    You should be able to access the Webservice with a browser and the given Active Directory user account. Start Windows PowerShell and try to access the Webservice using the given user account.

    Invoke-WebRequest -Uri https://servername.domain.com/SoapService/ -Credential $(Get-Credential <AD domain>\<AD user account>)

    You should be able to log into the Object Browser using the system user login and the credentials provided.

  • Password Capture Agent configuration settings
    • WebServiceClientCredentialType = WindowsIntegrated
    • BackendClientCredentialType = DialogUser
    • BackendClientCredentialUserName = viCaptureAgent
    • BackendClientCredentialUserPwd = viCaptureAgentPasswordHere
Example 2: Windows authentication and Active Directory login

The Password Capture Agent service uses Windows authentication to authenticate against the IIS hosting the Webservice. The Windows user account used to authenticate against the IIS is reused for authentication against One Identity Manager.

  • Prerequisites
    • Configure the IIS site to only use Windows authentication for the Webservice.
    • Configure IIS site to allow given users to access the Webservice (authorization).
    • The Password Capture Agent service must not run as "Local System"; it requires an administrative user account to run under.
    • Given user accounts have to be known to the One Identity Manager database and have to be linked to an employee that has a system user configured to use for this type of authentication.
  • Testing

    You should be able to access the Webservice with a browser and the given Active Directory user account. Start Windows PowerShell and try to access the Webservice using the given user account.

    Invoke-WebRequest -Uri https://servername.domain.com/SoapService/ -Credential $(Get-Credential <ADDomain>\<ADUser>)

    You can test your configuration by running the Object Browser as the given user account and using the Active Directory user account login.

  • Password Capture Agent configuration settings
    • WebServiceClientCredentialType = WindowsIntegrated
    • BackendClientCredentialType = ADSAccount
Example 3: Certificate authentication and One Identity Manager system user login

This scenario allows you to connect from a host outside of your Active Directory domain. Stored credentials will be used to authenticate against One Identity Manager as system user.

  • Prerequisites
    • Configure the IIS site to use HTTPS and Client Certificate Mapping. If you are not using Active Directory Certificate Services, you need to map the certificate to an Active Directory user account within IIS.
    • Client certificate with private key installed on the domain controller.
  • Testing

    You should be able to access the Webservice with a browser using the given certificate. Start Windows PowerShell as the user with the assigned certificate and try to access the Webservice.

    Invoke-WebRequest -Uri https://servername.domain.com/SoapService/ -CertificateThumbprint <ThumbprintOfGivenCertificate>

    You should be able to log into the Object Browser using the system user login and the credentials provided.

  • Password Capture Agent configuration settings
    • WebServiceClientCredentialType = Certificate
    • WebServiceClientCredentialCertificateFindByType = FindByThumbprint
    • WebServiceClientCredentialCertificate = 0123456789ABCED0123456789ABCED0123456789
    • BackendClientCredentialType = DialogUser
    • BackendClientCredentialUserName = viCaptureAgent
    • BackendClientCredentialUserPwd = viCaptureAgentPasswordHere